I recently installed/configured the Microsoft Teams Add-on in an attempt to ingest call logs and meeting info from Microsoft Teams. I have run into an issue I was hoping someone could help with or shed some light on.
Add-On Version: 1.02
Splunk Version: 7.3.4
App is installed on a HF.
I have followed the instructions on the setup and have the Subscription, User Reports, Call Reports and Webhook all set up in the inputs section of the app. It appears, though, that the only thing working is the User Reports. I have granted all of the required permissions in Teams\Azure per the documentation.
The _internal logs don't give a whole lot of information indicating what the issue might be even with DEBUG logging enabled for the app.
The only thing I am seeing in the logs indicating an issue was this:
127.0.0.1 - splunk-system-user [30/Jun/2020:09:05:36.213 -0500] "GET /servicesNS/nobody/TA_MS_Teams/properties/TA_MS_Teams HTTP/1.1" 404 144 - - - 0ms
2020-06-30 09:25:43,189 ERROR pid=107176 tid=MainThread file=base_modinput.py:log_error:309 | Could not create subscription: 400 Client Error: Bad Request for url: https://graph.microsoft.com/beta/subscriptions
The documentation also mentions a webhook which I am a little confused as to where that webhook resides. Is it in Teams itself or where the app is installed? It seems like the webhook is in the app on the HF based on how the documentation reads?
Any help would be greatly appreciated.
Having literally just gone through this, I'll try to help! What was broken for me (and giving the same headache) sounds like exactly what you're seeing.
If you're getting user reports then your app is correct and the permissions are correct. What is broken is either your subscription, webhook, or CDR. For me, it was the webhook/subscription because they both are interconnected.
First, the Webhook. The webhook has to live on the HF where the Add-on is installed. The port you give it must be accessible from the public internet (because that's how Teams works) and MUST be SSL. Otherwise nothing will work. Easiest way to test is to go to the public IP address (from something on the internet) and test https://<webhookName>:<portdefined> and you should get:
My config looks like this:
When I got my webhook URL (via https, hostname, port) I get a success.
Once that's done, you configure the Subscription to reference the correct webhook URL.
After that, data should start flowing.
Hope this helps, hit me up if you need more help with it!
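A scripted version of the reachability test described in the answer above, as an added example that is not part of the original thread or the add-on's code. When a subscription is created, Microsoft Graph POSTs a `validationToken` query parameter to the notification URL and expects a 200 `text/plain` reply echoing the token; the script assumes the add-on's webhook input is what answers that request, and the token value is constructed.

```python
import socket, ssl, sys
import urllib.error, urllib.parse, urllib.request

def check_url_shape(url):
    """Problems visible in the URL itself, before any network traffic."""
    p = urllib.parse.urlsplit(url)
    problems = []
    if p.scheme != "https":
        problems.append("scheme is not https")
    if not p.hostname:
        problems.append("no hostname")
    return problems

def judge_validation_reply(status, content_type, body, token):
    """Graph expects 200, text/plain and the token echoed back as the body."""
    problems = []
    if status != 200:
        problems.append(f"status {status}, expected 200")
    if not content_type.lower().startswith("text/plain"):
        problems.append(f"content type {content_type!r}, expected text/plain")
    if body.strip() != token:
        problems.append("validation token not echoed in body")
    return problems

def probe(url, token="constructed-test-token", timeout=10):
    """Return a list of problems; an empty list means the endpoint looks usable."""
    problems = check_url_shape(url)
    if problems:
        return problems
    p = urllib.parse.urlsplit(url)
    ctx = ssl.create_default_context()  # verifies chain and hostname (system trust store)
    try:
        with socket.create_connection((p.hostname, p.port or 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=p.hostname):
                pass  # handshake succeeded: certificate is trusted and matches the name
    except OSError as exc:  # includes ssl.SSLError and timeouts
        return [f"TLS connection failed: {exc}"]
    sep = "&" if p.query else "?"
    target = f"{url}{sep}validationToken={urllib.parse.quote(token)}"
    req = urllib.request.Request(target, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read().decode("utf-8", "replace")
            return judge_validation_reply(resp.status, resp.headers.get("Content-Type", ""), body, token)
    except urllib.error.HTTPError as exc:
        return [f"status {exc.code}, expected 200"]
    except OSError as exc:
        return [f"request failed: {exc}"]

if __name__ == "__main__":
    print(probe(sys.argv[1]) or "OK")
```

Run it from a host outside your network with the same webhook URL you put in the Subscription input, since the port has to be reachable from the public internet.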
Thanks for the super helpful information! Definitely puts me on the right path and kinda confirmed my suspicions.
So you used a cert from an external party and NAT'ed that hostname at your FW?