> ## Documentation Index
> Fetch the complete documentation index at: https://docs.devinenterprise.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Microsoft Teams
> Chat and collaborate with Devin directly in Microsoft Teams
Tag **@Devin** in Microsoft Teams as soon as bugs, feature requests, and questions come in. Devin responds in-thread with updates and questions when it's tagged.
## Get started
### Installation
1. Go to [Settings > Integrations](https://app.devin.ai/settings/integrations) and select **Microsoft Teams**
2. Click "Connect"
3. You’ll be prompted to install the Devin app for Microsoft Teams in your tenant and/or target Team
4. Make sure to link your individual user. All users in your organization will need to complete this step to use Devin
5. Mention `@Devin` in a Team channel or chat to start a session
> Note: For Devin to work for each user, every individual must connect their own account in the Devin dashboard (Settings > Integrations). This lets Devin associate their Microsoft Teams identity with their Devin user.
### How to use Devin from Microsoft Teams
Once you’ve installed the Microsoft Teams integration, simply trigger Devin with `@Devin` in any Team channel.
Devin will respond in-thread to your session. You can communicate back and forth just like in the regular Devin chat interface.
*Note that Devin may make mistakes. Please double-check responses.*
### Inline Teams Keywords & Functions
| Keyword | Function |
| ------------------- | -------------------------------------------------------------------------------------------- |
| `!ask` | Begin your message with !ask to get a quick codebase answer without starting a full agent |
| `!deep` | Get a deeper research answer using advanced search |
| `mute` | Prevents Devin from seeing further messages in the thread |
| `unmute` | Reverses the above |
| `(aside)`, `!aside` | Causes Devin to ignore the message (useful for commentary on Devin's run directly in-thread) |
| `sleep` | Puts Devin to sleep; to wake Devin up, send any message in the thread |
| `archive` | Puts Devin to sleep + archives the session |
| `EXIT` | Ends the session |
| `help` | Shows help message with available keywords and functions |
### Pricing
If you don't yet have a Devin account, you can learn more about pricing and plans [here](https://devin.ai/pricing).
### Privacy
Our privacy policy is available [here](https://cognition.ai/privacy-policy).
### Authentication Flow
The diagram below illustrates the high-level authentication architecture for the Microsoft Teams integration, showing how authentication flows from Teams through various layers to create authenticated Devin sessions.
```mermaid theme={null}
graph TB
subgraph MSTeams ["Microsoft Teams"]
A[Teams User] --> B[Teams Channel]
B --> C[Teams Bot Framework]
C --> D[Microsoft Graph API]
end
subgraph AuthLayer ["Authentication Layer"]
E[Certificate-Based Auth] --> F[JWT Token Validation]
F --> G[Tenant ID Verification]
G --> H[User Identity Claims]
end
subgraph DevinPlat ["Devin Platform"]
I[Chat Manager] --> J[Identity Mapping Service]
J --> K[Organization Resolver]
K --> L[RBAC Authorization]
L --> M[Session Creation]
end
subgraph IdProviders ["Identity Providers"]
N[Azure AD/Entra ID] --> O[SAML/SSO Provider]
O --> P[Devin Identity Store]
end
A --> E
D --> F
H --> J
N --> J
P --> L
M --> Q[Devin Session]
```
### Permissions Details
Below is a summary of the Microsoft Teams and Microsoft Graph permissions our integration requires—what each grants, why we need it, and where it's used.
> At a glance
>
> * Graph (Application, tenant-wide): discovery & installation orchestration.
> * Teams bot RSC (per Team/Chat): scoped access to messages/members/settings only where the bot is installed or present.
#### Tenant-wide Microsoft Graph (Application) Permissions
These require Admin Consent in Entra ID (Azure AD). They are app-only (no user delegation).
| Permission | What it allows | Why we need it |
| --------------------------------------------------------- | -------------------------------------------- | ------------------------------------------------------------------ |
| `Organization.Read.All` | Read basic org profile | Validate the tenant where the app is being installed |
| `User.ReadBasic.All` | Read basic profiles for all users | Map member identities and resolve mentions in linked Teams |
| `AppCatalog.Read.All` | Read the Teams app catalog | Locate our app and fetch `teamsAppId` required for installation |
| `TeamsAppInstallation.ReadWriteAndConsentSelfForTeam.All` | Install/uninstall our own app; grant app RSC | Install/remove the bot in a selected Team from the Devin dashboard |
> Note: We do not use tenant-wide Graph to read message content. Message access is granted only via RSC and only where the bot is installed/present.
#### Teams Bot Resource-Specific Consent (RSC) Permissions
These are granted per Team/Chat at install time (do not apply tenant-wide).
| Permission | Scope | What it allows | Why we need it |
| --------------------------- | ------------ | --------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
| `ChannelMessage.Read.Group` | Team/Channel | Read channel messages where the app is installed | Process channel conversations (summaries, triggers, syncing) |
| `ChannelMessage.Send.Group` | Team/Channel | Send messages in channels (new posts and threaded replies) where the app is installed | Respond to messages in channel threads and proactively post updates to channels |
| `Member.Read.Group` | Team/Channel | Read team membership | Map identities, permission checks, mention routing |
| `TeamSettings.Read.Group` | Team/Channel | Read Team settings | Respect Team-level policies and tailor behavior |
| `ChatMember.Read.Chat` | Chat | Read chat participants | Address/respond correctly and support audit trails |
| `ChatMessage.Read.Chat` | Chat | Read messages in chats where the bot participates | Process prompts, context, and follow-ups |
| `ChatMessage.Send.Chat` | Chat | Send messages in 1:1 and group chats (DMs) where the bot participates; not for channels | Respond to users in DMs and group chats, post notifications, and interactive replies in chat threads |
| `ChatSettings.Read.Chat` | Chat | Read chat settings (e.g., moderation) | Align behavior with chat policies (rate limits, who can post, etc.) |
> RSC guardrails: Access is limited to the specific Team/Chat where the app is installed or participates. Removing the app from a Team/Chat revokes that access.
#### Example: Certificate-Based Authentication for Teams Discovery
The diagram below illustrates our app-only, certificate-based authentication with Microsoft Graph. Using an X.509 client certificate, the service acquires an access token and then calls Graph to list Teams (GET /v1.0/teams). This example demonstrates how Devin securely performs tenant discovery without user context.
```mermaid theme={null}
sequenceDiagram
participant S as Cognition
participant M as MSAL client
participant K as Certificate private key
participant A as Entra ID token endpoint
participant G as Microsoft Graph
S->>M: Acquire token for Graph (.default scope)
M->>M: Check token cache (tenant, scope, client)
M->>K: Build client_assertion JWT (sign with cert)
K-->M: client_assertion (signed JWT)
M->>A: POST /oauth2/v2.0/token
A-->A: Validate signature & cert thumbprint
Verify app roles to Graph
A-->M: 200 access_token (aud=graph)
M-->S: Return access_token (store in cache)
S->>G: GET /v1.0/teams with Authorization: Bearer access_token
G-->S: 200 list of teams (paged via @odata.nextLink)
```
> Credential note: We use an X.509 certificate (client assertion) rather than a client secret for service-to-service authentication. This applies to Microsoft Graph calls, bot communications with the Bot Framework adapter, and any app-only API calls from the integration.
#### Complete Message Processing Flow (Teams → Cognition)
The diagram below shows the complete end-to-end flow when a user sends a message to Devin in Microsoft Teams, including token validation and bot processing.
```mermaid theme={null}
sequenceDiagram
participant U as Teams client
participant T as Teams service
participant W as Bot webhook adapter
participant J as Jwt validator
participant O as OpenID metadata & keys
participant C as Credential provider
participant B as Bot logic
U->>T: @Devin user message
T->>W: HTTP POST activity + Authorization Bearer token
note over W: Extract Authorization header and token
W->>J: Validate token
J->>O: Fetch OpenID config and signing keys
O-->J: Return JWKS keys
J->>J: Verify RS256 signature
and parse claims
J-->W: Validated claims
W->>C: Check appId against credentials
C-->W: AppId recognized
W->>W: Add serviceUrl to trusted list
W->>B: Create TurnContext and call bot handler
B->>B: Execute business logic
B-->W: Outgoing activity
W->>T: Send reply via connector service
T->>U: Deliver message to user
```
> Credential note: We use an X.509 certificate (client assertion) rather than a client secret for service-to-service authentication. This applies to Microsoft Graph calls, bot communications with the Bot Framework adapter, and any app-only API calls from the integration.
#### Consent & Installation Flow
1. **Admin Consent (tenant-wide)**
* An Entra ID admin grants the Graph Application permissions listed above.
2. **App Discovery**
* The integration queries the Teams app catalog to locate our app and retrieve `teamsAppId`.
3. **Targeted Installation**
* From our dashboard, we install the bot into a specific Team.
* During installation, the RSC scopes are granted only to that Team (or to the specific Chat when invoked in a chat).
4. **Operation**
* Discovery (org/teams/channels/app catalog) uses Graph Application permissions.
* Reading/sending messages and reading members/settings rely on RSC within installed surfaces.
#### Least-Privilege Notes
* Basic readers only: `User.ReadBasic.All` (no tenant-wide message reading).
* Message content is accessed exclusively via RSC and only where the bot is installed/present.
* No mailbox, files, or calendar permissions are requested.
#### Revocation & Uninstallation
* Revoke Admin Consent: A tenant admin can remove the app’s enterprise app permissions in Entra ID.
* Uninstall from Teams: Remove the app from a Team/Chat to revoke RSC for that resource.
* Data Handling: On uninstall, our integration stops processing events for that Team/Chat and cleans up related subscriptions/links.