Creating a Microsoft Teams Compliance Policy
In order to complete the steps below, you must have Global Administrator or Teams Service Administrator role.
At least one compliance policy has to be created in Teams which is then assigned to recorded users. Multiple policies can be configured and assigned to different bots.
For more information on policies, see https://docs.microsoft.com/en-us/powershell/module/skype/set-csteamscompliancerecordingpolicy
The policy configuration consists of the following steps:
Prerequisites
Step 1 - Download and install PowerShell 5.1.
Step 2 - Open PowerShell as administrator.
Step 3 - Set the security protocol to TLS 1.2 with the following command:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Step 4 - Install the NuGet package provider module by running the following command:
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Step 5 - Install the Microsoft Teams module by running the following command:
Install-Module MicrosoftTeams
Accessing the tenant via PowerShell
Separate Azure tenants for the recording provider (bot) and for the Teams environment to record
In the case when the recorded Teams environment and the recording bot are in separate Azure tenants, the following steps have to be done in the Teams tenant.
Step 1 - Open PowerShell as administrator.
Step 2 - Execute the following command:
Update-Module MicrosoftTeams
Step 3 - Execute the following command:
Connect-MicrosoftTeams
Step 4 - A login prompt will show up. Provide the user credentials.
Creating a Teams Compliance Recording Policy
Step 5 - Execute the following command. At the <Policy Description> part, provide some description. At the <PolicyName> part, provide a name.
New-CsTeamsComplianceRecordingPolicy -Enabled $true -Description '<Policy Description>' -Identity '<PolicyName>'
Step 6 - Execute the following command. Replace the <PolicyName> parts with the name provided in the previous command. Replace the <ObjectId> part with the Object ID gathered at the previous part of the configuration (Whitelisting the Microsoft Teams Bot App - Step 6).
Set-CsTeamsComplianceRecordingPolicy -Identity '<PolicyName>' -ComplianceRecordingApplications @(New-CsTeamsComplianceRecordingApplication -Parent '<PolicyName>' -Id '<ObjectId>')
Step 7 (Optional - 2N recording) - If 2N recording will be used, then execute the following command. Replace the <ObjectId> part with the ID from the results of the previous command and the <ObjectId_of_Bot2> part with the ID from the result of Step 8 here: Whitelisting the Microsoft Teams Bot App.
Set-CsTeamsComplianceRecordingApplication -Identity 'Tag:<PolicyName>/<ObjectId>' -ComplianceRecordingPairedApplications @(New-CsTeamsComplianceRecordingPairedApplication -Id '<ObjectId_of_Bot2>')
Changing the Compliance Recording Policy settings
The Teams Compliance Recording Policy allows the following configuration options:
Name | Description | Default Setting |
---|---|---|
RequiredBeforeMeetingJoin | Defines if the bot has to join the call before the recorded user can join the meetings | 1 (On) |
RequiredBeforeCallEstablishment | Defines if the bot has to join the call before the recorded user can place or receive calls | 1 (On) |
RequiredDuringMeeting | Defines if the recorded user will be disconnected from the meetings if the recorder bot connection is lost | 1 (On) |
RequiredDuringCall | Defines if the recorded user will be disconnected from the call if the recorder bot connection is lost | 1 (On) |
It is strongly recommended to use the default settings (strict mode) for the compliance recording policies. The default settings ensure that if, for some reason, the bot cannot join or disconnects from the call/meeting, the recorded user will be disconnected automatically to avoid compliance issues. There is no failover or automatic retry mechanism implemented on the Teams side.
Follow the steps below to change the settings:
Step 8 - Execute the following command to get the ID of the compliance recording application and the name of the compliance recording policy. It will return the name of the compliance recording policy in the Identity field. Take note of the value of the Identity field (after the Tag: part). It also returns the compliance recording application ID. Take a note of the identifier which is displayed after ComplianceRecordingApplications : {Id=.
Get-CsTeamsComplianceRecordingPolicy
Step 9 - Execute the following commands to change the compliance recording policy options. Replace the <PolicyName> and the <ComplianceApplicationId> parts with the values received in the previous command. This example below turns off all restrictions.
Set-CsTeamsComplianceRecordingApplication -Identity '<PolicyName>/<ComplianceApplicationId>' -RequiredBeforeMeetingJoin 0 -RequiredBeforeCallEstablishment 0 -RequiredDuringMeeting 0 -RequiredDuringCall 0
Changing these parameters of an existing compliance recording policy that is already granted to a recorded user might take hours to take effect on the user's calls & meetings. As an alternative, we recommend creating a new compliance recording policy (see Step 7) with all the parameters having the same values as before, except the PolicyName that should be different; setting the new policy's parameters using the Set-CsTeamsComplianceRecordingApplication command; then granting this policy to the recorded user (see Administering Compliance Policy for Microsoft Teams Users) that takes effect almost immediately. Of course, if you have a policy already set up with the desired parameter values, it's enough to grant that policy to the user, no need to create another one with the same settings.