Initial Setup and Configuration

This page provides guidance for enabling Microsoft Teams Recording, offered as a hosted service by Luware Recording / Luware Recording Germany Multi Tenant.

SUBJECT TO CHANGE

Please note this is an evolving service, with specifications subject to change in the future. This document will be maintained based on any future specification changes that pertain to the sections in this document.

 

This page is mainly targeted at a Technical Audience who should be familiar with Microsoft Teams, PowerShell and M365 Services in general. It will walk through the configuration elements that will need to be performed within your Azure, O365 Teams Tenant:

  • Enable Private Endpoint connections within your Azure tenant
  • Consent to the Luware Recording Bot permissions
  • Whitelist the Luware Recording Bot applications
  • Create Microsoft Teams Compliance Policies
  • Grant Microsoft Teams Compliance Policies to the mandated Microsoft Teams users

Customer Tenant Configuration Steps

This section details the configuration settings that need to be created and applied within your Azure tenant. Each step below must be adhered to.

Enable Private Endpoint Network Resources

✅ To allow Luware Recording to connect a Luware Private Endpoint to your Azure Storage Account, the Microsoft.Network resource provider must first be enabled in the customer's Azure subscription.

  1. Sign in to Azure portal.
  2. Search for Subscriptions.   
  3. Select the subscription you created for the recording project.
  4. Select Settings > Resource providers in the left side menu.   
  5. Find the resource provider “Microsoft.Network”.
  6. Click Register.   

You must consent to permissions within your Azure tenant for the Luware Recording bot and related features. The Luware Recording Graph API Application ID and the permissions that you need to consent to are listed below:

GLOBAL ADMINISTRATOR ACCOUNT NEEDED

You need to use a "Global Administrator" Account for consenting to the Luware Recording Bot Azure Application.

 

Luware Recording Bot Azure Application ID:

Multi-Tenant Germany

Bot ID App ID Service
1 ✅ Contact your partner admin or Luware technician for the App ID. <App ID Bot 1>
2 ✅ Contact your partner admin or Luware technician for the App ID. <App ID Bot 2>
 
 

Multi-Tenant Switzerland

App ID Service
✅ Contact your partner admin or Luware technician for the App ID. <Recording Bot API Identity>
 
 

Recording Application Permissions

The following permissions are required for Luware Recording:

| Type | API/Permissions | Short Description | Technical Description |
|---|---|---|---|
| Delegated | User.Read | Sign in and read user profile - User | The Luware Recording portal will redirect users to your Azure Active Directory login page when a user attempts to sign in. This permission allows the users to sign in to the Luware Recording portal. The user details are pulled from Azure Active Directory using a combination of the permissions below. |
| Application | Calls.AccessMedia.All | Access media streams in a call as an app | This permission is mandated by Verint and Microsoft for recording. |
| Application | Calls.JoinGroupCall.All | Join group calls and meetings as an app | This permission is mandated by Verint and Microsoft for recording. |
| Application | Calls.JoinGroupCallAsGuest.All | Join group calls and meetings as a guest | This permission is mandated by Verint and Microsoft for recording. |
| Application | OnlineMeetings.Read.All | Read online meeting details | This permission is mandated by Verint for selective recording scenarios and additional meeting metadata. |
| Application | Calendars.Read | Read meeting and display names | This permission is mandated by Verint for selective recording scenarios and additional meeting metadata. |
| Application | Group.Read.All | Read all groups | To determine who to record from your tenant, we need to have a way of identifying groups of users for recording, supervision and administrative functions. To do this, we will ask you to configure 3 sets of groups. The system will then query those specific groups every day requesting user details for each user. |
| Application | GroupMember.Read.All | Read all group memberships | To pull the specific users that are members of the groups specified in the Group.Read.All permission. |
| Application | User.Read.All | Read all users' full profiles | To determine the user's extension for recording, we need to pull the user's details such as the Id field from Azure. |

 

☝ Permissions cannot be customized in a multi-tenant environment.

Once the preconditions on this page are met and the permissions have been consented to successfully, the Graph API permissions listed in the table above will allow for:

  • Microsoft Teams Compliance Recording
  • VFC Web Portal Single Sign On via Azure Entra ID Authentication
  • VFC Azure Entra ID Synchronization

In order to consent to these permissions, you will need to follow both of the links below (ensuring <CUSTOMER TENANT ID> and <APP ID Bot> are replaced with your Tenant ID and the Bot's App ID, respectively) and sign in as a Global Administrator:

Multi-Tenant Germany

Voice Recording Bot 1:

https://login.microsoftonline.com/<CUSTOMER TENANT ID>/adminconsent?client_id=<APP ID Bot 1>&state=12345&redirect_uri=https://luware.com

Voice Recording Bot 2:

https://login.microsoftonline.com/<CUSTOMER TENANT ID>/adminconsent?client_id=<APP ID Bot 2>&state=12345&redirect_uri=https://luware.com
 
 

Multi-Tenant Switzerland

https://login.microsoftonline.com/<CUSTOMER TENANT ID>/adminconsent?client_id=<Recording Bot API Identity>&state=12345&redirect_uri=https://luware.com
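After consenting, the permissions actually granted to each bot can be compared with the table above. The following is an added example, not Luware's code: it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications), and the function names and the sample grant list are constructed for illustration.

```powershell
# Added example, not Luware's code. Function names are hypothetical.
# Application permissions from the table above (delegated User.Read is an
# OAuth2 permission grant, not an app role, and is not covered by this check).
$ExpectedAppPermissions = @(
    'Calls.AccessMedia.All', 'Calls.JoinGroupCall.All', 'Calls.JoinGroupCallAsGuest.All',
    'OnlineMeetings.Read.All', 'Calendars.Read', 'Group.Read.All',
    'GroupMember.Read.All', 'User.Read.All'
)

function Compare-BotConsent {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $Granted,
        [string[]] $Expected = $ExpectedAppPermissions
    )
    # -notin is case-insensitive, so 'Calendars.read' and 'Calendars.Read' match.
    [pscustomobject]@{
        Missing    = @($Expected | Where-Object { $_ -notin $Granted })
        Unexpected = @($Granted  | Where-Object { $_ -notin $Expected })
    }
}

function Get-BotGrantedPermission {
    # Needs the Microsoft.Graph.Applications module and a session opened with
    # Connect-MgGraph -Scopes 'Application.Read.All'.
    param([Parameter(Mandatory)] [guid] $AppId)
    # 00000003-0000-0000-c000-000000000000 is the well-known Microsoft Graph app ID.
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    $botSp   = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $botSp) { throw "No service principal found for $AppId; admin consent has not completed." }
    # Map Graph app role IDs to permission names, then resolve the bot's assignments.
    $roleName = @{}
    foreach ($role in $graphSp.AppRoles) { $roleName[[string]$role.Id] = $role.Value }
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $botSp.Id -All |
        Where-Object { $_.ResourceId -eq $graphSp.Id } |
        ForEach-Object { $roleName[[string]$_.AppRoleId] }
}

# Constructed sample: one documented permission missing, one extra grant present.
$sampleGranted = $ExpectedAppPermissions | Where-Object { $_ -ne 'GroupMember.Read.All' }
$sampleGranted += 'Mail.Read'
Compare-BotConsent -Granted $sampleGranted

# Against a tenant, once per bot App ID:
# Compare-BotConsent -Granted (Get-BotGrantedPermission -AppId '<APP ID Bot 1>')
```

An empty Missing list and an empty Unexpected list mean the consent matches the documented permission set for that bot.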
 
 

Whitelist Luware Recording Bot Graph Application

The Luware Recording Bot Application needs to be "White-Listed" within your tenant. This section provides the PowerShell commands to perform this requirement, using the Teams PowerShell Module.

You need to use the correct account that has full admin privileges in your Teams environment. Also make sure that the latest Teams PowerShell Module is installed:

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

The commands below create an application user object within your tenant, which is used to whitelist the Luware Bot Application ID. Two are required for 2N recording. Use the format <UniqueUPN>@<CustomerDomain> for the UPN:

Multi-Tenant Germany

Voice Recording Bot 1

New-CsOnlineApplicationInstance -UserPrincipalname <UPN> -DisplayName <displayName> -ApplicationId <APP ID Bot 1>
                        

Voice Recording Bot 2

New-CsOnlineApplicationInstance -UserPrincipalname <UPN> -DisplayName <displayName> -ApplicationId <APP ID Bot 2>
 
 

Multi-Tenant Switzerland

New-CsOnlineApplicationInstance -UserPrincipalname <UPN> -DisplayName <displayName> -ApplicationId <Recording Bot API Identity>
 
 

Create Microsoft Teams Compliance Policies

This section explains the concept and creation of Microsoft Teams Compliance Recording Policies within your tenant. Note the differences between Fail Open and Fail Close Policies:

  • Fail Close - When a Recorded Microsoft Teams user is under strict compliance (i.e. mandated to be recorded at all times) then, if the call recording fails for any reason, the call will fail to connect and display an error message “We couldn't connect you - There was a problem setting up the recording required by your org.”
  • Fail Open - Opposite of Fail Close, i.e. if the recording fails for any reason, the call will still be allowed to take place. No error message or notification will be displayed to the end user.

To create a blanket policy without any settings, execute the command below.

  • Replace <Policy Description> with a desired policy description value.
  • Replace <PolicyName> with a desired policy name.

New-CsTeamsComplianceRecordingPolicy -Enabled $true -Description '<Policy Description>' -Identity '<PolicyName>'

Once the above policy has been created, we will then configure the Teams Compliance Policy Settings. Refer to the table below for the parameter options. Fail Open is 0 (off) and Fail Close is 1 (on). Luware always recommends using Fail Close for compliance recording.

| Name of Parameter | Description | Default Setting |
|---|---|---|
| RequiredBeforeCallEstablishment | Defines if the bot has to join the call before the recorded user can place or receive calls | 1 (On) |
| RequiredBeforeMeetingJoin | Defines if the bot has to join the call before the recorded user can join the meetings | 1 (On) |
| RequiredDuringCall | Defines if the recorded user will be disconnected from the call if the recorder bot connection is lost | 1 (On) |
| RequiredDuringMeeting | Defines if the recorded user will be disconnected from the meetings if the recorder bot connection is lost | 1 (On) |

You can choose from either the Fail Open or Fail Close policies below.

Multi-Tenant Germany

  • Replace the <PolicyName> with the Policy Name created previously
  • Replace the <ObjectId> with the value of the Object ID from the output of the New-CsOnlineApplicationInstance command of Voice Recording Bot 1
 
 

Multi-Tenant Switzerland

  • Replace the <PolicyName> with the Policy Name created previously
  • Take note of the "Object ID" from the output of the command from the "Whitelist" section, then replace <ObjectId> with this value in the command
 
 

Fail Open Policy:

New-CsTeamsComplianceRecordingApplication -Identity 'Tag:<PolicyName>/<ObjectId>' -RequiredBeforeCallEstablishment $false -RequiredDuringCall $false -RequiredBeforeMeetingJoin $false -RequiredDuringMeeting $false

Fail Close Policy:

New-CsTeamsComplianceRecordingApplication -Identity 'Tag:<PolicyName>/<ObjectId>' -RequiredBeforeCallEstablishment $true -RequiredDuringCall $true -RequiredBeforeMeetingJoin $true -RequiredDuringMeeting $true

💡If there is a need to create multiple compliance policies (for example a fail open and a fail close policy), then repeat the steps within this section for each new policy, ensuring each new policy references the same Object ID for the white listed application.

Multi-Tenant Germany

Setting up 2N recording

To configure 2N recording, follow the instructions below:

  • Replace the <PolicyName> with the name of the policy previously created
  • Replace <ObjectId> with the Object ID from the results of the New-CsOnlineApplicationInstance command of Voice Recording Bot 1
  • Replace <ObjectId_of_Bot2> with the Object ID from the results of the New-CsOnlineApplicationInstance command of Voice Recording Bot 2

Set-CsTeamsComplianceRecordingApplication -Identity 'Tag:<PolicyName>/<ObjectId>' -ComplianceRecordingPairedApplications @(New-CsTeamsComplianceRecordingPairedApplication -Id '<ObjectId_of_Bot2>')
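To confirm that a policy ended up as Fail Close (all four flags on) and, for 2N recording, that a second bot is paired, the policy can be read back and classified. This is an added example, not Luware's code: the function name is hypothetical, the sample policy object is constructed, and the property names are assumed to match the parameter names used on this page.

```powershell
# Added example, not Luware's code. Property names are assumed to match the
# parameter names on this page, as returned by Get-CsTeamsComplianceRecordingPolicy.
function Get-RecordingPolicyFailMode {
    param(
        [Parameter(Mandatory)] $Policy,
        [switch] $Require2N   # set where a second bot must be paired (2N recording)
    )
    $apps = @($Policy.ComplianceRecordingApplications | Where-Object { $_ })
    if ($apps.Count -eq 0) {
        # State right after New-CsTeamsComplianceRecordingPolicy: nothing records yet.
        return [pscustomobject]@{ Policy = $Policy.Identity; BotObjectId = $null
            Mode = 'None'; PairedBots = 0; Findings = @('no recording application attached') }
    }
    foreach ($app in $apps) {
        $flags = @($app.RequiredBeforeCallEstablishment, $app.RequiredBeforeMeetingJoin,
                   $app.RequiredDuringCall, $app.RequiredDuringMeeting)
        $on = @($flags | Where-Object { $_ -eq $true }).Count
        $mode = switch ($on) { 4 { 'Fail Close' } 0 { 'Fail Open' } default { 'Mixed' } }
        # Filter nulls first: @($null).Count would otherwise report 1.
        $paired = @($app.ComplianceRecordingPairedApplications | Where-Object { $_ }).Count
        $findings = @()
        if (-not $Policy.Enabled)          { $findings += 'policy is disabled' }
        if ($mode -ne 'Fail Close')        { $findings += "mode is $mode, not the recommended Fail Close" }
        if ($Require2N -and $paired -eq 0) { $findings += 'no paired bot, 2N recording not configured' }
        [pscustomobject]@{ Policy = $Policy.Identity; BotObjectId = $app.Id
            Mode = $mode; PairedBots = $paired; Findings = $findings }
    }
}

# Constructed sample: one flag left off and no paired bot.
$samplePolicy = [pscustomobject]@{
    Identity = 'Tag:ExamplePolicy'; Enabled = $true
    ComplianceRecordingApplications = @([pscustomobject]@{
        Id = '00000000-0000-0000-0000-000000000001'
        RequiredBeforeCallEstablishment = $true; RequiredBeforeMeetingJoin = $true
        RequiredDuringCall = $true; RequiredDuringMeeting = $false
        ComplianceRecordingPairedApplications = @()
    })
}
Get-RecordingPolicyFailMode -Policy $samplePolicy -Require2N

# Against a tenant:
# Get-CsTeamsComplianceRecordingPolicy -Identity '<PolicyName>' |
#     ForEach-Object { Get-RecordingPolicyFailMode -Policy $_ -Require2N }
```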
 
 

Teams Compliance Policy

You will need to grant the Teams Compliance Recording Policy/Policies created previously. Luware recommends applying compliance policies to the Azure Entra ID security groups that are synchronized within Luware Recording. Below is an example of how to grant the compliance policy to a Microsoft Teams User/Group within your tenant.

💡Note that

  • Luware does not support compliance policies being enabled to an entire tenant.
  • Luware does not recommend applying compliance policies to users.
  • User policy assignment overrules group policy assignment.

Grant to a group

In the PowerShell command below, which grants a Teams compliance policy to an Azure Entra ID group (applies to the 'Recorded Users' security group only):

  • Replace <Azure Entra ID Security Group ID> with the AAD Security group ID of the recorded user group
  • Replace <PolicyName> with the name of the recording policy created previously

New-CsGroupPolicyAssignment -GroupId "<Azure Entra ID Security Group ID>" -PolicyType TeamsComplianceRecordingPolicy -PolicyName "<PolicyName>"

Grant to a user

In the PowerShell command below, which grants a Teams compliance policy to an individual user:

  • Replace <Users UPN> with the UPN of the user you are assigning the policy to
  • Replace <PolicyName> with the name of the recording policy created previously

Grant-CsTeamsComplianceRecordingPolicy -Identity '<Users UPN>' -PolicyName '<PolicyName>'

POLICY APPLICATION DELAY

Note that Microsoft states that compliance policy assignment can take up to 24 hours to apply; however, in most cases, this will occur within an hour.

 

Check a granted policy

Use the following command to check if the policy has been applied to the users:

Get-CsOnlineUser -Identity '<Users UPN>' | Select-Object -ExpandProperty 'TeamsComplianceRecordingPolicy'

Azure Active Directory Synchronization

Recording makes use of Azure Entra ID to sync users and extensions. For this to be possible, security groups will need to be created for each of the 3 roles (Recorded user, Supervisor, Administrator) above. Return a list of the groups created in the following format:

| Security Group DisplayName | Role |
|---|---|
| ABC_Administrators | Administrators |
| ABC_RecordedUsers | Recorded Users |
| ABC_Supervisors | Supervisors |

Ensure the users are added to the correct groups before engaging Luware to configure the Azure Entra ID Synchronization. Users can be members of more than one group. For example, a Supervisor is by default not recorded. If a user needs the rights of a supervisor but also needs to be recorded, then that user MUST be a part of both the Recorded Users group and the Supervisor group.

💡If a bespoke configuration is required for roles or additional roles are required, consult your Luware point of contact.

Recording Web Portal

Once the onboarding process has been completed and Recording is live, you have the ability to access recordings for playback. This is done through a web portal. You need to log in with your Azure Entra ID UPN and password.

✅ Contact your partner admin or a Luware technician to get the link to the portal.


Luware Support

Luware Website: https://luware.com/support/
Luware Helpdesk: https://helpdesk.luware.cloud
Cloud Service Status: https://status.luware.cloud/

 

 
