Provision a Compliance Recording Policy in Microsoft Teams using PowerShell
Note
This article describes the steps required to enable a recording policy in Microsoft Teams using PowerShell cmdlets.
There is an alternative (much easier) method of creating a recording policy in Microsoft Teams, using MiaRec automation. Check Connect MiaRec to Microsoft Teams for details.
Ignore these instructions if you used MiaRec automation to create a recording policy.
Procedure overview
The process of creating a compliance recording policy in Microsoft Teams includes a few steps:
- Create an application instance for the recorder
- Create a Compliance Recording Policy
- Assign the Compliance Recording Policy to either Users, Groups or globally to a whole organization
A complete overview of Microsoft's policy-based recording capabilities for Microsoft Teams is available in Microsoft documentation.
Prerequisites
To set up a Compliance Recording Policy, you need to run some PowerShell cmdlets.
Open PowerShell console as administrator
Press Win+R to open the Run dialog and enter the following command to run the PowerShell console:
powershell.exe Start-Process powershell -Verb runAs
Install Microsoft Teams PowerShell Module
Install-Module MicrosoftTeams
Note
If you see the error PowerShellGet requires NuGet provider version '2.8.5.201' or newer..., then run the following command:
Install-Module PowershellGet -AllowClobber -Force
And try again to install module MicrosoftTeams.
Sign-in to Microsoft Teams (as tenant global admin)
In PowerShell console, run:
Connect-MicrosoftTeams
You will be asked to sign in to your Microsoft account. Make sure you sign in with your Teams global administrator account.
After a successful sign-in, you should see your Teams tenant ID in the console.
Step 1. Create application instance for the MiaRec recorder
In the previously opened PowerShell session run the following commands.
Before proceeding with the next steps, you need to know the following information:
- MiaRec Application ID (contact your MiaRec representative)
- UserPrincipalName (UPN) for the recording application. Choose a unique UPN in your domain (e.g. miarec@yourdomain.com)
- Descriptive name for the recording application
Run the following commands to declare these three variables (substitute the values as required):
# Replace <MIAREC_APPLICATION_ID> with the value provided by MiaRec
$RecorderAppID = "<MIAREC_APPLICATION_ID>"
# Replace <YOUR_DOMAIN> with your Azure directory domain
$RecorderUPN = "miarec@<YOUR_DOMAIN>.com"
# Choose a name for the recorder as you like
$RecorderDisplayName = "MiaRec Recorder"
Run the New-CsOnlineApplicationInstance command to create an application instance in your Azure Active Directory (documentation):
New-CsOnlineApplicationInstance `
-UserPrincipalName $RecorderUPN `
-DisplayName $RecorderDisplayName `
-ApplicationId $RecorderAppID
This command should return the ObjectId of the created registration.
Obtain the ObjectID of the created registration with the following command:
# Get Recording Application ObjectId
$RecorderObjectId = Get-CsOnlineApplicationInstance `
| Where-Object {$_.ApplicationId -Match "$RecorderAppID"} `
| Select-Object -ExpandProperty ObjectId
# Print to the console
echo $RecorderObjectId
Step 2. Create a Compliance Recording Policy
Create a new Teams recording policy for governing automatic policy-based recording in your tenant (documentation):
# Define variables
$PolicyDesc = "MiaRec Recording Policy"
$PolicyName = "MiaRecRecording"
# Create policy
New-CsTeamsComplianceRecordingPolicy `
-Enabled $true `
-Description $PolicyDesc `
-Identity $PolicyName `
-WarnUserOnRemoval $false
Optional parameters for this command:
- -RecordReroutedcalls. Setting this attribute to true enables compliance recording for calls that have been re-routed from a compliance recording-enabled user. Supported call scenarios include forward, transfer, delegation, call groups, and simultaneous ring.
- -DisableComplianceRecordingAudioNotificationForCalls. Setting this attribute to true disables recording audio notifications for 1:1 calls that are under compliance recording.
Step 3. Assign recording application to a Compliance Recording Policy
Create a new association between an application instance and a Compliance Recording Policy that were created in the previous steps (documentation).
New-CsTeamsComplianceRecordingApplication `
-Parent $PolicyName `
-Id $RecorderObjectID `
-RequiredBeforeCallEstablishment $false `
-RequiredBeforeMeetingJoin $false `
-RequiredDuringCall $false `
-RequiredDuringMeeting $false
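A check of the association created in Step 3, as an added example that is not MiaRec's or Microsoft's own code. It assumes the object returned by Get-CsTeamsComplianceRecordingPolicy exposes Enabled and ComplianceRecordingApplications with the same property names as the parameters above. The function name Test-RecordingPolicy, the sample object and its ID are constructed so the block runs without a tenant connection.

```powershell
# Added example: audit a compliance recording policy object.
# Assumption: property names mirror the parameters used in Steps 2 and 3.
function Test-RecordingPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [string] $RecorderObjectId
    )
    $flags = 'RequiredBeforeCallEstablishment', 'RequiredBeforeMeetingJoin',
             'RequiredDuringCall', 'RequiredDuringMeeting'
    # Find the recorder's association inside the policy, if any
    $app = $Policy.ComplianceRecordingApplications |
        Where-Object { $_.Id -eq $RecorderObjectId } |
        Select-Object -First 1
    # A flag set to $false means the call or meeting goes ahead (unrecorded)
    # when the recorder fails to join or drops out.
    $failOpen = @()
    if ($app) {
        foreach ($f in $flags) {
            if (-not $app.$f) { $failOpen += $f }
        }
    }
    [pscustomobject]@{
        Policy           = $Policy.Identity
        Enabled          = [bool]$Policy.Enabled
        RecorderAttached = [bool]$app
        FailOpenFlags    = $failOpen
    }
}

# Constructed sample shaped like the Step 2/3 configuration (not tenant output)
$sampleId = '00000000-0000-0000-0000-000000000001'
$samplePolicy = [pscustomobject]@{
    Identity = 'Tag:MiaRecRecording'
    Enabled  = $true
    ComplianceRecordingApplications = @(
        [pscustomobject]@{
            Id                              = $sampleId
            RequiredBeforeCallEstablishment = $false
            RequiredBeforeMeetingJoin       = $false
            RequiredDuringCall              = $false
            RequiredDuringMeeting           = $false
        }
    )
}
Test-RecordingPolicy -Policy $samplePolicy -RecorderObjectId $sampleId

# Against a live tenant, after Connect-MicrosoftTeams:
# Test-RecordingPolicy -Policy (Get-CsTeamsComplianceRecordingPolicy -Identity $PolicyName) -RecorderObjectId $RecorderObjectId
```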
Step 4. Assign policy to users
In Microsoft Teams, it is possible to assign a Compliance Recording Policy to:
- A whole organization (global policy)
- Group(s)
- User(s)
See documentation for Grant-CsTeamsComplianceRecordingPolicy command.
Option 1. Enable recording globally for a whole organization
Grant-CsTeamsComplianceRecordingPolicy `
-Global `
-PolicyName $PolicyName
Option 2. Enable recording for individual groups
You can assign a recording policy to either a security group or a distribution list (documentation).
You can assign the recording policy to any group in your Microsoft account. But we recommend creating a dedicated group like "Recorded Users".
Create such a group in the Microsoft 365 admin center at admin.microsoft.com.
Make sure you assign such a group a unique UPN, like recorded_users@yourdomain.com.
When you add users to this group, recording will be activated for them automatically because of the group recording policy.
# Set the following variable to UPN of the group that will be assigned a recording policy
$RecordedUsersGroup = "recorded_users@YOUR_DOMAIN.com"
New-CsGroupPolicyAssignment `
-GroupId $RecordedUsersGroup `
-PolicyType TeamsComplianceRecordingPolicy `
-PolicyName $PolicyName `
-Rank 1
Multiple group policies
When creating a group policy assignment, you can specify a rank, which indicates the precedence of that assignment relative to any other group assignments for the same policy type that may exist. The assignment will be applied to users in the group for any user that does not have a direct policy assignment, provided the user does not have any higher ranking assignments from other groups for the same policy type.
The group policy assignment rank is set at the time a policy is assigned to a group and it is relative to other group policy assignments of the same policy type. For example, if there are two groups, each assigned a Teams Meeting policy, then one of the group assignments will be rank 1 while the other will be rank 2. It's helpful to think of rank as determining the position of each policy assignment in an ordered list, from highest rank to lowest rank. In fact, rank can be specified as any number, but these are converted into sequential values 1, 2, 3, etc. with 1 being the highest rank. When assigning a policy to a group, set the rank to be the position in the list where you want the new group policy assignment to be. If a rank is not specified, the policy assignment will be given the lowest rank, corresponding to the end of the list.
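The precedence described above, modelled as an added example that is not Microsoft's or MiaRec's code. The function name, the group IDs and the PilotRecording policy name are hypothetical, and the fallback to the global policy when no direct or group assignment applies is an assumption of this sketch. The constructed data shows a user who is in the "Recorded Users" group and also in a higher-ranked group.

```powershell
# Added example: which recording policy wins for one user.
function Resolve-EffectiveRecordingPolicy {
    param(
        [string]   $DirectPolicy,            # policy granted directly, or empty
        [string[]] $MemberOf = @(),          # IDs of the groups the user belongs to
        [object[]] $GroupAssignments = @(),  # objects with GroupId, PolicyName, Rank
        [string]   $GlobalPolicy = 'Global'  # assumed last-resort fallback
    )
    # 1. A direct assignment overrides every group assignment
    if ($DirectPolicy) {
        return [pscustomobject]@{ PolicyName = $DirectPolicy; Source = 'Direct' }
    }
    # 2. Among the user's groups, the assignment with the lowest rank number
    #    (rank 1 = highest) wins
    $winner = $GroupAssignments |
        Where-Object { $MemberOf -contains $_.GroupId } |
        Sort-Object -Property Rank |
        Select-Object -First 1
    if ($winner) {
        return [pscustomobject]@{
            PolicyName = $winner.PolicyName
            Source     = "Group $($winner.GroupId), rank $($winner.Rank)"
        }
    }
    # 3. No direct or group assignment applies
    [pscustomobject]@{ PolicyName = $GlobalPolicy; Source = 'Global' }
}

# Constructed data: two group assignments of the same policy type
$assignments = @(
    [pscustomobject]@{ GroupId = 'grp-recorded-users'; PolicyName = 'MiaRecRecording'; Rank = 2 }
    [pscustomobject]@{ GroupId = 'grp-pilot';          PolicyName = 'PilotRecording';  Rank = 1 }
)

# User in both groups: the rank 1 assignment decides the outcome
Resolve-EffectiveRecordingPolicy -MemberOf 'grp-recorded-users', 'grp-pilot' -GroupAssignments $assignments

# User only in the dedicated group
Resolve-EffectiveRecordingPolicy -MemberOf 'grp-recorded-users' -GroupAssignments $assignments

# User with a direct assignment, regardless of group membership
Resolve-EffectiveRecordingPolicy -DirectPolicy 'MiaRecRecording' -MemberOf 'grp-pilot' -GroupAssignments $assignments
```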
Time for changes to propagate
Once a group policy assignment is created, the policy assignment will be propagated to the members of the group, including users that are added to the group after the assignment was created. Propagation time of the initial policy assignments to members of the group varies based on the number of users in the group. Propagation time for subsequent group membership changes also varies based on the number of users being added or removed from the group. For large groups, propagation to all members may take 24 hours or more. When using group policy assignment, the recommended maximum group membership size is 50,000 users per group.
How to update group policy?
Microsoft Teams doesn't provide a PowerShell command for updating a group policy assignment.
If you need to change, for example, the rank in the group policy assignment, you need to remove the assignment (with the Remove-CsGroupPolicyAssignment command) and then re-create it.
Option 3. Enable recording for individual users
You can assign a recording policy to individual users (documentation).
# Replace USER_EMAIL_ADDRESS with user's email
Grant-CsTeamsComplianceRecordingPolicy `
-PolicyName $PolicyName `
-Identity "USER_EMAIL_ADDRESS"
Review Microsoft Teams configuration
List all application instances
The following command will show all the registered applications in your Teams account (documentation).
Get-CsOnlineApplicationInstance
List all Compliance Recording Policies
Get-CsTeamsComplianceRecordingPolicy
The global recording policy, if enabled, will be shown at the top of the output.
List all recording applications associated with policies
Get-CsTeamsComplianceRecordingApplication
List all users with the directly assigned recording policy
To list all users that have been assigned any Compliance Recording Policy, run:
Get-CsOnlineUser `
| Where-Object {$_.TeamsComplianceRecordingPolicy -ne $Null} `
| ft UserPrincipalName,TeamsComplianceRecordingPolicy
To list all users that have been assigned a certain Compliance Recording Policy, run:
# Set your policy name below
$PolicyName = "MiaRecRecording"
Get-CsOnlineUser `
| Where-Object {$_.TeamsComplianceRecordingPolicy -eq $PolicyName} `
| ft UserPrincipalName,TeamsComplianceRecordingPolicy
List all groups with the assigned recording policy
To list all groups that have been assigned any recording policy, run the command:
Get-CsGroupPolicyAssignment -PolicyType TeamsComplianceRecordingPolicy
Note
The Get-CsGroupPolicyAssignment cmdlet shows the Group ID instead of a human-friendly Group Name or UPN.
To find the name for a group ID, you need to use the AzureAD PowerShell module.
Install it and connect to Azure AD with:
Install-Module AzureAD
Import-Module AzureAD
Connect-AzureAD
Then, you can list all groups with the command:
Get-AzureADGroup
Or, you can see the details of an individual group by its ID:
Get-AzureADGroup -ObjectId YOUR_GROUP_ID
List both direct and group policies assigned to user
To list all policies assigned to individual users, either directly or indirectly via group policy, run:
Get-CsUserPolicyAssignment -Identity "USER_EMAIL_ADDRESS" `
| select -ExpandProperty PolicySource