NOTE: As of January 31st, Exoprise updated and reduced the required permissions to for the Teams AV Bot. You still have to consent (obviously) but its reduced to the minimum required to easily and synthetically test Teams Audio Video conversations from any vantage point.
The Teams AV Monitoring sensor is the only solution available for monitoring or detecting Audio Video Conferencing issues with Microsoft Teams and has special setup requirements that require consideration.
Read more about Monitoring Microsoft Teams with Exoprise
Ease of Use With Teams AV Bot
To make it easy for customers to utilize this network monitoring solution for Microsoft Teams, Exoprise leverages an Audio Video Bot that is invited into a synthetic test Teams conferencing session. Each sensor creates a conference and invites the Teams AV Bot which streams audio and video content so the Exoprise synthetic sensor can capture the real-time WebRTC statistics such as Jitter, Packet Loss, Frame Loss and more. In this way, network administrators can diagnose uptime, performance, and availability of the Microsoft Teams infrastructure, Internet and local LAN.
Teams AV Bot Permissions
To be able to invite the Teams AV Bot to a conference the Office 365 tenant must accept an OAuth Bot registration. This is dictated by Microsoft and their Microsoft Graph communications SDK. The permissions required by the Teams AV Bot were dictated by the communications SDK. The following OAuth permissions are required:
|Calls.AccessMedia.All||Application||Access media streams in a call as an app||Yes|
|Calls.Initiate.All||Application||Initiate outgoing 1 to 1 calls from the app||Yes|
|Calls.JoinGroupCall.All||Application||Join group calls and meetings as an app||Yes|
|Calls.JoinGroupCallAsGuest.All||Application||Join group calls and meetings as a guest||Yes|
These permissions and what they control are part of the Microsoft Graph and Teams infrastructure. More about how the Teams AV sensor operates can be read here:
Other Policy Requirements
- Meet Now
The Teams AV sensor utilizes Meet Now functionality to start a meeting (its not scheduled). So this policy must be enabled for the accounts that are configured to ensure successful setup. Once the meeting is established the Bot is explicitly invited into the meeting. That is the only functionality of the Teams AV Bot.
- Anonymous users can join a meeting
This is required. The term anonymous users means users that are not authenticated to the organizations tenant. In this context all external users are considered anonymous. For more information, please see here: https://docs.microsoft.com/en-us/microsoftteams/teams-security-guide
These policy settings can be configured for the entire tenant or for subsets of users. There can be a large delay when these settings are configured and when they take affect within the tenant.
New OAuth Permissions
On January 31st, 2022, Exoprise we reduced the set of permissions needed by the Teams AV Bot. If your tenant has previously accepted the Teams AV Bot OAuth permissions then the application registration within your tenant may still show previous set of permissions. To synchronize the set of permissions, simply reauthorize within the Exoprise console, here: https://secure.exoprise.com/oauths