Microsoft Teams
Connect Cardinal to Microsoft Teams so the AI agent can resolve users and channels in your tenant and post messages to them on demand. You register an Entra app in your own Microsoft 365 tenant, grant admin consent on it, and paste the resulting credentials into Cardinal — no Cardinal-hosted Microsoft assets, no third-party multi-tenant app to trust.
Overview
With the Microsoft Teams integration, the AI agent can:
- Find a user by display name, given name, surname, UPN, or email
- Find a standard channel by name, optionally narrowed to a specific team
- Send a 1:1 message to a user the agent has resolved
- Send a top-level message to a standard channel the agent has resolved
The agent uses bot delivery — your Entra app installs in a user’s personal scope (for 1:1 sends) or in a team (for channel sends) and proactively posts from there.
What changed for v1
The previous Teams integration relied on a customer-supplied incoming webhook URL (an Office 365 connector). Microsoft has retired that path: connector incoming webhooks roll out of Teams between May 18 and May 22, 2026 (Microsoft retirement announcement ). Cardinal removed connector webhook support along with the rollout.
The replacement is agent (bot) delivery backed by your own Entra app:
- Capability is now
Agent, notNotify. - You register an Entra app in your tenant and paste
(tenantId, clientId, clientSecret)into Cardinal. - Cardinal mints Microsoft Graph tokens against your tenant directly. There is no Cardinal-side Microsoft asset and no Cardinal-controlled trust path — important for airgapped on-prem deployments.
If you previously configured a Teams alerting webhook, that path no longer works — set up the agent app instead.
Capabilities
| Capability | Enabled |
|---|---|
| Agent | When the OAuth triple is set and admin consent has been granted on the customer’s Entra app |
v1 scope
Supported:
- 1:1 user messages (target identified by Microsoft Entra object id, not UPN)
- Standard-channel messages (top-level thread, no replies)
Out of scope in v1:
- Private channels
- Shared channels
- Group chats
- Threaded replies, message edits, message deletes
- Adaptive Cards / attachments — plain text only
- Reading channel/chat history
- Presence and status lookups
Configuration
Credentials
| Field | Required | Description |
|---|---|---|
| Tenant ID | Yes | Your Microsoft Entra directory (tenant) ID — a UUID |
| Client ID | Yes | The application (client) ID of the Entra app you registered for Cardinal |
| Client Secret | Yes | A client secret on that app (Cardinal stores it encrypted; never returned in API responses) |
Either all three are set or all three are absent. A partial triple is rejected at create/update time so a hand-edited row can’t sit in a half-broken state.
Prerequisites
- A Microsoft 365 tenant with Entra admin privileges
- The ability to register an Entra app in that tenant and grant admin consent on it
- Network egress from Maestro to
login.microsoftonline.comandgraph.microsoft.com(your network team may need to allow these in airgapped or restricted-egress deployments)
Entra app registration
- Sign in to the Microsoft Entra admin center as a tenant admin.
- Go to Identity → Applications → App registrations and click New registration.
- Name the app something memorable (e.g.,
Cardinal Teams Agent). - Supported account types: choose Accounts in this organizational directory only. The app does not need to be multi-tenant.
- Leave Redirect URI blank — the integration uses the OAuth client-credentials grant, not a redirect flow.
- Click Register. Copy the Application (client) ID and Directory (tenant) ID from the Overview page.
Required Graph API permissions
Open the app’s API permissions page and grant these application permissions (not delegated):
| Permission | Used by |
|---|---|
User.Read.All | find_user (directory lookups) |
Team.ReadBasic.All | find_channel (team enumeration) |
Channel.ReadBasic.All | find_channel (channel enumeration) |
TeamsAppInstallation.ReadWriteSelfForUser.All | send_message (install in personal scope before 1:1 send) |
TeamsAppInstallation.ReadWriteSelfForTeam.All | send_message (install in team scope before channel send) |
Click Grant admin consent for [your tenant]. The status column should turn green for every permission.
Client secret
On the app’s Certificates & secrets page, click New client secret, give it a description and an expiry, and copy the value immediately — Microsoft displays it only once. This is the Client Secret Cardinal stores.
Setup
- In Cardinal, navigate to Settings → Integrations and click Add Integration.
- Select Microsoft Teams.
- Enter a Name and Slug for the integration.
- Paste your Tenant ID, Client ID, and Client Secret.
- Click Test Connection to verify Cardinal can mint a Graph token and reach the directory.
- Click Save.
How send_message addresses targets
For users, the agent must use the Microsoft Entra object id returned by find_user — not the UPN, not the email address. Microsoft’s bot APIs use the object id as the durable proactive-send key.
For channels, the agent uses the (team_id, channel_id) pair returned by find_channel. The same channel name (e.g., general) can exist in many teams; the team id disambiguates.
Errors you might see
The agent surfaces a small, actionable error vocabulary:
| Code | Meaning | Action |
|---|---|---|
teams_not_connected | The integration row has no credentials, or only a partial triple | Re-enter all three fields and Save |
AADSTS70011 | Microsoft rejected the tenant id | Confirm the Tenant ID matches your Entra directory id |
AADSTS7000215 | Wrong or expired client secret | Generate a new secret in Entra and update the integration |
AADSTS65001 | Admin consent has not been granted on the Entra app | Click Grant admin consent on the app’s API permissions page |
consent_missing | Token minted, but Graph rejected the call | One of the required permissions is missing or not consented to |
teams_app_not_installed | The Cardinal Teams app couldn’t be installed in the target’s scope (or bot delivery isn’t yet provisioned in this Cardinal deployment) | Confirm install permissions on the Entra app; contact Cardinal if the error persists |
unsupported_target | The agent tried to address a private/shared channel, a group chat, or an unknown target type | Address a user or a standard channel instead |
message_delivery_blocked | The user has blocked the bot or restricted bot delivery in their personal scope | Ask the user to re-enable the Cardinal Teams app |
Reach out to support@cardinalhq.io for support or to ask questions not answered in our documentation.