Setting Up the New Microsoft Teams Add-on for Splunk

What is the Microsoft Teams Add-on for Splunk?

Microsoft Teams Add-on for Splunk is an add-on that makes it easy to get Microsoft Teams call record data into Splunk. Microsoft provides Teams call record data via the Microsoft Graph API, and this add-on periodically retrieves this data to be ingested into Splunk. Teams call record data not only includes basic information such as the meeting participants, the devices used, and the duration of the call, but it also includes call quality data, such as data related to audio and video jitters that may have occurred. Prompted by Microsoft’s update to their API, this add-on also underwent a major update (version 2.0.0) and was released on Splunkbase in March 2025 by our Partner Field CTO Jason Conger.

Key Changes after the Add-on’s Major Update

The key changes to the add-on after its major update to version 2.0.0 are as follows:

1. The add-on has a simpler initial setup
2. The number of API permissions that must be granted to the add-on via Microsoft Entra ID is reduced
3. Historical call record data can be retrieved

With the previous versions of the add-on, multiple components had to be configured and tested for the add-on to work properly. Components included a subscription object that defined the settings for receiving call record headers, a specialized webhook that actually handled the reception of call record headers, and a REST client that retrieved the full Teams call record data. Now with the add-on’s major update, these components have been consolidated into a single component, making the initial setup much easier.

Furthermore, the reduction of components led to the reduction of API permissions that this add-on needs; now it only needs 1 API permission to be granted on the Microsoft Entra ID side for the add-on to retrieve Teams call record data.

Improvements to the add-on’s capability has also been made with this major update. Now, the add-on can retrieve historical call record data by looking back in time up to 30 days.

Setup Instructions for Microsoft Teams Add-on for Splunk

Before you begin setting up the actual add-on in Splunk, there are a few things you need to do on the Microsoft Azure portal. First, register the add-on as an application in Microsoft Entra ID. When it’s successfully registered, the Application ID (aka Client ID) and the Directory ID (aka Tenant ID) will be displayed. Keep them handy since you will need them later. Also, generate a client secret for the application: you will need its value later as well.

Note: The value of the client secret is displayed only immediately after the client secret is generated, so if you left for another page before copying down the value, you’ll need to generate another client secret. Also note that the value of the client secret is not the string listed under “Secret ID”, but it is the string listed under “Value”.

Once you have generated the client secret, grant the following Microsoft Graph permission to your created application:

• (Application permissions) CallRecords.Read.All

Note: After adding the API permission, an administrator’s consent is required to grant access to the application.

Now we will move over to the Splunk environment. Follow the steps below to set up the add-on:

1. Install the Microsoft Teams Add-on for Splunk in your Splunk environment
   
2. Open the Add-on. On the [Configuration] page, select the [Account] tab and click [Add]
   
3. Fill out the “Add Account” form and click [Add]
   
   Description of fields in the form
   • Account name: The name for this account object. It can be any unique value
   • Client ID: The Application ID (aka Client ID) which was displayed when the application was registered in Microsoft Entra ID
   • Client Secret: The value of the client secret which was displayed when the client secret was generated
4. On the [Inputs] page, click [Create New Input] > [Teams Call Record (New)]
   Note: Make sure NOT to select a similar option [Create New Input] > [Teams Call Record (Deprecated)]
   
5. Fill out the “Add Teams Call Record (New)” form and click [Add]
   
   Description of fields in the form
   • Name: The name for this component. It can be any unique value
   • Interval: The frequency at which the add-on checks for new Teams calls (unit: seconds)
   • Index: The index where Teams call record data will be stored (If necessary, create a new index in advance)
   • Global Account: The account object to be used for Microsoft Graph API (Select the account object created in Step 3)
   • Tenant ID: The Directory ID (aka Tenant ID) which was displayed when the application was registered in Microsoft Entra ID
   • Environment: The type of Microsoft 365 environment used
   • Exclude Null Values: Option to exclude null values for indexing (Check this box if you do not want Splunk to index fields with null values)
   • Start Date: The date and time at which you want to start retrieving historical call record data (If no value is specified, the add-on will begin retrieving historical data 7 days in the past. You can specify to retrieve up to 30 days in the past)
   • Endpoint: The type of Microsoft Graph API endpoint

This completes the initial setup! If you are retrieving historical call record data, search your index to confirm that Teams call record data were ingested into Splunk.

Sample SPL if you specified the default index (main) as the destination index for your Teams call record data

Unset
index=main sourcetype="m365:teams:callRecord"

Troubleshooting Tips

If you do not see your Teams call record data ingested into Splunk, check the internal logs to see if there are any errors or warnings thrown by the add-on.

Sample SPL to search internal logs for errors or warnings related to the add-on

Unset
index=_internal sourcetype="*teams*" (log_level=ERROR OR log_level=WARN)

A common error message that users may see is: “_Splunk_ Could not get access token”. This suggests that at least one of the values for Client ID, Client Secret, Tenant ID, or Environment is invalid. Double check your account object and your Teams Call Record input to make sure that the values provided are correct.

Last Remarks

The new Microsoft Teams Add-on for Splunk automates the periodic retrieval of Teams call record data from Microsoft Graph API, greatly simplifying the process of getting data in. Once the data is ingested into Splunk, not only is it readily available for analysis, but when used with the Microsoft 365 App for Splunk, it can be visualized on prebuilt dashboards right out of the box. Happy Splunking!