Microsoft 365 setup · technical
Everything your administrator needs — the recommended one-tool path, the full permission list, and a manual click-through with identical results.
A two-minute readiness check so nothing blocks you midway.
A single audited script performs the technical steps and prints everything it does. Prefer to click through it? See the manual appendix below.
The easiest way is Azure Cloud Shell, which runs in your browser as you, with nothing to install. Open shell.azure.com, choose PowerShell, and run the command your Trace contact provides:
.\trace-tenant-onboard.ps1 -PolicyUsers alice@yourfirm.com -TestUser alice@yourfirm.com -EnableTranscriptionReplace the email with the person whose meetings you want captured first (you can add more later). The optional -EnableTranscription flag turns transcription on in the same run, so there is no separate step for it. The script will:
Trace Evidence Engine (Pilot), request the permissions below, and record your admin consent;Nothing hidden
One normal quirk
The script prints these; copy them into whatever secure channel you and your Trace contact agreed (a password-manager share, or two channels — IDs by email, secret by phone):
About the secret
That’s the last thing needed from you. Trace stores those values securely, points the service at your tenant, runs the same checklist end to end, and arms capture for a single test meeting. You’ll be told when it’s live.
The complete list the script requests — nothing is requested that isn't here.
| Permission | What it lets Trace do | What it does not allow |
|---|---|---|
| OnlineMeetingTranscript.Read.AllRead meeting transcripts | Read the text of Teams meetings — only for the people named in your access policy. | No meetings outside your list; nothing at all if transcription wasn't turned on. |
| OnlineMeetingRecording.Read.AllSee recording metadata | Know that a cloud recording exists, to link it to the right meeting. | Does not pull the recording's audio or video content. |
| Calendars.ReadRead meeting titles & times | Match each transcript to its meeting so it's filed correctly. | Not used to mine calendars; can be limited to the same named users on request. |
| Sites.SelectedSharePoint — off by default | Nothing yet — the ability to be granted one named site later, if you choose. | Zero SharePoint access until you explicitly grant a specific site. |
| openid · profile · emailSign in with Microsoft | Let your people sign in to Trace with their Microsoft account. | Identity only — no access to any content. |
Explicitly not requested: email/mailbox access, Teams chat messages, directory export, or any write permission. Trace cannot create, modify, delete, or send anything in your tenant.
For security teams that would rather click through it than run a script. The result and safeguards are identical.
entra.microsoft.com → Identity → Applications → App registrations → + New registration. Name it Trace Evidence Engine (Pilot); set account types to this organizational directory only; leave the redirect URI blank. Register. On the Overview page, copy the Application (client) ID and Directory (tenant) ID.
In the app → Certificates & secrets → + New client secret. Description trace-pilot, expiry 180 days or 12 months. Copy the Value immediately (not “Secret ID”) — it’s shown only once.
In the app → API permissions → + Add a permission → Microsoft Graph → Application permissions. Tick OnlineMeetingTranscript.Read.All, OnlineMeetingRecording.Read.All, Sites.Selected, Calendars.Read → Add permissions. Then Grant admin consent so all four rows show a green check.
In PowerShell, replacing <CLIENT-ID>:
Install-Module -Name MicrosoftTeams -Scope CurrentUser
Connect-MicrosoftTeams
New-CsApplicationAccessPolicy -Identity "Trace-Transcript-Access" `
-AppIds "<CLIENT-ID>" -Description "Trace transcript access (pilot)"
Grant-CsApplicationAccessPolicy -PolicyName "Trace-Transcript-Access" `
-Identity alice@yourfirm.comUse -Global instead of -Identity to apply tenant-wide. Only meetings organized by covered users are readable. Allow up to ~30 minutes to propagate.
admin.teams.microsoft.com → Meetings → Meeting policies → Global → set Transcription = On → Save. If your named users are on a custom meeting policy, enable it there too.
Reuse the same app: Authentication → + Add a platform → Web, redirect URI https://vthvmgwuzgqqyxwutyky.supabase.co/auth/v1/callback; then API permissions → Microsoft Graph → Delegated permissions → openid, profile, email → Grant admin consent. Then hand back the three values from steps 1–2.
Any one of these cuts Trace's access immediately — you never have to call us to turn it off.
Trace reads transcripts with a top-tier AI model under a strict Zero-Data-Retention arrangement: your content is never used to train any model and is not retained by the AI provider. The evidence base is stored in Canada. Every finding Trace surfaces keeps the speaker’s exact words and a link back to the source, so it is auditable.