Teams-MCP

7 min read

Pre-Release Disclaimer

teams-mcp is pre-release software.

No SLA/SSLA: No service level agreements or support level agreements apply
No Support: No guaranteed support, response times, or issue resolution
Breaking Changes: APIs, configurations, and behavior may change without notice between versions
No Stability Guarantees: Features may be incomplete, modified, or removed at any time
Data Loss Risk: Bugs or changes may result in data loss or corruption
Use at Your Own Risk: This software is provided "as-is" without warranties of any kind

Pre-release software is intended for evaluation and testing purposes only. Do not rely on this software for production workloads without understanding these limitations.

Overview

The Teams MCP Server is a cloud-native application that automatically captures meeting transcripts and recordings from Microsoft Teams and ingests them into the Unique knowledge base. This guide provides administrators with essential information about requirements, features, and limitations.

Note: This is a connector-style MCP server, not a traditional MCP server. It does not provide tools, prompts, resources, or other MCP capabilities. Once connected, it automatically ingests meeting transcripts into the Unique knowledge base without requiring any additional interaction or tool calls.

For deployment, configuration, and operational details, see the IT Operator Guide.

Quick Summary

What it does: Automatically captures meeting transcripts and recordings from Microsoft Teams and ingests them into Unique's AI knowledge base with participant-based access controls

Deployment: Kubernetes-based NestJS microservice

Authentication: Uses delegated OAuth2 with Microsoft Entra ID (user signs in and consents)

Processing: Real-time webhook-driven (notifications received immediately when transcripts are available)

Requirements

Microsoft 365 / Teams

Requirement	Details
Microsoft Teams	Active tenant with transcription enabled for meetings
Microsoft Entra ID	Tenant with Application Administrator rights for app registration
License	Microsoft 365 license with Teams meeting transcription capabilities

Prerequisites:

Access to Microsoft Entra ID for app registration
Microsoft Teams meetings with transcription enabled by policy
Users must be able to consent to delegated permissions (or admin consent granted)

Permissions

All permissions are Delegated (not Application), meaning they act on behalf of the signed-in user and can only access data that user has access to.

Permission	Type	Admin Consent	Required
`User.Read`	Delegated	No	Yes
`OnlineMeetings.Read`	Delegated	No	Yes
`OnlineMeetingRecording.Read.All`	Delegated	Yes	Yes
`OnlineMeetingTranscript.Read.All`	Delegated	Yes	Yes
`offline_access`	Delegated	No	Yes

For detailed permission justifications, see Microsoft Graph Permissions.

Features

Core Capabilities

Real-time Transcript and Recording Capture

Webhook-based notifications from Microsoft Graph API
Automatic capture when meeting transcripts become available
VTT format transcript content ingested into Unique
MP4 recording files stored alongside transcripts (with SKIP_INGESTION mode)
Both artifacts linked via content_correlation_id in metadata

Participant-Based Access Control

Meeting organizer receives write + read access in Unique
Meeting participants receive read access in Unique
Users resolved by email or username in Unique platform

Self-Service User Connection

Users connect their own Microsoft account via OAuth 2.1 with PKCE
No IT administrator involvement required for individual connections

Automatic Subscription Management

Microsoft Graph webhook subscriptions created automatically on user connection
Subscriptions renewed automatically before expiration
Failed renewals handled gracefully with user reconnection required

Advanced Features

Security

OAuth 2.1 with PKCE for authentication (RFC 7636)
Microsoft tokens encrypted at rest using AES-256-GCM
Refresh token rotation with family-based revocation
Short-lived access tokens (60 seconds default)
See Security Documentation for details

Reliability

RabbitMQ message queue for asynchronous webhook processing
Dead Letter Exchange (DLX) for failed message inspection and retry
Meets Microsoft's strict webhook response requirements (< 10 seconds)
See FAQ - Why use RabbitMQ for webhook processing? for details

Observability

Detailed logging with trace IDs

Configuration

Configurable token TTLs
Automatic subscription renewal via Microsoft lifecycle webhooks
Rate limiting support

How It Works

High-Level Architecture

See Architecture Documentation for detailed component diagrams.

User Connection Flow

See User Connection Flow for additional details.

Transcript Processing Flow

See Transcript Processing Flow for additional details.

User Workflow

User Setup (One-time) - Open MCP client and connect to Teams MCP Server - Sign in with Microsoft account - Grant required permissions
Automatic Processing (Ongoing) - Attend Microsoft Teams meetings with transcription enabled - Meeting ends and transcript becomes available - Teams MCP automatically receives webhook notification - Transcript and recording (if available) captured and uploaded
Access in Unique (Ongoing) - Meeting content available in Unique knowledge base - Organizer has write + read access - Participants have read access - Content searchable and queryable via Unique AI

Limitations and Constraints

Authentication Constraints

Constraint	Reason
Delegated permissions only	Requires user sign-in; application-only access would need admin-configured policies per user
No certificate auth	Certificate auth only works with Client Credentials flow, incompatible with delegated permissions
Single app registration	Each MCP server deployment uses one Entra ID app registration (multi-tenant capable)
Admin consent required	`OnlineMeetingRecording.Read.All` and `OnlineMeetingTranscript.Read.All` need admin approval

See Authentication Architecture - Single App Registration Architecture for details.

Operational Constraints

Constraint	Impact	Mitigation
90-day token expiry	User must reconnect after ~90 days of inactivity	Monitor for disconnected users
Webhook timeout	Microsoft requires response in <10 seconds	RabbitMQ decouples reception from processing
Subscription expiry	Graph subscriptions expire after 3 days max	Automatic renewal via lifecycle notifications
Encryption key change	All stored tokens become unreadable	Users must reconnect; plan for maintenance window

Scaling Considerations

Factor	Limit	Notes
Microsoft Graph rate limits	~10,000 requests/10 min per app	Shared across all users of the app registration
Concurrent user lookups	Configurable (default: 5)	Set via `UNIQUE_USER_FETCH_CONCURRENCY`
Database connections	PostgreSQL pool size	Monitor connection usage under load

Not Supported

Real-time transcription: Only processes completed transcripts, not live captions
Meeting creation: Read-only access; cannot create or modify meetings
Selective meeting capture: All meetings with transcription enabled are captured (no organizer-only or meeting-type filter)
Token introspection: Tokens validated locally with short TTLs for performance
Historical/full sync: No mechanism to backfill transcripts from meetings that took place before the user connected; see Why can't historical transcripts be synced?
Delta/incremental sync: No ability to poll for missed or updated transcripts since a given point in time; see Why is there no delta sync?
Missed-notification recovery: If a subscription lapses, any transcripts produced during the gap are permanently lost — there is no catch-up or replay mechanism
Multi-tenant in one session: A user belonging to multiple Microsoft tenants must authenticate separately for each tenant; one OAuth session covers exactly one tenant
Transcript format variants: Only VTT-format transcripts are processed; meetings with transcripts in other formats are silently skipped
Recording size assurance: No application-level size check on recordings; very large files (e.g., multi-hour all-hands) may time out during download and be skipped, while the transcript is still ingested

Microsoft Graph API Constraints

The following limitations originate directly from the Microsoft Graph API and cannot be worked around while using delegated permissions.

No Delta Sync with Delegated Permissions

Microsoft Graph does expose a delta API for transcripts and recordings:

none

GET /users/{userId}/onlineMeetings/getAllTranscripts(...)/delta
GET /users/{userId}/onlineMeetings/getAllRecordings(...)/delta

These APIs support both full initial synchronization and incremental sync (returning only transcripts added since the last $deltaToken). However, the official permission table is:

Permission type	Support
Delegated (work or school account)	Not supported
Delegated (personal Microsoft account)	Not supported
Application	`OnlineMeetingTranscript.Read.All` / `OnlineMeetingRecording.Read.All`

Source: callTranscript: delta — Microsoft Graph API reference · callRecording: delta — Microsoft Graph API reference

Teams MCP uses delegated permissions so that users can connect their own Microsoft account without IT administrator involvement. Switching to application permissions would enable delta sync, but would require tenant administrators to configure Application Access Policies via PowerShell for every user — defeating the self-service connection model.

No Historical/Full Sync with Delegated Permissions

The only Microsoft Graph API capable of listing transcripts across all of a user's meetings (without knowing individual meeting IDs in advance) is getAllTranscripts:

none

GET /users/{userId}/onlineMeetings/getAllTranscripts(meetingOrganizerUserId='{userId}',startDateTime=...)

This API also requires application permissions only — delegated permissions are explicitly not supported.

Source: onlineMeeting: getAllTranscripts — Microsoft Graph API reference

With delegated permissions, the only available path to read transcripts is GET /users/{userId}/onlineMeetings/{meetingId}/transcripts, which requires knowing the meeting ID in advance. There is no delegated-permission API that enumerates past meetings and their transcripts in bulk. As a result, Teams MCP can only capture transcripts going forward from the moment the user connects — not from any earlier meetings.

Additional constraints on historical data (even with application permissions):

Transcripts are only accessible for meetings that have not expired. One-time meetings expire 60 days after their scheduled time; recurring meetings with no end date expire 1 year after the last activity.
Recording and transcript files are subject to the tenant's admin-configured expiration policy (Microsoft default: 120 days after creation).

Source: Limits and specifications for Microsoft Teams — Meeting expiration

Single App Registration Architecture

Each Teams MCP Server deployment uses one Microsoft Entra ID app registration:

Multi-tenant support: Configure app as "Accounts in any organizational directory"
Enterprise Application: Created in each tenant when admin grants consent
Shared infrastructure: One deployment serves all tenants
Data isolation: Each user's data scoped by their Microsoft user ID