Overview
Nuclei provides Microsoft Teams customers with the ability to automatically record, export, enrich, and archive all voice communications occurring within Microsoft Teams, including:
- Microsoft Teams Meetings (Audio, Screen, Video)
- Microsoft Teams Calling (Audio)
The core component of the compliance recording solution is the recorder. Recorders are built as scalable Azure-based services (bots) that use Microsoft’s communications platform and register as applications with Microsoft Graph. The recorder provides the direct interaction with the Teams calls and meetings communications platform APIs and provides the endpoint for media ingestion.
Compliance recording policies are created, assigned to users, and managed using Microsoft PowerShell, and can be applied at the tenant, user, or security group level within an organization. You can find more information on Microsoft Docs for Meeting policies, calling policies and group policies.
A complete overview of Microsoft's policy-based recording capabilities for Microsoft Teams is available here. Once provisioned, recordings are automatically exported and made available for archival and further processing in other 3rd party applications.
Prerequisites
Compliance Recording can be enabled for users with the following types of Microsoft licensing:
- Microsoft 365 A3/A5/E3/E5/Business Premium
- Office 365 A3/A5/E3/E5
The following resources are required by the tenant admin during provisioning:
- Microsoft Windows 10 (client PC) with Administrator privileges
- PowerShell: version 5.x or higher
- .NET Framework: version 4.7.2 or higher
- Global Administrator permissions
- Nuclei Application IDs
Nuclei will also require the following information prior to provisioning:
- Your Microsoft Azure Tenant ID
Scope
Microsoft Teams
Your Azure IT Administrator can determine which users are to be recorded (and which recorder will be used for each user) by creating and assigning compliance recording policies. Afterwards, when a communication interaction takes place, recording bots are automatically invited to participate in the conversation based on the configuration of these policies. Compliance recording policies are managed using Microsoft PowerShell and can be applied at the tenant, per-user, and security group level for each organization. You can find more information on Microsoft Docs for Meeting policies, calling policies and group policies.
The following general metadata is available for each Microsoft Teams recording:
- Call Chain ID
- Call Duration
- Call Modality
- Call Start Time
- Call Type
The following types of identity metadata are also available for each recording participant:
- Display Name
- Email Address (in org users only)
- Microsoft User ID (Object ID, or PSTN number)
- Microsoft Tenant ID
The following access rights are required to support the recording application:
- CallRecords.Read.All
- Calls.AccessMedia.All
  - Allows the app to get direct access to media streams in a call
- Calls.Initiate.All
- Calls.InitiateGroupCall.All
  - Allows the app to place outbound calls to multiple users and add participants to meetings
- Calls.JoinGroupCall.All
  - Allows the app to join group calls and scheduled meetings in your organization
- Calls.JoinGroupCallAsGuest.All
  - Allows the app to join group calls and scheduled meetings in your organization
- User.Read.All
  - Allows the app to read user profiles
User Experience
A visual recording notification will be displayed to users who participate in calls from a Teams client:
- Desktop/web
- Mobile (iOS/Android)
- Teams phones
- Teams rooms
An audio notification will be played to users who participate in calls using other types of devices:
- SIP phones
- Skype for Business
- Audio conferencing
- PSTN callers
Supported Archives
The following archiving destinations are supported for Microsoft Teams Archiving:
- ACA ComplianceAlpha
- Dell EMC SourceOne
- Global Relay Archive
- Microsoft Purview
- Mimecast Cloud Archive
- Proofpoint Enterprise Archive
- Smarsh Digital Safe
- Smarsh Enterprise Archive
- Smarsh Professional Archive
- Veritas Enterprise Vault
- ZL Unified Archive
TL;DR
Installation
- Complete admin consent
- Create an application instance
- Create a Compliance Recording Policy
- Assign the Compliance Recording Policy to Users
Uninstallation
- Remove Compliance Recording Policy assignment from Users
- Remove Compliance Recording Policy
- Remove application instance of the recording bot from Azure AD
Getting Set Up
Preparation
Grant admin consent to the recording application
This step is required to provide admin consent for the permissions required by the recording application.
Nuclei will provide you with the correct region specific application URL for completing the admin consent during provisioning.
Start a PowerShell session with admin permissions
Start-Process powershell -Verb runAs
Install Microsoft Teams PowerShell Module
Uninstall-Module MicrosoftTeams -AllVersions
Install-Module PowershellGet -AllowClobber -Force
Install-Module MicrosoftTeams -AllowClobber -Force
Sign in to Microsoft Teams (as tenant global admin)
Connect-MicrosoftTeams
A Microsoft login prompt should launch in a new window. Remember to sign in with an in-tenant global administrator account.
Application Management
Create application instance
Creates an application instance in Azure Active Directory (documentation)
New-CsOnlineApplicationInstance `
-UserPrincipalName 'BOT_NAME@TENANT_DOMAIN' `
-DisplayName 'FRIENDLY_BOT_NAME' `
-ApplicationId APPLICATION_ID
- UserPrincipalName: (e.g., bot.instance@yourdomain.com)
- DisplayName: Display name for the UPN
- ApplicationId: Microsoft App ID of the Bot (provided by Nuclei on admin consent success page)
NOTE: This will create a user account in the tenant directory with the specified principal name.
Get application instance
Gets application instance for the tenant from Azure Active Directory (documentation):
Get-CsOnlineApplicationInstance
Sync application instance
Use the Sync-CsOnlineApplicationInstance cmdlet to sync the application instance from Azure Active Directory into Agent Provisioning Service. (documentation)
Sync-CsOnlineApplicationInstance `
-ObjectId APPLICATION_INSTANCE_OBJECT_ID `
-ApplicationId APPLICATION_ID
Delete application instance
Microsoft does not provide a cmdlet for removing an online application instance. You can, however, find the application instance in Azure Active Directory and remove it from there. Application instances are stored in the directory as user accounts.
Policy Management
Create a Compliance Recording Policy
Create a new Teams recording policy governing automatic policy-based recording in your tenant (documentation):
New-CsTeamsComplianceRecordingPolicy `
-Identity 'POLICY_NAME' `
-Enabled $true
Update a Compliance Recording Policy
Modifies an existing Teams recording policy for governing automatic policy-based recording in your tenant (documentation):
Set-CsTeamsComplianceRecordingPolicy `
-Identity 'TestPolicy2' `
-Enabled $true
Delete a Compliance Recording Policy
Deletes an existing Teams recording policy that is used to govern automatic policy-based recording in your tenant (documentation):
Remove-CsTeamsComplianceRecordingPolicy `
-Identity 'POLICY_NAME' `
-Force
NOTE: This command only works if no users are assigned to the policy. You will need to remove any users assigned to a policy prior to deletion.
Recording Application Management
Assign recording application to a Compliance Recording Policy
Creates an association between an application instance of a policy-based recording application and a Teams recording policy for administering automatic policy-based recording in your tenant.
Set-CsTeamsComplianceRecordingPolicy `
-Identity 'POLICY_NAME' `
-ComplianceRecordingApplications `
@(New-CsTeamsComplianceRecordingApplication `
-Parent 'POLICY_NAME' `
-Id 'ONLINE_APPLICATION_INSTANCE_OBJECT_ID' `
-RequiredBeforeCallEstablishment $true `
-RequiredBeforeMeetingJoin $true `
-RequiredDuringCall $true `
-RequiredDuringMeeting $true)
NOTE: The ObjectId comes from the output of the Get-CsOnlineApplicationInstance step.
Delete recording application from a Compliance Recording Policy
Deletes an existing association between an application instance of a policy-based recording application and a Teams recording policy for administering automatic policy-based recording in your tenant.
Remove-CsTeamsComplianceRecordingApplication -Identity POLICY_NAME/OBJECT_ID
Get recording application assignment
Returns information about the application instances of policy-based recording applications that have been configured for administering automatic policy-based recording in your tenant (documentation).
Get-CsTeamsComplianceRecordingApplication
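The assignment command above sets all four Required* switches to $true; when one of them is $false, Teams lets the call or meeting continue if the recorder fails to join, so that traffic goes unrecorded. The following added example (not Nuclei's or Microsoft's code) audits policy objects for that gap, for disabled policies, and for bindings that do not match a known application instance. The function name Test-ComplianceRecordingPolicy, its KnownInstanceIds parameter, and the sample objects are assumptions made for illustration.

```powershell
# Added example: audit recording policy objects for fail-open settings.
function Test-ComplianceRecordingPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Policy,
        # ObjectIds of known application instances; empty skips this check.
        [string[]] $KnownInstanceIds = @()
    )
    begin {
        $flags = 'RequiredBeforeCallEstablishment', 'RequiredBeforeMeetingJoin',
                 'RequiredDuringCall', 'RequiredDuringMeeting'
    }
    process {
        $findings = @()
        if (-not $Policy.Enabled) { $findings += 'policy is disabled' }
        # Drop $null so an unset property counts as zero applications.
        $apps = @($Policy.ComplianceRecordingApplications | Where-Object { $_ })
        if ($apps.Count -eq 0) { $findings += 'no recording application bound' }
        foreach ($app in $apps) {
            if ($KnownInstanceIds.Count -gt 0 -and $app.Id -notin $KnownInstanceIds) {
                $findings += "application $($app.Id) is not a known application instance"
            }
            foreach ($flag in $flags) {
                if ($app.$flag -ne $true) {
                    $findings += "application $($app.Id): $flag is not `$true"
                }
            }
        }
        [pscustomobject]@{ Policy = $Policy.Identity; Pass = ($findings.Count -eq 0)
                           Findings = $findings }
    }
}

# Constructed sample objects (not real tenant output); the Id is a placeholder.
$botId = '00000000-0000-0000-0000-000000000001'
$sample = @(
    [pscustomobject]@{ Identity = 'Tag:StrictPolicy'; Enabled = $true
        ComplianceRecordingApplications = @([pscustomobject]@{ Id = $botId
            RequiredBeforeCallEstablishment = $true; RequiredBeforeMeetingJoin = $true
            RequiredDuringCall = $true; RequiredDuringMeeting = $true }) },
    [pscustomobject]@{ Identity = 'Tag:LoosePolicy'; Enabled = $true
        ComplianceRecordingApplications = @([pscustomobject]@{ Id = $botId
            RequiredBeforeCallEstablishment = $false; RequiredBeforeMeetingJoin = $true
            RequiredDuringCall = $true; RequiredDuringMeeting = $false }) },
    [pscustomobject]@{ Identity = 'Tag:EmptyPolicy'; Enabled = $true
        ComplianceRecordingApplications = @() }
)
$sample | Test-ComplianceRecordingPolicy -KnownInstanceIds $botId | Format-List
```

Against a live tenant, after Connect-MicrosoftTeams, pipe the output of Get-CsTeamsComplianceRecordingPolicy into the function and pass (Get-CsOnlineApplicationInstance).ObjectId as KnownInstanceIds.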
Recording Policy Assignment
Individual Users
To assign a recording policy to an individual user:
Grant-CsTeamsComplianceRecordingPolicy -Identity 'USER_EMAIL_ADDRESS' -PolicyName POLICY_NAME
To view the current policy assignment for a user:
Get-CsOnlineUser -Identity 'USER_EMAIL_ADDRESS' | Select-Object -ExpandProperty 'TeamsComplianceRecordingPolicy'
To unassign a recording policy from an individual user:
Grant-CsTeamsComplianceRecordingPolicy -Identity 'USER_EMAIL_ADDRESS' -PolicyName $null
Groups
To assign a recording policy to a security group or distribution list:
New-CsGroupPolicyAssignment `
-GroupId GROUP_OBJECT_ID `
-PolicyType TeamsComplianceRecordingPolicy `
-PolicyName 'POLICY_NAME' `
-Rank 1
To view the current policy assignment for a group:
Get-CsGroupPolicyAssignment -PolicyType TeamsComplianceRecordingPolicy
To remove the recording policy assigned to a group:
Remove-CsGroupPolicyAssignment `
-GroupId GROUP_OBJECT_ID `
-PolicyType TeamsComplianceRecordingPolicy
You can use any means of managing the members of your group. This could be via Azure Portal, PowerShell modules, or other group memberships.
NOTE: It takes about 5 minutes for membership updates within a group to propagate to the Teams compliance recording policy rule evaluator. Removing the policy from a group and adding it back again is a way to force a faster sync if there are delays.
Additional Resources
Compliance Archiving for Microsoft Teams Chat
Compliance Archiving for Microsoft Dynamics
Microsoft Teams - Documentation - Mask phone numbers in Microsoft Teams meetings
More Information
For more information on Nuclei's compliance recording capabilities for Microsoft Teams, please contact our sales team at hello@nuclei.ai.