
Microsoft Teams Emergency Notifications - Azure Integration

Feature Overview

This document outlines the technical requirements and Azure configuration needed for integrating Call Telemetry with Microsoft Teams emergency notifications. The integration uses Azure Event Hub and Microsoft Graph API subscriptions to provide real-time monitoring of emergency calls made through Microsoft Teams.

Feature Requirements

  • Call Telemetry 0.8.5 or later
  • Call Telemetry Advanced or Premium License
  • Azure subscription
  • Microsoft 365 tenant with Teams Calling Policies
  • Dedicated service integration user with Teams license
  • Global Admin access for app registration and API permission setup.

Service Integration User Requirements

  • Dedicated Service Account: Microsoft 365 user account for Teams integration. Must have a valid MS Teams license.

  • Emergency Notification Access: User must receive emergency call notifications via Teams chat security notification policies.

  • OAuth 2.0 Authentication: Account must support device authentication flow

Required Microsoft Graph API Permissions

| Permission | Type | Description | Justification |
|---|---|---|---|
| User.Read | Delegated | Read user profile | Basic user information for authentication |
| Chat.Read | Delegated | Read chat messages | Read user chat messages |
| Chat.ReadBasic | Delegated | Read basic chat information | Read names and members of user chat threads |
| ChatMessages.Read | Delegated | Read chat messages | Read user chat messages |
| openid | Delegated | OpenID Connect authentication | Standard authentication flow |
| offline_access | Delegated | Access resources when user not present | Token refresh capability |
| profile | Delegated | View user's basic profile | User identification |

Network Requirements

Outbound Connectivity Requirements

The Event Hub integration requires outbound connectivity only; no inbound firewall rules are needed:

| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| graph.microsoft.com | 443 | HTTPS | Microsoft Graph API access |
| login.microsoftonline.com | 443 | HTTPS | Azure AD device authentication |
| *.servicebus.windows.net | 9093 | Kafka/SSL | Event Hub Kafka protocol |

DNS Requirements

Ensure DNS resolution for these domains:

  • *.microsoft.com
  • *.microsoftonline.com
  • *.servicebus.windows.net

Azure Application Registration

Register a New Azure Application

  1. Sign in to your Azure Portal
  2. Navigate to Azure Active Directory > App registrations
  3. Click New registration
  4. Enter the following information:
    • Name: Call Telemetry Teams Integration
    • Supported account types: Accounts in this organizational directory only
    • Redirect URI: Leave blank (OAuth 2.0 Device Authorization Grant flow)
  5. Click Register

You should see your Azure App Properties.

Azure Application Properties

Configure Authentication

  1. In your registered app, navigate to Authentication
  2. Under Advanced settings, set Allow public client flows to YES
  3. This enables OAuth 2.0 Device Authorization Grant flow (required)
  4. Click Save

Azure App Authentication Settings

Create Client Secret

  1. Navigate to Certificates & secrets
  2. Under Client secrets, click New client secret
  3. Enter a description and select an expiration period (24 months recommended)
  4. Click Add
  5. Copy and securely store the generated secret value immediately; it cannot be viewed again

Azure App Client Secrets

Record Application Information

Record the following information for later use:

  • Application (client) ID
  • Directory (tenant) ID
  • Client secret value

This will be stored in the Settings for Call Telemetry.

Configure API Permissions

  1. In your registered app, navigate to API permissions
  2. Click Add a permission
  3. Select Microsoft Graph
  4. Choose Delegated permissions
  5. Add all permissions listed in the Required Microsoft Graph API Permissions section
  6. Admin consent is not required for these permissions.

Azure API Permissions Configuration

Azure Event Hub Setup

Create Event Hub Infrastructure

  1. Create Resource Group:

    • Resource group: RG-Call-Telemetry-Teams
    • Region: Choose region closest to your users
  2. Create Event Hub Namespace:

    • Namespace name: calltelemetry-teams-events (globally unique)
    • Pricing tier: Basic (sufficient for most deployments)
    • Location: Same as resource group
  3. Create Event Hub:

    • Name: teams-events
    • Partition count: 2 (recommended)
    • Message retention: 1 day (Basic tier)

Configure Microsoft Graph Change Tracking Permissions

Critical Step

Microsoft Graph Change Tracking service requires explicit permissions to send events to your Event Hub. Without this, subscription creation will fail.

Via Azure CLI:

```bash
# Find the Microsoft Graph Change Tracking service principal
MS_GRAPH_CT_OBJECT_ID=$(az ad sp list --display-name "Microsoft Graph Change Tracking" --query "[0].id" -o tsv)

# Grant required permission
az role assignment create \
  --assignee-object-id "$MS_GRAPH_CT_OBJECT_ID" \
  --assignee-principal-type "ServicePrincipal" \
  --role "Azure Event Hubs Data Sender" \
  --scope "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP/providers/Microsoft.EventHub/namespaces/NAMESPACE_NAME"
```

Via Azure Portal:

  • Go to Event Hub namespace → Access control (IAM)
  • Add role assignment: Azure Event Hubs Data Sender
  • Assign to: Microsoft Graph Change Tracking service principal

Integration Architecture

Authentication Token Management

  • OAuth 2.0 Device Authorization Grant: Secure authentication for service accounts
  • Access tokens: Expire after 1 hour with automatic renewal
  • Refresh tokens: Sliding 90-day window, automatically renewed
  • Multi-Factor Authentication: Supports organizational MFA and conditional access
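
The token lifecycle listed above, as an added Python example (not Call Telemetry's own code): it requests a device code, polls the token endpoint until the service user has signed in, and later exchanges the refresh token. It assumes the app is used as a public client (no client secret is sent), uses a subset of the scopes from the permissions table, and the `post`, `sleep` and `show` parameters are hypothetical hooks added here so the flow can be exercised offline.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
# Subset of the delegated scopes from the permissions table on this page.
SCOPES = "User.Read Chat.Read Chat.ReadBasic offline_access openid profile"


def http_post(url, form):
    """POST a form, return the JSON body; error replies arrive as JSON with HTTP 400."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def acquire_tokens(tenant_id, client_id, post=http_post, sleep=time.sleep, show=print):
    """Device authorization grant: request a code, then poll until sign-in completes."""
    base = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0"
    device = post(f"{base}/devicecode", {"client_id": client_id, "scope": SCOPES})
    show(device["message"])  # sign-in URL and user code for the operator
    interval = int(device.get("interval", 5))
    deadline = time.monotonic() + int(device["expires_in"])
    while time.monotonic() < deadline:
        sleep(interval)
        reply = post(f"{base}/token", {"grant_type": DEVICE_GRANT, "client_id": client_id,
                                       "device_code": device["device_code"]})
        if "error" not in reply:
            return dict(reply, expires_at=time.time() + int(reply["expires_in"]))
        if reply["error"] == "slow_down":
            interval += 5  # RFC 8628: back off by 5 seconds and keep polling
        elif reply["error"] != "authorization_pending":
            raise RuntimeError(f"device flow failed: {reply['error']}")
    raise TimeoutError("device code expired before sign-in completed")


def refresh_tokens(tenant_id, client_id, refresh_token, post=http_post):
    """Exchange the refresh token for a fresh access token (and replacement refresh token)."""
    reply = post(f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", {
        "grant_type": "refresh_token", "client_id": client_id,
        "refresh_token": refresh_token, "scope": SCOPES})
    if "error" in reply:
        raise RuntimeError(f"refresh failed: {reply['error']}")
    return dict(reply, expires_at=time.time() + int(reply["expires_in"]))
```

The returned refresh token grants the service user's chat access for as long as it keeps being renewed, so store it with the same protection as the client secret and keep both out of logs.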

Event Hub Integration

  • Microsoft Graph Subscriptions: Real-time chat message subscriptions with Event Hub delivery
  • Kafka Protocol: High-throughput message streaming via Azure Event Hub
  • Automatic Processing: Broadway pipeline processes CloudEvents automatically
  • Scalable Architecture: Partition-based processing for high availability

Teams Emergency Detection

  • Emergency Call Notifications: Automatic chat notifications when users make emergency calls
  • Real-time Processing: Immediate detection and processing of emergency events
  • Complete Audit Trail: CloudEvent logging for compliance and troubleshooting

Technical Specifications

  • Graph API subscriptions: 3-day expiration with automatic renewal
  • Access tokens: 1-hour expiration with automatic refresh
  • Event Hub partitions: 2 partitions recommended for Teams workloads
  • Message retention: 1-7 days configurable retention
  • Protocol support: Kafka/SSL on port 9093

Integration Flow

  1. Authentication: Service user authenticates via OAuth 2.0 Device Authorization Grant
  2. Token Management: Call Telemetry receives and stores authentication tokens
  3. Subscription Creation: Graph API subscriptions created with Event Hub delivery
  4. Event Processing: Emergency notifications flow through Event Hub to Broadway pipeline
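
Steps 3 and 4 depend on a subscription that points at the Event Hub and is renewed before its 3-day expiration. The following added Python example (not Call Telemetry's own code) builds the subscription body with Microsoft Graph's `EventHub:` notification address and sorts existing subscriptions into those to renew and those that have already expired. The `resource` path is supplied by the caller and the 12-hour renewal margin is an assumption; neither is given on this page.

```python
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=3)    # subscription expiration stated on this page
RENEW_MARGIN = timedelta(hours=12)  # assumed safety margin, not from the page


def event_hub_url(namespace, hub, tenant):
    """notificationUrl for Event Hub delivery: an 'EventHub:' prefix instead of a webhook."""
    return (f"EventHub:https://{namespace}.servicebus.windows.net"
            f"/eventhubname/{hub}?tenantId={tenant}")


def graph_time(moment):
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_graph_time(text):
    """Parse Graph timestamps, which may carry 7 fractional digits (datetime allows 6)."""
    head, _, frac = text.rstrip("Z").partition(".")
    parsed = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return parsed + timedelta(microseconds=int((frac or "0")[:6].ljust(6, "0")))


def subscription_body(resource, namespace, hub, tenant, now):
    """Body for POST /v1.0/subscriptions; `resource` is supplied by the caller."""
    return {
        "changeType": "created",
        "resource": resource,
        "notificationUrl": event_hub_url(namespace, hub, tenant),
        # Stay just under the maximum so clock skew cannot push the request over it.
        "expirationDateTime": graph_time(now + MAX_LIFETIME - timedelta(minutes=5)),
    }


def plan_renewals(subscriptions, now):
    """Split ids into (renew via PATCH /v1.0/subscriptions/{id}, expired: create again)."""
    renew, recreate = [], []
    for sub in subscriptions:
        left = parse_graph_time(sub["expirationDateTime"]) - now
        if left <= timedelta(0):
            recreate.append(sub["id"])
        elif left <= RENEW_MARGIN:
            renew.append(sub["id"])
    return renew, recreate
```

A subscription that lands in the expired list means emergency notifications were not delivered for some period, which is worth alerting on rather than silently re-creating.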

Authentication Flow Diagram

Event Hub Integration Flow

Token Renewal Flow

Security Considerations

  • TLS 1.2+ Encryption: All communication encrypted end-to-end
  • OAuth 2.0 Device Authorization Grant: Secure authentication without shared secrets
  • Delegated Permissions Only: No application permissions required
  • Principle of Least Privilege: Minimal required permissions for emergency monitoring
  • Multi-Factor Authentication: Supports organizational MFA and conditional access policies
  • Outbound Only: No inbound firewall rules required
