Microsoft Teams
Route validated Bot Framework activities to persistent agents.
Use the adapter from @fabric-harness/channels/teams. The direct recipe configures the built-in Bot
Connector JWT verifier:
fh add channel teamsimport { createTeamsChannel } from '@fabric-harness/channels/teams';
export default createTeamsChannel({
agent: 'assistant',
applicationId: process.env.TEAMS_APP_ID!,
});The adapter discovers Microsoft Bot Connector signing keys and validates the RS256 signature,
issuer, App ID audience, token lifetime, activity serviceUrl, and channel endorsement. Key metadata
is cached for one hour and refreshed once when an unknown key ID appears. Accepted message activities
use the Azure tenant as tenantId, the AAD/Bot Framework user as onBehalfOf, the activity ID for
deduplication, and tenant/conversation/reply IDs for the stable persistent instance.
Use authenticate instead of applicationId only when an existing identity gateway performs the
same validations before the request reaches Fabric Harness. Sovereign-cloud deployments can set
botFramework.openIdMetadataUrl to their Bot Connector metadata endpoint.
Use replyInTeamsConversation(ref, { accessToken }) for outbound Bot Framework replies. The access
token resolver can rotate credentials per call.
Mount the route at POST /channels/teams/activities. Prefer managed identity where supported,
restrict Graph/Bot scopes, and policy-gate Graph mutations separately from message replies.