← Overview

Microsoft 365 setup · technical

Technical setup

Everything your administrator needs — the recommended one-tool path, the full permission list, and a manual click-through with identical results.

Global Administratorsingle tenantread-only~20 min + propagation

Before you start

A two-minute readiness check so nothing blocks you midway.

Who runs it
A Global Administrator — or someone with both Application Administrator and Teams Administrator roles.
Time
About 20 minutes of active work, plus up to ~30 minutes of Microsoft propagation you don’t have to wait at your desk for.
Have ready
A Microsoft 365 tenant with Teams, and at least one licensed user whose meetings you want captured for the pilot.
Cost
None on the Microsoft side — the transcript APIs are not metered.

The recommended path — one tool

A single audited script performs the technical steps and prints everything it does. Prefer to click through it? See the manual appendix below.

The easiest way is Azure Cloud Shell, which runs in your browser as you, with nothing to install. Open shell.azure.com, choose PowerShell, and run the command your Trace contact provides:

.\trace-tenant-onboard.ps1 -PolicyUsers alice@yourfirm.com -TestUser alice@yourfirm.com -EnableTranscription

Replace the email with the person whose meetings you want captured first (you can add more later). The optional -EnableTranscription flag turns transcription on in the same run, so there is no separate step for it. The script will:

  • ask you to sign in twice — once for Microsoft Graph, once for Teams (both as your admin account);
  • create the app Trace Evidence Engine (Pilot), request the permissions below, and record your admin consent;
  • set the access policy naming the people you listed, and turn on transcription if you asked;
  • finish with a self-test that confirms it can obtain a token.

Nothing hidden

The script only configures access — it never reads a meeting, calendar, or file. Every grant is visible afterwards under App registrations and Enterprise applications in the Entra admin center, and every one is reversible. It is idempotent — safe to re-run.

One normal quirk

The “whose meetings” policy can take up to ~30 minutes to spread across Microsoft’s systems. If the closing self-test shows a permission warning right after running, that’s expected — it clears itself shortly.

Send three values back to Trace

The script prints these; copy them into whatever secure channel you and your Trace contact agreed (a password-manager share, or two channels — IDs by email, secret by phone):

  • Directory (tenant) ID
  • Application (client) ID
  • Client secret — a one-time password for the app you created

About the secret

It only unlocks the app registration inside your own directory — an app whose reach you have already capped to named meetings. You can revoke or roll it at any moment from the app’s Certificates & secrets page, and that instantly cuts Trace off.

That’s the last thing needed from you. Trace stores those values securely, points the service at your tenant, runs the same checklist end to end, and arms capture for a single test meeting. You’ll be told when it’s live.

Every permission, in plain terms

The complete list the script requests — nothing is requested that isn't here.

PermissionWhat it lets Trace doWhat it does not allow
OnlineMeetingTranscript.Read.AllRead meeting transcriptsRead the text of Teams meetings — only for the people named in your access policy.No meetings outside your list; nothing at all if transcription wasn't turned on.
OnlineMeetingRecording.Read.AllSee recording metadataKnow that a cloud recording exists, to link it to the right meeting.Does not pull the recording's audio or video content.
Calendars.ReadRead meeting titles & timesMatch each transcript to its meeting so it's filed correctly.Not used to mine calendars; can be limited to the same named users on request.
Sites.SelectedSharePoint — off by defaultNothing yet — the ability to be granted one named site later, if you choose.Zero SharePoint access until you explicitly grant a specific site.
openid · profile · emailSign in with MicrosoftLet your people sign in to Trace with their Microsoft account.Identity only — no access to any content.

Explicitly not requested: email/mailbox access, Teams chat messages, directory export, or any write permission. Trace cannot create, modify, delete, or send anything in your tenant.

The manual click-path

For security teams that would rather click through it than run a script. The result and safeguards are identical.

1 · Register the application

entra.microsoft.comIdentity → Applications → App registrations → + New registration. Name it Trace Evidence Engine (Pilot); set account types to this organizational directory only; leave the redirect URI blank. Register. On the Overview page, copy the Application (client) ID and Directory (tenant) ID.

2 · Create a client secret

In the app → Certificates & secrets → + New client secret. Description trace-pilot, expiry 180 days or 12 months. Copy the Value immediately (not “Secret ID”) — it’s shown only once.

3 · Add the permissions and grant consent

In the app → API permissions → + Add a permission → Microsoft Graph → Application permissions. Tick OnlineMeetingTranscript.Read.All, OnlineMeetingRecording.Read.All, Sites.Selected, Calendars.Read → Add permissions. Then Grant admin consent so all four rows show a green check.

4 · Allow transcript reading (Teams access policy)

In PowerShell, replacing <CLIENT-ID>:

Install-Module -Name MicrosoftTeams -Scope CurrentUser
Connect-MicrosoftTeams
New-CsApplicationAccessPolicy -Identity "Trace-Transcript-Access" `
  -AppIds "<CLIENT-ID>" -Description "Trace transcript access (pilot)"
Grant-CsApplicationAccessPolicy -PolicyName "Trace-Transcript-Access" `
  -Identity alice@yourfirm.com

Use -Global instead of -Identity to apply tenant-wide. Only meetings organized by covered users are readable. Allow up to ~30 minutes to propagate.

5 · Turn on meeting transcription

admin.teams.microsoft.comMeetings → Meeting policies → Global → set Transcription = On → Save. If your named users are on a custom meeting policy, enable it there too.

6 · (Optional) Sign in with Microsoft

Reuse the same app: Authentication → + Add a platform → Web, redirect URI https://vthvmgwuzgqqyxwutyky.supabase.co/auth/v1/callback; then API permissions → Microsoft Graph → Delegated permissionsopenid, profile, email → Grant admin consent. Then hand back the three values from steps 1–2.

How to undo everything

Any one of these cuts Trace's access immediately — you never have to call us to turn it off.

Fastest
In Enterprise applications, disable Trace Evidence Engine (Pilot) or delete its permission grants.
Scope only
Remove people from the Teams access policy — capture stops for them, keeps working for anyone still listed.
At the source
Turn Teams transcription off — no transcripts are produced, so there’s nothing to read.
The key
Roll or delete the client secret — the connection dies within the hour, and the secret self-destructs at its expiry date regardless.

Where your data goes

Trace reads transcripts with a top-tier AI model under a strict Zero-Data-Retention arrangement: your content is never used to train any model and is not retained by the AI provider. The evidence base is stored in Canada. Every finding Trace surfaces keeps the speaker’s exact words and a link back to the source, so it is auditable.

Questions your team may ask

Can Trace read every meeting in our organization?+
No. Even though the permission is org-wide in name, the Teams access policy you set is the real limit — Trace can only read meetings organized by the specific people you list.
Is our data used to train AI, and where is it stored?+
Never used for training, not retained by the AI provider (Zero-Data-Retention); the evidence base is stored in Canada.
Whose directory does the app live in?+
Yours. The app registration is created in your own Microsoft 365 tenant, so every switch, grant, and audit trail sits with your administrators.

← Back to the overview·Sign in