
Prerequisites

For VSM to receive data from Microsoft Teams you will need a VSM Virtual Collector administered. Details on adding a VSM Virtual Collector can be found here.

Azure Active Directory Configuration

VSM uses the Graph API to collect data from Microsoft Teams. The following information is required to add Microsoft Teams to VSM:

  • Tenant ID
  • Application ID
  • Shared Secret

To obtain the required fields, the following steps need to be executed on the tenant's Azure AD:

  • New App Registration
  • Assign the appropriate API permission to the new app
  • Generate Shared Secret key


All steps from this point forward require AAD (Azure Active Directory) user permissions.

New App Registration

Browse to Azure Portal AD https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade

Navigate to and click on 'App Registrations'


Click '+ New registration'


Enter Application Registration Details using the following table.

Application Registration Table

| Field | Value |
| --- | --- |
| Name | Enter the name you want to give to your application |
| Supported Account Type | Choose Accounts in this organizational directory only (Virsae Group Limited only - Single tenant) |
| Redirect URI | Leave blank |


After creating the application, take note of the Application (client) ID and Directory (tenant) ID.

Assign API Permission to the New APP


Navigate to and click on 'API Permissions'


Click '+ Add a permission'


Click on Microsoft Graph


Choose Application Permissions


Choose the following permissions:

  • Call Records > CallRecords.Read.All
  • Directory > Directory.Read.All
  • Reports > Reports.Read.All
  • ServiceHealth > ServiceHealth.Read.All
  • TeamMember > TeamMember.Read.All
  • TeamworkDevice > TeamworkDevice.Read.All



The following page will appear


Click on the 'Grant admin consent' tab to grant permission for the newly created application.


Once Granted the following will be displayed

Authentication

There are two supported authentication methods for MS Teams data collection:

  • Shared Secret
  • Certificate

You can use whichever authentication method you prefer, and you can switch between the authentication methods if required.

Generate Shared Secret

Navigate to and click on 'Certificates & secrets'


Click '+ New client secret'


Enter Client Secret Information using the following table.

Client Secret Table

| Field | Value |
| --- | --- |
| Description | Enter a description for the client secret |
| Expires | The maximum length is 24 months. Make sure to renew the client secret when it expires, otherwise VSM won't be able to retrieve MS Teams Calls information |



Take note of the Secret Value and Secret ID, as it will disappear when you navigate away from the page. The value in the Value field is the one that is added to VSM in the Shared Secret field.
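A way to confirm the registration before entering it in VSM, as an added example that is not part of the original page or of VSM: it decodes an app-only Graph token and compares its roles claim with the six permissions listed above, reporting missing consent and any permission beyond that list. The function names and the sample token are constructed for illustration, and the token signature is not validated.

```powershell
# Added example. Configuration check only: the token signature is NOT validated.
$Expected = 'CallRecords.Read.All', 'Directory.Read.All', 'Reports.Read.All',
            'ServiceHealth.Read.All', 'TeamMember.Read.All', 'TeamworkDevice.Read.All'

function ConvertTo-Base64Url([string]$Text) {
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

# Request an app-only Graph token with the Tenant ID, Application ID and Shared Secret.
function Get-GraphAppToken([string]$TenantId, [string]$AppId, [string]$Secret) {
    $body = @{ grant_type = 'client_credentials'; client_id = $AppId;
               client_secret = $Secret; scope = 'https://graph.microsoft.com/.default' }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body).access_token
}

# Compare the token's 'roles' claim with the permissions this page lists.
function Test-TeamsCollectorToken([string]$AccessToken) {
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a three-part JWT.' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $roles  = @($claims.roles | Where-Object { $_ })
    [pscustomobject]@{
        Missing    = @($Expected | Where-Object { $_ -notin $roles })   # consent not granted
        Unexpected = @($roles | Where-Object { $_ -notin $Expected })   # beyond the page's list
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    }
}

# Constructed, unsigned sample token so the check can be tried offline.
$payload = @{ roles = @('CallRecords.Read.All', 'Directory.Read.All', 'Mail.Read')
              exp = 1893456000 } | ConvertTo-Json -Compress
$sample = '{0}.{1}.x' -f (ConvertTo-Base64Url '{"alg":"none"}'), (ConvertTo-Base64Url $payload)
Test-TeamsCollectorToken $sample | Format-List

# Against the real registration (placeholders, supply your own values):
# Test-TeamsCollectorToken (Get-GraphAppToken '<tenant-id>' '<application-id>' '<secret-value>')
```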

Certificate Authentication

Customers who want to use certificate authentication must first create a certificate or obtain one from a trusted public authority, and must make sure the private key is exportable.

Steps for creating a self-signed certificate are available here. Once you have the certificate, follow these steps:

Navigate to and click on 'Certificates & secrets'


Select Upload Certificate


Browse to the public key certificate file created earlier (.cer or .crt) and click Add.


Once uploaded, it will appear under the App.
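Because collection stops when the client secret or certificate expires, the expiry dates on the registration are worth checking on a schedule. The following is an added example, not VSM or Microsoft code: the function name, the 30-day warning threshold and the sample object are assumptions, and the sample stands in for the object that Get-MgApplication returns.

```powershell
# Added example. $App is the object returned by Get-MgApplication, or anything
# with the same PasswordCredentials / KeyCredentials properties.
function Get-AppCredentialExpiry {
    param(
        [Parameter(Mandatory)] $App,
        [int]$WarnDays = 30,                      # assumed threshold
        [datetime]$Now = [datetime]::UtcNow
    )
    $kinds = [ordered]@{ PasswordCredentials = 'Secret'; KeyCredentials = 'Certificate' }
    foreach ($prop in $kinds.Keys) {
        foreach ($cred in @($App.$prop)) {
            if ($null -eq $cred) { continue }     # no credential of this kind
            $days   = [int][math]::Floor(($cred.EndDateTime - $Now).TotalDays)
            $status = if ($days -lt 0) { 'EXPIRED' } elseif ($days -le $WarnDays) { 'RENEW' } else { 'OK' }
            [pscustomobject]@{
                Kind        = $kinds[$prop]
                Name        = $cred.DisplayName
                KeyId       = $cred.KeyId
                EndDateTime = $cred.EndDateTime
                DaysLeft    = $days
                Status      = $status
            }
        }
    }
}

# Constructed sample registration with one secret and one certificate.
$sampleApp = [pscustomobject]@{
    PasswordCredentials = @([pscustomobject]@{
        DisplayName = 'vsm-teams-secret'; KeyId = '00000000-0000-0000-0000-000000000001'
        EndDateTime = [datetime]'2025-03-01' })
    KeyCredentials = @([pscustomobject]@{
        DisplayName = 'CN=vsm-teams'; KeyId = '00000000-0000-0000-0000-000000000002'
        EndDateTime = [datetime]'2026-01-15' })
}
Get-AppCredentialExpiry -App $sampleApp -Now ([datetime]'2025-02-10') | Format-Table

# Against the real registration (placeholder application ID):
# Connect-MgGraph -Scopes 'Application.Read.All'
# Get-MgApplication -Filter "appId eq '<application-id>'" |
#     ForEach-Object { Get-AppCredentialExpiry -App $_ }
```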

Update Azure Active Directory Settings

For Azure AD to display identifiable user data (like UPNs), navigate to:

Admin Center >> Settings >> Org Setting >> Reports >> Uncheck 'Display concealed user, group, and site names in all reports'

Web Portal Configuration

Add Microsoft Teams

Log in to the VSM web portal using your VSM credentials and password.

For your customer, select Service Desk > Equipment Locations. Right-click on the Equipment Location (Virtual Collector) and select Manage Cloud Services.


At the bottom of Manage Cloud Services click 'Add Services'.

The 'Add Service' form will open. Select the Vendor 'Microsoft' and Service 'Teams Cloud Service'.

Populate the 'Friendly Name' field with the name you wish VSM to use for this Teams Service.

Populate the Tenant ID and Application ID fields with the values obtained earlier in this process.

Shared Secret Authentication

The Shared Secret field shall be populated with the details collected earlier in this process. Once populated, click 'Add'.


Certificate Authentication

Select the 'Upload a Certificate' radio button, then click the 'Upload' button

Then drag and drop the certificate file or click 'Select the certificate file' to browse and upload the required certificate.

Then click the 'Upload' button

If your certificate requires a password please enter it in the 'Certificate Password' field.

Once the Certificate has uploaded click 'Add'


Web Portal - Add Microsoft Teams Field Description

| Field | Value |
| --- | --- |
| Vendor | Microsoft |
| Service | Teams Cloud Service |
| Friendly Name | Friendly Name for MS Teams |
| Tenant Id | Directory (Tenant) ID displayed under the created Application |
| Application Id | Application (client) ID displayed under the created Application |
| Shared Secret | The value under Client Secret |
| Certificate | Click 'Upload' to upload the private key certificate |

Administration of Microsoft Teams in VSM is now complete. You can now optionally configure Line URI data.

Line URI data collection (Optional)

VSM has a facility to collect Line URI data and produce a daily document which contains all users and their associated information including Line URI details. The documents are produced daily at midnight UTC.

This document will contain the following fields for each Teams user: InterpretedUserType, DisplayName, Alias, UserPrincipalName, LineURI, Title, Office, City, StateOrProvince. These daily documents are located within 'Files and Folders > Teams Cloud Service'.

To set up data collection, select the 'Line URI' tab when creating or editing the Teams Service in 'Manage Cloud Services'.

By default, authentication for the Line URI data will be via the Application-based authentication already created; however, this will need to have a specific role added to it as detailed below. The alternative to Application-based authentication is to authenticate with a specific user.

Application-based Authentication (Default)

Browse to Azure Portal AD https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade

In the search bar at the top search for 'Microsoft Entra roles and administrators' and then select it.


In the search tool search for 'Teams', then double click 'Teams Communications Support Specialist'

Click on 'Add Assignments'



Search for the previously created App, then check the box next to it. Once done, click the 'Add' button at the bottom.


Service Account Authentication (optional)

If you do not wish to use the Application-based authentication, a service account will need to be created in Azure AD which has the role of 'Teams Communications Support Specialist'. An existing account with this role can also be used.

In Azure AD click 'New User > Create new user'


Populate the new user form, enter a password.

Click the 'Assignments' tab, then click 'Add role'.

Search the directory roles for 'Teams Communications Support Specialist' and check the box for this.

Then click on 'Review + create' at the bottom left of the screen.

Azure AD settings are now complete.

VSM Configuration

Open VSM and navigate to 'Service Desk > Equipment Locations > (right click the Virtual location) > Manage Cloud Services'

Right click the Teams service you wish to add Line URI configuration for, then select 'Edit'.

If you used Application-based authentication simply check the 'Enable Line URI collection' box.

If you opted for Service Account authentication, check the 'Enable Line URI collection' box, then move the radio button to 'Use Service Account' and populate the 'Account' and 'Credential' fields.


| Field | Value |
| --- | --- |
| Account | Username of the service account |
| Credential | Password of the service account |

Account SKU Id (optional)

If this field is blank, user data for all O365 SkuPartNumbers will be collected. If you wish to limit data collection to users of a specific O365 AccountName and SkuPartNumber, then this field will need to be populated.

This is a two-part field made up of the 'AccountName' and the 'SkuPartNumber' in the format AccountName:SkuPartNumber. The AccountName is optional, so you can just enter the SkuPartNumber if there is not more than one AccountName for the MS Teams Service.


The AccountName and SkuPartNumber can be obtained by an Azure AD administrator for the business, who will need to have the Microsoft Graph PowerShell SDK installed:

In PowerShell, run the command: Connect-Graph -Scopes Organization.Read.All

Then run the command Get-MgSubscribedSku. The output of this command will provide you with the AccountName and the SkuPartNumbers to choose from.

Once complete, click 'Save'.
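The values accepted by the Account SKU Id field can be produced directly from that output. The following is an added example, not part of the original page or of VSM: it builds the AccountName:SkuPartNumber strings and offers the short form only when a single AccountName is present. The function name and the sample SKU rows are constructed for illustration.

```powershell
# Added example. $Sku is the output of Get-MgSubscribedSku, or objects with
# the same AccountName / SkuPartNumber / ConsumedUnits properties.
function Get-AccountSkuIdChoice {
    param([Parameter(Mandatory)][object[]]$Sku)
    # The page allows the SkuPartNumber on its own only when there is not
    # more than one AccountName for the MS Teams Service.
    $accounts = @($Sku.AccountName | Sort-Object -Unique)
    foreach ($s in $Sku | Sort-Object AccountName, SkuPartNumber) {
        $short = if ($accounts.Count -eq 1) { $s.SkuPartNumber } else { $null }
        [pscustomobject]@{
            AccountSkuId  = '{0}:{1}' -f $s.AccountName, $s.SkuPartNumber
            ShortForm     = $short
            ConsumedUnits = $s.ConsumedUnits
        }
    }
}

# Constructed sample rows (tenant name and unit counts are made up).
$sampleSku = @(
    [pscustomobject]@{ AccountName = 'contoso'; SkuPartNumber = 'MCOEV';          ConsumedUnits = 40 }
    [pscustomobject]@{ AccountName = 'contoso'; SkuPartNumber = 'ENTERPRISEPACK'; ConsumedUnits = 120 }
)
Get-AccountSkuIdChoice -Sku $sampleSku | Format-Table

# Against the live tenant:
# Connect-MgGraph -Scopes 'Organization.Read.All'
# Get-AccountSkuIdChoice -Sku (Get-MgSubscribedSku) | Format-Table
```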




