Call reporting for Microsoft Teams Calling

VoIP Detective is able to pull call records from Microsoft and store them locally.  This allows you to store as much data as your organization requires, on premise, and allow users to access this data without having to grant Microsoft permissions.

High level overview of setting up VoIP Detective Microsoft Teams Calling:

1. Create an application in the Azure Portal
2. Give this application the proper permissions
3. Create a client secret
4. Configure Microsoft Teams Call Reporting in VoIP Detective.

Set Up Access to Microsoft Graph

Register an Application in Azure AD:

Go to the Azure portal.
Navigate to Azure Active Directory > App registrations.

Click New registration and create an application.

Note the Application (client) ID and Directory (tenant) ID.

Assign API Permissions:

Under the app's settings, go to API permissions.

Add the Microsoft Graph API permissions:

Choose "application permissions"

You'll be given a search box where we can search for permissions.

Enter "callrecord" into the search box.  You should get two results - place a checkmark next to each and save.

So that we can read your users, we'll also need the :User.Read.All permission

You should now see these permissions added

Choose the button to Grant admin consent for VoIP Detective

Choose Yes to grant permissions

Grant admin consent for these permissions.

Now, go to "Certificates and secrets"

Generate a new client secret by clicking on "New client secret"

Give the client secret a description and choose when it should expire.

Please note - client secrets must be manually created through the Azure Portal, and cannot be extended by VoIP Detective.  Because of this, you will need to manually create a new client secret when the current one expires.

Copy the client secret value and keep it in a safe place

Enabling Microsoft Teams Call Reporting in VoIP Detective.

Go to Administration -> Configuration and scroll down to the MS Teams Call Reporting section.

Enable MS Teams call reporting.  

You will then need to go to Administration -> Configuration from the menu, in order to reload the page.

Enter Your Tenant ID, Application ID, Client Secret, and choose a proper Data Retention timeframe.

SSL inspection proxies

If your organization uses an SSL inspection proxy, you may notice that Teams reporting works normally at first, but then fails.  What we have found is that the proxy may use it's own SSL certificate when passing traffic to the Microsoft API.  This prevents our token from refreshing, meaning that call retrieval will work at first, but once the token expires, we cannot renew, and call processing will stop.

To prevent this from happening, you have the option of uploading the proxy root certificate to VoIP Detective.  VoIP Detective will use this certificate on outbound requests to the Microsoft API.  To configure this, go to Administration -> Configuration and scroll down to the MS Teams Call Reporting section.  There you will have the option to upload your Root CA certificate.  You also have the option to delete this certificate if needed.

More about this certificate : This should be your organization's Root CA certificate - the one that is at the top of your internal PKI trust chain. This is the same certificate that's typically deployed to all corporate workstations to make SSL inspection work in browsers.
Your IT security or PKI team should be able to provide this. It's often called something like 'Corporate Root CA' or '[CompanyName] Root CA'. Export it in PEM format (Base64 encoded, usually a .crt or .pem file).

VoIP Detective will pull call records from MS Teams every 5 minutes.  So wait a bit, then choose "MS Teams Calls" from the top menubar and then select Admin Search.  By hitting the "search" button, you will see calls that have been imported today.