Azure Permissions
Use this guide to create the Microsoft Entra application used by the collector to call Microsoft Graph APIs.
Required Outcome
At the end you must have:
- tenant_id
- client_id
- One authentication method:
  - client_secret, or
  - client_certificate_path (PEM with private and public key)
- Admin-consented Graph application permissions
flowchart TD
A[Azure Portal] --> B[Microsoft Entra ID]
B --> C[New App Registration]
C --> D[Copy tenant_id and client_id]
D --> E{Auth method}
E -->|Client secret| F[Create client secret]
E -->|Certificate| G[Upload public cert and store PEM on host]
F --> H[Add Graph API permissions]
G --> H
H --> I[Grant admin consent]
I --> J[Validate in collector config]
Create the App Registration
- Open Azure Portal and go to Microsoft Entra ID.
- Copy Tenant ID from Overview.
- Go to App registrations and click New registration.
- Select Accounts in this organizational directory only.
- Create the application and copy Application (client) ID.
Configure Authentication
Client secret:
- Open Certificates and secrets.
- In Client secrets, click New client secret.
- Copy the secret Value immediately after creation.
- Put this value in microsoft_authentication.graph.client_secret.

Certificate:
- Open Certificates and secrets.
- In Certificates, upload the public certificate (.cer, .pem, or .crt).
- Keep a PEM file containing both private and public keys on the collector host.
- Put the PEM path in microsoft_authentication.graph.client_certificate_path.
Expected PEM layout:
```
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
```
Add Microsoft Graph API Permissions
In API permissions:
- Click Add a permission.
- Select Microsoft Graph.
- Select Application permissions (not Delegated).
- Add:
  - CallRecords.Read.All
  - Reports.Read.All
  - ServiceHealth.Read.All
- Click Grant admin consent and confirm.
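To confirm that admin consent took effect and that the app carries nothing beyond the three permissions above, inspect the `roles` claim of an app-only access token, which is where Microsoft Entra ID lists granted application permissions. The following is an added example, not part of the collector: the function names and the sample token are constructed for illustration, and the payload is decoded without signature verification, which is enough for inspecting your own token but not for trusting one.

```python
import base64
import json

# Application permissions this guide asks for.
REQUIRED_ROLES = {"CallRecords.Read.All", "Reports.Read.All", "ServiceHealth.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_claims(jwt: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audit_roles(jwt: str) -> dict:
    """Compare the token's application permissions with the required set."""
    claims = token_claims(jwt)
    granted = set(claims.get("roles", []))  # absent when no app permission is consented
    return {
        "missing": sorted(REQUIRED_ROLES - granted),
        "excess": sorted(granted - REQUIRED_ROLES),
        # Delegated tokens carry 'scp'; the collector needs app-only tokens.
        "delegated": "scp" in claims,
    }


def make_sample_token(roles: list) -> str:
    """Build a constructed, unsigned token for demonstration only."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "roles": roles}
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.sig"


if __name__ == "__main__":
    # Constructed input: one required role missing, one excess role present.
    sample = make_sample_token(["CallRecords.Read.All", "Reports.Read.All", "Directory.ReadWrite.All"])
    print(audit_roles(sample))
```

A non-empty `missing` list usually means admin consent was not granted; a non-empty `excess` list means the registration holds more privilege than the collector needs.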
Validate Collector Configuration
Use one of these authentication patterns.

```yaml
microsoft_authentication:
  graph:
    tenant_id: "<tenant-id>"
    client_id: "<client-id>"
    client_secret: "<secret>"
```

```yaml
microsoft_authentication:
  graph:
    tenant_id: "<tenant-id>"
    client_id: "<client-id>"
    client_certificate_path: "/etc/ms-teams-observability-agent/graph.pem"
    client_certificate_passphrase: "optional"
```

Run:

```
ms-teams-agent validate --config ./config.yaml
ms-teams-agent test-connection --config ./config.yaml
```

For all configuration fields, see Configuration Reference.
Complete permission and authentication reference
Required Permissions
| Permission | Type | Required | Purpose |
|---|---|---|---|
| CallRecords.Read.All | Application | Yes | Retrieve Teams call records, stream details, PSTN, and Direct Routing data |
| Reports.Read.All | Application | Yes | Access Teams activity reports (user activity, usage) |
| ServiceHealth.Read.All | Application | Yes | Access Microsoft 365 service health incidents and advisories |
Optional Permissions (VAAC Features)
| Permission | Type | Required For | Purpose |
|---|---|---|---|
| VAAC-specific permissions | Application | Auto Attendant and Call Queue | Voice application analytics |
Permission Type Notes
| Attribute | Value |
|---|---|
| Permission type | Application (not Delegated) |
| Admin consent | Required |
| Token flow | Client credentials |
Supported Authentication Methods
| Method | Description |
|---|---|
| Client secret | Secret generated in Azure App Registration |
| Certificate (PEM) | RSA certificate with private and public key |