Skip to main content
Registration for .conf24 is open! Join us June 11-14 in Las Vegas.
Splunk Lantern

Getting started with Microsoft Teams call record data and Azure Functions


This article walks you through setting up Azure Functions for Splunk and Microsoft Graph to retrieve Microsoft Teams call record data and push the data to the Splunk platform via an HTTP Event Collector. For more information about Microsoft Teams call record data, how the data is made available, and how to use the data, refer to Getting started with Microsoft Teams call record data.


Register your application

When you register an application with Azure Active Directory, you create an identity configuration. The Azure Functions use the application for authentication when interacting with the Microsoft Graph API. Assign the following permissions to the Azure AD app registration:

  • CallRecords.Read.All (Application)
  • Subscriptions.Read.All (Delegated)

Deploy the functions to Azure

From the open-source repository, click the Deploy to Azure button to deploy the Functions.

During setup, you will be prompted for the following information:

Use Microsoft Graph subscription functions

A Microsoft Graph subscription defines where Microsoft should deliver notifications.

To create a subscription:

  1. Launch the Azure Portal.
  2. Navigate to the Function app section in the portal.
  3. Select the Function app created previously.
  4. Click Functions > create-subscription. Only callRecords subscriptions are created in version 1.x of the functions.

  5. In the Overview section, click Get Function Url.
  6. Copy the URL and paste it into a new browser tab.

    You might receive a timeout when executing this function for the first time. In this event, refresh your browser. The reason for this is that the create-subscription function makes a call to the subscription-webhook function which might not be running yet.

Additional actions you can take are:

  1. To list subscriptions, run the list-subscriptions function.
  2. To delete a subscription, copy the subscription's ID field and pass it as a query parameter named subscriptionId to the delete-subscription function. For example: https://FUNCTION-APP.azurewebsites.n...UBSCRIPTION_ID

View data

In the Splunk platform, run the following search:


After the call record data is ingested, the Microsoft 365 App for Splunk has several out-of-the-box dashboards to visualize common use case scenarios for Microsoft Teams call record data. For more details, refer to Getting started with Microsoft Teams call record data.

How it works

  1. When the create-subscription function successfully creates a Microsoft Graph subscription, the subscription ID and expiration date is written to a storage blob.
  2. After a subscribed event occurs, a notification is sent to the subscription-webhook. The subscription-webhook commits the data to a notification queue to keep things speedy.
  3. When an event arrives in the notification queue, the process-notification-queue function is triggered. This function retrieves the data from Microsoft Graph and forwards the data to the Splunk platform.
  4. Because subscriptions have a short lifespan, the update-subscriptions function periodically reads the blobs and updates subscriptions if they are about to expire.

Next steps

These resources might help you understand and implement this guidance: