# Microsoft Teams Integration Guide

### Overview

EvalFlow's Microsoft Teams integration allows you to sync your organization's users and send evaluation notifications directly through Teams. This guide covers setup, permissions, and troubleshooting.

***

### Prerequisites

To set up the Teams integration, you need:

* **Microsoft 365 Subscription** with Teams enabled
* **Global Administrator** or **Teams Service Administrator** role in your organization
* **Azure Active Directory** access (included with Microsoft 365)

***

### Setup Instructions

#### 1. Initiate Connection

1. Navigate to **Settings → Integrations** in EvalFlow
2. Click **Connect to Microsoft Teams**
3. A popup window will open with the Microsoft consent screen

#### 2. Grant Admin Consent

The Microsoft consent screen will show the permissions EvalFlow requires:

| Permission                | Purpose                                                             |
| ------------------------- | ------------------------------------------------------------------- |
| **User.Read.All**         | Sync team members' names and emails to match with EvalFlow accounts |
| **Chat.Create**           | Send evaluation notifications via Teams direct messages             |
| **Chat.ReadWrite.All**    | Manage bot conversations for evaluation reminders                   |
| **Group.ReadWrite.All**   | Detect team memberships for role assignments                        |
| **TeamSettings.Read.All** | Verify Teams configuration for optimal integration                  |

**Important Notes:**

* These permissions are **read-only for user data** - EvalFlow cannot modify your directory
* EvalFlow **cannot read** existing messages, emails, or files
* All permissions use **Application** type (service-to-service) for reliable background sync
* Permissions can be revoked anytime through Azure AD

#### 3. Complete Setup

1. Click **Accept** on the consent screen
2. The popup will close automatically
3. You'll see a success message in EvalFlow
4. Click **Sync Users** to perform the initial sync

***

### User Sync Process

#### How It Works

EvalFlow syncs users by matching email addresses:

1. **Fetches users** from your Microsoft 365 directory
2. **Matches emails** with existing EvalFlow accounts (case-insensitive)
3. **Creates mappings** so evaluations can be sent via Teams
4. **Syncs automatically** every hour in the background

#### What Gets Synced

For each matched user:

* Microsoft Teams User ID (internal identifier)
* Email address
* Display name
* Last sync timestamp

#### What Doesn't Get Synced

EvalFlow does **NOT** access or store:

* Passwords or authentication credentials
* Teams messages or chat history
* Email contents
* OneDrive files
* Calendar events
* Any personal data beyond name and email

***

### Troubleshooting

#### "Admin consent required" Error

**Cause:** You don't have sufficient permissions in Microsoft 365

**Solution:**

1. Contact your **Global Administrator** or **Teams Service Administrator**
2. Ask them to complete the Teams integration setup
3. They can access EvalFlow → Settings → Integrations → Connect to Microsoft Teams

#### Users Not Syncing

**Cause:** Email addresses don't match between EvalFlow and Microsoft 365

**Solution:**

1. Go to **Settings → Integrations → Teams**
2. Check the **User Mappings** table
3. Verify email addresses match exactly in both systems
4. Update user emails in EvalFlow if needed
5. Click **Sync Users** again

#### "Integration disconnected" Message

**Cause:** Admin consent was revoked or expired

**Solution:**

1. Click **Reconnect to Teams**
2. Complete the admin consent flow again
3. All existing user mappings will be preserved

#### Sync Failed with No Error

**Cause:** Temporary connectivity issue with Microsoft services

**Solution:**

1. Wait 5 minutes and try again
2. Click **Sync Users** manually
3. If issue persists, check [Microsoft 365 Service Health](https://admin.microsoft.com/Adminportal/Home#/servicehealth)

***

### Security & Compliance

#### Authentication Method

EvalFlow uses **OAuth 2.0**, Microsoft's recommended standard for secure application authentication. This means:

* ✓ No user passwords are ever shared with EvalFlow
* ✓ All authentication is handled by Microsoft's secure infrastructure
* ✓ Access tokens are encrypted and securely managed
* ✓ Each organization's data is completely isolated
* ✓ Integration can be revoked instantly by your IT administrator

#### Data Storage

**What we store:**

* Teams User IDs (for identity matching)
* User email addresses and display names
* Integration status and sync timestamps

**What we don't store:**

* User passwords or credentials
* Message contents or chat history
* Email contents or attachments
* Files or documents
* Calendar information
* Any personal data beyond what's necessary for user matching

#### Audit & Compliance

* All API calls to Microsoft Graph are logged in your **Microsoft 365 Audit Logs**
* You can review integration activity in **Azure AD → Sign-ins**
* Integration can be revoked instantly via **Azure AD → Enterprise Applications**

#### Revoking Access

To disconnect the Teams integration:

**Option 1: From EvalFlow**

1. Go to Settings → Integrations → Teams
2. Click **Disconnect**
3. Confirm disconnection

**Option 2: From Azure AD**

1. Go to [Azure Portal](https://portal.azure.com)
2. Navigate to **Azure Active Directory → Enterprise Applications**
3. Find **EvalFlow** in the list
4. Click **Permissions** → **Revoke admin consent**

***

### Data Residency & Compliance

#### Data Processing

* Integration operates in compliance with Microsoft's data protection standards
* No Teams message content is processed or stored
* User directory information (names, emails) is processed solely for identity matching
* All data handling follows industry-standard encryption practices

#### Compliance Frameworks

EvalFlow maintains security controls aligned with:

* SOC 2 Type II standards
* GDPR requirements for EU customers
* Industry best practices for data protection

For detailed compliance documentation or specific regulatory requirements, please contact <info@evalflow.com>.

***

### Multi-Tenant Support

If your organization uses multiple Microsoft 365 tenants:

* Each tenant requires separate admin consent
* User mappings are isolated per tenant
* Contact your account manager for enterprise tenant management options

***

### API Rate Limits

Microsoft Graph API enforces rate limits to ensure service stability. EvalFlow handles these automatically:

* User sync operations are optimized to stay within Microsoft's limits
* Large organizations may experience initial sync times of 2-5 minutes
* Failed requests are automatically retried
* Sync frequency is balanced between data freshness and API efficiency

***

### Best Practices

#### For IT Administrators

✓ **Review permissions** before granting consent - understand what each permission does\
✓ **Test with a pilot group** before rolling out company-wide\
✓ **Monitor audit logs** in Azure AD for the first week after setup\
✓ **Document the integration** in your internal IT knowledge base\
✓ **Set up alerts** for any permission changes in Azure AD

#### For EvalFlow Administrators

✓ **Sync users regularly** to keep mappings up-to-date\
✓ **Verify email accuracy** in both systems before syncing\
✓ **Test notifications** with a small group first\
✓ **Review user mappings** after each sync to catch issues early

***

### Support

#### Documentation

* [Microsoft Teams Admin Center](https://admin.teams.microsoft.com)
* [Azure AD Portal](https://portal.azure.com)
* [Microsoft Graph API Documentation](https://learn.microsoft.com/en-us/graph/)

#### Contact EvalFlow Support

For integration issues, please contact:

* **Email:** <info@evalflow.com>
* **In-app chat:** Click the help icon in the bottom-right corner
* Include your organization name and a description of the issue

When reporting issues, helpful information includes:

* Error messages (screenshot or exact text)
* When the issue started occurring
* Number of users affected
* Recent changes to your Microsoft 365 setup

***

### Frequently Asked Questions

**Q: Can EvalFlow read our Teams messages?**\
A: No. EvalFlow can only send notifications to users. We cannot read message history or channel conversations.

**Q: What happens if an admin who granted consent leaves the company?**\
A: The integration continues working. Admin consent is granted to the application, not tied to a specific user account.

**Q: Can we limit which users are synced?**\
A: Currently, all active users in your Microsoft 365 directory are included in the sync. User filtering based on groups is on our roadmap.

**Q: How often does the sync run?**\
A: Automatically every hour. You can also trigger manual syncs anytime from Settings → Integrations.

**Q: Does this work with Microsoft 365 Government (GCC)?**\
A: Standard commercial Microsoft 365 only. Contact us for GCC/GCC-High requirements.

**Q: Can I use Teams integration with SSO/SAML login?**\
A: Yes, Teams integration works independently of your EvalFlow login method.

***

### Version History

**Last Updated:** January 2026\
**Integration Version:** 2.0 (Client Credentials Flow)

#### Recent Changes

* Improved reliability for large organizations (1000+ users)
* Enhanced error messages for easier troubleshooting
* Faster sync performance for initial setup
* Better handling of multi-tenant scenarios