This project demonstrates how to build and deploy a bare-minimum Microsoft Teams agent using the microsoft/Agents-for-python SDK. The agent is designed to run as a simple Python web service, leverage delegated user permissions (not a global service principal), and be deployed to Azure App Service using GitHub Actions. All dependencies and environments are managed with uv.
- Project Structure
- Prerequisites
- Setup & Development
- Managing Dependencies with uv
- Teams Agent: Delegated Permissions
- Terraform: Azure Infrastructure
- Deployment: Azure App Service & GitHub Actions
- Security Notes
- References
| Folder/File | Purpose |
|---|---|
| `app/` | Python source code for the Teams agent |
| `pyproject.toml` | Python project metadata and dependencies |
| `requirements.txt` | (Optional) For uv compatibility |
| `.env` | Environment variables (never commit secrets) |
| `terraform/` | Terraform IaC for Azure resources |
| `.github/workflows/azure-appservice.yml` | GitHub Actions workflow for CI/CD |
| `README.md` | Project documentation (this file) |
- Python 3.10+
- uv for dependency and virtual environment management
- Terraform for Azure resource provisioning
- Azure CLI for authentication and local testing
- Microsoft 365 developer account with Teams access
- Azure subscription with permissions to create App Services
- GitHub repository for source and CI/CD
- Clone the repository:

  ```bash
  git clone https://github.com/your-org/your-repo.git
  cd your-repo
  ```

- Install `uv` (if not already installed):

  ```bash
  pip install uv
  ```

- Install dependencies and create a virtual environment:

  ```bash
  uv venv
  uv pip install -r requirements.txt
  ```

  Or, if using `pyproject.toml`:

  ```bash
  uv pip install .
  ```

- Run the agent locally:

  ```bash
  uv pip install -e .
  # Make sure to install uvicorn if you haven't already: uv pip install uvicorn
  uvicorn app.main:app --reload --port 5000
  ```
- Add dependencies:

  ```bash
  uv pip install <package>
  ```

- Update dependencies:

  ```bash
  uv pip install --upgrade <package>
  ```

- Export requirements (for CI/CD):

  ```bash
  uv pip freeze > requirements.txt
  ```
- Delegated permissions: The agent should authenticate as the signed-in user (not a service principal), so actions are performed on behalf of the user, respecting their Teams/Microsoft 365 permissions.
- OAuth2 Authorization Code Flow is required; users must sign in and consent to the required scopes. The application uses FastAPI as its web framework.
- No global admin/service principal required: This improves security and auditability.
Key setup steps:
- Register an Azure AD application for your agent.
- Configure redirect URIs for both local and deployed environments.
- Request only the minimal delegated permissions (e.g., `Chat.Read`, `User.Read`).
- Implement OAuth2 code flow in your agent (using `msal` or similar). The `app/main.py` file contains the FastAPI application logic.
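The sign-in steps above, sketched with the standard library only as an added example (not the project's code; `msal` wraps the same exchange): it builds the Microsoft identity platform authorization request with `state` and PKCE, enforces the scope and redirect-URI allow-lists, and validates the callback before the code is redeemed. The tenant, client ID, callback path and deployed hostname are assumed placeholders.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# All values below are assumptions for illustration, not taken from the project.
TENANT = "common"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder app (client) ID
REDIRECT_URIS = {  # must match the URIs registered on the app registration
    "http://localhost:5000/auth/callback",                      # local (assumed path)
    "https://teams-agent-app.azurewebsites.net/auth/callback",  # deployed (assumed host)
}
ALLOWED_SCOPES = {"User.Read", "Chat.Read"}  # the minimal delegated scopes named above
AUTHORIZE = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"


def begin_sign_in(redirect_uri, scopes):
    """Return (authorize_url, flow); keep `flow` server-side in the user's session."""
    if redirect_uri not in REDIRECT_URIS:
        raise ValueError("redirect URI is not on the allow-list")
    extra = set(scopes) - ALLOWED_SCOPES
    if extra:
        raise ValueError(f"scopes beyond least privilege: {sorted(extra)}")
    state = secrets.token_urlsafe(32)     # binds the callback to this browser session
    verifier = secrets.token_urlsafe(64)  # PKCE code_verifier (RFC 7636)
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    query = urlencode({
        "client_id": CLIENT_ID, "response_type": "code", "response_mode": "query",
        "redirect_uri": redirect_uri, "scope": " ".join(scopes), "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    })
    flow = {"state": state, "code_verifier": verifier, "redirect_uri": redirect_uri}
    return f"{AUTHORIZE}?{query}", flow


def finish_sign_in(callback_url, flow):
    """Validate the redirect; return the form fields for the token request."""
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if "error" in params:  # e.g. the user declined consent
        raise PermissionError(params["error"])
    if not hmac.compare_digest(params.get("state", "").encode(), flow["state"].encode()):
        raise PermissionError("state mismatch")
    if "code" not in params:
        raise PermissionError("authorization code missing")
    # A confidential web app also sends its client secret or certificate assertion.
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "code": params["code"], "redirect_uri": flow["redirect_uri"],
            "code_verifier": flow["code_verifier"]}
```

In a FastAPI route, `flow` would live in a server-side session keyed by a secure, HTTP-only cookie, never in the URL or client-readable storage.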
Use Terraform to provision:
- Resource group
- App Service plan (Linux)
- Azure App Service (Python runtime)
- (Optional) Azure Key Vault for secrets
Example Terraform structure:
```hcl
# Note: azurerm_app_service_plan and azurerm_app_service are the legacy resource
# types; azurerm 3.x introduced azurerm_service_plan and azurerm_linux_web_app
# as their replacements.
resource "azurerm_resource_group" "main" {
  name     = "teams-agent-rg"
  location = "westeurope"
}

resource "azurerm_app_service_plan" "main" {
  name                = "teams-agent-plan"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  kind                = "Linux"
  reserved            = true

  sku {
    tier = "Basic"
    size = "B1"
  }
}

resource "azurerm_app_service" "main" {
  name                = "teams-agent-app"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  app_service_plan_id = azurerm_app_service_plan.main.id

  site_config {
    linux_fx_version = "PYTHON|3.10"
  }

  app_settings = {
    "ENVIRONMENT" = "Production"
  }
}
```
- Continuous Deployment: Use GitHub Actions to build and deploy on push to `main`.
- Azure Publish Profile: Store as a GitHub secret (`AZURE_WEBAPP_PUBLISH_PROFILE`).
Sample `.github/workflows/azure-appservice.yml`:

```yaml
name: Deploy Python Teams Agent to Azure App Service

on:
  push:
    branches: [main]

env:
  AZURE_WEBAPP_NAME: teams-agent-app
  AZURE_WEBAPP_PACKAGE_PATH: '.'

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.10'
      - name: Install uv
        run: pip install uv
      - name: Install dependencies
        # No virtual environment exists on the runner, so install into the
        # setup-python interpreter with --system.
        run: uv pip install --system -r requirements.txt
      - name: Archive app for deployment
        run: zip -r app.zip .
      - name: Deploy to Azure Web App
        uses: azure/webapps-deploy@v3
        with:
          app-name: ${{ env.AZURE_WEBAPP_NAME }}
          # The publish profile is a deployment credential; it is read only from repository secrets.
          publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
          package: app.zip
```
- Never commit secrets: Use `.env` for local, Azure App Service settings for production.
- Delegated permissions: Users must sign in and consent; agent acts strictly within user’s access.
- Least privilege: Only request the permissions your agent needs.