SUBJECT TO CHANGE
Please note this is an evolving service, with specifications subject to change in future. This document will be maintained based on any future specification changes that pertain to the sections in this document.
Overview
This section assumes that you are familiar with the concepts of M365, Azure Entra ID, PowerShell and Microsoft Teams. Luware Recording requires that you complete these preconditions to enable the capture and archive of communication.
You will consent to the required Luware Recording application permissions, whitelist the application, create and assign compliance policies and complete other preconditions required to enable Luware Recording.
This document provides the required guidance to enable Luware Recording.
Connectivity Overview
Luware Recording natively integrates with Microsoft Teams using the Microsoft provided software development kits (SDKs). Our solution is certified with Microsoft ensuring data privacy, security and compliance capture meets Microsoft's strict specifications.
Luware Recording captures directly from the Microsoft Teams back end servers using Microsoft Teams Compliance Recording Policies. These policies are applied to groups of users within a customer's tenant and triggered when users make or receive communications within Microsoft Teams. When the policy is triggered, Microsoft sends an invite request to the Luware Recording environment via the Azure Bot, which sets up the capture of the communication using Luware Recording servers.
Luware Recording uses the Graph API service and Azure Entra to pull metadata to enhance captured conversations and allow users to login securely to the Web portal.
Microsoft provide detailed information on how this works in the Introduction to Microsoft Teams third Party Compliance Recording document.
Required Application Permissions
Luware Recording has specific Azure Entra Application Permissions that must be accepted to allow the capture, archive and web portal functions. Consent must be given to these permissions to enable Luware Recording:
Recording Application Permissions
The following permissions are required for Luware Recording:
Type | API/Permissions | Short Description | Technical Description |
---|---|---|---|
Delegated | User.Read | Sign in and read user profile - User | The Luware Recording portal will redirect users to your Azure Active Directory login page when a user attempts to sign in. This permission allows the users to sign in to the Luware Recording portal. The user details are pulled from Azure Active Directory using a combination of the permissions below. |
Application | Calls.AccessMedia.All | Access media streams in a call as an app | This permission is mandated by Verint and Microsoft for recording. |
Application | Calls.JoinGroupCall.All | Join group calls and meetings as an app | This permission is mandated by Verint and Microsoft for recording. |
Application | Calls.JoinGroupCallAsGuest.All | Join group calls and meetings as a guest | This permission is mandated by Verint and Microsoft for recording. |
Application | OnlineMeetings.Read.All | Read online meeting details | This permission is mandated by Verint for selective recording scenarios and additional meeting metadata. |
Application | Calendars.Read | Read meeting and display names | This permission is mandated by Verint for selective recording scenarios and additional meeting metadata. |
Application | Group.Read.All | Read all groups | To determine who to record from your tenant, we need to have a way of identifying groups of users for recording, supervision and administrative functions. To do this, we will ask you to configure 3 sets of groups. The system will then query those specific groups every day requesting user details for each user. |
Application | GroupMember.Read.All | Read all group memberships | To pull the specific users that are members of the groups specified in the Group.Read.All permission. |
Application | User.Read.All | Read all users' full profiles | To determine the user's extension for recording, we need to pull the user's details such as the Id field from Azure. |
Customer Tenant Configuration Steps
Luware recommends the following sequence is used to enable the customer's environment for Luware Recording:
- Create Azure Entra Security Groups for Luware Recording
- Consent to the Luware Recording Bot permissions
- Whitelist the Luware Recording Bot applications
- Create Microsoft Teams Compliance Policies
- Grant Microsoft Teams Compliance Policies
- Complete the Azure Storage Account Preconditions
- Complete the Microsoft Teams Instant Message Capture (Optional)
1. Create Azure Entra Security Groups for Luware Recording
Luware Recording utilizes Azure Entra security groups to determine role based access permissions and recording rules. Luware Recording synchronises the users of groups automatically. Compliance Policies should be granted to Azure Entra security groups which will automatically enable recording for users when they are added to the group.
In a basic setup of Luware Recording, you will have at least 3 groups:
- Recorded Users: Members of this group will be granted the Microsoft Teams Compliance Policy and be enabled in Luware Recording for capture and archive. These are licensed users in the Luware Recording system.
- Supervisors: Members of this group have access to the captured conversations of the Recorded Users.
- Administrators: Members of this group have the ability to access the underlying configuration of the Luware Recording environment.
Additional Security Groups
Some solution packages have restrictions on the number of security groups that can be synchronised into Luware Recording. For more information, you can check the Solution Packages article.
Create the Azure Entra Security Groups
Login to the Azure Portal and create the required Azure Entra security groups. Microsoft provide a detailed help article here: Quickstart: Create a group with members and view all groups and members.
An example of basic group configuration:
Security Group Display Name | Role |
---|---|
LuwareRecording-RecordedUsers | Recorded Users |
LuwareRecording-Supervisors | Supervisors |
LuwareRecording-Administrators | Administrators |
Assign Test Users
Luware recommends a unique test user is assigned to each group while you validate the features and functions of the Luware Recording environment.
💡 If you don't have enough licenses to assign unique test users, we can move users between groups later for testing.
Save the Group Names for later
The group names will be required to grant the Microsoft Teams Compliance Policies and for the synchronisation of users into the Luware Recording system. Make a note of the Display Name property of each security group created.
💡 For more complex group configuration, consult your Luware customer success specialist.
2. Consent to Luware Recording Graph API Permissions
You must consent to permissions within your Azure Entra tenant for the Luware Recording application to function. To consent to the Luware Recording application permissions, a user with Global Administrator role based access control permissions in the Azure Entra tenant is required.
Global Administrator Role Required
An Azure Entra account with the Global Administrator role is required to accept Luware Recording application permissions.
Find my Azure Entra Tenant ID
To create the consent URL that your Azure Global Administrator will be required to use, we first need to acquire the Azure tenant ID of the environment where the Microsoft Teams users are enabled.
Microsoft provide guidance in their How to find your Microsoft Entra tenant ID article.
Acquire the Luware Recording Application IDs
Your Luware Recording customer success specialist will email you the Luware Recording application Ids. These are used in the URL to generate the consent link for Luware Recording. Depending on which regional environment you have selected, a set of specific application Ids will be provided.
Generate the URL
Now we have the required information, we need to modify the below URLs with the Tenant ID and the Luware Recording Application Ids. Follow the below steps to generate the consent URL:
- Copy the URLs from the correct regional environment below to notepad.
- Replace <Customer Tenant ID> with your Azure Entra Tenant Id.
- Replace <Luware Recording App Id 1> with the Id provided by the Luware Recording customer success specialist.
- For 2N environments, replace <Luware Recording App Id 2> with the Id provided by the Luware Recording customer success specialist.
Multi-Tenant Switzerland
Luware Recording Application Id 1:
https://login.microsoftonline.com/<Customer Tenant ID>/adminconsent?client_id=<Luware Recording App Id 1>&state=12345&redirect_uri=https://luware.com
Multi-Tenant Germany
Luware Recording Application Id 1:
https://login.microsoftonline.com/<Customer Tenant ID>/adminconsent?client_id=<Luware Recording App Id 1>&state=12345&redirect_uri=https://luware.com
Luware Recording Application Id 2:
https://login.microsoftonline.com/<Customer Tenant ID>/adminconsent?client_id=<Luware Recording App Id 2>&state=12345&redirect_uri=https://luware.com
Consent to the Application
To provide consent to the Luware Recording application, complete the below steps:
- Login to portal.azure.com with the Global Administrator role assigned.
- Visit the URLs generated.
- Click Accept on the Permissions.
- For 2N environments, you must perform this action for both URLs generated.
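One way to confirm, after consent, that the tenant granted the permissions listed under Recording Application Permissions and nothing beyond them. This is an added example, not Luware's own script; it assumes the Microsoft Graph PowerShell SDK is installed, and `$LuwareAppId` is a placeholder for the application Id supplied by Luware.

```powershell
# Added example (not Luware's script): compare the Microsoft Graph permissions
# granted to the consented application with the documented list.
# Assumption: the Microsoft.Graph PowerShell SDK is installed.
$LuwareAppId = '<Luware Recording App Id 1>'            # placeholder, supplied by Luware
$GraphAppId  = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph

# Permissions from the table above, spelled as Microsoft Graph names them.
$ExpectedAppRoles = @(
    'Calls.AccessMedia.All', 'Calls.JoinGroupCall.All', 'Calls.JoinGroupCallAsGuest.All',
    'OnlineMeetings.Read.All', 'Calendars.Read', 'Group.Read.All',
    'GroupMember.Read.All', 'User.Read.All'
)
$ExpectedDelegated = @('User.Read')

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' | Out-Null

$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$appSp   = Get-MgServicePrincipal -Filter "appId eq '$LuwareAppId'"
if (-not $appSp) {
    throw "No service principal found for $LuwareAppId. Admin consent has not been completed."
}

# Role assignments carry only the role GUID; resolve it to a name via Graph's AppRoles.
$roleNameById = @{}
foreach ($role in $graphSp.AppRoles) { $roleNameById[[string]$role.Id] = $role.Value }

$grantedAppRoles = @(
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id -All |
        Where-Object { $_.ResourceId -eq $graphSp.Id } |
        ForEach-Object { $roleNameById[[string]$_.AppRoleId] } |
        Where-Object { $_ }
)

# Tenant-wide delegated grants hold their scopes as one space-separated string.
$grantedDelegated = @(
    Get-MgOauth2PermissionGrant -Filter "clientId eq '$($appSp.Id)'" -All |
        Where-Object { $_.ResourceId -eq $graphSp.Id -and $_.ConsentType -eq 'AllPrincipals' } |
        ForEach-Object { $_.Scope -split '\s+' } |
        Where-Object { $_ }
)

# -notin is case-insensitive, so casing differences do not produce false findings.
[pscustomobject]@{
    ServicePrincipal    = $appSp.DisplayName
    MissingAppRoles     = @($ExpectedAppRoles  | Where-Object { $_ -notin $grantedAppRoles })
    UnexpectedAppRoles  = @($grantedAppRoles   | Where-Object { $_ -notin $ExpectedAppRoles })
    MissingDelegated    = @($ExpectedDelegated | Where-Object { $_ -notin $grantedDelegated })
    UnexpectedDelegated = @($grantedDelegated  | Where-Object { $_ -notin $ExpectedDelegated })
} | Format-List
```

For 2N environments, run it once per application Id. Any entry under the Unexpected properties is a permission the page does not list and should be reviewed before go-live.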
3. Whitelist Luware Recording Bot Graph Application
The Luware Recording Application needs to be "White-Listed" within the M365 tenant where the Microsoft Teams users are enabled. This section provides the PowerShell commands to perform this requirement, using the Teams PowerShell module.
Administrator Role Required
An Azure Entra account with the Global Administrator or User Administrator role is required to create the Application Instances within Microsoft Teams and Azure Entra.
Install module and connect using PowerShell
Open PowerShell ISE on your local machine and run the below commands from the script pane. Install-Module will download the Microsoft Teams PowerShell module if it is not already installed, and Import-Module loads it into the session. After installation, Connect-MicrosoftTeams will authenticate against the Azure Entra environment.
Install-Module -Name MicrosoftTeams
Import-Module MicrosoftTeams
Connect-MicrosoftTeams
The authentication sign-in box will pop up as shown below. Sign in with the Azure Entra account which has the Global Administrator or User Administrator role assigned.
Prepare the Commands
Follow the below steps to prepare the commands to whitelist the Luware Recording application Ids within the M365 Teams environment.
- Depending on your chosen Luware Recording region, copy the commands from below to the PowerShell ISE script pane.
- Replace the <domain.com> with your M365 Teams domain.
- Replace the <Luware Recording App Id> with the corresponding Application Ids provided by your customer success specialist.
Multi-Tenant Switzerland
Luware Recording Application Id 1:
New-CsOnlineApplicationInstance -UserPrincipalName luwarerecording-mtch-1@<domain.com> -DisplayName "Luware Recording MTCH 1" -ApplicationId <Luware Recording App Id 1>
Multi-Tenant Germany
Luware Recording Application Id 1:
New-CsOnlineApplicationInstance -UserPrincipalName luwarerecording-mtde-1@<domain.com> -DisplayName "Luware Recording MTDE 1" -ApplicationId <Luware Recording App Id 1>
Luware Recording Application Id 2:
New-CsOnlineApplicationInstance -UserPrincipalName luwarerecording-mtde-2@<domain.com> -DisplayName "Luware Recording MTDE 2" -ApplicationId <Luware Recording App Id 2>
Run the commands and save the object IDs for later
Execute the commands from PowerShell ISE. If successful, you will receive an update as shown below.
💡 For 2N environments, you must run this command once for each Luware Recording Application ID.
Copy the ObjectId value as shown in the screenshot below. This will be used later to link the whitelisted application to the Microsoft Teams Compliance Policy.
Make a note in the below format:
Multi-Tenant Switzerland
Id | Object Id | Object Id Value |
---|---|---|
Luware Recording App Id 1 | <ObjectId1> | ObjectId1 |
Multi-Tenant Germany
Id | Object Id | Object Id Value |
---|---|---|
Luware Recording App Id 1 | <ObjectId1> | ObjectId1 |
Luware Recording App Id 2 | <ObjectId2> | ObjectId2 |
4. Create Microsoft Teams Compliance Policies
This section explains the concept and creation of Microsoft Teams Compliance Recording Policies within your tenant. The process of creating and granting policies follows the below steps:
- Create a Compliance Recording Policy.
- Link the Luware Recording application and apply rules to the Compliance Recording Policy.
- Link the 2N Recording Application to the Compliance Recording Policy.
- Grant the Policy to users using Groups.
Overview of Policy Settings
Before creating the compliance policy, it's important to understand the difference between a Fail Close and Fail Open policy. The value column is used to set the configuration of fail close and fail open during setup.
Type | Description | Value | Recommended for Compliance Recording |
---|---|---|---|
Fail Open | When a recorded user initiates or receives a call, a request is sent to invite the recorder, however, a response is not required to allow the user to join the call. If recording fails, the user is not notified and the user is permitted to continue the call. | $false | No |
Fail Close | When a recorded user initiates or receives a call, the compliance policy must receive a response from the Luware Recording servers to set up capture of the communication. If no response is received, the call will fail to connect with the following message on the Teams client: “We couldn't connect you - There was a problem setting up the recording required by your org” | $true | Yes |
Fail Close is recommended for Compliance Recording
Luware recommends enabling fail close for all compliance recording use cases. This reduces the risk of missed recordings due to delays in user assignment or due to connectivity issues between the M365 cloud services and the Luware Recording services.
Create a Compliance Recording Policy
Follow the below guidance to create a Microsoft Teams Compliance Recording Policy. A user with the Global Administrator role is required to create compliance recording policies. The Description and Identity fields are customisable.
- Open PowerShell ISE on your local machine or use the Microsoft Teams Cloud Shell.
- Login with a user enabled with the Global Administrator role.
- Copy the below command and edit the Description and Identity fields.
Type | Description | Example |
---|---|---|
Description | Customisable field that contains a text description for the use case of the policy. Recommended to include information about the type of users or use case. | Luware Recording Fail Close 1 |
Identity | A unique name for the compliance recording policy, used in later stages to link settings to the policy | luwarerecordingfailclose1 |
Script:
New-CsTeamsComplianceRecordingPolicy -Enabled $true -Description '<CompliancePolicyDescription>' -Identity '<CompliancePolicyName>'
Example:
New-CsTeamsComplianceRecordingPolicy -Enabled $true -Description 'Luware Recording Fail Close 1' -Identity 'luwarerecordingfailclose1'
💡 If you're creating more than one policy, run the command again after modifying the Description and Identity values so they are unique, for example, -Identity 'luwarerecordingfailclose2'.
Link the Luware Recording application and apply rules to the Compliance Recording Policy
The Compliance Recording Policy must then be linked to the whitelisted applications created earlier and setup with specific settings. In the table below, we provide an explanation of the parameters used for Fail Open and Fail Close. Luware recommends setting Fail Close for all parameters.
Name of Parameter | Description |
---|---|
RequiredBeforeCallEstablishment | Defines if the bot has to join the call before the recorded user can place or receive calls |
RequiredBeforeMeetingJoin | Defines if the bot has to join the call before the recorded user can join the meetings |
RequiredDuringCall | Defines if the recorded user will be disconnected from the call if the recorder bot connection is lost |
RequiredDuringMeeting | Defines if the recorded user will be disconnected from the meetings if the recorder bot connection is lost |
You can choose from either the Fail Open or Fail Close policies below. To run the commands:
- Copy the command into PowerShell ISE on your local machine, or use the editor in Microsoft Teams Cloud Shell.
- Replace the <CompliancePolicyName> to match the Identity field used in the last step, in our example, it's luwarerecordingfailclose1
- Replace the <ObjectId1> to match the Luware Recording Application Id one from 3. Whitelist Luware Recording Bot Graph Application
Fail Close Policy
New-CsTeamsComplianceRecordingApplication -Identity 'Tag:<CompliancePolicyName>/<ObjectId1>' -RequiredBeforeCallEstablishment $true -RequiredDuringCall $true -RequiredBeforeMeetingJoin $true -RequiredDuringMeeting $true
Example:
New-CsTeamsComplianceRecordingApplication -Identity 'Tag:luwarerecordingfailclose1/b00d2f40-abcd-4e27-b2a5-93090e99c17e' -RequiredBeforeCallEstablishment $true -RequiredDuringCall $true -RequiredBeforeMeetingJoin $true -RequiredDuringMeeting $true
Fail Open Policy
New-CsTeamsComplianceRecordingApplication -Identity 'Tag:<CompliancePolicyName>/<ObjectId1>' -RequiredBeforeCallEstablishment $false -RequiredDuringCall $false -RequiredBeforeMeetingJoin $false -RequiredDuringMeeting $false
Example:
New-CsTeamsComplianceRecordingApplication -Identity 'Tag:luwarerecordingfailopen1/b00d2f40-abcd-4e27-b2a5-93090e99c17e' -RequiredBeforeCallEstablishment $false -RequiredDuringCall $false -RequiredBeforeMeetingJoin $false -RequiredDuringMeeting $false
💡If you are creating multiple policies, you need to run the above command once for each compliance recording policy you have created.
Link the 2N Recording Application to the Compliance Recording Policy
Multi-Tenant Germany Only
This step must be performed for customers on the Multi-Tenant Germany cluster only.
2N recording provides additional resiliency at the M365 policy check by using two invites to recorders, whereby, only one invite needs a response to allow the call to initiate.
You can choose from either the Fail Open or Fail Close policies below. To run the commands:
- Copy the command into PowerShell ISE on your local machine, or use the editor in Microsoft Teams Cloud Shell.
- Replace the <CompliancePolicyName> to match the Identity field used in the last step, in our example, it's luwarerecordingfailclose1
- Replace the <ObjectId1> to match the Luware Recording Application Id 1 from 3. Whitelist Luware Recording Bot Graph Application
- Replace the <ObjectId2> to match the Luware Recording Application Id 2 from 3. Whitelist Luware Recording Bot Graph Application
Multi-Tenant Germany
Set-CsTeamsComplianceRecordingApplication -Identity 'Tag:<CompliancePolicyName>/<ObjectId1>' -ComplianceRecordingPairedApplications @(New-CsTeamsComplianceRecordingPairedApplication -Id '<ObjectId2>')
Example:
Set-CsTeamsComplianceRecordingApplication -Identity 'Tag:luwarerecordingfailclose1/b00d2f48-bdc2-4e27-b2a5-93090e99c17e' -ComplianceRecordingPairedApplications @(New-CsTeamsComplianceRecordingPairedApplication -Id '52097e72-d9b8-4a1a-8d23-d44e2e03c27b')
💡If you are creating multiple policies, you need to run the above command once for each compliance recording policy you have created.
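A check that a policy created in this section is actually fail close, and that every linked or paired ObjectId belongs to an application instance whitelisted in section 3. This is an added example, not Luware's own script; the function name `Test-FailClosePolicy` is hypothetical, the policy name is the page's example value, and an active Connect-MicrosoftTeams session is assumed.

```powershell
# Added example (not Luware's script): report every setting that would let a
# compliance recording policy fail open. Assumes a Connect-MicrosoftTeams session.
function Test-FailClosePolicy {
    param([Parameter(Mandatory)][string]$PolicyName)

    $flags = 'RequiredBeforeCallEstablishment', 'RequiredDuringCall',
             'RequiredBeforeMeetingJoin', 'RequiredDuringMeeting'
    $findings = [System.Collections.Generic.List[string]]::new()

    $policy = Get-CsTeamsComplianceRecordingPolicy -Identity $PolicyName -ErrorAction Stop
    if (-not $policy.Enabled) {
        $findings.Add('Policy is not enabled, so no recorder is invited.')
    }

    # Filter out $null so an unlinked policy yields an empty array, not one null entry.
    $apps = @($policy.ComplianceRecordingApplications | Where-Object { $_ })
    if ($apps.Count -eq 0) {
        $findings.Add('No recording application is linked to the policy.')
    }

    # Whitelisted application instances, keyed by the ObjectId noted in section 3.
    $instances = @{}
    foreach ($i in Get-CsOnlineApplicationInstance) { $instances[[string]$i.ObjectId] = $i }

    foreach ($app in $apps) {
        foreach ($flag in $flags) {
            if ($app.$flag -ne $true) {
                $findings.Add("$($app.Id): $flag is not `$true (fail open).")
            }
        }
        # The primary recorder plus any 2N paired recorder must all be whitelisted.
        $paired = @($app.ComplianceRecordingPairedApplications |
            ForEach-Object { $_.Id } | Where-Object { $_ })
        foreach ($id in @($app.Id) + $paired) {
            if (-not $instances.ContainsKey([string]$id)) {
                $findings.Add("$id is linked to the policy but is not an application instance in this tenant.")
            }
        }
    }

    [pscustomobject]@{
        Policy    = $PolicyName
        FailClose = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-FailClosePolicy -PolicyName 'luwarerecordingfailclose1' | Format-List
```

Run it before granting the policy in section 5: a policy that reports findings will either let calls proceed unrecorded or, with an unknown ObjectId, block recorded users from calling.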
5. Grant the Microsoft Teams Compliance Policy
To enable Luware Recording to capture users in the security groups, we need to assign compliance policies to users. Luware recommends applying policies to the Azure Entra security groups that were created earlier and will be used for synchronisation into Luware Recording.
Warning about Granting Policies
When the policy is granted to the security group, all users within that group will have the policy applied within 24 hours. If the Luware Recording setup is not completed, users will not be able to initiate or receive calls. Luware recommends adding a test user to the group before moving to go-live.
Luware do not support granting compliance recording policies to the Tenant.
Find the Group Object ID
To apply the policy to a group, first we need to collect the group's Object Id from Azure Entra.
- Login to the Azure Portal
- Search for Microsoft Entra Id
- From the left navigation, click Manage, Groups.
- From the left navigation, click All Groups.
- Search for the Recorded User group created in section 1. Create Azure Entra Security Groups for Luware Recording
- Click the Recorded User group name.
- Copy the Object Id.
Grant the Compliance Recording Policy
Follow the below instructions to grant the Compliance Recording policy.
Policy Application Delay
Note that Microsoft state compliance policy assignment can take up to 24 hours to apply, however, in most cases, this will occur within an hour.
Grant to an Azure Entra Group
To grant the Compliance Recording Policy to an Azure Entra Group, the group selected must be the Recorded User group set up in section 1. Create Azure Entra Security Groups for Luware Recording.
- Copy the command into PowerShell ISE on your local machine, or use the editor in Microsoft Teams Cloud Shell.
- Replace the <AzureGroupObjectId> with the Group Object Id copied in the previous section.
- Replace the <CompliancePolicyName> to match the Identity field of the compliance recording policy created in section 4. Create Microsoft Teams Compliance Policies
Script:
New-CsGroupPolicyAssignment -GroupId "<AzureGroupObjectId>" -PolicyType TeamsComplianceRecordingPolicy -PolicyName "<CompliancePolicyName>"
Example:
New-CsGroupPolicyAssignment -GroupId 085fd5ee-756a-4284-b81d-a62549f12293 -PolicyType TeamsComplianceRecordingPolicy -PolicyName "luwarerecordingfailclose1"
Grant to an Azure User
Granting Policies to Users
Luware does not recommend applying policies to individual users. If a policy is assigned to a specific user, this will take priority over a policy granted by a group. Luware do not allow manual configuration of users in Luware Recording.
To grant the Compliance Recording Policy to an Azure User, the user must be setup with Luware Recording and be a member of the Recorded User group for recording to work.
- Copy the command into PowerShell ISE on your local machine, or use the editor in Microsoft Teams Cloud Shell.
- Replace the <UsersUPN> with the user's UserPrincipalName from Azure Entra.
- Replace the <CompliancePolicyName> to match the Identity field of the compliance recording policy created in section 4. Create Microsoft Teams Compliance Policies
Script:
Grant-CsTeamsComplianceRecordingPolicy -Identity '<UsersUPN>' -PolicyName '<CompliancePolicyName>'
Example:
Grant-CsTeamsComplianceRecordingPolicy -Identity '265349a9-a897-4bf8-a222-3d3f87aa0346' -PolicyName 'luwarerecordingfailclose1'
Check a granted policy
After a policy is created you can verify the assignment by using the below scripts. This will show the policy is applied even if Microsoft has not completed the action on the M365 backend.
Check a policy on an Azure Entra Group
Script:
Get-CsGroupPolicyAssignment -GroupId <AzureGroupObjectId>
Example:
Get-CsGroupPolicyAssignment -GroupId 085fd5ee-756a-4284-b81d-a62549f12293
Check a policy on an Azure User
Script:
Get-CsOnlineUser -Identity <UsersUPN> | Select-Object -ExpandProperty 'TeamsComplianceRecordingPolicy'
Example:
Get-CsOnlineUser -Identity 4092d57d-c1be-42b0-a4f2-5ff8eb34fe19 | Select-Object -ExpandProperty 'TeamsComplianceRecordingPolicy'
6. Complete the Azure Storage Account Preconditions
You will need to set up an Azure Storage Account and Blob container to archive the captured recordings to storage. Complete the requirements in this article: Azure Storage Preconditions.
7. Complete the Microsoft Teams Instant Message Capture (Optional)
To enable Microsoft Teams Instant Message capture, you will need to set up the preconditions required in this article: MS Teams Chat Recording Preconditions.
Luware Support
Luware Website | https://luware.com/support/ |
---|---|
Luware Helpdesk | https://helpdesk.luware.cloud |
Cloud Service Status | https://status.luware.cloud/ |