MS Teams Chat Recording Preconditions

This page provides guidance on enabling Microsoft Teams Chat Recording, offered as a hosted service by Luware Recording, together with a high-level overview of the service.

SUBJECT TO CHANGE

Please note that this is an evolving service, with specifications subject to change in the future. This document will be updated to reflect any specification changes that pertain to its sections.

This page also lists the steps that must be carried out as prerequisites to enabling the service.

💡 It is assumed that you read this page in conjunction with the page Initial Setup and Configuration, as there is some overlap in concepts. You should complete the preconditions and implementation of the integration before proceeding with the preconditions on this page.

Overview

Luware Recording can record users' Microsoft Teams chat messages and files from a customer's M365 tenant by using an Azure Enterprise Application with authorized access to the customer's tenant. The Enterprise Application uses the Microsoft Export API to pull the required chat files from the customer's tenant, based on the recorded users or teams configured in Luware Recording. If a user has been enabled for Microsoft Teams Chat recording in Luware Recording, the Export API is polled frequently for new messages. These are ingested into the Luware Recording platform, where compliance features can be applied to ensure you meet your compliance regulations.

The high-level diagram below provides an overview of the Luware Recording integration points used for the recording of Microsoft Teams Chat files:

The following steps give a simplified overview of how the chat recording works:

  1. A chat recording enabled end user logs into Microsoft Teams and begins a chat conversation.
  2. Microsoft Teams uploads chat messages to the customer protected API.
  3. Luware Recording Chat Enterprise Application pulls the chat recordings for the recorded user and imports these into the Luware Recording platform.
  4. Luware Recording will upload the chat conversations into the Luware Recording SQL database and make them available for viewing in the Luware Recording Portal.
    1. If enabled, media attachments will be uploaded into the customer's Azure tenant to an Azure Blob storage location.
  5. The end user visits the Luware Recording web portal and requests to log in.
  6. The end user is redirected to Azure Entra ID for authentication. On successful login, the chat and attachments can be viewed on the Luware Recording portal.

Luware Recording with Microsoft Teams Export API

Microsoft Teams Export API

The capture and recording of Microsoft Teams Chat is achieved by using the Microsoft Teams Export API through an Azure Enterprise Application. The Microsoft Teams Export API allows the export of 1:1 chats, group chats, meeting chats, and channel messages from Microsoft Teams.

🔍 For further information on the Export API, see the Microsoft document Export content with the Microsoft Teams Export APIs.

Microsoft Licensing

DLP LICENSE NEEDED

In order for the Luware Recording Chat Enterprise Application to successfully export the chat and attachment files from the customer's tenant, each recorded user is required to have a Microsoft Communications DLP license. Any user that is required to have their chat messages recorded must have this license enabled. Without this license, chat and attachments will not be imported into the system.

💡 Microsoft Licensing requirements are subject to change as per Microsoft's standards, so the customer should always follow the Microsoft guidance on licensing or contact Microsoft for any changes. Luware can only provide guidance on Microsoft licensing.

Luware Recording Chat Enterprise Application

Luware Recording utilizes the Export API by using an authorized Azure Enterprise application. The enterprise application is owned and managed by Luware. Once the customer has approved the Graph API permissions (listed below), the Luware Recording Chat Azure Enterprise Application will have access to pull Microsoft Teams Chat files from the customer's tenant.

Record Users

With Luware Recording, you can select which users you wish to have Microsoft Teams chat recorded for. When a user is enabled for chat recording, all Microsoft Teams 1:1, group chats and meeting chats that the user is a member of will be recorded and can then be viewed in the Luware Recording web portal. Teams and Channels can also be recorded, however, these need to be added independently of the users by adding the Teams object that requires recording. Further details on this are outlined later on this page.

Users can be added for recording by utilizing the Luware Recording Active Entra ID synchronization function. This integration should have already been completed as part of the prerequisites on the page Initial Setup and Configuration. If users are required to have their Microsoft Teams chat recorded, the customer simply needs to add the users to an AD group that has been set up for synchronization with Luware Recording. When users are added to this group in the customer AD, they will automatically be synced into Luware Recording and enabled for Microsoft Teams Chat recording.

Attachments

Attachments can optionally be recorded as well. Attachments can be downloaded by the Luware Recording Chat Enterprise Application using the Export API and then be viewed in the Luware Recording web portal. If enabled, the attachments will be downloaded, processed, and then encrypted and uploaded with a single retention period to the customer's Azure storage location. Alternatively, customers can choose not to enable this option, in which case attachments will not be stored and therefore will not be viewable in the Luware Recording Portal.

Look-Back

It is possible for Luware Recording to perform a look-back for chat messages. The look-back feature is used if a customer wants to export any historic chat messages that might not have been captured by the Export API or Luware Recording. If this feature is required, messages that have already been imported successfully can be duplicated. A look-back request is a chargeable addition to Luware Recording, except in the event of an incident or problem case that caused chat or attachments to be missed. The request will need to be made through your account manager.

💡 Microsoft Teams only stores chat and attachments for a set period of time. If the chat and attachments are removed by a Teams policy, they cannot be pulled into the Luware Recording system.

Customer Tenant Configuration Steps

This section details the configuration settings that need to be created and applied within your Azure tenant.

The Luware Recording Chat Enterprise Application requires additional Graph API permissions to your Azure tenant to be able to gather all the information and data required to accurately capture the users' Microsoft Teams Chat messages. The required permissions, with an explanation of the access each one grants, are listed below.

| Permission | Description |
| --- | --- |
| User.Read.All | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. |
| Group.Read.All | Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access. |
| Chat.Read.All | Allows the app to read all 1:1 or group chat messages in Microsoft Teams, without a signed-in user. |
| ChannelMessage.Read.All | Allows an app to read a channel's messages in Microsoft Teams, on behalf of the signed-in user. |
| ChannelMember.Read.All | Read the members of channels, on behalf of the signed-in user. |
| Files.Read.All | Allows the app to read all files the signed-in user can access. |
| Sites.Read.All | Allows the app to read documents and list items in all site collections on behalf of the signed-in user. |

In order to consent to these permissions, you will need to follow both the links below (ensuring <CUSTOMER TENANT ID> is replaced with your actual Tenant ID) and sign in as a Global Administrator.

✅ For the Luware <CLIENT ID>, please contact your partner admin or Luware support.

https://login.microsoftonline.com/<CUSTOMER TENANT ID>/adminconsent?client_id=<CLIENT ID>&redirect_uri=https://luware.com
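Once consent has been granted, the permissions the enterprise application actually holds can be compared against the list above. The following is an added example, not Luware's or Microsoft's code: it assumes you have exported the Microsoft Graph service principal's `appRoles` and the application's `appRoleAssignments` and `oauth2PermissionGrants` as JSON, and the sample data and placeholder GUIDs are constructed.

```python
# Permissions this page lists as required for the Chat Enterprise Application.
REQUIRED = {
    "User.Read.All", "Group.Read.All", "Chat.Read.All",
    "ChannelMessage.Read.All", "ChannelMember.Read.All",
    "Files.Read.All", "Sites.Read.All",
}

def granted_permissions(app_roles, assignments, delegated_grants):
    """Resolve the permission names held by the application.

    app_roles:        'appRoles' of the Microsoft Graph service principal
    assignments:      the app's appRoleAssignments (application permissions)
    delegated_grants: the app's oauth2PermissionGrants (delegated scopes)
    """
    names_by_id = {role["id"]: role["value"] for role in app_roles}
    granted = set()
    for item in assignments:
        role_id = item["appRoleId"]
        # Surface an unknown role id instead of silently dropping it.
        granted.add(names_by_id.get(role_id, "unresolved:" + role_id))
    for grant in delegated_grants:
        # Delegated scopes arrive as one space-separated string.
        granted.update(grant.get("scope", "").split())
    return granted

def audit(granted):
    """Return (missing, unexpected) relative to the documented list."""
    return sorted(REQUIRED - granted), sorted(granted - REQUIRED)

# --- Constructed sample data: placeholder GUIDs, not real role ids ---
def _gid(n):
    return f"00000000-0000-0000-0000-{n:012d}"

SAMPLE_NAMES = sorted(REQUIRED) + ["Mail.Read"]  # Mail.Read is not on the list
SAMPLE_APP_ROLES = [{"id": _gid(i), "value": v} for i, v in enumerate(SAMPLE_NAMES)]
# Application permissions: everything except the two scopes granted below
# and Sites.Read.All, which is left out to show a missing consent.
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": r["id"]} for r in SAMPLE_APP_ROLES
    if r["value"] not in {"User.Read.All", "Group.Read.All", "Sites.Read.All"}
]
SAMPLE_GRANTS = [{"consentType": "AllPrincipals",
                  "scope": "User.Read.All Group.Read.All"}]

if __name__ == "__main__":
    held = granted_permissions(SAMPLE_APP_ROLES, SAMPLE_ASSIGNMENTS, SAMPLE_GRANTS)
    missing, unexpected = audit(held)
    print("missing:", missing)        # consent incomplete, export may fail
    print("unexpected:", unexpected)  # broader than documented, review it
```

A non-empty "unexpected" list means the application holds more access to the tenant than this page documents and is worth raising with Luware support before recording goes live.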

Add Users to Azure Entra ID Security Groups

For users to be added to Luware Recording for chat recording, they must be added to an Azure Entra ID Security group first. This can be a group that might have already been created as part of the prerequisites in Initial Setup and Configuration, e.g. a Recorded Users group. If an additional group is required for chat recording, it will need to be created and the group name passed to the assigned Luware Engineer.

Users that require chat recording will need to be added to or removed from this security group. It is your sole responsibility to ensure that users are added and removed from these groups when required. Luware Recording will synchronize with the selected groups twice a day (overnight) and any changes in your Azure Entra ID security groups will be synced with Luware Recording. Bear this in mind when adding or removing users from the AD groups, as the users will not be added or removed in Luware Recording until the next day.

Microsoft Teams License

The users that are required to be recorded must have a Microsoft Communications DLP license enabled. Without this license the Export API will not allow any chat messages for that user to be exported.

The license can be enabled in the Microsoft 365 Admin Center.

  1. Go to the Microsoft 365 admin center.
  2. Go to Users > Active Users in the side menu.
  3. Search for the users that require the license.
  4. Open the license options for the users and enable the Microsoft Communications DLP license.

Add Teams and Channels (Optional)

As standard, Microsoft Teams and Channels chat conversations are not recorded by adding users to Luware Recording as shown above. The Teams need to be added to Luware Recording individually and enabled for recording so that the conversations for the recorded users can be captured. Enabling recording for all teams and channels of recorded users requires all users within the customer's tenant to have the Microsoft Communications DLP license assigned and enabled. Otherwise, only recorded users' messages are retrieved.

If only a specific selection of Teams require recording, the Object IDs of the selected Teams need to be provided to the Luware engineer. To export the Object IDs of the Teams that you want to record, follow the steps below.

  1. Log in to your Azure Active Directory.
  2. Go to All Groups.
  3. In the search bar, search for the name of the team to find the team object.
  4. Select the group from the menu to open the group properties and copy the Object ID of the Team.
  5. Send the Object ID and Team name to the Luware Recording engineer, who can then add the team for recording.

Once a Team has been added for recording, all Channels within that Team will also be recorded. All chat messages sent within this team will be recorded.

NOTIFY LUWARE ON CHANGES

The addition of Teams into Luware Recording is not an automated process. For additional Teams that are added to your tenant that will require recording, the Object IDs must be provided to Luware via the support channel in order for these to be recorded. It is your responsibility to notify Luware of any additions or changes to the Teams.

Capture Attachments (Optional)

If you require the attachments shared in any chat to be recorded and stored with Luware Recording, notify your Luware engineer to enable this functionality.

Attachments from chat conversations can be downloaded from the Microsoft Export API, but they require a configured storage target so that they can be stored and viewed in the Luware Recording portal.

As part of the prerequisites in Initial Setup and Configuration, a storage target should have been created. For the storage of chat attachments, you can either use the same storage target or create an additional one. Chat attachments can only be uploaded with a single data management policy per tenant.

Another prerequisite is enabling access to your Azure storage account. This connection will be used for the upload of the chat attachments.
