Native Microsoft Teams Call Recording Configuration

Requirements

• Imagicle UCX Cloud Suite
• Admin-level access to MS Teams PowerShell
• Admin-level access to Microsoft Azure web portal, through a user with a valid Azure subscription. This is required to create new Azure Bot.
• To verify if the user has an Azure subscription, follow this procedure:
  • log into https://portal.azure.com
  • click on Subscriptions
  • check that at least one subscription is included in the subscription list
• If no subscriptions are available, it is possible to create a free one, even if a credit card is required. No charges are applied. Otherwise, it is possible to be added as a "contributor" on an existing subscription; to do so, the user managing the subscription must add this user as a contributor.
• Working public URL to access Imagicle web portal:   https://<customer_name>-public.imagicle.cloud/
• Imagicle specific Application ID URI to add in App Registration. The URI will be provided by Imagicle team
• Imagicle specific URL to add in Azure Bot. The URI will be provided by Imagicle team

Configuration Overview

To allow the recording of MS Teams users' conversations, you must associate each user to a Recording Policy, in turns connected to an Azure BOT, in turns connected to an Azure Application (App Registrations).

To enable an MS Teams user to leverage Imagicle Call Recording, the following tasks should be accomplished:

1. Add a custom domain
2. Add an Azure Application (App Registrations)
3. Send App Registration and custom domain data to Imagicle team
4. Imagicle team confirms domain entry creation and returns a webhook URL.
5. Define an Azure BOT (associated to above app)
6. Define a Recording Policy (associated to above app)
7. Associate above Recording Policy to all Call Recording users

Please bear in mind that Silence Suppression is not supported.

Configurations from MS Azure/Entra Web Portal

Custom Domain

• Please access to Microsoft Entra Admin Center web portal and go to Settings ⇒ Domain names ⇒ Add custom domain:

• Enter a domain name, based on the Azure Bot URL provided by Imagicle team
  I.e. <customer_name>-msrecorder.imagicle.cloud
• Click on "Add domain" to pop-up the following page:

• Please copy and save the "Destination or points to address" value. It should later be sent to Imagicle Team.
• Once Imagicle confirms that relevant DNS entry has been created, you can hit "Verify" button and proceed with Azure BOT creation. Do not verify domain prior to Imagicle confirmation.

Azure App Registration

• Please connect to https://portal.azure.com and login as Administrator
• Select “App registrations” service and click on “New Registration”
• Please compile the form as below sample, filling the Application name with “Imagicle Call Recording”

• Hit "Register" to get the following resume page, including Application (client) and Directory (tenant) IDs.

• Please take note NOW of above Application ID and Directory ID. They are required later on in this procedure.
• From "Manage" left panel, click on "Certificates & secrets" to define a new "Client Secret"

Client Secret

• Please click on “New client secret” and choose an expiration period. We suggest to apply the longest one (24 months) or "Never". 

• Please take note NOW of Client Secret "Value", available once new Client Secret as been created. It is required later on in this procedure and it won't be displayed anymore in the future.

• Please set a reminder for Client Secret, so you can generate a new Client Secret before actual expiration. Once Client Secret is expired, you can just create a second Client Secret by following same procedure. You can transmit new Client Secret Value to Imagicle team, who is going to apply it in Imagicle Cloud. Then you can remove expired Client Secret.

Authentication

• From "Manage" left panel, click on "Authentication".

• Under the Platform configuration sections, click on Add a platform button.

• In the right panel, select Web.
• Enter as Redirect URI "https://www.imagicle.com". Take a note of provided URL, it is needed later on.
• Click on the Configure button in the bottom.

API Permissions

• Within newly created App Registration, now you need to add permissions to leverage Microsoft Graph APIs. From "Manage" left panel, please click on "API permissions" to get the following window:

• Click on "Add a permission" and select “Microsoft Graph”:

• Now click on "Application permissions" and start searching for the following permissions:
  • Calendars.Read
  • Calls.AccessMedia.All
  • Calls.Initiate.All
  • Calls.InitiateGroupCall.All
  • Calls.JoinGroupCall.All
  • Calls.JoinGroupCallAsGuest.All
  • OnlineMeetings.Read.All
  • User.Read.All

• Tick each above permission and finally hit "Add permissions"

• Once Microsoft Graph permission has been added, you need to select “Grant admin consent for <Company_Name>” from rightmost pull-down menu. You get a confirmation pop-up, where you need to click "Yes"

• The following screenshot sample shows the actual API permissions summary page, if the procedure has been accomplished in the correct way:

• In case the recorded Teams environment and the recording bot are in separate Azure tenants, the following steps have to be done using Azure Tenant ID where Teams environment to record resides, leveraging a user which has the Teams Service Admin or Global Admin tenant role.
• In order to gather the Tenant ID, please login to tenant's Azure portal and select Azure Active Directory.
• Please open a browser and enter the following URL, replacing tenant-id with the one gathered from Azure Active Directory portal; application-id gathered during above "Azure App Registration" definition; redirect-uri with the URI you entered in above "Authentication" configuration:

https://login.microsoftonline.com/<tenant-id>/adminconsent?client_id=<application-id>&state=12345&redirect_uri=https://www.imagicle.com

• Hit enter in browser and login to Azure web portal as Administrator, then click "Accept". You will be redirected to the web site you entered in redirect-uri ("https://www.imagicle.com").
• In case you wish to leverage same BOT in a multi-tenant environment, please access multiple times to above URL, changing "tenant-id" value as required.

API Authorization

To allow the Imagicle Teams Application to leverage SSO and providing best experience for enduser, some API exposure roles must be set.

• Within Imagicle Call Recording App Registration, please click on "Expose an API" from left panel:

• Populate "Application ID URI" with the API URI provided by Imagicle team.
• Then click on "Add a scope" to pop-up relevant window on the right side:

• In above panel:

1. Complete the scope name by : Recording.ReadWrite.All (2) 
2. Change value of who can consent to : Admins and Users (3) 
3. Change Admin consent display name and description to a value you want explaining the goal of the scope (4 and 5) 
4. Validate by clicking on "Add scope" button (6)

• Now click on "Add a client Application":

• The following panel pops-up on the right side:

• Two application IDs must be added : 
  • 1fec8e78-bce4-4aaf-ab1b-5451cc387264 (for Teams mobile and desktop application)
  • 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 (for Teams web application)
• Please check the "Authorized scopes" option and finally validate each AppID by clicking on "Add application"

Azure BOT

• Please access to Microsoft Azure web portal as Administrator and search for Azure Bot from top search box, then click on the link under the Marketplace section. See below:

• Once selected, you need to create a new BOT by hitting "Create an Azure Bot" option. Please bear in mind that it is required a specific license subscription for this purpose and you might be required to enter a credit card number as pro-forma. No charges are applied to credit card account:

• Please fill the following fields:
  • Bot handle: Unique name for recorder BOT ⇒ imagicle-call-recording-bot
  • Subscription: leave default value
  • Resource group: create a new group "imagicle-resource-group", if none is available
  • Pricing tier: Standard plan
  • Microsoft App ID: tick "Use existing app registration"
  • Existing app id: Paste here previously copied "Application ID" saved during App creation
  • Existing app password: Paste here previously copied "Client Secret" value, saved during Client Secret creation

• Now hit  “Review + create” and double check all displayed data:

• If otherwise you get the following error message, please hit "Previous" and review the Location you specified in "imagicle-resource-group" Resource group:

• If data is correct, click on “Create”. You get below summary page, if the Bot deployment has been correctly accomplished:

Connect Bot to MS Teams Channel

• Newly defined Bot is the native MS Teams interface that Imagicle Call Recording is using to collect recording streams from MS Teams clients. To achieve this goal, new Bot must be associated to MS Teams client by using a "Channel".

• Search for Bot Services in the search box on the top, then click on the Bot Services link under "Services" section. Alternatively, Bot Services can be also found by opening top-right pull-down menu, then selecting All services ⇒ AI + machine learning option.

• Select the previously defined imagicle-call-recording-bot
• In below screenshot sample, "Channels" option is selected, pointing to Microsoft Teams channel:

• Once MS Teams channel is selected, a new configuration window appears, where you must select "Calling" tab:

• Please tick "Enable calling" flag and add a the "Webhook" URL pointing to Imagicle Cloud, acquired from Imagicle team.

• Hit "Save" and accept Terms of Service by clicking on "Agree":

Configurations from MS Teams PowerShell

• If not yet done, please install MS Teams PowerShell module by issuing the following commands from PowerShell:
• Install-Module MicrosoftTeams
• Import-Module MicrosoftTeams
• Connect-MicrosoftTeams​​

• Please enter Tenant Administrator credentials, when requested

Recording Policy Creation

• Recording Policy is a group of rule policies which is assigned to each MS Teams user. The Recording Policy described in this paragraph allows a Call Recording user to record any conversation involving own MS-Teams client.
• First of all, please enter the following PowerShell command:

New-CsOnlineApplicationInstance -UserPrincipalName <imagicle_call_recording@tenant.com> -DisplayName "Imagicle Call Recording" -ApplicationId <app-id>

• UserPrincipalName should be a new unique UPN within the Tenant. As a guideline, Imagicle suggests to enter a username like "imagicle_call_recording". You can't use an existing UPN associated to an MS Teams user.
• ApplicationId corresponds to previously copied "Application ID" saved during App creation
• Command output is similar to below sample:

• Please take note of "ObjectId" and "TenantId". They are required later on in this procedure.

• "New-CsOnlineApplicationInstance" command might fail with an error (read here for more details). Please make sure the user is associated to an online MS-Teams tenant.

• Please proceed by issuing the following commands, replacing red parameters according to your own data:

Sync-CsOnlineApplicationInstance -ObjectId <object-id> -ApplicationId <app-id>

• object-id is the ObjectId of the Online Application Instance obtained at the previous step.

New-CsTeamsComplianceRecordingPolicy -Identity <Recording-policy-imagicle>

• Recording-policy-imagicle is the actual name assigned to new Recording Policy, to be used in following PS commands

Set-CsTeamsComplianceRecordingPolicy -Identity <Recording-policy-imagicle> -Description "Imagicle Recorder CRP" -Enabled $true -ComplianceRecordingApplications @(New-CsTeamsComplianceRecordingApplication -Parent <Recording-policy-imagicle> -Id <object-id> -RequiredBeforeMeetingJoin 0 -RequiredBeforeCallEstablishment 0 -RequiredDuringMeeting 0 -RequiredDuringCall 0)

• Recording-policy-imagicle is the actual name assigned to new Recording Policy, to be used in following PS commands
• Recording-policy-description "Imagicle Recorder CRP".
• object-id is the ObjectId of the Online Application Instance obtained at the previous step.

• Please wait few seconds and then execute the following command to display new Recording Policy data summary:

Get-CsTeamsComplianceRecordingPolicy Recording-policy-imagicle

• Now it's time to assign newly defined Recording Policy to a single Call Recording user, by executing the following command, including user's UPN, as many times as the number of users to enable:

Grant-CsTeamsComplianceRecordingPolicy -Identity <user@tenant.com> -PolicyName recording-policy-imagicle

• Pay attention: user's UPN in MS Teams is case-sensitive!
• Once done, you can double check proper Recording Policy association to a user by issuing the following command:

Get-CsOnlineUser <user@tenant.com> | ft sipaddress, tenantid, TeamsComplianceRecordingPolicy

Pay attention: if you need to create a valid Recording Policy to be used for both Imagicle Call Recording AND Attendant Console, please refer to this KB article.

Configurations from Imagicle UC Cloud Suite web portal

• Please access to Imagicle web portal as Administrator and create a local "service" user account with Call Recording "Complete management" permissions (level 10) and System's "Complete users management" permissions (level 9). This account is used to retrieve recording audio streams from MS-Teams cloud.
• Please remember to configure an actual named user account as "catch-all" user for those recordings without assignee. This setting is available here: Call Recording ⇒ Global Settings ⇒ Settings ⇒ Pilot numbers ⇒ Actions on recordings without assignee. More info available in this KB article.
• Please set "PBX username" field with same value of "email" field, in each Imagicle recording-enabled user.

Actual Native Call Recording Enablement in Imagicle Cloud

At the end of whole above procedure, please collect the following data:

• UCX Suite Activation Token
• Bot name (case sensitive)
• Application (Client) ID
• Directory (Tenant) ID
• Secret Value
• Custom domain TXT value
• Bot FQDN (customer name, as configured in public web URL)
• Username and password of local "service" user, manually defined from Imagicle web portal.

You can send above data to Imagicle team, who is going to establish the connection between MS Teams Cloud and Imagicle Cloud.

Troubleshooting

If calls are not recorded, likely something went wrong in BOT configuration. You can easily test proper BOT association to MS Teams user by directly calling it from MS Teams client itself. If BOT doesn't answer the call, it means BOT is misconfigured.

To call BOT, just select "Calls" tab in MS Teams client and search for it by App's “Display name”, as shown in below screenshot:

If BOT correctly answers the call and calls are still not recorded, then please double check Recording Policy and make sure it is correctly associated to the user.

Other useful commands

• To list all users enabled for call recording, that is, having the compliance recording policy applied (named 'Recording-policy-imagicle' in the example below):

Get-CsOnlineUser -Filter {TeamsComplianceRecordingPolicy -eq "Recording-policy-imagicle"} | Select UserPrincipalName 

• To disable a user for call recording, removing the assigned compliance recording policy:

Grant-CsTeamsComplianceRecordingPolicy -Identity user@tenant.com -PolicyName $null