Creating a Microsoft Teams Compliance Policy
- Gabor Moczar (Unlicensed)
- Janos Bodnar
In order to complete the steps below, you must have Global Administrator or Teams Service Administrator role.
At least one compliance policy has to be created in Teams which is then assigned to recorded users. Multiple policies can be configured and assigned to different bots.
For more information on policies, see https://docs.microsoft.com/en-us/powershell/module/skype/set-csteamscompliancerecordingpolicy
The policy configuration consists of the following steps:
Accessing the tenant via PowerShell
Separate Azure tenants for the recording provider (bot) and for the Teams environment to record
In the case when the recorded Teams environment and the recording bot are in separate Azure tenants, the following steps have to be done in the Teams tenant.
Step 1 - Download and install the Skype Bus Connector PowerShell module.
Step 2 - Open PowerShell as administrator.
Step 3 - Execute the following command:
Import-Module SkypeOnlineConnector
The next step depends on what kind of authentication method your Teams administrator account uses.
Step 4, If your Teams administrator account uses account name and password for authentication
Step 4a - Execute the following command:
$userCredential = get-Credential
Step 4b - A login prompt will show up. Provide the user credentials.
Step 4c - Execute the following command:
$teamsSession = New-CsOnlineSession -Credential $userCredential -Verbose
Step 4, If your Teams administrator account uses multi-factor authentication
Step 4a - Execute the following command:
$teamsSession = New-CsOnlineSessione
Step 4b - A login prompt will show up. Provide the user credentials.
Step 4c - MFA process starts. Complete the authentication.
Step 5 - Execute the following command:
Import-PSSession $teamsSession
Creating a Teams Compliance Recording Policy
Step 6 - Execute the following command. Replace the <TenantId> part with your Azure Tenant ID (Creating the Microsoft Teams Recording Bot - Step 29).
At the <Policy Description> part, provide some description. At the <PolicyName> part, provide a name.
New-CsTeamsComplianceRecordingPolicy -Tenant '<TenantId>' -Enabled $true -Description '<Policy Description>' -Identity '<PolicyName>'
Step 7 - Execute the following command. Replace the <TenantId> parts with your Azure Tenant ID (Creating the Microsoft Teams Recording Bot - Step 29). Replace the <PolicyName> parts with the name provided in the previous command. Replace the <ObjectId> part with the Object ID gathered at the previous part of the configuration (Whitelisting the Microsoft Teams Bot App - Step 6).
Set-CsTeamsComplianceRecordingPolicy -Tenant '<TenantId>' -Identity '<PolicyName>' -ComplianceRecordingApplications @(New-CsTeamsComplianceRecordingApplication -Tenant '<TenantId>' -Parent '<PolicyName>' -Id '<ObjectId>')
Step 8 (Optional - 2N recording) - If 2N recording will be used, then execute the following command. Replace the <ObjectId> part with the ID from the results of the previous command and the <ObjectId_of_Bot2> part with the ID from the result of Step 9 here: Whitelisting the Microsoft Teams Bot App.
Set-CsTeamsComplianceRecordingApplication -Identity 'Tag:<PolicyName>/<ObjectId>' -ComplianceRecordingPairedApplications @(New-CsTeamsComplianceRecordingPairedApplication -Id '<ObjectId_of_Bot2>')
Changing the Compliance Recording Policy settings
The Teams Compliance Recording Policy allows the following configuration options:
| Name | Description | Default Setting |
|---|---|---|
| RequiredBeforeMeetingJoin | Defines if the bot has to join the call before the recorded user can join the meetings | 1 (On) |
| RequiredBeforeCallEstablishment | Defines if the bot has to join the call before the recorded user can place or receive calls | 1 (On) |
| RequiredDuringMeeting | Defines if the recorded user will be disconnected from the meetings if the recorder bot connection is lost | 1 (On) |
| RequiredDuringCall | Defines if the recorded user will be disconnected from the call if the recorder bot connection is lost | 1 (On) |
Follow the steps below to change the settings:
Step 9 - Execute the following command to get the ID of the compliance recording application and the name of the compliance recording policy. It will return the name of the compliance recording policy in the Identity field. Take note of the value of the Identity field (after the Tag: part). It also returns the compliance recording application ID. Take a note of the identifier which is displayed after ComplianceRecordingApplications : {Id=.
Get-CsTeamsComplianceRecordingPolicy
Step 10 - Execute the following commands to change the compliance recording policy options. Replace the <PolicyName> and the <ComplianceApplicationId> parts with the values received in the previous command. This example below turns off all restrictions.
Set-CsTeamsComplianceRecordingApplication -Identity '<PolicyName>/<ComplianceApplicationId>' -RequiredBeforeMeetingJoin 0 -RequiredBeforeCallEstablishment 0 -RequiredDuringMeeting 0 -RequiredDuringCall 0
Changing these parameters of an existing compliance recording policy that is already granted to a recorded user might take hours to take effect on the user's calls & meetings. As an alternative, we recommend creating a new compliancy recording policy (see Step 7) with all the parameters having the same values as before, except the PolicyName that should be different; setting the new policy's parameters using the Set-CsTeamsComplianceRecordingApplication command; then granting this poolicy to the recorded user (see Administering Compliance Policy for Microsoft Teams Users) that takes effect almost immediately. Of course, if you have a policy already set up with the desired parameter values, it's enough to grant that policy to the user, no need to create another one with the same settings.