FabricFabricHarness
EcosystemChannels

Microsoft Teams

Route validated Bot Framework activities to persistent agents.

Use the adapter from @fabric-harness/channels/teams. The direct recipe configures the built-in Bot Connector JWT verifier:

fh add channel teams
import { createTeamsChannel } from '@fabric-harness/channels/teams';

export default createTeamsChannel({
  agent: 'assistant',
  applicationId: process.env.TEAMS_APP_ID!,
});

The adapter discovers Microsoft Bot Connector signing keys and validates the RS256 signature, issuer, App ID audience, token lifetime, activity serviceUrl, and channel endorsement. Key metadata is cached for one hour and refreshed once when an unknown key ID appears. Accepted message activities use the Azure tenant as tenantId, the AAD/Bot Framework user as onBehalfOf, the activity ID for deduplication, and tenant/conversation/reply IDs for the stable persistent instance.

Use authenticate instead of applicationId only when an existing identity gateway performs the same validations before the request reaches Fabric Harness. Sovereign-cloud deployments can set botFramework.openIdMetadataUrl to their Bot Connector metadata endpoint.

Use replyInTeamsConversation(ref, { accessToken }) for outbound Bot Framework replies. The access token resolver can rotate credentials per call.

Mount the route at POST /channels/teams/activities. Prefer managed identity where supported, restrict Graph/Bot scopes, and policy-gate Graph mutations separately from message replies.