Get started
Installation
- Go to Settings > Integrations and select Microsoft Teams
- Click “Connect”
- You’ll be prompted to install the Devin app for Microsoft Teams in your tenant and/or target Team
- Make sure to link your individual user. All users in your organization will need to complete this step to use Devin
- Mention
@Devinin a Team channel or chat to start a session
Note: For Devin to work for each user, every individual must connect their own account in the Devin dashboard (Settings > Integrations). This lets Devin associate their Microsoft Teams identity with their Devin user.
How to use Devin from Microsoft Teams
Once you’ve installed the Microsoft Teams integration, simply trigger Devin with@Devin in any Team channel.
Devin will respond in-thread to your session. You can communicate back and forth just like in the regular Devin chat interface.
Note that Devin may make mistakes. Please double-check responses.
Inline Teams Keywords & Functions
| Keyword | Function |
|---|---|
!ask | Begin your message with !ask to get a quick codebase answer without starting a full agent |
!deep | Get a deeper research answer using advanced search |
mute | Prevents Devin from seeing further messages in the thread |
unmute | Reverses the above |
(aside), !aside | Causes Devin to ignore the message (useful for commentary on Devin’s run directly in-thread) |
sleep | Puts Devin to sleep; to wake Devin up, send any message in the thread |
archive | Puts Devin to sleep + archives the session |
EXIT | Ends the session |
help | Shows help message with available keywords and functions |
Pricing
If you don’t yet have a Devin account, you can learn more about pricing and plans here.Privacy
Our privacy policy is available here.Authentication Flow
The diagram below illustrates the high-level authentication architecture for the Microsoft Teams integration, showing how authentication flows from Teams through various layers to create authenticated Devin sessions.Permissions Details
Below is a summary of the Microsoft Teams and Microsoft Graph permissions our integration requires—what each grants, why we need it, and where it’s used.At a glance
- Graph (Application, tenant-wide): discovery & installation orchestration.
- Teams bot RSC (per Team/Chat): scoped access to messages/members/settings only where the bot is installed or present.
Tenant-wide Microsoft Graph (Application) Permissions
These require Admin Consent in Entra ID (Azure AD). They are app-only (no user delegation).| Permission | What it allows | Why we need it |
|---|---|---|
Organization.Read.All | Read basic org profile | Validate the tenant where the app is being installed |
User.ReadBasic.All | Read basic profiles for all users | Map member identities and resolve mentions in linked Teams |
AppCatalog.Read.All | Read the Teams app catalog | Locate our app and fetch teamsAppId required for installation |
TeamsAppInstallation.ReadWriteAndConsentSelfForTeam.All | Install/uninstall our own app; grant app RSC | Install/remove the bot in a selected Team from the Devin dashboard |
Note: We do not use tenant-wide Graph to read message content. Message access is granted only via RSC and only where the bot is installed/present.
Teams Bot Resource-Specific Consent (RSC) Permissions
These are granted per Team/Chat at install time (do not apply tenant-wide).| Permission | Scope | What it allows | Why we need it |
|---|---|---|---|
ChannelMessage.Read.Group | Team/Channel | Read channel messages where the app is installed | Process channel conversations (summaries, triggers, syncing) |
ChannelMessage.Send.Group | Team/Channel | Send messages in channels (new posts and threaded replies) where the app is installed | Respond to messages in channel threads and proactively post updates to channels |
Member.Read.Group | Team/Channel | Read team membership | Map identities, permission checks, mention routing |
TeamSettings.Read.Group | Team/Channel | Read Team settings | Respect Team-level policies and tailor behavior |
ChatMember.Read.Chat | Chat | Read chat participants | Address/respond correctly and support audit trails |
ChatMessage.Read.Chat | Chat | Read messages in chats where the bot participates | Process prompts, context, and follow-ups |
ChatMessage.Send.Chat | Chat | Send messages in 1:1 and group chats (DMs) where the bot participates; not for channels | Respond to users in DMs and group chats, post notifications, and interactive replies in chat threads |
ChatSettings.Read.Chat | Chat | Read chat settings (e.g., moderation) | Align behavior with chat policies (rate limits, who can post, etc.) |
RSC guardrails: Access is limited to the specific Team/Chat where the app is installed or participates. Removing the app from a Team/Chat revokes that access.
Example: Certificate-Based Authentication for Teams Discovery
The diagram below illustrates our app-only, certificate-based authentication with Microsoft Graph. Using an X.509 client certificate, the service acquires an access token and then calls Graph to list Teams (GET /v1.0/teams). This example demonstrates how Devin securely performs tenant discovery without user context.Credential note: We use an X.509 certificate (client assertion) rather than a client secret for service-to-service authentication. This applies to Microsoft Graph calls, bot communications with the Bot Framework adapter, and any app-only API calls from the integration.
Complete Message Processing Flow (Teams → Cognition)
The diagram below shows the complete end-to-end flow when a user sends a message to Devin in Microsoft Teams, including token validation and bot processing.Credential note: We use an X.509 certificate (client assertion) rather than a client secret for service-to-service authentication. This applies to Microsoft Graph calls, bot communications with the Bot Framework adapter, and any app-only API calls from the integration.
Consent & Installation Flow
- Admin Consent (tenant-wide)
- An Entra ID admin grants the Graph Application permissions listed above.
- App Discovery
- The integration queries the Teams app catalog to locate our app and retrieve
teamsAppId.
- The integration queries the Teams app catalog to locate our app and retrieve
- Targeted Installation
- From our dashboard, we install the bot into a specific Team.
- During installation, the RSC scopes are granted only to that Team (or to the specific Chat when invoked in a chat).
- Operation
- Discovery (org/teams/channels/app catalog) uses Graph Application permissions.
- Reading/sending messages and reading members/settings rely on RSC within installed surfaces.
Least-Privilege Notes
- Basic readers only:
User.ReadBasic.All(no tenant-wide message reading). - Message content is accessed exclusively via RSC and only where the bot is installed/present.
- No mailbox, files, or calendar permissions are requested.
Revocation & Uninstallation
- Revoke Admin Consent: A tenant admin can remove the app’s enterprise app permissions in Entra ID.
- Uninstall from Teams: Remove the app from a Team/Chat to revoke RSC for that resource.
- Data Handling: On uninstall, our integration stops processing events for that Team/Chat and cleans up related subscriptions/links.