A Short Overview of How Bot Apps in Teams Work

September 10, 2025

The RheinInsights Retrieval Suite was just extended so that it can be integrated as a Teams app via the Azure Bot Framework. There is great documentation out there that helps developers jump-start their development with the Azure Bot Framework. Here, we want to add the big picture on Teams apps and explain where computations actually take place.

Bot Communication Workflow from Microsoft Teams to your Web Server

Teams Integration

The Teams integration of bot applications is surprisingly loose. You more or less only provide parameters in the app manifest that allow Teams to identify the bot application in your Azure subscription.

Heavy-lifting computations take place neither within Teams nor in the Azure Bot application. This is good, as you want to be in control of your bot, and you have full control of all computations within your web server.

So in order to register your Teams bot as an app, you first need to create it within the Azure Bot Framework.

Azure Bot Framework

Within the Azure Bot Framework, you create a new bot (see also our documentation). Initially, this has nothing to do with Microsoft Teams; the bot is a link between an HTTP endpoint (your web server) and Entra ID. Therefore, you always also need to have an Entra ID app registered to operate an Azure Bot.

The bot registration is also anything but rocket science: only a few configuration parameters need to be provided. As written above, no computations take place in the Azure Bot Framework. However, it helps you integrate your bot application, i.e., your server, into Teams and various other channels.

The bot is an intermediary between Microsoft Teams and your server. It makes sure that all communication is forwarded (back and forth) and that authentication and authorization are in place.

Authentication and Authorization

When the bot framework communicates with your web server, it always sends an OIDC token (JWT) for the bot (not the user). This way, your server can make sure that the communication source is trusted.

Please keep in mind that an attacker might also communicate with your service endpoint. However, they cannot provide a valid OIDC token for your registered bot application, so your server should reject any request that does not carry one.
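How a Node.js server could enforce this check before processing an inbound message, as an added example that is not code from the original page or from the Bot Framework SDK. The issuer value follows Microsoft's Bot Connector authentication documentation; the app ID, key id, locally generated keys and function names are constructed placeholders.

```javascript
// Added example: validating the bot's bearer token (JWT) before handling a request.
const nodeCrypto = require("node:crypto");

const EXPECTED_ISSUER = "https://api.botframework.com"; // per Microsoft's Bot Connector docs
const BOT_APP_ID = "00000000-0000-0000-0000-000000000000"; // placeholder for your Entra ID app ID
const b64url = (v) => Buffer.from(v).toString("base64url");
const fail = (reason) => ({ ok: false, reason });

// `keys` maps key id (kid) -> public key; in production these are the issuer's
// published signing keys, fetched over HTTPS and cached.
function validateBotToken(authHeader, keys, now = Math.floor(Date.now() / 1000)) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authHeader || "");
  if (!m) return fail("malformed Authorization header");
  const [, h, p, s] = m;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, "base64url").toString());
    claims = JSON.parse(Buffer.from(p, "base64url").toString());
  } catch {
    return fail("undecodable token");
  }
  // Pin the algorithm so the token cannot select "none" or a symmetric MAC.
  if (header?.alg !== "RS256") return fail("unexpected alg");
  const key = keys.get(header.kid);
  if (!key) return fail("unknown signing key");
  const sigOk = nodeCrypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), key, Buffer.from(s, "base64url"));
  if (!sigOk) return fail("bad signature");
  if (claims?.iss !== EXPECTED_ISSUER) return fail("wrong issuer");
  if (claims.aud !== BOT_APP_ID) return fail("wrong audience"); // token minted for another bot
  if (typeof claims.exp !== "number" || claims.exp <= now) return fail("expired");
  return { ok: true, reason: "token is for this bot" };
}

// Constructed test material: locally generated keys stand in for the issuer's keys.
function signToken(privateKey, kid, claims, alg = "RS256") {
  const input = `${b64url(JSON.stringify({ alg, kid, typ: "JWT" }))}.${b64url(JSON.stringify(claims))}`;
  return `Bearer ${input}.${nodeCrypto.sign("RSA-SHA256", Buffer.from(input), privateKey).toString("base64url")}`;
}
const issuer = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const attacker = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const keys = new Map([["kid-1", issuer.publicKey]]);
const NOW = 1757500000; // fixed clock for reproducible results
const goodClaims = { iss: EXPECTED_ISSUER, aud: BOT_APP_ID, exp: NOW + 600 };
console.log(validateBotToken(signToken(issuer.privateKey, "kid-1", goodClaims), keys, NOW));
console.log(validateBotToken(signToken(attacker.privateKey, "kid-1", goodClaims), keys, NOW));
```

The audience check is what ties a correctly signed token to your specific bot registration; a token issued for a different bot passes the signature check but fails here.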

Getting Graph API Tokens

Based on the provided parameters and the app secret from Entra ID, your service can moreover acquire a user token, which can be used to access, e.g., the Graph APIs. For this, the (undocumented) service

https://api.botframework.com/api/usertoken/GetToken

is used.

Your Web Server

The actual computational logic is located in your web server. It can be a .NET, Node.js or Java application.

This means that once a message from any inbound channel (Teams, mail, etc.) arrives at the bot framework, the framework forwards it to your server. It does not matter where your server is located (AWS, Azure, or another web server on a VM). Only the URL configured in the bot application must be reachable from the Azure cloud.

The connection is then kept open, even for minutes, and you can do your computations to generate an answer to the inbound message and return it as an adaptive card or a plain text message in the JSON response.

Please note that the Java SDK is outdated, has not been maintained since 2022, and is incompatible in its current form with single-tenant apps. We are about to release an updated version of the Java SDK on GitHub which supports the current bot framework.
