When a new TATER Ops task is created - by the endpoint agent (Self-Service Fix follow-ups), an MCP agent, the web UI, or the public intake portal - TATER fires a notification through every channel you've enabled. Configure per org in TATER Manage → Connections → Task Notifications.
Configuration overview
Stored under Settings.integrations.taskNotifications. Fields:
- emailEnabled + emailRecipients[] - list of email addresses that receive the notification email
- teamsEnabled + teamsWebhookUrl - single Power Automate (or classic) webhook URL that posts an Adaptive Card to a channel
- notifyOnAgentCreated - fire when an endpoint agent opens a task (e.g. a Self-Service Fix failed). Default true.
- notifyOnMcpCreated - fire when an MCP/AI agent creates a task. Default true.
- notifyOnWebCreated - fire when a human creates a task via the web UI. Default true. Public intake portal traffic uses the public channel and follows the same default.
Per-channel toggles let you choose, for example, "always page Teams for agent failures, but only email for human-created tasks." Set the flag to false to suppress.
Email setup
- Open TATER Manage → Connections → Task Notifications.
- Tick Enable email.
- Add one address per line under Recipients. Up to 20 addresses; commas and semicolons in a single line are split automatically.
- Save. Delivery uses the system-level Graph or SMTP config from Settings → System (SuperAdmin) - see Settings reference.
Each email is sent individually with the recipient on the To line (not BCC) so reply-all behaviors work cleanly when staff coordinate on a ticket.
Microsoft Teams setup
Microsoft retired the classic "Incoming Webhook" connector for Teams in October 2025. The replacement is a Power Automate Workflow that exposes a webhook URL. The setup below is the current Microsoft-supported path as of 2026 and reflects exactly the steps we used to wire CB's helpdesk channel.
Step 1 - Pick the destination channel
Decide which Teams channel TATER tickets should land in. A dedicated channel ("TATER Tickets", "Helpdesk Alerts") is better than General (which gets noisy). The channel can be private - only members will see the cards.
Group chats are not supported. Workflow webhooks bind to a channel, not a group chat. If you want it to feel like a small group, create a private channel with just the helpdesk members.
Step 2 - Create the Workflow
- In Teams, click the "…" next to the channel name → Workflows.
- Search for the template "Post to a channel when a webhook request is received".
- Click Next.
- Set the workflow name to something like TATER Ticket Alerts.
- Confirm the Team and Channel are correct → Add workflow.
- Teams shows the HTTP POST URL - looks like https://prod-NN.eastus.logic.azure.com/workflows/... or https://...environment.api.powerplatform.com/.../triggers/manual/paths/invoke?api-version=1&sp=...&sig=.... Click Copy → Done.
Ownership note: only the workflow creator can manage it afterwards. If that account leaves the organization, the workflow must be recreated. For long-term ownership, create the workflow under a shared service account if you have one.
Step 3 - Resolve a Data Loss Prevention (DLP) block if it happens
Many tenants have a Power Platform DLP policy that classifies the Request (HTTP) trigger and the Microsoft Teams action into different connector groups. When that's the case, the workflow gets created and then immediately gets a red Suspended banner with the message:
⊗ Suspended: Workflow cannot run because it's blocked by your organization's data policy.
To unblock:
- Open admin.powerplatform.microsoft.com as a Power Platform admin.
- Go to Policies → Data policies.
- Find the policy covering the environment your workflow is in (often Default or a managed-environment policy).
- Choose either approach:
  - Connector groups: move the Request (HTTP trigger) connector into the same group as Microsoft Teams (typically the "Business" group). The workflow's connectors will then match the policy.
  - Environment exception: add the workflow's environment to the policy's exclusion list. Use this if you don't want to change the global connector grouping.
- Save the policy. Back in Teams (or make.powerautomate.com), open the suspended workflow and click Resubmit. It should switch from Suspended to On.
The fix is one-time per environment - once the connector classification is aligned, future workflow webhooks (for any other internal integration) work without further policy edits.
Step 4 - Paste the URL into TATER
- Open TATER Manage → Connections → Task Notifications.
- Tick Enable Teams.
- Paste the workflow URL into Teams Webhook URL.
- Save.
- Use the Send Test button (or fire a real task via the public intake / agent) to verify a card lands in the channel.
Adaptive Card format
TATER sends an Adaptive Card 1.4 payload with:
- Priority emoji + bold colored priority pill (Critical=red, High=red, Medium=warning, Low=good, default=accent)
- Two-line header: "New TATER Ops Task" subtitle + large bold task title
- Badge row: priority · category · via channel (web/agent/mcp/public)
- Description in an emphasis container for visual separation
- Fact set showing only populated fields (Requester / Assigned to / Due / Status / Linked / Created by)
- "🔗 Open in TATER Ops" action button (positive style) linking directly to the task
- Subtle Task ID: footer for traceability
The card uses msTeams.width: 'Full' so it renders full-width inside the channel.
Example payload
The exact JSON envelope TATER POSTs to the configured webhook. Use this to verify your Workflow template handles the shape, to test your endpoint with a known-good body, or as a starting point for your own integrations that want to mirror the look.
POST <teamsWebhookUrl>
Content-Type: application/json

{
  "type": "message",
  "attachments": [
    {
      "contentType": "application/vnd.microsoft.card.adaptive",
      "content": {
        "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
        "type": "AdaptiveCard",
        "version": "1.4",
        "msTeams": { "width": "Full" },
        "body": [
          {
            "type": "ColumnSet",
            "columns": [
              {
                "type": "Column", "width": "auto", "verticalContentAlignment": "Center",
                "items": [
                  { "type": "TextBlock", "text": "🔴", "size": "ExtraLarge", "spacing": "None" }
                ]
              },
              {
                "type": "Column", "width": "stretch", "verticalContentAlignment": "Center",
                "items": [
                  { "type": "TextBlock", "text": "New TATER Ops Task", "isSubtle": true, "size": "Small", "weight": "Bolder", "spacing": "None" },
                  { "type": "TextBlock", "text": "OneDrive sync stuck on X1-14-2024-09", "size": "Large", "weight": "Bolder", "wrap": true, "spacing": "None" }
                ]
              }
            ]
          },
          {
            "type": "ColumnSet", "spacing": "Small",
            "columns": [
              { "type": "Column", "width": "auto", "items": [
                { "type": "TextBlock", "text": "**HIGH**", "color": "attention", "weight": "Bolder", "size": "Small", "spacing": "None" }
              ]},
              { "type": "Column", "width": "auto", "items": [
                { "type": "TextBlock", "text": "· OneDrive", "isSubtle": true, "size": "Small", "spacing": "None" }
              ]},
              { "type": "Column", "width": "auto", "items": [
                { "type": "TextBlock", "text": "· via Endpoint Agent", "isSubtle": true, "size": "Small", "spacing": "None" }
              ]}
            ]
          },
          {
            "type": "Container", "style": "emphasis", "bleed": true, "spacing": "Medium",
            "items": [
              { "type": "TextBlock", "text": "Self-Service Fix \"Reset OneDrive Sync\" was triggered but the cldflt driver did not return to a healthy state after 3 retry cycles. Manual review by IT required.", "wrap": true }
            ]
          },
          {
            "type": "FactSet", "spacing": "Medium",
            "facts": [
              { "title": "Requester", "value": "ckimura@caronbletzer.com" },
              { "title": "Assigned to", "value": "helpdesk@caronbletzer.com" },
              { "title": "Due", "value": "2026-06-07" },
              { "title": "Status", "value": "Open" },
              { "title": "Linked", "value": "control: ONEDRIVE-HEALTH" }
            ]
          },
          {
            "type": "TextBlock",
            "text": "Task ID: task-9c3a17b2-...",
            "isSubtle": true, "size": "Small", "spacing": "Medium", "wrap": true
          }
        ],
        "actions": [
          {
            "type": "Action.OpenUrl",
            "title": "🔗 Open in TATER Ops",
            "url": "https://ops.tatersecurity.com/?page=tasks&id=task-9c3a17b2-...",
            "style": "positive"
          }
        ]
      }
    }
  ]
}
What it looks like rendered
The above payload renders in a channel as roughly:
┌────────────────────────────────────────────────────────────┐
│ 🔴 New TATER Ops Task │
│ OneDrive sync stuck on X1-14-2024-09 │
│ │
│ HIGH · OneDrive · via Endpoint Agent │
│ ┌──────────────────────────────────────────────────────┐ │
│ │ Self-Service Fix "Reset OneDrive Sync" was │ │
│ │ triggered but the cldflt driver did not return to a │ │
│ │ healthy state after 3 retry cycles. Manual review │ │
│ │ by IT required. │ │
│ └──────────────────────────────────────────────────────┘ │
│ │
│ Requester ckimura@caronbletzer.com │
│ Assigned to helpdesk@caronbletzer.com │
│ Due 2026-06-07 │
│ Status Open │
│ Linked control: ONEDRIVE-HEALTH │
│ │
│ Task ID: task-9c3a17b2-... │
│ │
│ [ 🔗 Open in TATER Ops ] │
└────────────────────────────────────────────────────────────┘
HIGH is rendered in red ("attention" color); MEDIUM in amber ("warning"); LOW in green ("good"). The button uses the host's positive accent color.
Testing your workflow with this payload
Paste the JSON above into the body of any HTTP test client (curl, Postman, Power Automate's run-test, etc.) and POST it to your workflow URL. If the card renders correctly in the channel, your workflow template handles the standard envelope; if Teams shows raw JSON or "Card couldn't be rendered," the template's body schema expects a different shape - adjust the workflow's "Post your own adaptive card" action's attachments mapping to forward triggerBody().attachments verbatim.
Quick curl:
curl -X POST \
  -H "Content-Type: application/json" \
  -d @example-card.json \
  "<your-workflow-url>"
A 202 response with no body means the workflow accepted the trigger (success). A 400 with a Power Automate error body usually means the JSON shape doesn't match the trigger schema - open the workflow's run history to see the parse error.
Security considerations
- Workflow URL is a secret. Anyone with the URL can post to the channel. Don't paste it into chat logs, public tickets, or commit messages. TATER stores it encrypted at rest via encryption.ts (AES-256-GCM) and redacts it to [REDACTED] on GET responses; only the original Admin who set it can read it back.
- Rotation. Power Automate doesn't have a built-in "rotate signature" button. If the URL is leaked, recreate the workflow (which generates a new signature) and update TATER. The old URL stays valid until you delete the workflow.
- SSRF guard. TATER validates the URL is HTTPS and not pointing at internal/private addresses before each POST.
- Audit log. Every successful notification adds an entry with via set to the channel that fired (Teams, email, or both), and the audit-log payload records which OrgAdmin enabled the integration.
Troubleshooting
- Cards never appear and no errors: check the workflow's Run history in make.powerautomate.com. If TATER fired but the workflow didn't trigger, the URL is wrong (signature mismatch - recopy from the workflow's trigger step).
- Cards appear but render as plain JSON or "Card couldn't be rendered": the channel might have an outdated Teams client or the workflow template wraps the payload differently. The standard {type:'message', attachments[]} envelope works for the default template. If your template's body schema expects the AdaptiveCard root directly, adjust the workflow's "Post your own adaptive card as the Flow bot to a channel" action's attachments mapping accordingly.
- Email arrives but Teams doesn't: open the workflow in Power Automate - if it shows Suspended, you've hit the DLP block (see Step 3 above). If it shows On and the run history shows failures, click into the failed run to see the exact error (commonly "Action 'Post_card_in_a_chat_or_channel' failed" with a permissions message - re-authorize the Teams connection inside the workflow).
- Per-channel toggle isn't honored: the trigger uses the lowercase via field on the task - agent, mcp, web, public. The notifyOnAgentCreated / notifyOnMcpCreated / notifyOnWebCreated flags suppress only when explicitly false; missing or undefined defaults to fire. Use the toggle on the form to set false rather than blanking the field.
Alternative channels
If Power Automate isn't an option (DLP can't be loosened, no Power Automate license, or you don't want to maintain a workflow), TATER also supports:
- Teams channel email address. Every channel has a hidden ...@amer.teams.ms address (channel name → "…" → Get email address). Add it to your TATER email recipients list; each task creation lands in the channel as an email. Loses the rich Adaptive Card; gains zero maintenance. Note that Teams admins can globally disable channel email addresses - if "Get email address" is missing from the menu, that's why.
- Azure Logic App or Function App. Build the same HTTP-trigger → Teams-post outside Power Platform governance. Same Adaptive Card format works. Worth the effort if CB needs action buttons (Approve / Acknowledge) inside the card that the default Workflow template doesn't expose.
- SIEM forwarding. Every task creation also fires a SIEM event over syslog (CEF) or webhook (HMAC-signed) if SIEM forwarding is enabled in Settings → SIEM. Useful for centralized SOC alerting independent of Teams.
Daily Technician Digest
Complementary to the per-event channels above: a once-a-day morning queue email for each technician (TATER Manage → Connections → Task Notifications → Daily Technician Digest). Solves the "unassigned email-intake tickets sit in the queue and nobody notices" problem.
- What each tech receives: their own Open / In Progress / On Hold tasks — SLA-breached first, then priority, then age, with due dates and DUE SOON / SLA BREACHED chips — plus the unassigned open tasks in the queue so anyone can claim them. Every row deep-links into TATER Ops.
- Recipients are automatic: the union of current task assignees and Ops team members (TATER Ops → Settings → Teams). Add anyone to the opt-out list to exclude them.
- Scope of the unassigned section: org-wide by default; untick Every tech sees ALL unassigned tasks to scope it to each tech's team queues (tasks with no assignment group always show).
- Schedule: per-org send hour (UTC, with a local-time hint in the picker). One email per tech per day — techs with nothing assigned and an empty queue get no email at all.
- Delivery: the system Graph mailbox, with SMTP fallback — same engine as every other TATER notification. Suspended orgs are skipped.