Teams MCP - Flows


User Connection Flow

Everything starts when a user connects to the MCP server. This triggers OAuth authentication. After authentication, the user can start the KB integration via the start_kb_integration tool to begin receiving meeting notifications.


OAuth Scopes Required: See Microsoft Graph Permissions for detailed justification.

Important: Microsoft access and refresh tokens are never sent to the client. They are received by the server, encrypted, and stored securely. After the Microsoft OAuth flow completes, the server issues opaque JWT tokens to the client for MCP authentication.

Microsoft OAuth Setup Flow

The following sequence shows the complete Microsoft OAuth authentication flow with detailed token handling:

[Sequence diagram: Microsoft OAuth setup flow]

Microsoft Token Refresh Flow

Microsoft tokens are refreshed on-demand when the Graph API returns a 401 error:

[Diagram: Microsoft token refresh flow]

Subscription Lifecycle

Subscriptions are renewed (not recreated) before they expire. If renewal fails for any reason, the subscription is deleted and the user must reconnect to the MCP server to re-authenticate.


Subscription Scheduling:

  • Subscriptions are set to expire at a configured UTC hour (default: 3 AM)

  • This batches all renewals to a single time window

  • Daily renewal ensures token validity is checked consistently

  • Minimum 2-hour subscription lifetime required for lifecycle notifications

  • If renewal fails: Subscription is deleted and user must reconnect to MCP server

  • See Microsoft Graph Webhooks - Lifecycle Notifications for details

Transcript Processing Flow

When a meeting transcript becomes available, Microsoft Graph sends a webhook notification. The recording is fetched if available (correlated by contentCorrelationId).


Webhook Validation:

  • Microsoft Graph sends a clientState value with each notification

  • The server validates that this value matches the secret configured during subscription creation

  • Invalid clientState results in request rejection
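
One way to implement the clientState check described above, as an added example that is not the project's own code. It assumes the standard Microsoft Graph notification body (a JSON object with a "value" array whose items each carry "clientState"); the function name, the constructed secret and the policy of rejecting a whole batch on any mismatch are assumptions.

```python
import hmac
import json

# Constructed sample secret; in practice this is the value that was set as
# clientState when the subscription was created.
EXPECTED_CLIENT_STATE = "constructed-example-secret"


def validate_notification(body: bytes, expected: str = EXPECTED_CLIENT_STATE):
    """Return (accepted, items); the whole request is rejected if any item fails."""
    try:
        payload = json.loads(body)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return False, []
    items = payload.get("value") if isinstance(payload, dict) else None
    # Assumption: a body without notification items has nothing to process.
    if not isinstance(items, list) or not items:
        return False, []
    expected_bytes = expected.encode("utf-8", "surrogatepass")
    accepted = True
    for item in items:
        state = item.get("clientState") if isinstance(item, dict) else None
        if not isinstance(state, str):
            accepted = False  # missing or non-string clientState
            continue
        # Compare as bytes in constant time so response timing does not
        # reveal how much of the secret a guess got right. surrogatepass keeps
        # odd "\udXXX" escapes in attacker-supplied JSON from raising.
        candidate = state.encode("utf-8", "surrogatepass")
        if not hmac.compare_digest(candidate, expected_bytes):
            accepted = False
    return (True, items) if accepted else (False, [])


def make_body(*states):
    """Build a constructed notification body with one item per clientState."""
    items = [{"subscriptionId": f"sub-{i}", "clientState": s}
             for i, s in enumerate(states)]
    return json.dumps({"value": items}).encode("utf-8")


if __name__ == "__main__":
    print(validate_notification(make_body(EXPECTED_CLIENT_STATE))[0])
    print(validate_notification(make_body(EXPECTED_CLIENT_STATE, "forged"))[0])
```
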

Recording Handling:

  • Recording fetch uses contentCorrelationId to find the matching recording for a transcript

  • If the recording is not available, only the transcript is captured

  • Recording failures are logged but don't fail transcript processing

  • Recordings are stored with SKIP_INGESTION mode (no RAG processing)

  • Both transcript and recording share the same content_correlation_id in metadata

Access Control:

  • Meeting organizer receives write + read access

  • Meeting participants receive read access

  • Users are resolved by email or username in the Unique platform

Standard References
