Microsoft Teams Integration
Overview
The Microsoft Teams Integration serves as a bridge between Microsoft Teams and Dataiku’s Generative AI capabilities. It allows users to interact with Dataiku Agents and LLMs directly within Teams, enabling seamless access to data insights and automated responses in both chats and channel conversations.
Key Features
Interactive Bot: Chat directly with Agents configured in Dataiku.
Azure Bot Service Integration: Use Azure Bot Service to connect Microsoft Teams to your Dataiku webapp backend.
Teams Conversation Support: Works in chats and in channel conversations where the app has been added.
Setup
Pre-requisites
The Microsoft Teams Integration is provided by the “Dataiku Agents on Microsoft Teams” plugin, which you must install. Please see Installing plugins.
You will need administrative access to Microsoft Azure and Microsoft Teams, alongside write permission in a Dataiku Project and code execution permission to configure the integration. If you use managed mode, you must also be able to grant the Azure Resource Manager and Microsoft Graph permissions required by the Azure identity used by DSS.
The Microsoft Teams Integration uses a webapp in DSS, with the backend exposing the messaging endpoint used by Azure Bot Service and relaying messages back & forth between Microsoft Teams and the Agent. The backend must be running to process events. Enable auto-start backend in the Edit tab to ensure it runs automatically.
DSS must be reachable through an HTTPS URL so Microsoft Azure can call the messaging endpoint exposed by the webapp. DSS must also have outbound network access.
The webapp supports two Azure resource provisioning modes:
Managed by Dataiku DSS: DSS creates and manages the Azure Bot Service and Microsoft Entra app registration for you. This is the default and recommended mode.
User Managed: You create the Azure Bot Service and app registration yourself in Azure, then paste the bot credentials into the webapp.
Managed by Dataiku DSS
In managed mode, DSS provisions the Azure resources needed by the Microsoft Teams integration. You only need to configure an Azure identity with the right permissions and complete the webapp settings. DSS creates an Azure Bot Service, a Microsoft Entra app registration, and the related bot credentials. You do not need to manually create the bot in the Azure portal.
Configure Azure Provisioning
In the webapp Edit tab, fill in the Azure provisioning fields in order:
Azure Tenant ID: Microsoft Entra tenant ID where the bot application will be created.
Provisioning Mode: Select Managed by Dataiku DSS.
Identity type: Choose how DSS authenticates to Azure for provisioning.
Default credentials, from environment or System/User Assigned Managed Identity: DSS uses the default Azure credential chain, such as environment variables or the managed identity of the machine running DSS.
Service principal: DSS authenticates with an existing Azure service principal.
Service principal client ID and Service principal client secret: Required when you select Service principal.
Azure subscription ID: Subscription where DSS should create the managed resources.
Azure location: Azure region where DSS should create the managed resources.
Managed resources base name: Base name used for the Azure resources created by DSS. Changing this value later creates a new set of resources.
Resource group name: Optional explicit resource group name. If left empty, DSS derives it from the managed resources base name with the -rg suffix.
Grant the Required Azure Permissions
The identity configured in the webapp must have both Azure Resource Manager permissions and Microsoft Graph permissions.
Azure Resource Manager permissions are granted through Azure RBAC, typically on the resource group used by the integration or on the whole subscription. DSS needs permissions to create, update, and delete the managed Azure resources:
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/resourceGroups/write
Microsoft.BotService/botServices/read
Microsoft.BotService/botServices/write
Microsoft.BotService/botServices/delete
Microsoft.BotService/botServices/channels/write
You can grant these permissions through a custom role scoped to the configured resource group, or more broadly at the subscription level. A built-in role such as Contributor can also work if it matches your organization’s security requirements.
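To compare a candidate role against the six actions listed above before assigning it, the following added example (not part of the Dataiku plugin or documentation) reports which required actions a role fails to grant and which of its patterns go beyond them. It assumes the role is given in the Azure custom role JSON layout with top-level Actions and NotActions keys; the function names, the sample roles and the placeholder scope are constructed for illustration.

```python
import re

# Azure Resource Manager actions this page lists for managed mode.
REQUIRED_ACTIONS = [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.BotService/botServices/read",
    "Microsoft.BotService/botServices/write",
    "Microsoft.BotService/botServices/delete",
    "Microsoft.BotService/botServices/channels/write",
]
REQUIRED_LOWER = {a.lower() for a in REQUIRED_ACTIONS}

def _matches(pattern, action):
    """Azure RBAC action patterns: '*' is a wildcard, matching ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def _allowed(role, action):
    """Effective permission: granted by Actions and not removed by NotActions."""
    granted = any(_matches(p, action) for p in role.get("Actions", []))
    removed = any(_matches(p, action) for p in role.get("NotActions", []))
    return granted and not removed

def audit_role(role):
    """Return (required actions the role lacks, patterns beyond the required six)."""
    missing = [a for a in REQUIRED_ACTIONS if not _allowed(role, a)]
    excess = [p for p in role.get("Actions", []) if p.lower() not in REQUIRED_LOWER]
    return missing, excess

# Constructed sample roles; the scope below is a placeholder, not a real ID.
CUSTOM_ROLE = {
    "Name": "DSS Teams Bot Provisioner (example)",
    "Actions": list(REQUIRED_ACTIONS),
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/<subscription-id>/resourceGroups/<resource-group>"],
}
CONTRIBUTOR_LIKE = {
    "Name": "Contributor-like (constructed)",
    "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
}
READ_ONLY = {"Name": "Read-only (constructed)", "Actions": ["*/read"], "NotActions": []}

if __name__ == "__main__":
    for role in (CUSTOM_ROLE, CONTRIBUTOR_LIKE, READ_ONLY):
        missing, excess = audit_role(role)
        print(f"{role['Name']}: missing={missing} broader_than_needed={excess}")
```

An empty first list means the role is sufficient for provisioning; a non-empty second list shows where it grants more than the integration needs.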
Microsoft Graph permissions are granted separately in Microsoft Entra. DSS needs one of the following permissions so it can create and manage the Entra application used by the bot:
Application.ReadWrite.OwnedBy: minimal permission.
Application.ReadWrite.All: full permission.
The webapp View tab includes a Required Permissions tab showing the live permission status for the configured identity.
Complete the Remaining Configuration
In the webapp Edit tab, fill in the remaining settings:
DSS public base URL: Base URL where this DSS instance is reachable. DSS uses it to build the messaging endpoint called by Azure Bot Service.
Agent/LLM: Dataiku Agent or LLM to use for generating responses.
Conversation context limit and Conversation history period: Control how much conversation history the model can use.
Start the Backend and Provision Azure Resources
In the webapp backend configuration:
Make sure Auto-start backend is enabled.
Make sure Require authentication is disabled.
Save the webapp to apply the configuration and start the backend. When the backend starts, it checks the Azure credentials and permissions.
If the backend does not start automatically:
Go to the Actions panel on the right side of the screen.
Select Start backend to manually start it.
Note
For Dataiku Cloud, add the webapp ID to Administration -> Settings -> Security & Audit -> Other security settings -> Webapps -> Public webapps.
Once the backend is running and the Azure credentials are valid, open the webapp View tab and select Create Resources. Provisioning can take up to two minutes. Do not stop the backend while provisioning is in progress.
Managed provisioning creates:
One resource group.
One Azure Bot Service.
One Microsoft Entra app registration.
When provisioning completes, continue with the test and installation steps below.
User Managed Azure Resources
Use this mode when your organization requires Azure resources to be created and governed outside of DSS. In this mode, you create the Azure Bot Service and app registration yourself, then configure DSS with the resulting bot credentials.
Create the Azure Bot Service Manually
Navigate to https://portal.azure.com and create the bot resources. This is the bot that you will later install into Microsoft Teams to interact with the Dataiku Agent or LLM.
During setup, make sure you:
Create an Azure Bot resource. If you choose Create new Microsoft App ID, Azure will also create the related App Registration. You can also create the app registration in advance and link it during bot creation.
Under Azure Bot -> Settings -> Configuration, set Messaging Endpoint to your DSS public base URL plus the endpoint displayed in the Dataiku webapp setup page.
Under Azure Bot -> Settings -> Channels, add the Microsoft Teams channel.
Note
The full messaging endpoint must be reachable by Microsoft Azure over HTTPS.
If Microsoft Teams and the Azure Bot resource run in different tenants:
Go to the App Registration linked to the Azure Bot that you created.
In Azure Bot -> Settings -> Configuration, select Manage Password next to Microsoft App ID to open the corresponding app registration.
Under Manifest, make sure the JSON contains the following values:
"accessTokenAcceptedVersion": 2,
"signInAudience": "AzureADandPersonalMicrosoftAccount"
Save the manifest.
Generate App Credentials
To let Dataiku authenticate with your bot, create the application credentials in Azure:
Go to the App Registration linked to the Azure Bot that you created.
In Azure Bot -> Settings -> Configuration, select Manage Password next to Microsoft App ID to open the corresponding app registration.
Under Certificates & secrets, create a new client secret.
Copy the secret value immediately and store it somewhere safe. Azure will not show it again.
In the Overview tab, also copy the Application (client) ID.
Important
Treat your client secret like a password. Never share it or commit it to version control. If it is compromised, rotate it immediately in the Azure portal.
Configure the Visual Webapp with User-Managed Credentials
In the webapp Edit tab, configure the following:
Azure Tenant ID: Paste the Microsoft Entra tenant ID where your Azure Bot and app registration are hosted.
Provisioning Mode: Select User Managed.
Azure Bot Service Microsoft App ID (client ID): Paste the application client ID.
Azure Bot Service Microsoft App Password (client secret): Paste the bot client secret.
Agent/LLM: Select the Dataiku Agent or LLM to use for generating responses.
Save to apply your configurations.
When you save the webapp, the backend should automatically start (a notification indicates that the backend is starting).
If the backend does not start automatically:
Go to the Actions panel on the right side of the screen.
Select Start backend to manually start it.
In the backend configuration:
Make sure Auto-start backend is enabled.
Make sure Require authentication is disabled.
Note
For Dataiku Cloud, add the webapp ID to Administration -> Settings -> Security & Audit -> Other security settings -> Webapps -> Public webapps.
Test the Bot in Azure
Before installing the app in Microsoft Teams, run a quick test in Azure to confirm that Microsoft can reach your Dataiku webapp.
In the Azure Bot resource, open Settings -> Test in Web Chat.
Send a message in the chat window. The Agent or LLM you configured earlier should respond.
Check the DSS webapp Logs tab if the bot does not respond.
Generate the Teams App Manifest
Before you can install the Agent in Teams, you need a Teams app manifest. You can create one in the Teams Developer Portal or with the manifest creator available in the webapp.
Scroll down to the Manifest creator card in the webapp.
Enter the Teams app details you want to use, such as the name and icons.
Select Create manifest zip to download the manifest.
Note
If you create the manifest in the Teams Developer Portal instead of using the webapp manifest creator, add the following resource-specific application permissions to the manifest so the bot can read conversation messages:
"authorization": {
  "permissions": {
    "resourceSpecific": [
      {
        "type": "Application",
        "name": "ChannelMessage.Read.Group"
      },
      {
        "type": "Application",
        "name": "ChatMessage.Read.Chat"
      }
    ]
  }
}
Install the App in Teams
Upload the manifest to Microsoft Teams or to your organization’s app catalog.
In Teams, open Apps in the left sidebar, then select Manage your apps.
Select Upload an app, then choose the manifest zip file that you created earlier.
Note
You may need administrator approval before you can install the app.
Test the integration in Microsoft Teams, as per the Usage section below.
Usage
In Microsoft Teams:
Open the bot in a chat, or add the app to a channel where you want to use it.
Send a message in the chat or @mention the app in a channel where it has been added.
Check the DSS webapp Logs tab if the bot does not respond.