Getting started with Microsoft Teams call record data and Azure Functions
This article walks you through setting up Azure Functions for Splunk and Microsoft Graph to retrieve Microsoft Teams call record data and push the data to the Splunk platform via an HTTP Event Collector. For more information about Microsoft Teams call record data, how the data is made available, and how to use the data, refer to Getting started with Microsoft Teams call record data.
Process
Register your application
When you register an application with Azure Active Directory, you create an identity configuration. The Azure Functions use the application for authentication when interacting with the Microsoft Graph API. Assign the following permissions to the Azure AD app registration:
- CallRecords.Read.All (Application)
- Subscriptions.Read.All (Delegated)
- For a detailed walkthrough for registering an Azure Active Directory application refer to the documentation in the repository.
- For detailed information about Azure Active Directory service principal objects, see the Microsoft article Application and service principal objects in Microsoft Entra ID.
Deploy the functions to Azure
From the open-source repository, click the Deploy to Azure button to deploy the Functions.
During setup, you will be prompted for the following information:
- Client ID
- Client Secret
- Splunk HTTP Event Collector Endpoint
- Splunk HTTP Event Collector Token
Use Microsoft Graph subscription functions
A Microsoft Graph subscription defines where Microsoft should deliver notifications.
To create a subscription:
- Launch the Azure Portal.
- Navigate to the Function app section in the portal.
- Select the Function app created previously.
- Click Functions > create-subscription. Only callRecords subscriptions are created in version 1.x of the functions.
- In the Overview section, click Get Function Url.
- Copy the URL and paste it into a new browser tab.
You might receive a timeout when executing this function for the first time. If this happens, refresh your browser. The timeout occurs because the create-subscription function calls the subscription-webhook function, which might not be running yet.
Additional actions you can take are:
- To list subscriptions, run the list-subscriptions function.
- To delete a subscription, copy the subscription's ID field and pass it as a query parameter named subscriptionId to the delete-subscription function. For example: https://FUNCTION-APP.azurewebsites.n...UBSCRIPTION_ID
View data
In the Splunk platform, run the following search:
sourcetype="m365:*"
After the call record data is ingested, the Microsoft 365 App for Splunk has several out-of-the-box dashboards to visualize common use case scenarios for Microsoft Teams call record data. For more details, refer to Getting started with Microsoft Teams call record data.
How it works
- When the create-subscription function successfully creates a Microsoft Graph subscription, the subscription ID and expiration date are written to a storage blob.
- After a subscribed event occurs, a notification is sent to the subscription-webhook. The subscription-webhook commits the data to a notification queue to keep things speedy.
- When an event arrives in the notification queue, the process-notification-queue function is triggered. This function retrieves the data from Microsoft Graph and forwards the data to the Splunk platform.
- Because subscriptions have a short lifespan, the update-subscriptions function periodically reads the blobs and updates subscriptions if they are about to expire.
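The webhook and renewal steps described above, sketched as an added example that is not code from the repository. The function names, the in-memory array standing in for the notification queue, the renewal window, and the use of a clientState value set when the subscription was created are all assumptions made for illustration.

```javascript
// Added illustration, not the repository's code. Function names, the array used
// as a queue, and the clientState check are assumptions.
const crypto = require('crypto');

// Constructed sample of a Graph change notification body (all values made up).
const SAMPLE_BODY = { value: [
  { subscriptionId: 'sub-A', clientState: 'expected-state',
    resource: 'communications/callRecords/call-1' },
  { subscriptionId: 'sub-A', clientState: 'wrong-state',
    resource: 'communications/callRecords/call-2' },
] };

// Constant-time comparison so the shared secret is not leaked through timing.
function sameSecret(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Models subscription-webhook: answer the handshake or enqueue and acknowledge.
function handleWebhook(req, queue, expectedClientState) {
  const token = req.query && req.query.validationToken;
  if (typeof token === 'string') {
    // Graph validates a new endpoint by expecting the token echoed as plain text.
    return { status: 200, headers: { 'Content-Type': 'text/plain' }, body: token };
  }
  const items = req.body && Array.isArray(req.body.value) ? req.body.value : null;
  if (!items) return { status: 400, body: 'malformed notification' };
  for (const n of items) {
    // Skip notifications that do not carry the clientState set at creation.
    if (!sameSecret(n.clientState, expectedClientState)) continue;
    queue.push({ subscriptionId: n.subscriptionId, resource: n.resource });
  }
  // Acknowledge right away; the queue consumer does the Graph fetch later.
  return { status: 202, body: '' };
}

// Models update-subscriptions: pick stored records that expire within the window.
function dueForRenewal(records, now, windowMinutes) {
  const cutoff = now.getTime() + windowMinutes * 60000;
  return records
    .filter((r) => Date.parse(r.expirationDateTime) <= cutoff)
    .map((r) => r.subscriptionId);
}
```

Only the first notification in the constructed sample reaches the queue. The second is dropped because its clientState does not match, which keeps forged posts to the webhook URL from triggering Graph lookups or Splunk ingestion.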
Next steps
These resources might help you understand and implement this guidance: