Integration · Team messaging

Shipped — production

ClarityLift + Microsoft Teams

Microsoft Teams is the second primary deployment surface. Channel messages only, processed via Microsoft Graph subscriptions.

Signals derived from Microsoft Teams

  • Team friction
  • Disengagement patterns
  • Communication health
  • Culture drift
  • Retention signals
  • Strategic alignment
  • Silence

OAuth scopes ClarityLift requests

Every scope below has a documented purpose tied to a specific step in the data flow. ClarityLift never requests scopes it does not use.

  • ChannelMessage.Read.All: Read messages in standard team channels
  • Channel.ReadBasic.All: List channels in connected teams
  • Team.ReadBasic.All: List teams to surface in the channel-selection UI
  • User.Read.All: Resolve Azure AD user objects for the consent gate

Data flow, end to end

  1. Tenant admin grants the ClarityLift Teams app the listed application permissions via the Microsoft 365 admin portal.
  2. Admin selects which channels to connect (default none).
  3. ClarityLift creates Microsoft Graph change-notification subscriptions on each connected channel.
  4. Graph delivers a notification when a new message is posted; ClarityLift refetches the message body via Graph (not via the notification payload, which is metadata-only).
  5. The DM gate rejects 1:1 chat events; ClarityLift requests no chat-message scope.
  6. Consent gate resolves the sender against the workspace member roster.
  7. Classifier runs; aggregate signals are persisted; raw text is not.
  8. Subscriptions are renewed automatically by a scheduled cron before they expire.
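
The sketch below is an added example, not ClarityLift's code: it shows how steps 4, 5 and 8 can be enforced on the receiving side of a Graph change-notification webhook. The function names, the renewal margin, the use of a `clientState` secret on the subscription, and all sample ids are assumptions made for illustration.

```python
import hmac
import re
from datetime import datetime, timedelta, timezone

# Resource path Graph uses for channel-message notifications.
CHANNEL_MSG = re.compile(
    r"^teams\('([^']+)'\)/channels\('([^']+)'\)/messages\('([^']+)'\)$")

def parse_ts(s):
    """Parse a Graph timestamp; trim 7-digit fractions that fromisoformat rejects."""
    s = re.sub(r"(\.\d{6})\d+", r"\1", s).replace("Z", "+00:00")
    return datetime.fromisoformat(s)

def gate(item, expected_state, connected):
    """Decide what to do with one item from a change-notification batch."""
    # Assumption: the subscription was created with a secret clientState.
    state = item.get("clientState") or ""
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return ("reject", "clientState mismatch")
    m = CHANNEL_MSG.match(item.get("resource") or "")
    if m is None:
        # chats('...')/messages('...') and any other resource stop here (step 5).
        return ("reject", "not a channel message")
    team, channel, message = m.groups()
    if (team, channel) not in connected:
        return ("reject", "channel not connected")
    # Step 4: the body is refetched from Graph, not taken from the payload.
    return ("refetch", f"/teams/{team}/channels/{channel}/messages/{message}")

def due_for_renewal(subscriptions, now, margin=timedelta(minutes=10)):
    """Step 8: ids of stored subscriptions that expire within `margin`."""
    return [s["id"] for s in subscriptions if parse_ts(s["expiry"]) - now <= margin]

# Constructed sample data (not real tenant values).
STATE = "constructed-client-state"
CONNECTED = {("team-A", "19:general@thread.tacv2")}
CHANNEL_EVT = {"clientState": STATE, "changeType": "created",
               "resource": "teams('team-A')/channels('19:general@thread.tacv2')/messages('1700000000001')"}
CHAT_EVT = {"clientState": STATE, "changeType": "created",
            "resource": "chats('19:abc@unq.gbl.spaces')/messages('1700000000002')"}
SUBS = [{"id": "sub-1", "expiry": "2024-05-01T12:05:00.0000000Z"},
        {"id": "sub-2", "expiry": "2024-05-01T13:00:00Z"}]

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    for evt in (CHANNEL_EVT, CHAT_EVT, dict(CHANNEL_EVT, clientState="wrong")):
        print(gate(evt, STATE, CONNECTED))
    print(due_for_renewal(SUBS, now))
```

The allowlist check on `(team, channel)` also means a notification for a channel the admin never connected is dropped even if the tenant-wide permission would allow reading it.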

What ClarityLift does NOT read on Microsoft Teams

The privacy posture is led by what is excluded, not what is included.

  • Direct messages between individuals — never read, ever.
  • Group DMs — out of scope by design.
  • Channel content from teams below the 10-member group floor.
  • Personal account content of any kind.
  • Teams 1:1 chats — the chat-read scope is not requested. ClarityLift’s Graph permission set is restricted to channel-message scopes only, blocked at the OAuth-manifest layer.
  • Teams meeting recordings, transcripts, captions — out of scope.
  • Teams call records — not requested.
  • OneDrive or SharePoint files shared into chat — file content is not ingested.

Retention

No message text is persisted. Aggregate signals only. Graph subscription metadata (subscription id, expiry) is stored to manage the renewal cron. Customer hard-delete cascades through derived rows and revokes the Graph subscriptions.

Privacy considerations specific to Microsoft Teams

  • Application permissions in Microsoft Graph are tenant-wide — admin grants once, ClarityLift cannot escalate.
  • Microsoft Teams shared channels (Teams Connect): default is excluded. Connecting them requires deliberate admin action.
  • Teams private channels are scoped separately under Graph — ClarityLift requests no private-channel scope by default.
  • OAuth tokens for the tenant are encrypted at rest using AES-256-GCM (CL_ENCRYPTION_KEY).

What the customer does at install time

  1. Tenant admin grants the application permissions in the Microsoft 365 admin portal.
  2. Admin selects channels in the ClarityLift dashboard.
  3. Admin sets the org-wide consent mode.
  4. ClarityLift verifies a test subscription against one connected channel before signal generation begins.