Data & Security FAQ

Collected Data

What data is collected from Microsoft Teams?

The collector queries the Microsoft Graph API for call records, usage reports, service health events, and optionally Auto Attendant and Call Queue data. No audio, video, chat messages, or file content is accessed or transmitted. See Getting Started Overview and Azure Permissions Reference.

Is call audio or video content captured?

No. The CallRecords.Read.All Graph API permission grants access to call metadata only: participants, duration, quality metrics, and network details. Audio and video streams are never accessed. See Azure Permissions Reference.

Does the collector process personal data?

Call records include participant identities such as UPN and display name, plus network-level data such as IP addresses, device platform, and subnet. This data is forwarded as-is to the configured backend and is subject to that platform’s data residency, retention, and access policies. See Configure Dynatrace and Configuration.

Can I scope data collection to specific users or groups?

No. Collection operates at the tenant level through the Microsoft Graph API. Granular user or group filtering at collection time is not supported. Post-ingestion filtering can be applied in the backend using Dynatrace DQL queries or Splunk search.

Storage & Retention

Where is data stored?

Storage depends on the configured output:

• Dynatrace: logs are written to a dedicated Grail bucket named ms_teams and processed by OpenPipeline.
• Splunk: events are indexed through the HTTP Event Collector into a configured Splunk index.
• Console output: events are printed to stdout only and are not persisted.

See Configure Dynatrace and Dynatrace Overview.

How long is data retained?

Retention is governed by the backend, not the collector. Dynatrace recommends 90 days for the ms_teams Grail bucket. Splunk retention is controlled by your index configuration. See Configure Dynatrace.

Transmission & External Services

How is data transmitted between the collector and the backend?

All data is sent over HTTPS. There is no plaintext transport between the collector and either the Dynatrace Log Ingest API or the Splunk HEC endpoint. See Prerequisites and Collector Connection.

Does the collector communicate with any third-party services?

Optionally. For Dynatrace deployments, ip-api.com may be contacted for geolocation enrichment. This can be disabled in configuration. Outside of that, outbound targets are limited to Microsoft Graph API endpoints and your backend. See Configure Dynatrace and Collector Troubleshooting.

Access & Credentials

Who can access the collected data?

• Dynatrace: access is controlled through the app’s Permissions panel and standard Dynatrace Grail access policies.
• Splunk: access is controlled through Splunk index and role permissions.

See Application Configuration.

How are Microsoft API credentials secured?

Two authentication methods are supported:

• Client secret: stored in config.yaml or the Dynatrace Credential Vault; config files must use restricted OS-level permissions and must not be committed to version control.
• Certificate (PEM, RSA only): recommended for production environments; it removes shared secrets and aligns with least-privilege security practices.

See Configuration, Azure Permissions Reference, and Extension Installation.

What happens if I revoke the Azure app registration or credentials?

The collector will fail to authenticate with Microsoft Graph and stop ingesting data. Historical data already stored in the backend is not affected. Rotate or update credentials in config.yaml and restart the service to resume collection. See Collector Troubleshooting.