Protect sensitive information shared in Microsoft Teams. Automatically redact PII from chat messages, shared files, and meeting transcripts with seamless integration.
Complete Teams protection
Monitor and redact PII in channel and private chat messages in real-time.
Process files shared in Teams with automatic redaction before distribution.
Redact PII from meeting recordings and auto-generated transcripts.
Deploy as a Teams bot for user-initiated redaction workflows.
Complement Microsoft DLP with actual PII removal, not just alerts.
Redact Teams data during eDiscovery and compliance exports.
Microsoft Teams has become central to workplace communication, with hundreds of millions of users collaborating through chat, meetings, and file sharing. This concentration of communication inevitably includes sensitive personal information—customer details shared in support channels, employee data discussed in HR teams, financial information in deal discussions. The real-time, informal nature of chat communication makes it particularly likely that PII is shared without the careful consideration applied to formal documents.
Our Microsoft Teams integration brings automated PII protection directly into your collaboration environment. Messages can be monitored and redacted in real-time, files processed before wide distribution, and meeting transcripts sanitized for compliance archives. Whether you need proactive protection for active communications or remediation of historical data, the integration ensures Teams remains a productive collaboration space while meeting privacy requirements.
The integration connects through Microsoft Graph API:
Components:
// Integration flow
1. Message sent in Teams channel or chat
2. Change notification triggers Azure Function
3. Function retrieves full message content
4. Message sent to RedactionAPI
5. If PII detected, message updated via Graph API
6. Audit log entry created
Step 1: Azure AD App Registration
// Required Graph API permissions
{
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "ChannelMessage.Read.All",
          "type": "Role"
        },
        {
          "id": "ChannelMessage.UpdatePolicyViolation.All",
          "type": "Role"
        },
        {
          "id": "Chat.Read.All",
          "type": "Role"
        },
        {
          "id": "Chat.UpdatePolicyViolation.All",
          "type": "Role"
        }
      ]
    }
  ]
}
Step 2: Create Change Notification Subscription
POST https://graph.microsoft.com/v1.0/subscriptions
{
  "changeType": "created,updated",
  "notificationUrl": "https://your-function.azurewebsites.net/api/teamsWebhook",
  "resource": "/teams/getAllMessages",
  "expirationDateTime": "2024-02-15T00:00:00Z",
  "clientState": "secretClientValue",
  "includeResourceData": true,
  "encryptionCertificate": "...",
  "encryptionCertificateId": "..."
}
Step 3: Deploy Processing Function
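// Azure Function for message processing
// redactionClient, graphClient and decryptResourceData are assumed to be
// initialized elsewhere in the function app.
module.exports = async function (context, req) {
  // Validate subscription: echo the token back as plain text
  if (req.query.validationToken) {
    return {
      status: 200,
      headers: { 'Content-Type': 'text/plain' },
      body: req.query.validationToken
    };
  }
  const notifications = req.body.value;
  for (const notification of notifications) {
    // Skip notifications that do not echo the subscription's clientState
    // (CLIENT_STATE is an assumed app setting holding that value)
    if (notification.clientState !== process.env.CLIENT_STATE) {
      continue;
    }
    // Decrypt resource data
    const messageData = decryptResourceData(notification);
    // Check if message contains PII
    const detection = await redactionClient.detect({
      text: messageData.body.content,
      types: ['pii']
    });
    if (detection.hasPII) {
      // Redact the message
      const redacted = await redactionClient.redact({
        text: messageData.body.content
      });
      // Update message in Teams
      // notification.resource is already the full path to the message
      await graphClient
        .api(`/${notification.resource}`)
        .update({
          body: {
            content: redacted.text
          },
          policyViolation: {
            policyTip: {
              generalText: "PII has been automatically redacted from this message."
            },
            verdictDetails: "EDIT"
          }
        });
    }
  }
  // Acknowledge the notification batch
  return { status: 202 };
};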
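
The function above calls `decryptResourceData` without defining it. The following is an added example, not the vendor's code, of that step following Microsoft's documented scheme for encrypted rich notifications; the second parameter, `buildSampleNotification` and `demo` are assumptions made so it runs offline.

```javascript
const crypto = require('node:crypto');

// Decrypts notification.encryptedContent from a Graph rich notification.
// privateKey (assumed parameter): the key matching the certificate that was
// supplied as encryptionCertificate when the subscription was created.
function decryptResourceData(notification, privateKey) {
  const enc = notification.encryptedContent;
  // 1. Unwrap the symmetric key: RSA-OAEP (Node's default OAEP hash is SHA-1).
  const key = crypto.privateDecrypt(
    { key: privateKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING },
    Buffer.from(enc.dataKey, 'base64'));
  // 2. Verify the HMAC-SHA256 signature over the ciphertext before decrypting.
  const data = Buffer.from(enc.data, 'base64');
  const mac = crypto.createHmac('sha256', key).update(data).digest();
  const sig = Buffer.from(enc.dataSignature, 'base64');
  if (sig.length !== mac.length || !crypto.timingSafeEqual(sig, mac)) {
    throw new Error('dataSignature mismatch');
  }
  // 3. Decrypt: AES-256-CBC, PKCS7 padding, IV = first 16 bytes of the key.
  const decipher = crypto.createDecipheriv('aes-256-cbc', key, key.subarray(0, 16));
  const plain = Buffer.concat([decipher.update(data), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Constructed sample: encrypts `message` the same way, so the function above
// can be exercised offline with a throwaway RSA key pair.
function buildSampleNotification(publicKey, message) {
  const key = crypto.randomBytes(32);
  const cipher = crypto.createCipheriv('aes-256-cbc', key, key.subarray(0, 16));
  const data = Buffer.concat([cipher.update(JSON.stringify(message), 'utf8'), cipher.final()]);
  const dataKey = crypto.publicEncrypt(
    { key: publicKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING }, key);
  return { encryptedContent: {
    data: data.toString('base64'),
    dataKey: dataKey.toString('base64'),
    dataSignature: crypto.createHmac('sha256', key).update(data).digest('base64'),
  } };
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const sample = { id: '1', body: { content: 'constructed sample message' } };
  return decryptResourceData(buildSampleNotification(publicKey, sample), privateKey);
}
```

A notification whose signature does not verify is rejected before any decryption is attempted, so tampered payloads never reach the redaction call.
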
Monitor and redact messages in Teams channels:
// Message detection and redaction
Original message:
"Please contact John Smith at [email protected] or 555-123-4567"
Processed message:
"Please contact [NAME] at [EMAIL] or [PHONE]"
// Policy tip displayed to users (optional)
"This message was modified for compliance. PII has been redacted."
// Message appears edited with redacted content
// Original message preserved in compliance archive (configurable)
Channel Configuration:
{
  "channels": {
    "monitor_all": false,
    "specific_channels": [
      {
        "teamId": "team-id-123",
        "channelId": "channel-id-456",
        "policies": {
          "redaction_types": ["pii", "phi"],
          "action": "redact_and_notify"
        }
      }
    ],
    "exclude_channels": [
      "general-chat-channel-id" // Less sensitive
    ]
  }
}
Handle 1:1 and group chats with appropriate governance:
// Private chat monitoring requires careful governance
{
  "private_chats": {
    "enabled": true, // Requires clear organizational policy
    "compliance_recording": true,
    "user_notification": true, // Inform users of monitoring
    "policies": {
      "default": "detect_and_log", // Log without modifying
      "high_risk_users": "redact" // Sales, support roles
    }
  }
}
// User notification banner (recommended)
"Messages in this organization may be monitored for compliance purposes."
Redact PII from meeting recordings and transcripts:
// Meeting transcript location
// Stored in OneDrive: /Recordings folder
// Processing workflow
1. Meeting ends, recording/transcript saved
2. SharePoint webhook triggers processing
3. Download transcript (.vtt or .docx format)
4. Redact PII from transcript
5. Update transcript file
6. Optionally process video captions
// Transcript redaction
Original:
"00:01:23.000 --> 00:01:28.000
John Smith: My phone number is 555-1234, call me."
Redacted:
"00:01:23.000 --> 00:01:28.000
[SPEAKER]: My phone number is [PHONE], call me."
Meeting Processing Options:
{
  "meeting_processing": {
    "transcripts": true,
    "captions": true,
    "recording_metadata": true,
    "redact_speaker_names": false, // Usually keep for context
    "options": {
      "preserve_timestamps": true,
      "output_format": "vtt"
    }
  }
}
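
The transcript step with `preserve_timestamps` and `redact_speaker_names`, as an added example that is not the vendor's code. `redactText` is a regex stand-in for the RedactionAPI call, and `redactVtt` and `SAMPLE_VTT` are assumed names.

```javascript
// Stand-in for the RedactionAPI call (assumption): two regexes, so this runs offline.
const redactText = (s) => s
  .replace(/[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g, '[EMAIL]')
  .replace(/\b(?:\d{3}[-.\s])?\d{3}[-.\s]\d{4}\b/g, '[PHONE]');

// Redacts cue text in a WebVTT transcript. The header, cue identifiers and
// timing lines pass through unchanged, so cues stay aligned with the recording.
function redactVtt(vtt, { redactSpeakerNames = false } = {}) {
  const timing = /^(?:\d{2,}:)?\d{2}:\d{2}\.\d{3}\s+-->\s+/;
  // A kept speaker label is still scanned, in case it is not really a name.
  const speaker = (name) => (redactSpeakerNames ? '[SPEAKER]' : redactText(name));
  let inCue = false;
  return vtt.split(/\r?\n/).map((line) => {
    if (line.trim() === '') { inCue = false; return line; } // blank line ends a cue
    if (timing.test(line)) { inCue = true; return line; }
    if (!inCue) return line; // WEBVTT header, NOTE block or cue identifier
    const voice = line.match(/^<v\s+([^>]+)>(.*)$/); // "<v Name>text</v>"
    if (voice) return `<v ${speaker(voice[1])}>${redactText(voice[2])}`;
    const label = line.match(/^([^:<]{1,60}):\s(.*)$/); // "Name: text"
    if (label) return `${speaker(label[1])}: ${redactText(label[2])}`;
    return redactText(line);
  }).join('\n');
}

// Constructed sample transcript, modelled on the cue shown above.
const SAMPLE_VTT = [
  'WEBVTT',
  '',
  '00:01:23.000 --> 00:01:28.000',
  'John Smith: My phone number is 555-1234, call me.',
  '',
  '00:01:29.000 --> 00:01:33.000',
  '<v Jane Doe>Mail it to jane.doe@example.com instead.</v>',
].join('\n');
```
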
Files shared in Teams are stored in SharePoint:
// Files in Teams channels → SharePoint document library
// Files in chats → Sender's OneDrive
// Integration with SharePoint processing
{
  "file_processing": {
    "channel_files": {
      "enabled": true,
      "trigger": "on_upload",
      "library_path": "/sites/TeamSite/Shared Documents"
    },
    "chat_files": {
      "enabled": true,
      "process_in_onedrive": true
    }
  }
}
See SharePoint integration for detailed file processing configuration.
Deploy a bot for user-initiated redaction:
// Bot capabilities
1. User mentions bot to redact specific message
2. User sends file to bot for redaction
3. User requests redaction report
4. Admin uses bot for bulk operations
// Bot interaction example
User: @RedactBot please redact this message
Bot: I've reviewed this message and redacted 2 items:
- 1 email address
- 1 phone number
The message has been updated.
Bot Manifest Configuration:
{
  "bots": [
    {
      "botId": "your-bot-id",
      "scopes": ["team", "personal", "groupchat"],
      "supportsFiles": true,
      "commandLists": [
        {
          "commands": [
            {
              "title": "redact",
              "description": "Redact PII from the replied message"
            },
            {
              "title": "scan",
              "description": "Scan a message for PII without redacting"
            },
            {
              "title": "report",
              "description": "Get redaction activity report"
            }
          ]
        }
      ]
    }
  ]
}
Work alongside Microsoft 365 DLP:
// Microsoft DLP → Detect and alert
// RedactionAPI → Remediate by removing PII
// Integration approach 1: DLP triggers redaction
1. Microsoft DLP detects policy violation
2. DLP alert triggers Power Automate flow
3. Flow calls RedactionAPI to redact
4. Message updated with redacted content
// Integration approach 2: Parallel processing
1. RedactionAPI monitors messages in real-time
2. Redact PII before DLP even detects
3. DLP sees clean messages, fewer alerts
4. Both systems log for compliance
Power Automate Flow:
Trigger: When a DLP policy match is detected
↓
Action: Get message content (Graph API)
↓
Action: Redact text (RedactionAPI)
↓
Action: Update message (Graph API)
↓
Action: Log to compliance system
Process Teams data for legal and compliance:
// eDiscovery export processing
1. Compliance admin creates Content Search
2. Export Teams messages and files
3. Process export through RedactionAPI
4. Redact privileged or third-party PII
5. Produce for legal review
// Configuration for eDiscovery
{
  "ediscovery": {
    "preserve_metadata": true,
    "redact_third_party_pii": true,
    "preserve_relevant_parties": ["[email protected]"],
    "output_format": "pst", // or "msg", "html"
    "include_audit_trail": true
  }
}
Process rich content in Adaptive Cards:
// Adaptive Cards may contain PII in various elements
{
  "type": "AdaptiveCard",
  "body": [
    {
      "type": "TextBlock",
      "text": "Customer: John Smith" // PII here
    },
    {
      "type": "FactSet",
      "facts": [
        { "title": "Email", "value": "[email protected]" }, // PII
        { "title": "Phone", "value": "555-1234" } // PII
      ]
    }
  ]
}
// We parse and process card structure
// Redact PII while preserving card formatting
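
A structure-preserving pass over a card like the one above, as an added example that is not the vendor's code. `redactCard`, `TEXT_KEYS`, `standInRedact` and `SAMPLE_CARD` are assumed names, and the regex detector stands in for the redaction service.

```javascript
// Keys whose string values are displayed to users. Structural keys (type, id,
// url, style, ...) are left alone so the card still validates and renders.
const TEXT_KEYS = new Set([
  'text', 'title', 'value', 'altText', 'label', 'placeholder', 'fallbackText', 'speak',
]);

// Returns a redacted copy of the card plus the JSON paths that were changed
// (useful for the audit entry). The input card is not mutated.
function redactCard(card, redact) {
  const changed = [];
  const walk = (node, path) => {
    if (Array.isArray(node)) return node.map((n, i) => walk(n, `${path}[${i}]`));
    if (node === null || typeof node !== 'object') return node;
    const out = {};
    for (const [key, value] of Object.entries(node)) {
      const here = path ? `${path}.${key}` : key;
      if (typeof value === 'string' && TEXT_KEYS.has(key)) {
        out[key] = redact(value);
        if (out[key] !== value) changed.push(here);
      } else {
        out[key] = walk(value, here);
      }
    }
    return out;
  };
  return { card: walk(card, ''), changed };
}

// Stand-in detector (assumption): e-mail addresses and NNN-NNNN phone numbers
// only. Names such as "John Smith" need the real detection service.
const standInRedact = (s) => s
  .replace(/[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g, '[EMAIL]')
  .replace(/\b\d{3}-\d{4}\b/g, '[PHONE]');

// Constructed card modelled on the one above; the address is a placeholder.
const SAMPLE_CARD = {
  type: 'AdaptiveCard',
  body: [
    { type: 'TextBlock', text: 'Customer: John Smith, phone 555-1234' },
    { type: 'FactSet', facts: [
      { title: 'Email', value: 'customer@example.com' },
      { title: 'Phone', value: '555-1234' },
    ] },
  ],
  actions: [{ type: 'Action.OpenUrl', title: 'Open ticket', url: 'https://example.com/t/555-1234' }],
};
```

URLs are deliberately not rewritten here, since that would break the link; a deployment that allows PII in URLs needs a separate rule for them.
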
// Comprehensive audit logging
{
  "timestamp": "2024-01-15T10:30:00Z",
  "eventType": "MessageRedacted",
  "platform": "MicrosoftTeams",
  "location": {
    "teamId": "team-123",
    "channelId": "channel-456",
    "messageId": "msg-789"
  },
  "sender": "[email protected]",
  "detections": {
    "email": 1,
    "phone": 1
  },
  "action": "redacted",
  "policyApplied": "default_pii"
}
// Integration with Microsoft 365 audit log
// Events logged to Unified Audit Log for compliance
Organization-Wide:
// Admin consent for all users
// All teams and channels monitored
// Requires clear organizational communication
Permissions: Application permissions (no user context)
Deployment: Admin-only configuration
User visibility: Policy tip on modified messages
Specific Teams/Channels:
// Deploy to specific teams requiring protection
// HR team, Finance team, Customer Support
Configuration:
{
  "scope": "specific_teams",
  "teams": ["team-id-1", "team-id-2"],
  "exclude_channels": ["general"]
}
User-Initiated:
// Users install bot personally
// Redact on request only
// Lower governance overhead
Bot installation: Personal or team scope
Processing: Only when user invokes bot
Use case: Self-service compliance tool
The integration uses Microsoft Graph API to access Teams content. Messages can be processed in near real-time via webhooks, or historically via the API. Files are processed through SharePoint/OneDrive integration. A Teams bot provides user-facing interaction.
Yes, via the Graph API we can update message content to replace PII. The original message is modified—users see the redacted version. For compliance, original content can be archived before redaction.
Meeting recordings and auto-generated transcripts are stored in OneDrive/SharePoint. We process these files, redacting PII from the transcript and optionally the video captions. Recording audio/video can be processed for visible text.
With appropriate admin consent and compliance requirements, private chat messages can be accessed via Graph API for processing. We recommend clear organizational policies and communication about monitoring for compliance.
Yes, our integration complements Microsoft's DLP. While Microsoft DLP alerts on policy violations, our service actually removes the PII. Use DLP for detection and alerting, then trigger our redaction for remediation.
The integration requires Graph API permissions including ChannelMessage.ReadWrite.All for channels and Chat.ReadWrite.All for chats. Files require SharePoint/OneDrive permissions. Admin consent is required for organization-wide deployment.