Deploy a MS Bot into Teams securely in the enterprise

Question

Deploy a MS Bot into Teams securely in the enterprise

Welsh Beuller 10

We've built an app for Teams that takes a synchro video AI webrtc feed and drops it into Teams. The bot joins and shows the Avatar as an active participant. We're now rolling this out to our first Enterprise customer.

A few questions:

Does this need to be in app store, or can we do just a private install?
Can we configure which of their users get access to it on their Teams tenant?
How do we control if a meeting as the lobby on? Can bots navigate this?

0 comments

2 answers

Your answer

Answer 1

Anonymous

Hi Matthew Dewstowe,

Welcome to Microsoft Q&A Forum! Have a good day and I hope you're doing well!

First off, huge congratulations on securing your first Enterprise customer! Moving from development to a live enterprise tenant is a major milestone. Dealing with IT governance and security policies can definitely be tricky compared to the dev environment, but based on my research and experience with Teams deployments, here are some insights to help you navigate this rollout.

Since your app involves real-time media (WebRTC/Video), the configuration of the bot's identity within the tenant is critical to ensure it isn't blocked by standard meeting security policies.

Here are the specific answers to your questions:

1. Does this need to be in the App Store? No. For a specific enterprise client, you do not need to go through the public App Store validation process.

You should provide the customer with the app package (.zip file). Their IT Admin can perform a "Private Install" by uploading it as a Custom App in the Teams Admin Center (Teams apps > Manage apps > Upload new app). This keeps the app secure and visible only to that specific organization.

Reference: Manage custom apps in Microsoft Teams admin center

2. Can we configure which users get access? Yes, absolutely. Enterprises rarely roll out a new tool to everyone at once.

This is handled via App Permission Policies in the Teams Admin Center. The Admin can create a policy that "Allows" your specific app and assign that policy only to the pilot users (or specific departments). Other users won't even see the app in their catalog.

Reference: Manage app permission policies in Microsoft Teams

3. How do we control if a meeting has the lobby on? Can bots navigate this? To be clear: Bots cannot "navigate" or interact with the lobby interface autonomously. They cannot "click" a button to request entry; they are either admitted by a human or allowed to bypass based on their identity.

To ensure your bot joins automatically without getting stuck, you need to configure its Identity and Permissions:

The Identity Factor: If your bot joins as an "anonymous" guest, it will almost always be stuck in the lobby. You should configure the bot with a Resource Account within the customer's tenant and associate it with your app’s Application ID. This treats the bot as an "Internal User" (Trusted App).

Graph API Permissions: If you are using Graph APIs for the bot to join (e.g., POST /communications/calls), ensure you have granted the application-level permission: Calls.JoinGroupCall.All. This is a high-privilege permission that allows the bot to join meetings directly.

Meeting Policies: Even with the right identity, the bot is subject to the Meeting Policies set by the Admin. The "Who can bypass the lobby" setting should be configured to "People in my organization". If your bot is configured as an internal resource account, it will bypass the lobby automatically.

References:

Register calls and meetings bot for Microsoft Teams

Graph API: Create call / Join meeting

Manage resource accounts for service numbers

Manage who can present and request control in Teams meetings and webinars

Hope this helps, at least partially. Good luck with the rollout! Let me know if you need further clarification on the Resource Account setup.

If the answer is partially helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Sayali-MSFT 5,771 Reputation points Microsoft External Staff Moderator

2026-02-20T05:03:19.61+00:00

Hello Matthew Dewstowe ,
Could you please confirm if your issue has resolved with provided suggestions or still looking for any help?
Welsh Beuller 10 Reputation points

2026-02-20T08:00:11.41+00:00

Still open.
Sayali-MSFT 5,771 Reputation points Microsoft External Staff Moderator

2026-02-20T10:37:47.1666667+00:00

Hello Matthew Dewstowe,
The app does not need to be in the public Teams App Store. It can be installed privately in your tenant and restricted to specific users or groups. Access is fully controlled by Teams app policies. The avatar bot joins meetings as a participant and follows the same lobby rules as other attendees — it cannot bypass the lobby on its own and must be admitted unless meeting policies allow in‑org participants to bypass the lobby.
Anonymous

2026-02-20T14:07:04.2433333+00:00

Hi Matthew Dewstowe,

Hope you found these responses helpful. If you have any updates on this, feel free to share them anytime.
Welsh Beuller 10 Reputation points

2026-02-21T06:50:22.7133333+00:00

A few more questions to add here, then I have everything.

If we are using the bot framework to join, to be clear, do we always new a tenant app installed or is there a way without this?

Also, if we wanted to extend the app so that we could start a call with a video av`atar of choice direct from Teams, what would we need to do.
Anonymous

2026-02-23T06:35:52.93+00:00

Hi Matthew Dewstowe,

Thanks for your response. Based on my research into Microsoft Teams development, here is the breakdown for your specific scenarios.

To address your follow-up questions:

1. Do we always need a tenant app installed, or is there a way without this? Technically, you don't always need to install the app in the customer's tenant, but there are significant trade-offs.

The "Guest Join" Method (No Install): If your bot only needs to join meetings via a meeting URL to stream video and doesn't need to interact with chat or files, it can join as an external "Anonymous Guest."

Zero installation for the IT Admin. The bot will almost always get stuck in the Lobby and require manual admission by a human. It will appear as an external user (e.g., "Guest: AI Bot"), which can look less professional in an enterprise setting.

The "Tenant App" Method: To bypass the lobby automatically, be treated as a trusted internal participant, or have a proper name/identity in the meeting, you must install it as a Custom App (LOB) in the customer's tenant.

2. What would we need to do to start a call with a video avatar directly from Teams? To allow internal users to start a call with a chosen avatar directly from their Teams client, you will need to surface your service as a fully integrated Teams App. Here is the general technical approach:

Step 1 - User Interface (The "Tab"): You would add a Personal Tab to your app manifest. This tab is essentially a web page hosted inside Teams where users can browse your avatar library and click a "Start Call" button.

Step 2 - Initiate the Session: When the user clicks the button, your app's backend uses the Microsoft Graph API (specifically POST /me/onlineMeetings or POST /communications/calls) to generate a meeting instance or a 1:1 call.

Step 3 - Programmatic Join & Inject Media: Your bot, built with the Microsoft Graph Communications Local Media SDK (Application Hosted Media), then programmatically joins that newly created meeting. Once connected, it dynamically loads and streams the specific WebRTC video feed (the chosen avatar) based on the user's selection.

Because this scenario requires an actual interface inside the Teams client for the user to make their selection, it does require packaging and deploying your solution as a custom Teams App into their tenant.

Hope this clarifies things!

Best regards.
Anonymous

2026-02-25T05:54:26.1066667+00:00

Hi Matthew Dewstowe,

We’d love to hear back from you whenever you're ready.

If the answer has been even partially helpful, please consider marking it as “Accepted Answer” so others facing similar issues can find it more easily.

If there’s any update, please don’t hesitate to let us know.

Thanks for your understanding and support!

Answer 2

kagiyama yutaka 3,250

I think u can keep it privte… we just sideload the bot into their tenant n lock it down with a scoped app‑setup pol so only the groups they pick can touch it. bots dont get thru lobby… u need a meeting pol that auto‑admits cloud apps or it’ll just sit there blinkin. hope that helps a bit.

Welsh Beuller 10 Reputation points

2026-02-20T07:59:36.6733333+00:00

Thank you. So to be clear. No need to put in the App store to make this work?

And what do you mean by meeting pol?
kagiyama yutaka 3,250 Reputation points

2026-02-20T11:47:33.32+00:00

yeah, no store needed… u can keep it private and just upload the app into their tenant. by “meeting pol” I meant the Teams meeting policy in TAC and they need one that auto‑admits cloud apps or the bot gets stuck in lobby. wish this help u.
Welsh Beuller 10 Reputation points

2026-02-23T14:44:52.2333333+00:00

These are great answers, thank you. I just want to go back to one point. If there is no lobby can the bot still join a meeting on another tenant where the app is not installed? Will this allow us to bring our Avatar into it?
kagiyama yutaka 3,250 Reputation points

2026-02-25T06:18:13.1666667+00:00

nah, even with no lobby the bot can’t join a meeting in another tenant unless the app exists in that tenant. teams bots only run inside the tenant where the app’s installed, so they’d need to add ur app on their side for the avatar to show up.

Share via

Deploy a MS Bot into Teams securely in the enterprise

2 answers

Your answer