Installation and Configuration

Installation and Configuration Steps

This topic contains detailed configuration guidelines to enable call recording for MS Teams:

Step	Reference	Description
1	Select Deployment Assets	Select the appropriate deployment assets based on the client installation requirements.
2	Define the Cloud Service VM Details	Define the Cloud Service VM size and local storage info.
3	Provision the Microsoft Azure Subscription	Create and configure the resources required in a Microsoft Azure Subscription.
4	Configure Microsoft Teams	Configure Microsoft Teams for the Uniphore Compliance Bot.
5	Configure a Paired Bot	Configure a resilient system (optional).
6	Recording Policy	Assign the recording policy to Active Directory objects.
7	Configure the Collector Integration Adapter	Configure the Integration Adapter on the U‑Capture Collector.
8	Configure the Collector MS Teams RAM	Configure the MS Teams/Azure connection on the Collector.

Note

Steps 1 to 6 may have already been performed by a customer.
This topic provides a number of setup and configuration steps using Microsoft admin tools and processes. These are subject to regular changes from Microsoft and although the configuration steps covered here will be maintained to ensure the correct process is followed, there may be some differences present.

Select Deployment Assets

The U‑Capture / MS Teams installation requires the following deployment assets – available from the Uniphore SFTP site.

File Type	Description
`.json`	Template configuration file for the Compliance Bot. Select the `appsettings.realtimeaudio.json` file which configures the bot to use Real Time Audio (RTA), using Web Sockets. Rename the file to `appsettings.remote.json`
`.cspkg`	The Azure Cloud Service package files for the Compliance Bot. Each package represents different sizes of Cloud Service deployment (see below) select the file you need based on the client installation requirements. The filenames indicate the Cloud Service VM Size and the bot version: `ComplianceRecordingBot_{vm-size}_{bot-version}.cspkg`
`.cscfg`	The `ServiceConfiguration.ClientExtendedSupport.cscfg` Azure Cloud Service configuration file for the Compliance Bot. Templated to allow easy update. The one file can be used for all installations.
`.csdef`	The `ServiceDefinition.csdef` Azure Cloud Service resource definition file. Templated to allow easy update. The one file can be used for all installations.

`vm-size` Property	VM Size in Azure	CPUs	Memory	Channels	Type
Standard_D2_v2	Standard D2 v2 VM	2	7 GB	Up to 200	General Purpose
Standard_D3_v2	Standard D3 v2 VM	4	14 GB	Up to 750	General Purpose
Standard_D5_v2	Standard D5 v2 VM	16	56 GB	Up to 1500	General Purpose

Define the Cloud Service VM Details

Edit the ServiceDefinition.csdef file and configure the following settings:

Setting	Value/Description
`[WorkerRole]vmsize`	Cloud service VM size – set to `Standard_D2_v2`, `Standard_D3_v2`, or `Standard_D5_v2` as appropriate.
`LocalStorage]name`	Set to `CallData`
`LocalStorage]sizeInMB`	Local storage size, in MB: If `Standard_D2_v2` is selected, set to `80000` If `Standard_D2_v3` is selected, set to `180000` If `Standard_D5_v2` is selected set to `720000`

Provision the Microsoft Azure Subscription

The Uniphore Compliance Bot is intended to operate in Microsoft Azure – to start, go to the Azure Portal and perform each of the following steps in order.

Step	Reference
1	Register Resource Providers
2	Create a Resource Group for the Bot
3	Create a Key Vault
4	Upload/Import Certificate to the Key Vault
5	Create an Application Insights Resource
6	Create the Azure Bot
7	Configure the Bot
8	Create a Client Secret
9	Set API Permissions
10	Create a Storage Account
11	Create a Virtual Network
12	Create a Public IP Address
13	Update the Remaining Configuration Properties
14	Upload the Bot Configuration File
15	Create the Azure Extended Cloud Service

Register Resource Providers

The Uniphore Compliance Bot requires the following Resource Providers to be registered in your subscription (Azure Cloud Services Extended Support):

Microsoft.Compute
Microsoft.BotService

To ensure that these are correctly registered, or to register them within the portal, go to the Subscriptions blade. This can be found by searching for Subscriptions in the Search resources, services and docs search bar at the top and selecting the Subscriptions service.

Choose the desired subscription from the list and then find the Resource Providers section under the Settings heading.

Use the Filter by name... option at the top of the list and ensure the resource providers mentioned above are registered. If they’re not registered, select them and click the Register button to add them to the subscription.

If they don’t exist in the list, then the subscription type isn't capable of hosting the Uniphore Compliance Bot.

Create a Resource Group for the Bot

Use the Search bar to locate the Resource groups service from the portal, and create a new Resource Group with an appropriate name.

Ensure it's located in the same region as the Microsoft 365 tenant and that you have the correct Subscription selected.

Create a Key Vault

Create a Key Vault for the Resource Group (Azure Key Vault is a cloud service that provides a secure store for keys, secrets, and certificates.) – find the Key Vault service using the Search bar and create a new Key Vault with the following properties (note that all other settings can be left with their default values):

Property	Value/Description
Subscription	The Azure Subscription where the Key Vault will be created.
Resource group	The Resource Group created previously.
Region	As with the Resource Group, ensure this is located in the same region as the Microsoft Teams tenant.
Pricing tier	Select Standard.
Key vault name	A unique name (within the subscription) for the Key Vault.
Enable Access to	Ensure Azure Virtual Machines for deployment is checked.

Upload/Import Certificate to the Key Vault

Once the Key Vault resource has been created, navigate to that resource and go to the Certificates section.

Click on the Generate/Import button to start the certificate upload wizard.
On the Create a certificate screen, set the following:
Method of Certification Creation – select Import.
Certificate Name – enter a unique name for the certificate. The name must only contain alphanumeric characters and dashes.
Upload Certificate File – select the pfx certificate file to upload.
Password – if you’re uploading a password protected certificate file, provide the password here. Otherwise, leave it blank.
When you’re ready, click the Create button. Once the certificate is uploaded successfully it will be listed under the Certificates section with a status of Enabled.
Copy the Thumbprint value for the newly uploaded certificate and save for later.

Once created, update the following configuration file values:

Property	File	Path	Value
ServiceCertThumbprint	ServiceConfiguration. ClientExtendedSupport. cscfg	Role/ ConfigurationSettings/ ServiceCertThumbprint	Thumbprint
Name	ServiceConfiguration. ClientExtendedSupport. cscfg	Role/Certificates/ Certificate	Certificate Name
thumbprint	ServiceConfiguration. ClientExtendedSupport. cscfg	Role/Certificates/ Certificate	Thumbprint

Property

File

Path

Value

ServiceCertThumbprint

ServiceConfiguration.

ClientExtendedSupport.

cscfg

Role/

ConfigurationSettings/

ServiceCertThumbprint

Thumbprint

Name

ServiceConfiguration.

ClientExtendedSupport.

cscfg

Role/Certificates/

Certificate

Certificate Name

thumbprint

ServiceConfiguration.

ClientExtendedSupport.

cscfg

Role/Certificates/

Certificate

Thumbprint

Create an Application Insights Resource

Application Insights is an Azure cloud service that handles logging and analytics for Azure services (and more). Using the Search bar to locate the Application Insight service in the portal, create a new Application Insights resource with the following properties (all other settings can be left with their default values).

Property	Value/Description
Subscription	The Azure Subscription associated with this resource – select Microsoft Teams.
Resource Group	The Resource Group created previously.
Name	A unique name (within the subscription) for the Application Insights resource.
Region	Use the same region as the Microsoft Teams tenant.
Resource Mode	Select Workspace based.
Workspace > Subscription	Select Microsoft Teams.
Log Analytics Workspace	Select DefaultWorkspace…

Once complete, review the created Application Insights resource, and make a note of the associated Instrumentation Key.
Navigate to API Access and click Create API Key.
1. Make a note of the Application ID for the Application Insights resource.
2. Enter a description, select Read Telemetry, and click Generate key.
3. Make a note of the API key.

Create the Azure Bot

In the Azure Portal, find Azure Bot using the search bar or use Create a resource on the Home page – click Create to create a bot with the following properties:

Property	Value/Description
Bot Handle	The name of the bot – this will be needed this later.
Subscription	The Azure Subscription where the bot will be created.
Resource group	The Resource Group created previously.
Pricing tier	Set to Free. Note that at the time of writing, the bot does not send messages.
Type of app	Set to Multi Tenant.
Creation type	Set to Create new Microsoft App ID.

Once created, update the following configuration file values (find the auto-created bot in the App Registration section in Azure for the required details):

Property	Referred to as	File	Path
Display name	Bot Name	appsettings.remote.json	Host/Service/ BotName
Microsoft App ID	App ID	appsettings.remote.json	Host/Service/BotId
Application Insights Instrumentation Key	Application Insights Instrumentation Key or App Insights Key	ServiceConfiguration. ClientExtendedSupport. cscfg	APPINSIGHTS_ INSTRUMENTATIONKEY

Property

Referred to as

File

Path

Display name

Bot Name

appsettings.remote.json

Host/Service/

BotName

Microsoft App ID

App ID

appsettings.remote.json

Host/Service/BotId

Application Insights Instrumentation Key

Application Insights Instrumentation Key or App Insights Key

ServiceConfiguration.

ClientExtendedSupport.

cscfg

APPINSIGHTS_

INSTRUMENTATIONKEY

Configure the Bot

Further configuration of this bot is detailed in the Microsoft “Registering a Calling Bot” guide. However, there are some differences, so all of the steps are listed below.

Note

For this stage the CNAME record must be known, although it doesn’t need to be created at this point.

In the Azure bot page created previously, click on Channels in the Settings menu.

From there you can select Microsoft Teams from the list of available channels. Once loaded, go to the Calling tab and make sure the Enable calling option is checked and the Webhook (for calling) text-box contains the following value:

https://{cname}.{your-domain}/api/calling

Property	Value/Description
Enable calling	Checked.
Webhook (for calling)	https://{cname}.{your-domain}/api/calling Note In the linked Microsoft sample documentation, the endpoint is configured with https://{your-domain}/api/calls, whereas the correct endpoint should end with `calling`.

Create a Client Secret

To create a new client secret:

In your Azure bot instance, click Configuration in the Settings menu.
Locate the Microsoft App ID (Manage) textbox and click the Manage link. This will take you to the Certificates & secrets section.

Click the New client secret button and enter the following information:

Property	Value/ Description
Description	The friendly name of the client secret, for example Uniphore Compliance Recording Bot
Expires	Set to the maximum available timeframe (24 months, at the time of writing).

When you’re ready click Add, but do not navigate away from the blade.
Note
The created secret value is shown only at this stage and will not be visible again.
Once created, update the following configuration file values:
Property
Referred to as
File
Path
Client secret
Bot Secret
appsettings.remote.json
Host/Service/BotSecret

Property	Referred to as	File	Path
Client secret	Bot Secret	appsettings.remote.json	Host/Service/BotSecret

Set API Permissions

This step provides the Compliance Bot with permission to call the Microsoft Graph service enabling the call recording features.

Under the API permissions section, click the Add a permission button and select Microsoft Graph from the list of APIs.

Select Application permissions and select each of the permissions shown below (this can be done as a single operation).

Once selected, click the Add permissions button to add the selected permissions to the applications list. After the permissions have been added, click the Grant admin consent button and confirm the permissions. This will be slightly different for each instance as it includes the name of the organisation in the title.

Section	Permission
Calls	Calls.AccessMedia.All Calls.Initiate.All Calls.InitiateGroupCall.All Calls.JoinGroupCall.All Calls.JoinGroupCallAsGuest.All
OnlineMeetings	OnlineMeetings.Read.All OnlineMeetings.ReadWrite.All
User	User.Read.All
Calendars	Calendars.Read

Create a Storage Account

To create the storage account within your Resource Group, use the search bar to find Storage Accounts – once the blade has opened, create a new storage account with the following properties (all other settings can be left with their default values):

Property	Value/Description
Subscription	Select the subscription used to create the Resource Group.
Resource group	Select the resource group created previously.
Storage account name	The DNS friendly name of the storage account. The Storage account name must be lowercase, and must not contain any spaces/special characters. In this instance, it must also be between 3 and 24 characters.
Location	Use the same location as the Microsoft Teams tenant.
Performance	Set to Standard – the default.
Redundancy	Set to Locally-redundant storage (LRS) – currently the bot does not failover to a remote location.

Once created, go to the Access keys section and under key1 copy the Connection string property and the name of the storage account ready for use in configuring the Collector.

Once created, update the following configuration file values:

Property	Referred to as	File	Path
ConnectionString	Connection String	`ServiceConfiguration.` `ClientExtendedSupport.` `cscfg`	`AzureStorage__` `ConnectionString`
ConnectionString	Connection String	`ServiceConfiguration.` `ClientExtendedSupport.` `cscfg`	`Microsoft.WindowsAzure.` `Plugins.Diagnostics.` `ConnectionString`

Property

Referred to as

File

Path

ConnectionString

Connection String

ServiceConfiguration.

ClientExtendedSupport.

cscfg

AzureStorage__

ConnectionString

ConnectionString

Connection String

ServiceConfiguration.

ClientExtendedSupport.

cscfg

Microsoft.WindowsAzure.

Plugins.Diagnostics.

ConnectionString

Create a Virtual Network

An Azure Virtual Network (VNet) resource is the fundamental building block for a private network in Azure. To create a virtual network within your Resource Group, select + Create a resource > Networking > Virtual network, and set the following properties (all other settings can be left with their default values).

Property	Value/Description
Subscription	The Azure Subscription where the network will be created.
Resource group	The Resource Group created previously.
Name	A unique name (within the subscription) for the network.
Region	As with the Resource Group, ensure this is located in the same region as the Microsoft Teams tenant.
Subnet name	Set to `bot-net`

Once created, update the following configuration file values:

Property	File	Path	Value
name	ServiceConfiguration. ClientExtendedSupport.cscfg	NetworkConfiguration/ VirtualNetworkSite	Name of the Virtual Network.
name	ServiceConfiguration. ClientExtendedSupport.cscfg	NetworkConfiguration/ AddressAssignments/ InstanceAddress/ Subnets/Subnet	Name of the Subnet name (`bot-net`).

Property

File

Path

Value

name

ServiceConfiguration.

ClientExtendedSupport.cscfg

NetworkConfiguration/

VirtualNetworkSite

Name of the Virtual Network.

name

ServiceConfiguration.

ClientExtendedSupport.cscfg

NetworkConfiguration/

AddressAssignments/

InstanceAddress/

Subnets/Subnet

Name of the Subnet name

(bot-net).

Create a Public IP Address

Create a public IP address under the same resource group as the other resources – set the following properties (all other settings can be left with their default values):

Property	Value
IP Version	Select IPv4
SKU	Select Basic
Name	A unique name (within the subscription) for the IP address.
Routing Preference	Set to Microsoft network
IP address assignment	Set to Dynamic
DNS name label	DNS name of the bot (a public name for the bot to prefix the domain).
Subscription	Select the subscription used to create the Resource Group.
Resource Group	Select the Resource Group created previously.
Location	As with the Resource Group, ensure this is located in the same region as the Microsoft Teams tenant.

Once created you will notice that an Alias record has been added to your DNS Zone for this IP address.

Update the Remaining Configuration Properties

Go to the Azure Active Directory section in the Azure Portal associated with the Teams Tenant (you can also use https://aad.portal.azure.com/). Find the Tenant Id under Tenant Information and update the following appsettings.remote.json configuration file values:

Property	Path/Description
EnableAzureBlobLogs*	Bot/EnableAzureBlobLogs If set to `true` logging is written to Azure storage. Note that log files will need to be manually deleted at regular intervals. If not specified, the default value is `false`.
EnableHttpLogging*	Bot/EnableHttpLogging If set to `true` the http requests received by the bot are included in the logging. If not specified, the default value is `false`.
MinimumLogLevel*	Bot/MinimumLogLevel Determines the detail included in the logging. In order of detail (low to high) optional levels include: `None`, `Trace`, `Debug`, `Information`, `Warning`, `Error`, and `Critical`. Note Logging has an impact on performance and should be left on `Warning` or lower. If not specified, the default value is `Warning`.
RecordingStatusBannerDisabled	Bot/RecordingStatusBannerDisabled If set to `true` the recording status banner (within Teams) is prevented from displaying. Note This setting may not apply outside of the organisation that the bot covers, especially if there are conflicting settings for displaying the banner. If not specified, the default is `false`.
Client CNAME	Host/ClientUrl This is the client's URL (https), the CNAME pointing to the Azure DNS.
Azure DNS	Host/AzureUrl This is the URL of the Cloud Service (http), ending in cloudapp.azure.net.
Tenant Id	Host/Service/TenantId
Username**	WebSockets/Username This is used when authenticating from the Collector. Make a note of the username as it will be required to complete the installation.
Password**	WebSockets/Password This is used when authenticating from the Collector. Make a note of the password as it will be required to complete the installation. This value will be encrypted on first-run.

* The logs are always written to Application Insights, if EnableAzureBlobLogs is set to true then the logs are also written to Azure storage (blob storage).

** The Username and Password provided here must match the values in MicrosoftTeamsRAM.ini on the Collector – see Configure the Collector MS Teams RAM.

Upload the Bot Configuration File

Upload the appsettings.remote.json Compliance Bot configuration file that was updated in the previous steps. Go to the Azure Storage account created previously and select the Storage browser (preview) option from the menu. Right click the BLOB CONTAINERS node, select + Add container and enter the following options:

Property	Value/Description
Name	Set to config – note that this is a case sensitive property.
Public access level	Set to Private (no anonymous access)

Select the newly created config container and click the Upload button from the toolbar. In the Upload dialogue box enter/select the appsettings.remote.json file and click Upload.

Create the Azure Extended Cloud Service

To create the Compliance Bot, a new Azure Cloud Service must be created. Use the search bar to find Cloud services (extended support) – once the blade has opened, click the + Create button and enter the following details:

Property	Value/Description
Subscription	Select the subscription used to create the Resource Group.
Resource group	Select the Resource Group created previously.
Cloud service name	DNS name label used in the creation of the Public IP Address.
Region	Use the same location as the Microsoft Teams tenant.
Storage account	Use the storage account created previously.
Upload a package (.cspkg)	Upload the bot installation .cspkg package of the correct VM size.
Upload a configuration (.cscfg)	Upload the ServiceConfiguration.ClientExtendedSupport.cscfg Azure Cloud Service configuration file for the Compliance Bot.
Upload a service definition (.csdef)	Upload the ServiceDefinition.csdef Azure Cloud Service resource definition file.
Public IP Address	Select the Public IP address created previously.
Key Vault	Select the Key Vault created previously. Note that the list of certificates will be updated and Status should change to Found.

Click the Create and Validate button – if all the settings are correct the validation should be successful. Click the Create button to deploy the cloud service.

Once complete, in the Overview section, wait for the role instance(s) to start. When complete, the Status column will change to Running. The Uniphore Compliance Bot is now ready.

Note

The CNAME created should be the same as the one used during the bot configuration, where the value used was defined as:

https://{cname}.{your-domain}/api/calling

Configure Microsoft Teams

To provision the Uniphore Compliance Bot within MS Teams and configure policies:

Authenticate with PowerShell.
Create a new Recording Application instance – this will create the application instance required to connect the Compliance Bot with the Microsoft Teams tenant.
Assign permissions.
Synchronize the Recording Application instance from Azure Active Directory to the Agent Provisioning Service.
Create a new Recording Policy.
Assign the Recording Policy to the Recording Application.

These steps are all detailed in the Microsoft Teams Recording Policy documentation, but are also covered here for clarity.

Note

Similar to the Microsoft Azure Portal, Microsoft PowerShell commands and processes may change. Although the configuration steps covered here will be maintained to ensure the correct process is followed, there may be some differences present.
If you wish to implement a “Paired Bot” solution to provide an Active/Active or Active/Standby resiliency model, see "Configure a Paired Bot" for further guidance before executing any MS Teams PowerShell commands against the bot.

Authenticate with PowerShell

Open a PowerShell for Windows session and enter the following commands:

#Ensure correct modules are installed
Install-Module PowerShellGet -Force -AllowClobber
Install-Module MicrosoftTeams 

#To check your MicrosoftTeams version:
Get-Module -Name MicrosoftTeams -ListAvailable

# Ensure you session has correction permissions
Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Import-Module MicrosoftTeams

By default, the PowerShell Gallery (PSGallery) is not configured as a trusted repository for PowerShellGet. The first time you use the PSGallery, you'll see the following message:

Untrusted repository

You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the Set-PSRepository cmdlet.

Are you sure you want to install the modules from 'PSGallery'?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"):

Then authenticate with Microsoft Teams:

Connect-MicrosoftTeams

Note

The account should have permission to create and modify users and policies.

Create a New Recording Application instance

This will create the application instance required to hook the bot up to the Microsoft Teams tenant. The output of this command will include an ObjectId, save this value.

New-CsOnlineApplicationInstance -UserPrincipalname "{Application-Instance-UPN}" 
-DisplayName "{Display-Name}" -ApplicationId "{Application-Id}"

Parameter	Description
`Application-Instance-UPN`	This should be a new UPN that represents this bot. Do not reuse accounts here and ensure you’re using the correct email client domain, for example, `rcbot@domain.onmicrosoft.com` Note The UPN must end with `.onmicrosoft.com`
`Display-Name`	A friendly name for the bot installation.
`Application-Id`	The `Bot ID` created earlier.

Assign permissions

Synchronize the Recording Application instance

This will synchronize the application instance from Azure Active Directory into the Agent Provisioning Service.

Sync-CsOnlineApplicationInstance -ObjectId "{ApplicationInstance-Object-Id}"

Parameter	Description
`ApplicationInstance-Object-Id`	This is the `ObjectId` from the previous step.

Create a new Recording Policy

This section will create the policy that enables recording for Users and/or Groups.

New-CsTeamsComplianceRecordingPolicy -Identity "{Identity}" -Enabled $true 
-Description "{Description}"

Parameter	Description
`Identity`	It's important that this value does not contain any spaces. A valid identity would be `TeamsRecordingPolicy`
`Description`	A friendly name used for human readable output.

Assign the Recording Policy to the Recording Application

Here we will instantiate an instance of the previously created application and assign it to the new policy.

Set-CsTeamsComplianceRecordingPolicy -Identity "{Identity}" 
-ComplianceRecordingApplications @(New-CsTeamsComplianceRecordingApplication 
-Id "{Object-ID}" -Parent "{Identity}")

Parameter	Description
`Identity`	This is the `Identity` created above, e.g. `TeamsRecordingPolicy`. Note that this value is used twice on this command.
`Object-ID`	The `ObjectId` result from creating the application instance – you can also get this ID by executing `Get-CsOnlineApplicationInstance`

Optional - Update the Compliance Recording Application

We can configure the bot to refuse to connect calls if the bot is unavailable, using the following command:

Set-CsTeamsComplianceRecordingApplication -Identity "{Identity}" 
-RequiredBeforeCallEstablishment $true | $false 
-RequiredBeforeMeetingJoin $true | $false -RequiredDuringCall $true | $false 
-RequiredDuringMeeting $true | $false

Parameter	Description
`Identity`	This is the `Identity`, which can be returned from `Get-CsOnlineApplicationInstance` e.g. `Tag:TeamsRecordingPolicy/{GUID}`
`RequiredBefore CallEstablishment`	Set this Boolean value to `$true` to “require” that a bot is connected for every peer to peer call (user can't connected if the bot is unavailable).
`RequiredBeforeMeetingJoin`	Set this Boolean value to `$true` to “require” that a bot is connected for every meeting (user can't connected if the bot is unavailable).
`RequiredDuringCall`	Set this Boolean value to `$true` to “require” that the user be disconnected from a peer to peer call if the bot becomes unavailable.
`RequiredDuringMeeting`	Set this Boolean value to `$true` to “require” that the user be disconnected from a meeting if the bot becomes unavailable.

Configure a Paired Bot

To implement a “Paired Bot” solution to provide Active/Active or Active/Standby resiliency:

These steps are all detailed in the Microsoft Teams Compliance Recording documentation , but are also covered here for clarity.

Note

Similar to the Microsoft Azure Portal, Microsoft PowerShell commands and processes may change. Although the configuration steps covered here will be maintained to ensure the correct process is followed, there may be some differences present.

Assumptions

You’ve already installed an additional Microsoft Teams Compliance Bot as detailed in Provision the Microsoft Azure Subscription. The first bot will be known as the “primary bot”.
No MS Teams PowerShell commands should be executed against the bot. If you have run any of PowerShell commands against the bot, please delete/remove the created items by using the appropriate Remove-CsXXX commands.
If you’ve created a User Principal for this bot, only delete the UPN from the Users section of the Active Directory Portal. The UPN is created as part of the New-CsOnlineApplicationInstance commandlet.
Finally, ensure you’ve started a PowerShell session connected to your MS Teams Tenant and have the appropriate permissions.

Create the Recording Application Instance

This will create the application instance required to hook the bot up to the Microsoft Teams tenant.

New-CsOnlineApplicationInstance -UserPrincipalname "{Application-Instance-UPN}" 
-DisplayName "{Display-Name}" -ApplicationId "{Application-Id}"

Parameter	Description
`Application-Instance-UPN`	This should be a new UPN that represents this bot. Do not reuse accounts here. For example, `rcbot@domain.onmicrosoft.com` (note that the UPN must end with `.onmicrosoft.com`).
`Display-Name`	A friendly name for the bot installation.
`Application-Id`	The `Bot ID` obtained earlier.

The output of this command will include an ObjectId, save this value.

We need to ensure the new application instance has been correctly synchronised, so call the following using the ObjectId displayed in the last command:

Sync-CsOnlineApplicationInstance -ObjectId {Object-Id}

Parameter	Description
`Object-Id`	This is the `ObjectId` from the previous step.

Pair the Recording Application Instance

Now we’ll pair the newly created application instance with the application created with the primary bot. Execute the following command and copy the appropriate Identity:

Get-CsTeamsComplianceRecordingApplication

Here’s an example output:

Identity                              : Tag:redBoxRecordingPolicy/4a8b8286-ba…
Priority                              : 0
ComplianceRecordingPairedApplications : {}
Id                                    : 4a8b8286-bab2-4588-9642-6a31744fd5e6
RequiredBeforeMeetingJoin             : True
RequiredBeforeCallEstablishment       : True
RequiredDuringMeeting                 : True
RequiredDuringCall                    : True
ConcurrentInvitationCount             : 1

From this example, we would copy the Identity property which is set to:

Tag:redBoxRecordingPolicy/4a8b8286-ba… and the {Id} property which is set to:

4a8b8286-bab2-4588-9642-6a31744fd5e6. We’ll refer to the Id property as the SourceId.

Next we‘ll execute a series of commands to create the paired application and associate with our existing application and finally synchronise both the source and newly paired application.

# Create the new paired application and update the original.
Set-CsTeamsComplianceRecordingApplication -Identity {Identity} 
-ComplianceRecordingPairedApplications 
@(New-CsTeamsComplianceRecordingPairedApplication -Id {ObjectId}) 
# Synchronise both the new and original application instances.
Sync-CsOnlineApplicationInstance -ObjectId  {ObjectId}
Sync-CsOnlineApplicationInstance -ObjectId  {SourceId}

Parameter	Description
`Identity`	This is the `Identity` property from the original application instance.
`Object-Id`	This is the `ObjectId` from the new application instance.
`Source-Id`	This is the `ObjectId` from the original application instance.

Verify the Paired Application

Finally, we‘ll verify that the application has been correctly created and updated by executing the following command:

Get-CsTeamsComplianceRecordingApplication | where {$_.Id -eq {SourceId}}

Parameter	Description
`Source-Id`	This is the `ObjectId` from the original application instance.

The output from here should now include the updated source application, where the ComplianceRecordingPairedApplications property has a new Id in the array:

Identity                              : Tag:redBoxRecordingPolicy/4a8b8286-ba…
Priority                              : 0
ComplianceRecordingPairedApplications : {Id=4a8b6175-cac3-1555-6642-5a31733cc4d7}
Id                                    : 4a8b8286-bab2-4588-9642-6a31744fd5e6
RequiredBeforeMeetingJoin             : True
RequiredBeforeCallEstablishment       : True
RequiredDuringMeeting                 : True
RequiredDuringCall                    : True
ConcurrentInvitationCount             : 1

Recording Policy

Assign the recording policy to Active Directory objects as required:

To a specific Active Directory User.
To an Active Directory Group.
To Active Directory Users based on a query.
To all users in Active Directory.

These steps are covered in the Microsoft Teams Recording Policy documentation, but are also covered here for clarity. Note that, similar to the Microsoft Azure Portal, Microsoft PowerShell commands and processes may change. Although the config steps covered here will be maintained to ensure the correct process is followed, there may be some differences present.

Assign the Policy to a Single User

Grant-CsTeamsComplianceRecordingPolicy -Identity "{User-Principal-Name}" 
-PolicyName "{Policy-Identity}"

Property	Description
`User-Principal-Name`	The name of the user to assign, e.g. `terry-towelling@fabrics.com`
`Policy-Identity`	This is the name of the policy created in the previous stages.

Assign the Policy to Users in a Department

Get-CsOnlineUser -Filter {Department -eq "{Department-Name}"} | 
Grant-CsTeamsComplianceRecordingPolicy -PolicyName "{Policy-Identity}"

Property	Description
`Department-Name`	The name of the department, as it appears in Active Directory.
`Policy-Identity`	This is the name of the policy created in the previous stages.

Assign the Policy to All Existing Users

Get-CsOnlineUser | Grant-CsTeamsComplianceRecordingPolicy 
-PolicyName "{Policy-Identity}"

Property	Description
`Policy-Identity`	This is the name of the policy created in the previous stages.

Assign as a Global Policy

All new users will be assigned the policy.

Grant-CsTeamsComplianceRecordingPolicy -PolicyName "{Policy-Identity}" -Global

Property	Description
`Policy-Identity`	This is the name of the policy created in the previous stages.

Unassign Users From a Policy

Grant-CsTeamsComplianceRecordingPolicy -Identity "{User-Principal-Name}" -PolicyName $null

Property	Description
`User-Principal-Name`	The name of the user to unassign, e.g. `terry-towelling@fabrics.com`

Disable or Enable a Policy

During testing or verification stages it can be useful to disable and re-enable the policy at a global level. To do so, execute the following command:

Set-CsTeamsComplianceRecordingPolicy -Identity "{Policy-Identity}" 
-Enabled {Enabled-State}

Property	Description
`Policy-Identity`	This is the name of the policy created in the previous stages.
`Enabled-State`	`$false` to disable the policy, or `$true` to enable it.

Configure the Collector Integration Adapter

The Integration Adapter configuration is specified in IntegrationAdapter.ini on the Collector – this file is automatically generated with default values on first start of the Collector. An example is shown below:

[General]
CollectorId=0f89817f-e324-48ca-bcb6-3d61f292755b
TenantId=dcedc429-11a9-4408-84a7-c781363c62e1

[JetStream]
ServerURL=nats://u-capture.example.com:4222

[Licence]
RecordInternalCalls=1
RecordPoolChannels=1000
PP0=P5FCAA3BAASAJEJA

[INSTALLED PPS]
PP0=/usr/lib/libPP_Matcher.so

[Phones]
DetectNewItems=1

Settings

Only config settings relevant to this MS Teams integration are listed here. For all other settings, leave these set to their default values.

Note

U-Capture 2024.2 introduced the support of NATS JetStream, therefore the NATS Streaming settings (STAN and STANChannels) have been depreciated, Uniphore recommends using the new JetStream settings however the depreciated NATS Streaming settings are still available. For the depreciated STAN settings and an example of those settings in context see Depreciated NATS Streaming Settings.

Setting	Description
`[General]CollectorId`	The unique identifier for this Collector. A UUID will be automatically generated and written to IntegrationAdapter.ini on first start.
`[General]TenantId`	Set to the unique identifier of the U‑Capture tenant associated with this Collector. If no tenants are defined, set this value to `dcedc429-11a9-4408-84a7-c781363c62e1`
`[General]RecordByDefault`	Set to `1` to enable or `0` to disable recording by default, for newly discovered devices. If not specified, the default value is `1` (enabled).
`[JetStream]ServerURL`	The URL of the NATS server. In the most simple of cases, this will be the NATS server used by U-Capture’s Core Services.
`[JetStream]Username`	If the NATS server is configured for user based authentication, specify the username here. If not specified, no value is used.
`[JetStream]Password`	If the NATS server is configured for user based authentication, specify the password here. If a password is used, the NATS server should also be configured to use TLS to prevent the password from being sent over the network in the clear. If not specified, no value is used.
`[JetStream]Token`	If the NATS server is configured for token based authentication, specify the token here. If a token is used, the NATS server should also be configured to use TLS to prevent the token from being sent over the network in the clear. If not specified, no value is used.
`[JetStream]TrustedCACertificatesFileName`	If the NATS server is configured to use TLS, specify the trusted CA certificate chain here. This will be the CA certificate chain that was used to sign the server certificate. If not specified, no value is used.
`[JetStream]ClientCertificateChainFilename`	If the NATS server is configured to use TLS, specify the trusted CA certificate chain here. This will be the CA certificate chain that was used to sign the server certificate. If not specified, no value is used.
`[JetStream]ClientCertificateKeyFilename`	If the NATS server is configured to use TLS with mutual-authentication, specify the client private key here. If not specified, no value is used.
`[JetStream]SkipServerVerification`	If the NATS server is configured to use TLS, disables verification of the server certificate. Not recommended. If not specified, the default value is `0`.
`[Licence]RecordInternalCalls`	Enable (`1`) or disable (`0`) the recording of internal calls (extension to extension calls). If not specified, the default value is `1`.
`[Licence]RecordPoolChannels`	Defines how many concurrent channels can be captured by the Collector. Calls over this value will be discarded. If not specified, the default value is `1000`.
`[Licence]PP<0…N>`	PP licence code for the Collector. This will have been provided as part of the customer’s deployment information from Uniphore.
`[Phones]DetectNewItems`	Enable (`1`) or disable (`0`) the automatic detection (discovery) of new devices. The default is enabled (`1`). In general, leave this set to `1` (enabled) for initial system setup and device discovery – if the customer then wants to “lock down” their recordable devices, this can be changed to `0` (disabled).

Depreciated NATS Streaming Settings

Setting	Description
`[STAN]ServerURL`	Set to the URL of the NATS Streaming Server for the U‑Capture Core Services associated with this Collector.
`[STAN]ClusterID`	Defines the NATS Streaming cluster ID – must be set to `stan-cluster`
`[STAN]ClientID`	A string that identifies this NATS Streaming client. The Collector ID is appended to this to ensure it is unique. If not specified, the default value is `RedBox-IntegrationAdapter`
`[STAN]Username`	If the NATS Streaming Server is configured for user based authentication, specify the username here. If not specified, no value is used.
`[STAN]Password`	If the NATS Streaming Server is configured for user based authentication, specify the password here. If a password is used, the NATS Streaming Server should also be configured to use TLS to prevent the password from being sent over the network in the clear. If not specified, no value is used.
`[STAN]CertificateChainFilename`	If the NATS Streaming Server is configured to use TLS, specify the trusted CA certificate chain here. This will be the CA certificate chain that was used to sign the server certificate. If not specified, no value is used.
`[STAN]ClientCertificateChainFilename`	If the NATS Streaming Server is configured to use TLS, specify the client certificate chain here. This will be the client certificate plus the CA certificate chain used to sign the client certificate. If not specified, no value is used.
`[STAN]ClientCertificateKeyFilename`	If the NATS Streaming Server is configured to use TLS, specify the client private key here. If not specified, no value is used.
`[STAN]Ciphers`	If the NATS Streaming Server is configured to use TLS, this value can be used to restrict the allowed ciphers. If not specified, no value is used.

An example of the IntegrationAdapter.ini file using the depreciated NATS Streaming settings:

[General]
CollectorId=0f89817f-e324-48ca-bcb6-3d61f292755b
TenantId=dcedc429-11a9-4408-84a7-c781363c62e1

[STAN]
ServerURL=nats://abcd.dev.mycompany.com:4222
ClusterID=stan-cluster
ClientID=RedBox-IntegrationAdapter-1
ConnectionTimeoutMS=15000
RetryWaitMS=15000
Username=
Password=
SkipServerVerification=0
CertificateChainFilename=
ClientCertificateChainFilename=
ClientCertificateKeyFilename=
Ciphers=

[STANChannels]
Alerts=RedBox.Collector.Alert
EventLogs=RedBox.Collector.EventLogs
ConfigRequests=RedBox.Collector.ConfigRequests
ConfigEvents=RedBox.Collector.ConfigEvents
Media=media
Metadata=metadata

[Licence]
RecordInternalCalls=1
RecordPoolChannels=1000
PP0=P5FCAA3BAASAJEJA

[INSTALLED PPS]
PP0=/usr/lib/libPP_Matcher.so

[Phones]
DetectNewItems=1

Configure the Collector MS Teams RAM

To configure the MS Teams RAM, edit the MicrosoftTeamsRAM.ini file on the Collector and update the following settings – a sample is also provided below.

Section	Setting	Notes
`General`	`RecorderIp`	The IP address of the Collector. For example, `127.1.1.1`
`General`	`RecorderPort`	The port of the Collector.
`Azure`	`Hostname`	Fully qualified hostname of the bot Web Socket server. For example `wss://demo.devbot.redboxdev.com` Make sure there’s no trailing slash "`/` " at the end. This will result in a failure to connect as the port is appended to the hostname whilst connecting to the bot (Web Socket server).
	`WebSocketsPort`	The port of the Web Socket server.
	`Username` *	The username for authentication against the bot. Make sure there’s no trailing space before or after username.
	`Password` *	The password for authentication against the bot. Make sure there’s no trailing space before or after password.
`Proxy` (Optional)	`Url`	Fully qualified Host/IP address of the proxy server along with scheme and port if any. For example, `http://www.proxyserver.com:3232`
	`Username`	Username to use to authenticate against the proxy. Make sure there's no trailing spaces and/or special characters before or after the username. If the proxy doesn't require authentication then leave this setting blank.
	`Password` *	Password to use to authenticate against the proxy. Make sure there's no trailing spaces and/or special characters before or after the password. If the proxy doesn't require authentication then leave this field blank.

* The Azure Username and Password provided here must match the values defined for the bot - see Update the Remaining Configuration Properties in Provision the Microsoft Azure Subscription.

Enter the Passwords as plain text. On first execution of the RAM, the passwords will be encrypted and two new settings will be added to the Azure section (EncryptedPassword and PasswordEntropy) with pre-populated values. Also, the Password fields will have their values set to an empty string once the passwords have been successfully encrypted and stored.

[General]
RecorderIp=127.0.0.1
RecorderPort=6477

[Azure]
Hostname=wss://botdev4.devbot.redboxdev.com
WebSocketsPort=2012
Username=admin
Password=recorder

[Proxy]
Url=http://www.proxyserver.com:3333
UserName=proxyusername
Password=proxypassword

Notes

Note

Ensure that the Microsoft Teams RAM is restarted every time there’s a configuration change to the .ini file or log configuration files.
Ensure that when entering values for hostname, username, and password that no special characters or trailing white space is entered.
Ensure that when entering port numbers no special characters or white space are entered.
If you have to increase the verbosity of the logging, ensure that it’s reverted back to WARN after any diagnostic work has completed – see Collector Logs.

Troubleshooting - Common Issues

Can’t Connect to the Bot – Ensure that all of the following have been checked:

Check bot hostname is correct and has the correct scheme and no trailing slashes, white space, or special characters (for example, new lines, etc).
Check port numbers are correct.
Confirm that any network firewalls etc have been opened up for the port and scheme being used to connect to the bot.
Increase the verbosity of the log level to DEBUG and check for any errors or warnings.

Upgrade the Azure Bot

For an existing MS Teams integration upgrading to the latest version of U‑Capture, you should upgrade the Azure Bot to the latest version currently available. The bot version is provided in the Azure Cloud Service package (.cspkg) filename for the Compliance Bot:

ComplianceRecordingBot_{vm-size}_{bot-version}.cspkg

Login to the Azure Portal, go to the Cloud Service Extended Support section where the Compliance Bot was deployed, and click Update.
Select the Storage Account that was used for the Compliance Bot. Select the new cspkg file (for example, ComplianceRecordingBot.Standard_D2_v2.v1.12.cspkg) and select the existing ServiceConfiguration.ClientExtendedSupport.cscfg and ServiceDefinition.csdef files from the current install. Once all three files have been uploaded, click Update to automatically update the Compliance Bot to the latest version – this may take up to 10 minutes (see FAQs below).

FAQs

Will there be any downtime?

Yes, recording will not be available during the upgrade process. Uniphore recommends that this upgrade is performed outside of normal operational hours.

Will I lose any configuration in the Cloud Service Extended Support?

No. As long there are no changes to the previous settings, no configuration will be lost.

Update the Azure Bot Secret

If you need to update/change the existing client secret for the Azure Bot (Create a Client Secret in Provision the Microsoft Teams Azure Subscription), perform the following:

In the Azure Portal, navigate to the bot instance and click Configuration under the Settings menu.
Locate the Microsoft App ID (Manage) textbox and click the Manage link – this will take you to the Certificates & secrets.
Find the expired client secret and select Delete.
Now follow the usual process to create the new client secret and update the existing configuration file values (see Create a Client Secret in Provision the Microsoft Teams Azure Subscription).
Note
It’s advisable to keep the name of the client secret (Description) the same as the deleted one.
Finally, upload the updated configuration file (see Upload the Bot Configuration File in Provision the Microsoft Teams Azure Subscription).

MS Teams Recording Control

Recording Control Policies

Use Recording Control policies to control which call recordings are discarded and retained. Recording Control policies do not impact live calls so they can continue to be monitored, blocklisting a call will not disable the call for recording and instead simply discard the call after the call has ended.

For more info on Recording Control Policies and further direction on adding, editing and deleting Recording Control Policies see Manage Recording Control Policies.

Blocklist: Blocklist policies can be used to provide fine control of what recordings are discarded, all calls outside the scope of the Blocklist will be retained.
Allowlist: Allowlist policies are the reverse of a Blocklist, an Allowlist can be used to specify calls to be retained that would otherwise be discarded (all calls outside the scope of the Allowlist will be discarded).

Typically once the U‑Capture Collector has been fully configured and initial setup is complete recordable items (devices, agents, etc) will be recorded, any new recordable items will be automatically added to the system provided that the following conditions are met:

In IntegrationAdapter.ini [Phones]DetectNewItems is set to 1 (to enable the automatic detection of new recordable items), and [General]RecordByDefault is also set to 1 (to automatically enable those newly detected devices for recording).

Logs

Collector Logs

The following log files are provided on the Collector:

Integration Adapter – IntegrationAdapter.00.txt
MS Teams RAM – MicrosoftTeamsRAM.txt

The associated log ini/config files are:

Integration Adapter – IntegrationAdapter.Logging.ini
MS Teams RAM – MicrosoftTeamsRAM.config

To configure the Integration Adapter logs:

Set the following in the .ini file. Note that this only lists the applicable config – all other settings can be left with their default values.

[Core]
DisableLogging=false
Filter="%Severity% > Trace"

Enable/Disable Logging – Set DisableLogging to false (logging enabled) or true (logging disabled).
Logging Level – Set Severity to one of the following values (most severe first): Fatal, Error, Warning, Info, Debug, Trace.

To configure the MS Teams RAM logs, set level in the config file to define the verbosity: ALL, DEBUG, INFO, WARN, ERROR.

Note

All other settings can be left with their default values.

<level value="DEBUG" /> <!-- Use "ALL", "DEBUG", "INFO", "WARN" or "ERROR" -->

Compliance Bot Logs

In this section:

Uniphore Customer Portal

Installation and Configuration

Installation and Configuration Steps

Note

Select Deployment Assets

Define the Cloud Service VM Details

Provision the Microsoft Azure Subscription

Register Resource Providers

Create a Resource Group for the Bot

Create a Key Vault

Upload/Import Certificate to the Key Vault

Create an Application Insights Resource

Create the Azure Bot

Configure the Bot

Note

Note

Create a Client Secret

Note

Set API Permissions

Create a Storage Account

Create a Virtual Network

Create a Public IP Address

Update the Remaining Configuration Properties

Note

Note

Upload the Bot Configuration File

Create the Azure Extended Cloud Service

Note

Configure Microsoft Teams

Note

Authenticate with PowerShell

Note

Create a New Recording Application instance

Note

Assign permissions

Synchronize the Recording Application instance

Create a new Recording Policy

Assign the Recording Policy to the Recording Application

Optional - Update the Compliance Recording Application

Configure a Paired Bot

Note

Assumptions

Create the Recording Application Instance

Pair the Recording Application Instance

Verify the Paired Application

Recording Policy

Assign the Policy to a Single User

Assign the Policy to Users in a Department

Assign the Policy to All Existing Users

Assign as a Global Policy

Unassign Users From a Policy

Disable or Enable a Policy

Configure the Collector Integration Adapter

Settings

Note

Depreciated NATS Streaming Settings

Configure the Collector MS Teams RAM

Notes

Note

Troubleshooting - Common Issues

Upgrade the Azure Bot

FAQs

Update the Azure Bot Secret

Note

MS Teams Recording Control

Recording Control Policies

Logs

Collector Logs

Note

Compliance Bot Logs

Search results