Overview
TOTAL collects collaboration and communication events from Microsoft Teams via Microsoft Graph API change notifications (webhooks). Events are streamed in real time — when a message is sent, a meeting occurs, or a membership changes, TOTAL receives the notification within seconds. We collect metadata only — message content is never accessed or stored. Connector Type: Streaming (Webhooks via Microsoft Graph Change Notifications)Prerequisites
- Microsoft Entra ID (Azure AD) access with Application Administrator or Global Administrator role
- Microsoft Teams enabled and actively used in your organization
- Microsoft 365 E3/E5 or equivalent license (for Graph API access)
- Approximately 20 minutes to complete setup
Step 1: Register an Application in Entra ID
- Sign in to the Azure Portal
- Navigate to Microsoft Entra ID → App registrations
- Click New registration
- Enter:
- Name:
TruU TOTAL - Teams Integration - Supported account types: Accounts in this organizational directory only
- Redirect URI: Leave blank
- Name:
- Click Register
- On the app’s Overview page, copy:
- Application (client) ID
- Directory (tenant) ID
- Paste the Client ID and Tenant ID into the TruU Portal
Step 2: Create a Client Secret
- In your App Registration, go to Certificates & secrets
- Click New client secret
- Enter:
- Description:
TOTAL Teams integration - Expires: Choose your organization’s preferred expiry
- Description:
- Click Add
- Immediately copy the secret Value — it will only be shown once
- Paste the Client Secret value into the TruU Portal
Step 3: Grant API Permissions
- In the App Registration, click API permissions
- Click Add a permission → Microsoft Graph → Application permissions
- Add the following permissions:
ChannelMessage.Read.All— Read Teams channel messages (metadata)Chat.Read.All— Read chat metadataTeam.ReadBasic.All— Read team propertiesTeamMember.Read.All— Read team membershipOnlineMeetings.Read.All— Read meeting metadataCallRecords.Read.All— Read call/meeting recordsUser.Read.All— Read user profiles for identity resolution
- Click Add permissions
- Click Grant admin consent for [Your Organization]
- Click Yes to confirm
All permissions are read-only. TOTAL cannot send messages, create teams, schedule meetings, or modify any Teams resources.
Step 4: Verify Connectivity
Once credentials are entered in the TruU Portal:- Click Test Connection — TOTAL will validate the credentials and confirm Graph API access
- TOTAL will automatically create webhook subscriptions for your Teams resources
- Real-time event streaming will begin within minutes
Webhook subscriptions are automatically renewed by TOTAL before they expire. No manual maintenance is required.
Security & Privacy
What We Access
- Read-only access to Teams event metadata via Microsoft Graph webhooks
- Channel message metadata (sender, timestamp, channel — not message content)
- Team membership changes
- Meeting metadata (participants, duration, join/leave times)
- Call records (participants, duration, modality)
What We Don’t Have Access To
- Message content (body text, subject lines)
- Private chat content
- File contents shared in Teams
- Screen sharing or recording content
- User passwords or authentication tokens
Updating or Rotating Credentials
Rotate Client Secret (Recommended: Before expiry)
- In Azure Portal, go to Entra ID → App registrations →
TruU TOTAL - Teams Integration - Go to Certificates & secrets
- Click New client secret (create the new one before deleting the old one)
- Copy the new secret value
- Paste the new secret in the Teams section in the TruU Portal
- After TOTAL confirms the new secret is active, delete the old secret
Revoke Access
To immediately remove TOTAL’s access:- Option A — Disable in the TruU Portal
- Option B — Remove the App Registration’s API permissions in Entra ID
- Option C — Delete the App Registration entirely
Rate Limiting & Scalability
Microsoft Graph Rate Limits (Teams)
| Parameter | Limit |
|---|---|
| Global Graph API limit | 130,000 requests per 10 seconds per app |
| Teams subscription limit | 10,000 total subscriptions per organization |
| Subscription max lifetime | 60 minutes (auto-renewed) |
| Throttle response | HTTP 429 with Retry-After header |
Ingestion Capacity
Teams uses a streaming/webhook model — Microsoft pushes change notifications to TOTAL in near real-time, so throughput is not constrained by polling rate limits. TOTAL uses tenant-wide subscription resources (e.g.,/teams/getAllMessages) to minimize subscription count well below the 10,000 limit. A large enterprise with 100K+ users typically generates 3M–15M Teams events/day. Webhook delivery capacity is effectively unlimited.
Event Freshness
Microsoft delivers change notifications within seconds of the event. TOTAL acknowledges and processes them immediately. End-to-end latency from event occurrence to TOTAL processing is typically under 10 seconds.Resilience
TOTAL acknowledges webhook notifications immediately and processes them in the background. If the webhook endpoint is temporarily unavailable, Microsoft retries delivery with exponential backoff for up to 4 hours. Subscriptions are auto-renewed before their 60-minute expiry. If a subscription lapses, TOTAL creates a new one and performs a catch-up poll via the Graph API delta query to fill any gap. For outages exceeding 4 hours (beyond Microsoft’s retry window), the same delta query mechanism ensures no events are permanently lost.Connector Design
TOTAL’s webhook endpoint acknowledges notifications immediately and processes them asynchronously. Events are batched and published in per-user order to preserve sequence integrity for persona building. The webhook service scales horizontally behind a load balancer. All subscription scopes and batching parameters are tunable from the TruU Portal.Part 2: Event Types & Data Schema
Signal Classification
| Signal Class | TOTAL Category |
|---|---|
| Communications | Activity, Collaboration |
Event Types We Ingest
TOTAL subscribes to the following Microsoft Graph change notification resources for Teams. Every event is tied to a human identity — the user who sent the message, joined the meeting, or modified the team. Bot and application-generated events are excluded.Channel Message Events
| Graph Resource | Change Types | Description | TOTAL Classification |
|---|---|---|---|
/teams/{id}/channels/{id}/messages | created | New message posted in a channel | Activity |
/teams/{id}/channels/{id}/messages | updated | Message edited in a channel | Activity |
/teams/{id}/channels/{id}/messages | deleted | Message deleted from a channel | Activity |
/teams/getAllMessages | created, updated, deleted | All messages across all teams (tenant-wide) | Activity |
Chat Events
| Graph Resource | Change Types | Description | TOTAL Classification |
|---|---|---|---|
/chats/getAllMessages | created, updated, deleted | Chat message events across all chats | Activity |
/chats | created, updated | New chat created or chat properties updated | Activity |
/chats/{id}/members | created, deleted | Members added/removed from a chat | Activity |
Team & Channel Membership Events
| Graph Resource | Change Types | Description | TOTAL Classification |
|---|---|---|---|
/teams | created, updated, deleted | User created, updated, or deleted a team | Admin |
/teams/{id}/channels | created, updated, deleted | User created, updated, or deleted a channel | Admin |
/teams/{id}/members | created, updated, deleted | User added/removed a member or changed a member’s role | Admin |
Meeting & Call Events
| Graph Resource | Change Types | Description | TOTAL Classification |
|---|---|---|---|
/communications/callRecords | created | User participated in a call or meeting | Activity |
/communications/onlineMeetings | created, updated | User created or updated an online meeting | Activity |
/communications/callRecords/{id}/sessions | — | Individual user session details within a call | Activity |
Presence Events
| Graph Resource | Change Types | Description | TOTAL Classification |
|---|---|---|---|
/communications/presences/{id} | updated | User presence status changed | Activity |
Sample Source Event (Microsoft Graph Change Notification — Channel Message)
TOTAL Normalized Event
How This Feeds TOTAL
Persona Building
Teams events define a user’s communication graph and collaboration pattern — who they message, which channels they’re active in, what meetings they attend, and when they’re online. This forms a behavioral fingerprint of each identity’s normal collaboration routine, including peer networks, working hours, and communication cadence.Anomaly Detection
TOTAL’s behavioral engine uses Teams events to detect:- Communication graph anomalies — sudden messaging with users outside normal peer networks, indicating potential collusion or account takeover
- Insider threat indicators — unusual file sharing patterns, bulk data sharing in channels, or communication with external contacts that deviates from baseline
- Low-and-slow activity — gradual shifts in communication patterns that represent behavioral precursors to exploitation
- Working hours drift — activity outside established patterns that may indicate compromised credentials being used from a different time zone
- Collaboration pattern breaks — sudden absence from regular channels/meetings combined with activity in unusual contexts