Call Telemetry for Cisco

Appearance

Teams Emergency Call Notifications - System Architecture

System Purpose

Call Telemetry's Microsoft Teams integration delivers real-time monitoring of emergency call notifications through Microsoft Graph API subscriptions with Event Hub streaming delivery. This architecture enables immediate detection and processing of Emergency call notifications that are automatically generated when users make Emergency calls via Microsoft Teams calling.

Core Architecture Principles

  • Event-Driven: Uses Microsoft Graph subscriptions with Event Hub streaming for real-time notifications
  • Secure by Design: OAuth 2.0 Device Authorization Grant with delegated permissions and least privilege access
  • Scalable: Event Hub with Kafka protocol supports high-throughput message processing
  • Auditable: Complete CloudEvent audit trail for compliance and troubleshooting
  • Resilient: Automatic token refresh and subscription management

High-Level System Architecture

Core Components

Microsoft Teams Emergency Calls

  • Emergency Detection: Native Teams emergency calling generates automatic chat notifications
  • Call Context: Emergency notifications include caller information, location data, and timestamp
  • Integration Trigger: Emergency calls automatically create chat messages that trigger the integration

Microsoft Graph API

  • Subscription Management: Creates real-time subscriptions to monitor chat message changes
  • Event Delivery: Pushes emergency notification events to Azure Event Hub via CloudEvents
  • Authentication: Validates delegated permissions and manages API access tokens
  • Rate Limiting: Handles API throttling and manages subscription lifecycles

Azure Event Hub

  • Event Streaming: Kafka-compatible message streaming with guaranteed delivery and ordering
  • Scalable Partitioning: Distributes emergency notifications across partitions for parallel processing
  • Retention Management: Configurable message retention (1-7 days)
  • Integration Bridge: Connects Microsoft Graph API events to Call Telemetry processing pipeline

Call Telemetry Platform

  • Event Processing: Broadway pipeline processes CloudcEvents with concurrent message handling
  • Token Management: Automatic renewal of OAuth access and refresh tokens
  • Subscription Lifecycle: Automated creation, renewal, and cleanup of Graph API subscriptions
  • Data Storage: Secure storage of emergency notifications, tokens, and audit trails

Emergency Dashboard

  • Real-time Updates: Displays realtime emergency notifications and call details
  • Workflow Integration: Triggers automated emergency response workflows
  • Administrative Interface: Management tools for subscription health and system monitoring

Security Architecture

Microsoft Graph API Permissions

The integration uses delegated permissions that operate under the authenticated service user's access rights. This ensures the principle of least privilege and maintains security boundaries.

PermissionTypeDescriptionJustification
User.ReadDelegatedRead user profileBasic user information for authentication
Chat.ReadDelegatedRead chat messagesRead user chat messages
Chat.ReadBasicDelegatedRead basic chat informationRead names and members of user chat threads
ChatMessages.ReadDelegatedRead chat messagesRead user chat messages
openidDelegatedOpenID Connect authenticationStandard authentication flow
offline_accessDelegatedAccess resources when user not presentToken refresh capability
profileDelegatedView user's basic profileUser identification

Authentication Security

Security Model

  • Delegated Permissions Only: Integration operates within service user's existing access rights
  • Zero Application Permissions: Cannot access organizational data beyond the authenticated user's scope
  • OAuth 2.0 Device Authorization Grant: Secure authentication flow designed for service accounts
  • Time-Limited Access: Access tokens expire in 1 hour, refresh tokens automatically renewed
  • Multi-Factor Authentication: Supports organizational MFA and conditional access policies

Network Security

  • HTTPS Only: All communication encrypted with TLS 1.2+
  • Outbound Only: No inbound connections required
  • Domain Validation: Connections only to verified Microsoft domains
  • Port 443: Single port requirement simplifies firewall configuration

Detailed Authentication and Message Flow

Implementation Architecture

Azure Infrastructure Requirements

Event Hub Namespace: A dedicated Azure Event Hub namespace hosts the Teams event streaming infrastructure. This provides:

  • Kafka Protocol Support: Industry-standard messaging protocol for reliable event delivery
  • Partition Management: Automatic message distribution for scalability
  • Retention Policies: Configurable message retention (1-7 days)

App Registration: Azure Active Directory app registration establishes the security boundary:

  • Client Application: Public client configuration for device authentication flow
  • API Permissions: User Delegated Microsoft Graph permissions as listed above

Integration Points

Call Telemetry Platform Integration:

  • Service Users: Dedicated Teams integration users authenticate via device flow
  • Token Management: Automatic renewal of access and refresh tokens
  • Subscription Lifecycle: Automated creation, renewal, and cleanup of Graph API subscriptions
  • Event Processing: Pipeline processes CloudEvents from Event Hub streams

Microsoft 365 Ecosystem:

  • Teams Emergency Calling: Integration triggers on native Teams emergency notifications
  • Graph API Subscriptions: Real-time push notifications for chat message changes
  • Azure Active Directory: Centralized authentication and permission management

Operational Considerations

Monitoring & Health Validation

  • Subscription Health: Real-time monitoring of Graph API subscription status and expiration
  • Token Validity: Automatic token refresh before expiration (1-hour access tokens)
  • Event Processing: Message processing rates, error rates, and latency metrics

Compliance & Data Governance

  • Audit Trail: Complete CloudEvent logging for compliance reporting
  • Data Minimization: Only emergency-related chat messages are processed and stored
  • Retention Management: Configurable retention periods align with organizational policies
  • Access Control: Role-based access control for subscription management and monitoring

Enterprise Deployment Considerations

  • Multi-Tenant Support: Each organization maintains isolated Azure resources and subscriptions
  • Scaling Characteristics: Linear scaling with organization size and Teams adoption
  • Disaster Recovery: Event Hub built-in redundancy and subscription recreation capabilities
  • Network Requirements: Outbound HTTPS only (port 443) to Microsoft domains

Device Authorization Grant via Public Client Flow

The OAuth 2.0 Device Authorization Grant provides optimal security for this integration:

  • Public Client Flow: Utilizes secure tunnel authentication, without inbound Firewall rules.
  • User Consent: Service users authenticate with their own credentials, ensuring compliance with organizational security policies.
  • No Shared Secrets: Eliminates the need for managing client secrets or certificates.
  • Conditional Access Support: Honors organizational MFA and security policies
  • User Permissions: Clear visibility into permissions granted to the integration

This enterprise-grade architecture ensures reliable, secure, and scalable emergency notification processing while maintaining compliance with organizational security policies and regulatory requirements.