Azure Permissions

Use this guide to create the Microsoft Entra application used by the collector to call Microsoft Graph API.

At the end you must have:

  • tenant_id
  • client_id
  • One authentication method:
    • client_secret, or
    • client_certificate_path (PEM with private + public key)
  • Admin-consented Graph application permissions

  1. Open the Azure Portal and go to Microsoft Entra ID.

  2. In Overview, copy your Tenant ID.

  3. Open App registrations and click New registration.

  4. Set a name (for example MS Teams Observability) and select Accounts in this organizational directory only.

  5. Create the application and copy the Application (client) ID.

  1. Open Certificates & secrets.
  2. In Client secrets, click New client secret.
  3. Copy the secret Value immediately after creation.
  4. Put this value in microsoft_authentication.microsoft_client_secret.

In API permissions:

  1. Click Add a permission.
  2. Choose Microsoft Graph.
  3. Choose Application permissions (not Delegated).
  4. Add:
    • CallRecords.Read.All
    • Reports.Read.All
    • ServiceHealth.Read.All
  5. Click Grant admin consent and confirm.

Use one of the two authentication patterns below.

microsoft_authentication:
  microsoft_tenant_id: "<tenant-id>"
  microsoft_client_id: "<client-id>"
  microsoft_client_secret: "<secret>"
  microsoft_scope: "https://graph.microsoft.com/.default"
  microsoft_grant_type: "client_credentials"

Then run:

./ms-teams-agent.bin --config ./conf/config.yaml --ignore_state

For all available configuration fields, see Configuration.
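
To confirm that the registration grants exactly the three application permissions listed above and nothing more, you can inspect the claims of an access token issued to the app. The following is an added example, not part of the collector: it assumes you already hold the access token string returned by the client-credentials flow and reads the `roles`, `scp` and `tid` claims; the token and tenant ID in the demo are constructed.

```python
import base64
import json

# Graph application permissions this guide tells you to grant.
REQUIRED_ROLES = {"CallRecords.Read.All", "Reports.Read.All", "ServiceHealth.Read.All"}


def decode_claims(access_token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT verified:
    this inspects your own token, it does not authenticate anyone."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(access_token: str, expected_tenant_id: str) -> dict:
    """Compare the token's app roles and tenant with what the guide requires."""
    claims = decode_claims(access_token)
    roles = set(claims.get("roles", []))
    return {
        "missing": sorted(REQUIRED_ROLES - roles),  # not added, or consent not granted
        "excess": sorted(roles - REQUIRED_ROLES),   # more than the collector needs
        "tenant_ok": claims.get("tid") == expected_tenant_id,
        "app_only": "scp" not in claims,            # delegated tokens carry scp
    }


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo (constructed data)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    tenant = "11111111-1111-1111-1111-111111111111"  # constructed tenant id
    sample = constructed_token({
        "tid": tenant,
        "roles": ["CallRecords.Read.All", "Reports.Read.All", "Directory.ReadWrite.All"],
    })
    print(audit_token(sample, tenant))
```

A non-empty `missing` list usually means a permission was not added or admin consent was not granted; a non-empty `excess` list means the app holds permissions the collector does not need.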

VAAC Account (Auto Attendant & Call Queue)

The microsoft_username and microsoft_password fields used for Auto Attendant and Call Queue collection (ms_teams_autoattendant_collection / ms_teams_callqueue_collection) are not the App Registration credentials. They refer to a dedicated Microsoft 365 user account that must be configured in Teams.

  1. Create or designate a dedicated Microsoft 365 user account for the collector.

  2. In the Microsoft Teams admin center, go to Voice > Voice applications policies.

  3. Click Add to create a new custom policy. Grant it the minimum permissions needed (the global default policy grants no access and must not be used).

  4. Assign the custom policy to the account via Manage users or with the PowerShell cmdlet:

    Grant-CsTeamsVoiceApplicationsPolicy -Identity "user@domain.com" -PolicyName "YourCustomPolicy"
  5. Set the account as an Authorized user on at least one Auto Attendant or Call Queue in Voice > Auto attendants / Call queues > Authorized users.