A365 Agent Sample for Teams

[rido-min]

This pull request introduces the initial implementation of the Work IQ Teams Bot sample using .NET Aspire. It adds core infrastructure for service defaults, telemetry, health checks, configuration, and the Teams bot application itself. The changes establish a foundation for secure, observable, and scalable development, and include documentation for troubleshooting key integration issues.

Key changes:

1. Service Infrastructure and Observability

• Introduced a shared work-iq-teams-bot.ServiceDefaults project providing extension methods for service discovery, resilience, health checks, and OpenTelemetry tracing/metrics. This includes logic to filter out noisy MCP service spans and to map health endpoints. (Extensions.cs, work-iq-teams-bot.ServiceDefaults.csproj) [1] [2]
• Added application host project (work-iq-teams-bot.AppHost) configured for Aspire, referencing the Teams app project and setting up health checks and logging. (AppHost.cs, work-iq-teams-bot.AppHost.csproj, appsettings.json) [1] [2] [3]

2. Teams Bot Application and Agent Integration

• Implemented the Teams bot application startup, registering the Work IQ agent, Teams bot, and service defaults. (Program.cs)
• Added configuration options for MCP server endpoints (WorkIQAgent.Options.cs) and a factory for authenticated MCP client creation using delegated tokens. (WorkIQAgent.Options.cs, WorkIQAgent.McpClientFactory.cs) [1] [2]
• Provided an in-memory conversation history store with per-conversation locking for safe concurrent access. (IConversationHistoryStore.cs)

4. Build and Dependency Management

• Added a nuget.config specifying sources for required packages, including Teams SDK previews.

These changes lay the groundwork for a robust, cloud-native Teams bot sample with clear diagnostics and extensibility.

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 9 package(s) with unknown licenses.

See the Details below.

License Issues

dotnet/work-iq-teams-bot/work-iq-teams-bot.ServiceDefaults/work-iq-teams-bot.ServiceDefaults.csproj

Package	Version	License	Issue Type
Azure.Monitor.OpenTelemetry.AspNetCore	1.5.0	Null	Unknown License
Microsoft.Extensions.Http.Resilience	10.6.0	Null	Unknown License
Microsoft.Extensions.ServiceDiscovery	10.6.0	Null	Unknown License
Microsoft.OpenTelemetry	1.0.2	Null	Unknown License

dotnet/work-iq-teams-bot/work-iq-teams-bot.TeamsApp/work-iq-teams-bot.TeamsApp.csproj

Package	Version	License	Issue Type
Microsoft.Extensions.AI	10.6.0	Null	Unknown License
Microsoft.Extensions.AI.OpenAI	10.6.0	Null	Unknown License
Microsoft.Teams.Apps	2.1.0-preview-0007-g7f9bc09e3b	Null	Unknown License
ModelContextProtocol	1.3.0	Null	Unknown License
OpenTelemetry.Api	1.15.3	Null	Unknown License

Denied Licenses:

GPL-3.0-only, AGPL-3.0-only

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
nuget/Azure.Monitor.OpenTelemetry.AspNetCore	1.5.0	Unknown	Unknown
nuget/Microsoft.Extensions.Http.Resilience	10.6.0	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
nuget/Microsoft.Extensions.ServiceDiscovery	10.6.0	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
nuget/Microsoft.Identity.Abstractions	12.0.0	Unknown	Unknown
nuget/Microsoft.Identity.Web.AgentIdentities	4.8.0	🟢 6.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ 2 branch protection is not maximal on development and all release branches SAST 🟢 9 SAST tool detected but not run on all commits Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
nuget/Microsoft.OpenTelemetry	1.0.2	Unknown	Unknown
nuget/OpenTelemetry.Exporter.OpenTelemetryProtocol	1.15.3	🟢 8.3	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices 🟢 5 badge detected: Passing Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Packaging 🟢 10 packaging workflow detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 37 contributing companies or organizations
nuget/OpenTelemetry.Extensions.Hosting	1.15.3	🟢 8.3	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices 🟢 5 badge detected: Passing Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Packaging 🟢 10 packaging workflow detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 37 contributing companies or organizations
nuget/OpenTelemetry.Instrumentation.AspNetCore	1.15.2	🟢 8.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Dependency-Update-Tool 🟢 10 update tool detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits Packaging 🟢 10 packaging workflow detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. License 🟢 10 license file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 23 contributing companies or organizations
nuget/OpenTelemetry.Instrumentation.Http	1.15.1	🟢 8.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Dependency-Update-Tool 🟢 10 update tool detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits Packaging 🟢 10 packaging workflow detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. License 🟢 10 license file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 23 contributing companies or organizations
nuget/OpenTelemetry.Instrumentation.Runtime	1.15.1	🟢 8.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Dependency-Update-Tool 🟢 10 update tool detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits Packaging 🟢 10 packaging workflow detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. License 🟢 10 license file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 23 contributing companies or organizations
nuget/Azure.AI.OpenAI	2.1.0	🟢 7.2	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 9 binaries present in source code Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 Fuzzing ⚠️ 0 project is not fuzzed
nuget/Microsoft.Extensions.AI	10.6.0	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
nuget/Microsoft.Extensions.AI.OpenAI	10.6.0	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
nuget/Microsoft.Teams.Apps	2.1.0-preview-0007-g7f9bc09e3b	Unknown	Unknown
nuget/ModelContextProtocol	1.3.0	Unknown	Unknown
nuget/OpenTelemetry.Api	1.15.3	🟢 8.3	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices 🟢 5 badge detected: Passing Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Packaging 🟢 10 packaging workflow detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 10 security policy file detected CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 37 contributing companies or organizations

Scanned Files

• dotnet/work-iq-teams-bot/work-iq-teams-bot.ServiceDefaults/work-iq-teams-bot.ServiceDefaults.csproj
• dotnet/work-iq-teams-bot/work-iq-teams-bot.TeamsApp/work-iq-teams-bot.TeamsApp.csproj