[Teams] Unable to run Teams connector in 8.12.0

[kajal-elastic]

Bug Description

Unable to run Teams Connector in 8.12.0 (latest) Elastic deployment as the connector is stucked on log: Content sync job execution service started, listening to events from {elasticsearch url}

To Reproduce

Steps to reproduce the behavior:

1. Go to Indices -> Create a new Index -> Use a Connector
2. Click on teams and create a index by specifying a name
3. Deploy the connector by providing the elasticsearch credentials in config.yml
4. Execute make run
5. Observe the logs displayed on console

Expected behavior

Teams connector should pick up the configuration changes and connect to Elastic instance in order to run the connector

Actual behavior

Sync gets stucked at - Content sync job execution service started, listening to events from {elasticsearch url} Access control sync job execution service started, listening to events from {elasticsearch url}

Environment

Elastic Deployment : 8.12.0(latest) Branch : 8.12 connector version: 8.12.0.0

Additional context

By default, service_type is displayed as teams on UI, whereas in the connectors->sources , it is microsoft_teams So the service_type displayed on UI should be microsoft_teams in order to make it consistent and make the connector work

[kajal-elastic]

@DianaJourdan @danajuratoni When index is created using Teams Connector Client Configuration contains service_type value as teams in UI : If connector is Deployed using this configuration, Connector is stucked at log mentioned in issue. But if the connector is executed as customized connector and microsoft_teams is mentioned as service_type Connector is executed successfully. So, It seems the issue is from the UI side and needs to be fixed from your end.

[danajuratoni]

@efegurkan can you please take a look an confirm whether Kibana uses service_type teams or microsoft_teams by default?

[danajuratoni]

Issue is present in 8.11 as well

[kajal-elastic]

@danajuratoni For Teams, Currently we're facing the below errors with the credentials that were previously used for testing.

1. An error is displayed indicating the requirement to use Multifactor Authentication. But in this case the MFA is already enabled for the configured user.

2. Another error faced is that the user or Administrator has not consented to use the application . But in this case the Admin consent for the permissions is already granted for the registered App in Azure .

We're working on resolving the issues and will update if there are any changes . If there is any anything your team is aware of, Please let us know.

[efegurkan]

@danajuratoni in Kibana the service_type is teams as specified I am creating a PR to update the service type aimed for 8.12.1. It is a fix for our typo but I am not sure if this is a fix for other problems.

https://github.com/elastic/kibana/pull/174078

[danajuratoni]

@kajal-elastic can you please confirm the "service_type" issue is resolved by @efegurkan's fix?

[danajuratoni]

below errors with the credentials that were previously used for testing

cc: @navarone-feekery in case this is a known issue

[kajal-elastic]

@danajuratoni For the first issue , The error was faced as the account had MFA enabled and it is a known issue that connector doesn't work with MFA . For the solution user needs to Perform this troubleshooting steps: https://github.com/elastic/enterprise-search-microsoft-teams-connector?tab=readme-ov-file#troubleshoot-access-token-generation

For the second issue , It was resolved by granting admin consent to the organization on Microsoft Entra Admin Center

Currently, checking the Kibana fix, will update here once done.

[kajal-elastic]

@efegurkan @danajuratoni service_type issue is resolved now and I'm able to run the teams connector in 8.12

[bekhit]

@danajuratoni For Teams, Currently we're facing the below errors with the credentials that were previously used for testing.

1. An error is displayed indicating the requirement to use Multifactor Authentication. But in this case the MFA is already enabled for the configured user.
2. Another error faced is that the user or Administrator has not consented to use the application . But in this case the Admin consent for the permissions is already granted for the registered App in Azure .

We're working on resolving the issues and will update if there are any changes . If there is any anything your team is aware of, Please let us know.

i am facing the same for error # 2 (Admin Consent) .. any update on that ?

[kajal-elastic]

@bekhit In order to resolve the issue, Below steps can be followed: Go to https://entra.microsoft.com/ --> Login with Admin Credentials --> Click on Applications on the left hand side --> Enterprise Applications --> Click on your application from All applications --> Permissions --> Grant Admin consent.

Refer the screenshot mentioned in the above comment

[bekhit]

ick on Applications on the left hand side -->

Hi Kajal,

Thank you for the reply.

In fact, we already granted the admin consent and followed the exact steps .. however, it keeps showing the same Interactive Permission request error as per the screenshot below

[kajal-elastic]

It Seems like you're Granting Admin Consent from Azure Portal where the application was created. Can you check with Admin and Grant permission to Application on Microsoft Entra Admin Center ? as mentioned in steps above

Reference: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal#:~:text=To%20grant-,tenant%2Dwide%20admin%20consent,-to%20an%20app

[bekhit]

It Seems like you're Granting Admin Consent from Azure Portal where the application was created. Can you check with Admin and Grant permission to Application on Microsoft Entra Admin Center ? as mentioned in steps above

Reference: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal#:~:text=To%20grant-,tenant%2Dwide%20admin%20consent,-to%20an%20app

We did the same .. but for the Return URL we just kept it to a public website and it is still giving the same error after I logged in using the Teams connector app user name. Again it says request admin consent!

[kajal-elastic]

@bekhit Can you please try by creating a New application in Azure Portal and providing the permissions and admin consent for the same?

[bekhit]

@bekhit Can you please try by creating a New application in Azure Portal and providing the permissions and admin consent for the same?

@kajal-elastic It is woking now after upgrading to the latest connector and Elasticsearch 8.12.0.

However, the User Graph API was failing. Also where can I find he documentation that allows me to filter only specific data to be indexed? (ie. Only Documents in a specific Teams site)

[kajal-elastic]

@bekhit Advanced Sync rules are not supported for Teams connector yet.

[bekhit]

@bekhit Advanced Sync rules are not supported for Teams connector yet.

          @bekhit Advanced Sync rules are not supported for Teams connector yet.

Originally posted by @kajal-elastic in https://github.com/elastic/connectors/issues/1988#issuecomment-1905335360

@kajal-elastic Update:

The Consent error is gone as described. However, we are getting a lot of unauthorized errors for events, channels, users, etc. as a warning from Graph API as per the screenshot below. I am getting some data for items and Unser Meetings .. nut after 2 Hours the Connector stuck with the message on screenshot 2 """Verify that the correct Graph API and Microsoft Teams permissions are granted to the app and admin consent is given. If the permissions and consent are correct, wait for several minutes and try again..""".

Also a lot of QueeMem error came before the connector stuck with the Authorization error (Screenshot below)

NOTE: the admin consent is granted on Azure App and I have reapplied again to be sure but still the Authorization error still came.

[akanshi-elastic]

Hi @bekhit Can you please share the screenshot of all added permissions once again? I just need to verify the issue

[bekhit]

Hi @bekhit Can you please share the screenshot of all added permissions once again? I just need to verify the issue

Hi @akanshi-elastic .. permission is there asper the Connector documentation and rechecked.

[kajal-elastic]

@bekhit Authorization issue is faced as some of the permissions doesn't have Admin Consent (As per the Screenshot shared). Can you please grant Admin Consent for all the permissions ? by clicking on Grant Admin Consent for Abu Dhabi Executive Office

[bekhit]

Can you please grant Admin Consent for all the permissions ? by clicking on Grant Admin Consent for Abu Dhabi Executive Office

Hi @kajal-elastic this column is actually about Teams "Require admin consent" flag .. not the exact "admin consent". Below is another screenshot indicating we have given the required admin consent.