Teams Emergency Call Notifications - System Architecture
Setup Information
For implementation details, see the Azure Integration Guide. This document explains how the system works technically.
What This System Does
When someone makes an emergency call (like 911) through Microsoft Teams, this integration automatically captures that emergency notification and forwards it to Call Telemetry for immediate processing and alerting.
System Components
The integration uses three main components:
- Azure App Registration - Provides secure authentication to Microsoft Graph API
- Microsoft Graph API Subscription - Monitors for emergency call notifications in Teams
- Azure Event Hub - Streams messages between Microsoft and Call Telemetry using Kafka protocol
How It Works
The process:
- User dials 911 through Microsoft Teams
- Teams automatically creates a chat notification
- Microsoft Graph API subscription detects the notification
- Azure Event Hub forwards the event using Kafka protocol
- Call Telemetry receives and processes the emergency event
- Security teams get immediate notifications through configured channels
Authentication
Call Telemetry uses the OAuth 2.0 Device Authorization Grant for authentication.
Required Permissions
All permissions are delegated (acting on behalf of the service user) rather than application-level permissions:
Permission | What It Does |
---|---|
User.Read | Read user profile for authentication |
Chat.Read | Read chat messages for emergency monitoring |
Chat.ReadBasic | Read basic chat info and members |
ChatMessage.Read | Read individual chat messages |
openid | OpenID Connect authentication |
offline_access | Token refresh for continuous monitoring |
profile | Basic profile information |
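
A least-privilege check against the table above, as an added example (not Call Telemetry's own code): it decodes an access token payload for inspection only, without verifying the signature, and reports any scope outside the table or any application-level `roles`. The function names and both sample tokens are constructed for illustration.

```python
import base64
import json

# Delegated scopes transcribed from the Required Permissions table.
EXPECTED_SCOPES = {
    "User.Read", "Chat.Read", "Chat.ReadBasic", "ChatMessage.Read",
    "openid", "offline_access", "profile",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; no signature check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_claims(claims: dict) -> list:
    findings = []
    # Delegated tokens carry scopes in "scp"; app-only tokens carry "roles".
    if claims.get("roles"):
        roles = ", ".join(sorted(claims["roles"]))
        findings.append("application permissions present: " + roles)
    granted = set(claims.get("scp", "").split())
    if not granted:
        findings.append("no delegated scopes (scp) in token")
    for scope in sorted(granted - EXPECTED_SCOPES):
        findings.append("unexpected scope: " + scope)
    return findings

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

# Constructed samples: one matching the table, one over-privileged.
GOOD = make_sample_token(
    {"scp": "Chat.Read Chat.ReadBasic ChatMessage.Read User.Read"})
OVERBROAD = make_sample_token(
    {"scp": "Chat.Read Chat.ReadWrite User.Read", "roles": ["Chat.Read.All"]})

if __name__ == "__main__":
    for name, token in (("good", GOOD), ("overbroad", OVERBROAD)):
        print(name, audit_claims(decode_claims(token)))
```
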
Azure Event Hub Configuration
Actual Specifications
Based on the setup guide, the Event Hub is configured with:
- Event Hub Standard tier
- 2 partitions (handles multiple concurrent emergency calls)
- 1 throughput unit for typical deployments
- 1 day message retention (Standard tier default)
- Kafka protocol on port 9093 with SSL encryption
Network Requirements
The system requires outbound connectivity only:
Destination | Port | Protocol | Purpose |
---|---|---|---|
graph.microsoft.com | 443 | HTTPS | Microsoft Graph API access |
login.microsoftonline.com | 443 | HTTPS | Azure AD authentication |
*.servicebus.windows.net | 9093 | Kafka/SSL | Event Hub Kafka protocol |
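
The table above doubles as an egress allowlist. The following added example (not part of the product) checks outbound connection records from the Call Telemetry host against it and shows the strict matching the wildcard entry needs. The log format, the host name `ct-appliance` and the namespace `contoso-e911` are constructed, and the log is assumed to record destination host names rather than IP addresses.

```python
# Allowlist transcribed from the Network Requirements table.
ALLOWED_EGRESS = [
    ("graph.microsoft.com", 443),
    ("login.microsoftonline.com", 443),
    ("*.servicebus.windows.net", 9093),
]

def host_matches(pattern: str, host: str) -> bool:
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]              # ".servicebus.windows.net"
        label = host[: -len(suffix)]
        # Exactly one non-empty label before the suffix: rejects the bare
        # suffix, look-alike names and nested subdomains.
        return host.endswith(suffix) and label != "" and "." not in label
    return host == pattern

def is_allowed(host: str, port: int) -> bool:
    return any(port == p and host_matches(pat, host)
               for pat, p in ALLOWED_EGRESS)

# Constructed firewall log: timestamp, source, destination host, port.
SAMPLE_LOG = """\
2024-05-01T12:00:01Z ct-appliance graph.microsoft.com 443
2024-05-01T12:00:02Z ct-appliance login.microsoftonline.com 443
2024-05-01T12:00:03Z ct-appliance contoso-e911.servicebus.windows.net 9093
2024-05-01T12:00:04Z ct-appliance servicebus.windows.net.example.net 9093
2024-05-01T12:00:05Z ct-appliance graph.microsoft.com 9093
2024-05-01T12:00:06Z ct-appliance updates.example.org 443
"""

def unexpected_egress(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that are not in the constructed format
        _, _, host, port = fields
        if not is_allowed(host, int(port)):
            findings.append((host, int(port)))
    return findings

if __name__ == "__main__":
    for host, port in unexpected_egress(SAMPLE_LOG):
        print(f"unexpected egress: {host}:{port}")
```
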
Technical Specifications
Token Management
- Access Tokens: 1-hour expiration, automatically refreshed
- Graph API Subscriptions: 3-day expiration, auto-renewed by Call Telemetry
- Authentication Recovery: Automatic re-authentication on failures
Service User Account Requirements
- Microsoft 365 user account specifically for this integration
- Microsoft Teams license assigned (Business Basic or higher)
- Must be configured to receive emergency call notifications via Teams calling policies
Processing Performance
- Emergency call events appear in Call Telemetry within 10 seconds
- Microsoft Graph API subscriptions auto-renewed every 48 hours
- Client Secret expiration: 12-24 months (configurable)
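
The 3-day subscription expiration under Token Management and the 48-hour renewal interval above imply that a healthy subscription always has at least 24 hours left. The following added example (not Call Telemetry's code) turns that into a monitoring check over subscription records. The records and ids are constructed, and it assumes each renewal resets the expiry to the full 3 days and that timestamps are UTC.

```python
from datetime import datetime, timedelta, timezone

SUBSCRIPTION_LIFETIME = timedelta(days=3)   # "3-day expiration"
RENEW_INTERVAL = timedelta(hours=48)        # "auto-renewed every 48 hours"
# With on-schedule renewals the remaining lifetime never drops below this.
MIN_REMAINING = SUBSCRIPTION_LIFETIME - RENEW_INTERVAL   # 24 hours

def parse_graph_time(value: str) -> datetime:
    """Parse a UTC timestamp like 2024-05-04T12:00:00.0000000Z.

    Fractional seconds are dropped; whole seconds are enough here.
    """
    parsed = datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)

def subscription_status(expiration: str, now: datetime) -> str:
    remaining = parse_graph_time(expiration) - now
    if remaining <= timedelta(0):
        return "EXPIRED"            # notifications are no longer delivered
    if remaining < MIN_REMAINING:
        return "RENEWAL_OVERDUE"    # a scheduled renewal was missed
    return "OK"

def check_all(subscriptions: list, now: datetime) -> dict:
    return {s["id"]: subscription_status(s["expirationDateTime"], now)
            for s in subscriptions}

# Constructed records; the ids are placeholders, not real subscription ids.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SUBSCRIPTIONS = [
    {"id": "sub-fresh", "expirationDateTime": "2024-05-04T11:59:00.0000000Z"},
    {"id": "sub-late", "expirationDateTime": "2024-05-02T06:00:00.0000000Z"},
    {"id": "sub-dead", "expirationDateTime": "2024-05-01T11:00:00.0000000Z"},
]

if __name__ == "__main__":
    for sub_id, status in check_all(SAMPLE_SUBSCRIPTIONS, NOW).items():
        print(sub_id, status)
```
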
Cost Structure
Monthly costs for typical deployment:
Component | Cost | Notes |
---|---|---|
Azure Event Hub Standard | $25/month | Based on 1 throughput unit |
Teams License (Service Account) | $6.30/month | Microsoft 365 Business Basic |
App Registration | Free | No charge for Azure AD app registrations |
Event Hub Storage | $0/month | Minimal data storage |
Total estimated cost: ~$31/month
Security Design
- End-to-End Encryption: All communication uses TLS 1.2+
- Minimal Permissions: Only chat reading permissions, no administrative access
- Delegated Access: Integration only sees what the service user can see
- No Inbound Connections: Only outbound connections required
- MFA Support: Works with organizational multi-factor authentication policies
Data Privacy and Security
Customer-Owned Infrastructure
This Teams integration is deployed entirely within your organization's infrastructure:
- Azure Resources: Event Hub and App Registration are created in your Azure subscription
- Microsoft Graph API: Uses delegated permissions scoped to your service user account only
- Call Telemetry Instance: Runs on your infrastructure (on-premises or your cloud deployment)
- Data Flow: Emergency call data flows directly from Microsoft Teams to your Call Telemetry instance
Data Privacy Principles
No Third-Party Data Sharing:
- No emergency call data is transmitted to Call Telemetry vendors or external services
- All processing occurs within your organizational boundaries
- Microsoft Graph API permissions are delegated to your service user account
- Azure Event Hub streams data directly to your Call Telemetry deployment
Data Sovereignty:
- Emergency call notifications remain within your Microsoft 365 tenant
- Call Telemetry processes data on your controlled infrastructure
- You maintain complete control over data retention and access policies
- All configurations and credentials are managed by your organization
Example References:
- Any references to "Call Telemetry" in documentation are examples of your deployment
- Screenshots and configuration examples represent your organizational setup
- No data is shared with Call Telemetry product vendors during normal operation
Version Requirements
- Call Telemetry: 0.8.5 or later
- License: Premium license required
- Microsoft Graph API: Standard permissions (no admin consent required)
- Azure Event Hub: Standard tier minimum