Why this guide exists
Microsoft Teams is the destination platform in roughly 70% of cross-platform messaging interoperability deployments, simply because Microsoft 365 is bundled with the productivity stack at most large enterprises. NextPlane's Teams federation product sits on the receiving end of bridges from Slack, Webex, Google Chat, and historically Skype and Jabber. If you searched for "NextPlane Microsoft Teams setup," you are likely either deploying NextPlane or evaluating it.
NextPlane's official Teams user guide covers the installation steps. What it does not cover — because no vendor's own user guide ever does — is the set of architectural choices baked into the install, the trade-offs they imply, and the points at which a candid 2026 enterprise evaluation might choose a different product.
This guide does both. The first half is an honest end-to-end installation walk-through: tenant-level installation, the Microsoft Graph permissions requested, channel federation configuration, identity mapping with the Microsoft 365 UPN, ad-hoc voice/video escalation behavior, governance and compliance integration depth (including Microsoft Purview), and troubleshooting common errors. The second half is a structured comparison with SyncRivo — the modern alternative that NextPlane prospects most often evaluate against in 2026.
NextPlane is a credible, mature product. We are not going to pretend otherwise. We are going to name the specific architectural differences that matter and let you decide which product fits your enterprise.
What NextPlane Teams federation actually is
NextPlane's Microsoft Teams federation is the Teams-side endpoint of NextPlane's hub-and-spoke OpenHub architecture. The product is a Microsoft Teams app (built on the Microsoft Bot Framework) installed at the tenant level, plus a corresponding NextPlane cloud component that translates messages between Teams and the source platform (Slack, Webex, Google Chat, etc.).
Three architectural facts shape the rest of the setup:
- Tenant-level install. The Teams app is installed at the Microsoft 365 tenant level via the Teams admin center, not workspace-by-workspace. This is the right model for Teams (which is itself tenant-scoped) but means the install requires Global Administrator or Teams Administrator role.
- Bot Framework as the message transport. Inbound and outbound messages between Teams and NextPlane's cloud ride the Microsoft Bot Framework's HTTPS endpoints. This is the standard Microsoft-blessed integration pattern; it inherits Bot Framework's rate limits and message-size constraints.
- Identity mapping by UPN. A Teams user is identified by their Microsoft 365 User Principal Name (UPN), which NextPlane maps to the source-platform identity through the directory mapping configured at install time.
NextPlane's Teams federation is mature, well-documented, and proven in production at Fortune 500 scale. The architectural choices were made when the Bot Framework was the only viable Teams-side integration surface, and they remain reasonable in 2026 even though newer platform APIs (e.g., Microsoft Graph's chat and channel resources) now offer alternative integration patterns.
Prerequisites before installing
Before you begin the Teams-side install, confirm the following with your Microsoft 365 administrators and your NextPlane account team:
- A signed NextPlane order form with Microsoft Teams as either a source or destination platform.
- A Microsoft 365 tenant on E3, E5, Business Premium, or equivalent. The Teams app uses Bot Framework features that require these SKUs.
- A Global Administrator or Teams Administrator role for the install. The OAuth consent screen requires admin consent on the application-level permissions NextPlane requests.
- The destination platform's NextPlane app already installed (typically Slack, Webex, or Google Chat) — federation is bidirectional and both ends must be live before the first bridged message will route.
- A directory source for identity mapping. Azure AD is the default; on-premises AD synchronized via Azure AD Connect also works.
- Conditional Access policies reviewed. If your tenant has Conditional Access policies that require compliant or hybrid-joined devices, the NextPlane app's service principal may need an explicit exclusion or a service-principal-based policy adjustment.
A pre-install call with NextPlane's deployment team is standard. For Teams installs in particular, the call should include your Microsoft 365 administrator, because the Conditional Access and Purview review needs Microsoft-side context.
The actual installation walk-through
The Teams-side install has three phases: app deployment, permission grant, and federation configuration.
Phase 1 — App deployment
NextPlane provides the Teams app as a custom app package (a .zip containing the manifest and icons) or, for some tenants, via a private Microsoft Teams app store entry. The deployment steps:
- Sign in to the Microsoft Teams admin center as Teams Administrator.
- Navigate to Teams apps → Manage apps.
- Click Upload new app and select the NextPlane app package.
- Once uploaded, locate the app in the Manage apps list and set its policy assignment — typically "Allowed" globally, with permission policies controlling which user cohorts can install it in personal scope.
- Pin the app to the Teams app bar via app setup policies (optional but recommended for discoverability).
Custom app deployment is a 10-15 minute operation if the tenant's app upload policy permits it. Some tenants restrict custom app uploads, in which case the NextPlane app has to be allowlisted via the app permission policy first.
Phase 2 — Microsoft Graph permissions and admin consent
When the NextPlane app is first invoked in Teams, it triggers an OAuth consent flow against Microsoft Entra ID (formerly Azure AD). The permission set varies slightly by deployment configuration, but a typical install requests:
| Permission | Type | Purpose | Sensitivity |
|---|---|---|---|
User.Read | Delegated | Read the signed-in user's profile for identity mapping | Low |
User.ReadBasic.All | Delegated | Read basic profile info for federated users | Low |
ChannelMessage.Send | Delegated | Post bridged messages into Teams channels | Medium |
ChannelMessage.Read.All | Application | Read messages from federated channels | High |
Channel.ReadBasic.All | Application | List channels for federation selection | Medium |
Team.ReadBasic.All | Application | List teams for federation selection | Medium |
Files.ReadWrite.All | Application | Bridge file attachments | High |
The honest call-out here is that several of these are application-level permissions with admin consent — meaning the NextPlane backend can act tenant-wide, not just on behalf of an individual user. This is the standard Bot Framework pattern for a tenant-scoped Teams app, and it is unavoidable if you want the bot to read messages from channels it has been added to without each user re-consenting. But your security team should see the request justification in writing before granting consent, and you should ask NextPlane explicitly whether any of the application-level permissions can be scoped down to delegated equivalents.
The architectural reasoning behind preferring delegated permissions where possible is in our admin permissions cybersecurity post, which covers the operational risk of tenant-wide application tokens at length.
Phase 3 — Channel federation configuration
After the permission grant, federation policy is configured in NextPlane's admin console:
- Channel selection — the explicit list of Teams channels that are bridged to the source platform. The console reads the tenant's channel list via Microsoft Graph and presents a searchable picker.
- Destination mapping — for each Teams channel, the corresponding source-platform channel (or a "create new" instruction).
- Federation policy per channel — direction (Teams-to-source, source-to-Teams, or both), retention override, and DLP routing.
- Identity-mapping rules — UPN-to-source-platform-identity mapping, with explicit handling for shared mailboxes and service accounts.
A common gotcha: the NextPlane app must be added to each Teams channel before it can read messages from that channel, even though it has tenant-wide ChannelMessage.Read.All permission. This is a Microsoft Teams platform requirement (the bot must be a channel member). The admin console will surface this as a setup step for each newly federated channel; expect to coordinate with the channel owner for non-public team channels.
Identity mapping and the M365 UPN
Identity mapping is the most quietly important part of a Teams federation install. The model NextPlane uses:
- The Teams user is identified by their UPN (e.g.,
alex.morgan@contoso.com). - The source-platform user is identified by email or platform-specific user ID (Slack user ID, Webex email, Google Workspace email).
- NextPlane's directory mapping tables link these identities, with email as the default join key.
Three failure modes to plan for:
- UPN mismatch with primary SMTP. A user whose UPN is
alex.morgan@contoso.onmicrosoft.combut whose primary SMTP isalex.morgan@contoso.comwill fail to map by email unless the mapping is configured to use the SMTP address. Check this for any tenant where UPN suffixes differ from email suffixes. - M&A artifacts. A user who was
alex@acme.combefore the Acme acquisition and is nowalex.morgan@contoso.comin Teams but stillalex@acme.comin the source-platform directory needs an explicit mapping rule. - Shared mailboxes and service accounts. These should be explicitly excluded from federation or mapped to a service-account identity on the source side.
The NextPlane SCIM connector handles the steady state well; the M&A and UPN-mismatch cases require explicit configuration during the install.
Voice and video escalation behavior
This is the section where the architectural conversation gets real. NextPlane's Teams federation supports ad-hoc voice and video escalation through a deep-link pattern: a user in the source platform who clicks "call" on a federated Teams user is handed a Teams meeting deep link that opens the Teams client and joins a meeting room.
The strengths of this approach:
- It works with any Teams calling configuration (PSTN, Teams Phone, or chat-only Teams).
- It uses Microsoft's native calling stack on the Teams side, inheriting Microsoft's call quality and compliance recording.
The limitations:
- The called party experiences a context switch — they receive an email/chat notification and join through their browser or Teams client, not as a native incoming call.
- There is no federated media path. Each side connects to the meeting room independently; SyncRivo's tier-2/3 architecture, by contrast, federates the media path itself.
- Call analytics are split: Teams sees its leg, the source platform sees its leg, and there is no unified call record.
For deployments where chat is the primary use case and calls are occasional, NextPlane's deep-link model is acceptable. For deployments where federated calling is a daily workflow — particularly post-merger environments where teams are routinely on Teams ↔ Webex calls — the architectural difference matters. The deep architectural treatment is in our voice and video interoperability architecture deep-dive.
Governance, compliance, and Purview integration
Microsoft Purview is Microsoft's unified governance and compliance platform, and the depth of a federation product's Purview integration is one of the most under-asked questions in 2026 enterprise procurement. Three integration depths to evaluate:
- Surface-level (audit log forwarding). Bridged messages appear in Microsoft 365's unified audit log via the standard Bot Framework audit hooks. NextPlane provides this.
- Mid-level (eDiscovery). Bridged messages are discoverable in Microsoft Purview eDiscovery searches. NextPlane provides this for messages posted into Teams; messages bridged out of Teams are surfaced through NextPlane's own audit export.
- Deep (DLP and retention native to Purview). DLP policies authored in Microsoft Purview are evaluated against bridged message content. NextPlane's depth here varies by deployment; ask explicitly whether your specific DLP policies (e.g., credit-card detection, policy-based blocking) are evaluated on bridged traffic.
The honest position: NextPlane's Purview integration is good for audit and eDiscovery, less complete for native DLP enforcement on bridged content. SyncRivo's posture is similar but with an additional optional path: SyncRivo can route bridged messages through a customer-controlled DLP scanner (e.g., Microsoft Purview, Symantec DLP, or a custom inspection service) before delivery, with allow/block decisions enforced at the routing layer.
Common errors and how to troubleshoot them
A short troubleshooting catalog from real installs:
- "App installation policy blocks this app." The tenant's app permission policy doesn't allow the NextPlane custom app. Resolution: add the app to the allowed list in the Teams admin center.
- "Bot is not a member of this channel." The NextPlane bot wasn't added to the federated channel. Resolution: a channel owner adds the bot as a member.
- "Authorization failed for application permissions." Admin consent wasn't granted, or was granted by a non-admin. Resolution: a Global Administrator re-grants consent through the admin consent URL NextPlane provides.
- "User mapping not found." The Teams user's UPN doesn't match any mapping in NextPlane's directory. Resolution: verify SCIM provisioning is running, or add an explicit mapping rule.
- "Message size exceeds limit." Bot Framework caps message size at ~28KB; very long bridged messages or messages with many embedded files will be truncated. Resolution: split-message handling at the source platform, configured per-channel.
- "Conditional Access policy blocks the request." A CA policy requires compliant devices; the NextPlane bot doesn't satisfy it. Resolution: exclude the NextPlane service principal from the CA policy.
When to evaluate SyncRivo instead
The same architectural shifts that warrant a SyncRivo evaluation in the Slack guide apply on the Teams side, sometimes with even sharper edges because Microsoft 365's compliance requirements are stricter.
Sub-100ms routing. SyncRivo's routing tier is a stateless edge service with regional replication; median routing latency is sub-100ms p50 and sub-300ms p95.
Tier-2 native voice/video. SyncRivo federates voice and video natively across Slack, Teams, Webex, Google Chat, and Zoom — no deep-link handoff, no split call analytics.
Delegated-permission default. SyncRivo's default Teams install requests delegated per-user Graph scopes only. Application-level scopes are opt-in and explicitly logged.
5-platform federation. Slack, Teams, Webex, Google Chat, Zoom — under a single contract.
Faster BAA execution. Average 11 business days from request on the Enterprise tier.
EU/UK/AU/CA data residency. SyncRivo runs regional control planes in eu-west-1, eu-central-1, uk-south-1, ap-southeast-2, and ca-central-1, with message routing pinned to the chosen region. This matters more on the Teams side than the Slack side because Microsoft 365's own data-residency commitments make customers ask the same question of every adjacent service.
SOC 2 Type II. Audit window January 1 – December 31, 2025, available under NDA via the trust center.
If your deployment has none of these requirements, NextPlane is likely the right fit. If two or more apply, SyncRivo is worth a structured pilot.
Setup checklist comparison
| Setup step | NextPlane Teams | SyncRivo Teams |
|---|---|---|
| Pre-install call | Required (60 min) | Optional (30 min) |
| Custom app upload | Required | Required |
| App permission policy review | Required | Required |
| Application-level Graph consent | Required by default | Optional, opt-in only |
| Delegated Graph consent | Per-user, automatic | Per-user, automatic |
| Bot must be added to each channel | Yes | Yes |
| SCIM provisioning configuration | 1-3 business days | 1-2 hours |
| Identity mapping rules | Email/UPN, manual for edge cases | Email/UPN/SAML assertion, manual for edge cases |
| Channel federation policy | Per-channel in NextPlane console | Per-channel in SyncRivo console |
| First bridged message | 1-3 business days end-to-end | 30-60 minutes end-to-end |
| Voice/video escalation | Deep-link to Teams meeting | Native federated media path |
| Purview audit forwarding | Yes | Yes |
| Purview DLP enforcement | Audit-only on bridged content | Optional inline DLP routing |
| Default retention | Configurable, defaults to 90 days | Zero-retention default |
Deployment-effort comparison
For a 5,000-user enterprise federating Slack ↔ Teams across 50 channels, typical deployment effort:
| Effort dimension | NextPlane | SyncRivo |
|---|---|---|
| Pre-sales architecture review | 4-6 hours | 2-3 hours |
| App package upload and policy config | 2-3 hours | 2-3 hours |
| OAuth consent and admin sign-off | 1-2 hours plus security review | 1 hour, lower scope |
| SCIM provisioning setup | 1-3 business days | 4-8 hours |
| Channel federation configuration | 4-6 hours for 50 channels | 2-3 hours for 50 channels |
| User-acceptance testing | 1-2 weeks | 1-2 weeks |
| Total wall-clock to production | 4-6 weeks | 2-3 weeks |
| Net IT effort hours | 30-40 hours | 15-20 hours |
The difference is not order-of-magnitude; it is roughly 2x. For a one-time install at a single enterprise, the difference is unlikely to drive the decision on its own. For a multi-tenant deployment (e.g., a managed service provider deploying federation to dozens of customer tenants), it compounds.
A note on the broader UC strategy
If you are deploying Teams federation as part of a larger unified-communications strategy, the broader framing is in our 12 benefits of unified communications post, which covers the strategic decisions (federate vs. consolidate, single-vendor vs. best-of-breed, cloud-only vs. hybrid) that should bracket the federation product choice.
Frequently asked questions
Can I install NextPlane and SyncRivo Teams apps in the same tenant? Yes. The two apps coexist at the tenant level without conflict. You should bridge different channel pairs in each product during evaluation to avoid duplicate-message delivery.
Can I migrate from NextPlane to SyncRivo without downtime? Yes, with a phased channel-by-channel cutover. The standard plan moves channels in batches of 5-10 per cutover window with a 24-hour parallel-run on each batch. A 50-channel migration typically completes in 2-3 weeks.
Does SyncRivo support the same channels NextPlane covers on the Teams side? SyncRivo bridges Microsoft Teams to Slack, Webex, Google Chat, and Zoom. NextPlane historically covered Slack, Webex, Skype for Business, and Cisco Jabber on the Teams side. The overlap is Slack and Webex; SyncRivo adds Google Chat and Zoom; NextPlane retains Skype/Jabber for residual deployments.
Will my Microsoft Purview eDiscovery searches still find bridged messages after migration? Yes for new bridged messages. Historical NextPlane-era bridged messages remain discoverable in Purview because they were posted into Teams via the Bot Framework and stored natively in Microsoft 365. SyncRivo's bridged messages are similarly stored natively.
Does SyncRivo require Global Administrator consent like NextPlane? SyncRivo's default install can complete with Teams Administrator consent and delegated per-user permissions only — no Global Administrator role required. Customers who want application-level capabilities (e.g., tenant-wide audit export) can opt in, but it is not the default.
What is SyncRivo's actual routing latency on the Teams side? Sub-100ms p50 and sub-300ms p95 measured across all five federated platforms. The Teams-side latency is dominated by Microsoft Graph and Bot Framework response times rather than SyncRivo's processing.
Does SyncRivo have a HIPAA BAA for Teams federation? Yes, on the Enterprise tier. Average execution time from request to signed BAA is 11 business days. The BAA covers SyncRivo's processing of PHI in transit through the Teams federation path.
Where does SyncRivo store Teams message metadata? By default, nowhere. SyncRivo's zero-retention default means bridged messages are routed in memory and not persisted. Customers can opt in to metadata persistence (for audit completeness or message-mapping purposes) with regional storage in their chosen data-residency region.
Closing: the right call depends on your specifics
NextPlane's Teams federation is a mature, production-proven product. For deployments that don't need tier-2 voice/video federation, that are comfortable with application-level Graph permissions, and that don't need Google Chat or Zoom in the federation set, NextPlane remains a credible answer.
For deployments that need tier-2 voice/video, delegated-only permission defaults, 5-platform coverage, fast BAA execution, regional data residency, or sub-100ms routing latency, the SyncRivo evaluation is worth the calendar time.
The next step is a 30-minute architecture review where we map your specific Teams requirements against both products. Book a no-obligation review, or if you are ready to test, request a 30-day SyncRivo pilot on the channels where the architectural difference will matter most.
Ready to connect your messaging platforms?
