Description
Veritas Alta™ SaaS Protection (ASP) now supports protecting Teams messages from user chats and channel conversations using Microsoft Graph Export API for Teams.
Microsoft no longer supports the earlier method of using EWS API to access Teams data from mailboxes. Once the EWS API access to Teams data is blocked, you would see errors like ErrorItemNotFound during backup and connectors won't be able to backup Teams chats using EWS API thereafter.
An email notification was sent to ASP customers on or about Friday 2023-03-31 with subject "Microsoft Changes Affecting Teams Chat Connectors - Update & Action Required " advising of this change:
Microsoft Changes Affecting Teams Chat Connectors - Update & Action Required This communication is an update to Veritas approach for handling the changes that Microsoft are introducing to the licensing model for their MS Teams APIs that will impact customers’ costs when using Veritas AltaTM SaaS Protection. What are the changes Microsoft is introducing?Microsoft is stopping access to an existing API (application programming interface) used to access data from MS Teams. If third-party SaaS backup vendors like Veritas want to support MS Teams data, they must transition to and use Microsoft’s new Teams Export API. The deadline for moving to the new API was the end of January 2023; however, Microsoft has provided an extension to Veritas until the end of March 2023. At the same time, Microsoft is introducing new license charges that will enable Microsoft to monetize the use of the new API and for Veritas Alta SaaS Protection its charge is the following:
What is the effect for Veritas Alta SaaS Protection for existing customers?These new charges are not imposed by Veritas; they are Microsoft charges that will be incurred directly by the end-user when using the Veritas tools to access MS Teams data and passed through customer’s Azure subscription. For a typical enterprise of 8,000 users on a M365, we estimate that the new Microsoft license charges from Microsoft will add approximately $13,000 on top of the typical monthly Azure costs for supporting a Veritas-hosted offering of M365. Please note the following advantages and requirements for using new Teams Export API:
What should you do at this point as an existing customer?Please review the KB article below to enable Teams Export API usage with Microsoft immediately. The process will include creating an app registration and acknowledging a consent form with Microsoft. The consent approval process typically takes 7 – 10 business days to approve by Microsoft. Link to KB article: Who do I contact at Microsoft about concerns with this?Veritas is working with Microsoft to provide a contact and/or forum to raise concerns about this charge by Microsoft. However, this could take some time, so in the interim please reach out to your Microsoft rep directly for questions and concerns. |
Here is a Microsoft site listing the costs: Payment models and licensing requirements for Microsoft Teams APIs
The following are the steps to configure Teams chat connector to make use of Export API:
Application registration
- Register an Azure AD application in the tenant to be protected with the following set of permissions. Refer 100055529 for more details.
Application permissions |
Microsoft Graph |
|
Directory.Read.All |
|
Chat.Read.All |
|
ChatMember.Read.All |
|
ChannelMessage.Read.All |
|
ChannelMember.Read.All |
|
TeamMember.Read.All |
- Note down the application Id, tenant Id, client secret for the application registered in previous step.
Protected API Access
As Teams Export APIs are considered protected APIs because of the sensitive nature of the data they access, Microsoft requires users of these APIs to submit form to request access to protected APIs.
The protected APIs request form can be submitted at https://aka.ms/teamsgraph/requestaccess.
Following are the fields that need to be filled in before submitting the request:
1. Your email address and any others you want to list as an owner (semicolon separated):
Email address of person submitting the request or/and email address of persons to be listed as owners.
2. Publisher name:
Veritas Technologies LLC
3. Application name:
Veritas Alta™ SaaS Protection
4. Application ID(s) to enable permissions/subscription for (GUID, semicolon separated):
Enter the ID of the application registered in earlier steps.
5. Which category best describes your application (select one):
Select “Backup/restore” option.
6. Why does your application need read access to all messages in the tenant?
To create a backup copy of messages.
7. Data retention (select one):
Select “It is obvious to any admin installing this app that it will make a copy of Microsoft Teams messages.”
8. What are the tenant ID's where your application needs to run?
Enter the tenant ID noted earlier while registering application. This will be the tenant from where Teams messages will be read.
9. Does your organization own all those tenants?
Select Yes.
10. May we contact you about your app's use of non-protected APIs?
Select Yes.
11. I have read and agree to the Terms and Conditions for Licensing and payment requirements that apply to these APIs (Service Specific Terms in the link below).
Select Yes.
- Click Submit.
- Save/print a copy of request form for your reference.
- Microsoft takes 7-10 days to review and approve protected APIs access requests.
- Once the requests are approved, you will be notified by Microsoft over email.
Associating Azure AD application with Azure Subscription
Export API is a metered API, so any applications calling this API will be charged. To enable an application to use metered APIs and services in Microsoft Graph, it must be associated with an Azure subscription. Once you register an Azure AD application to invoke Export API as per the steps mentioned above, please link the application with an Azure subscription.
Follow these steps to link the application with your Azure subscription. The API usage will be billed to this subscription.
Configuring the Teams chat connector to use Export API
For Existing Teams chat connector:
- On the connector configuration page in Connector Service UI, select Advanced tab.
- Check the “Use Export API” option.
- In the Microsoft Graph Authentication tab, set the Graph API authentication mode to “Modern/OAuth”.
- Enter the tenant ID, client ID and client secret.
- Click Ok to save the configuration changes.
- If you do not have access to connector configuration, work with Veritas support to update the connector configuration.
- Once the configuration is saved, the connector will start using Teams Export API for reading Teams messages.
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.