AGI Meeting Assistant Architecture and Security
Assistant components
UI Component of the Virtual Assistant
Meeting Content page
A page in the portal showing all videos and transcripts of meetings, and the status of their insights, such as tasks, summary and sentiments:
A meeting can have either:
Video without transcript
Video with Transcript
Transcript without video
Each meeting has only 1 Transcript file and can have multiple videos.
If there are multiple videos and 1 transcript, the same transcript is shown for all videos.
In this page, each line is either a video or a transcript. When a line is a video, the AI attributes are not relevant and are shown as NULL (empty).
Meeting Assistant App
A page showing a list of meetings with the number of tasks in each meeting and a link to the Assistant insights page.
This page is used by both Monday widget and Teams Meeting app and has a separate site (separate from the portal) hosting it.
It is managed here in Asana https://app.asana.com/0/1202413461416060/list
The App location is:
\\fs\Build Versions\Test\MeetingAssistantApp
The Meeting Assistant App includes an API that exposes a list of meetings per user and the tasks in each meeting.
The Assistant App can be published as a widget on Monday (in an iFrame) or as a Teams app (in a tab).
In Teams it will appear like this:
In monday.com it will appear like this:
Meeting Assistant insights page
A page in the Portal that is used to show all the insights of a meeting.
Monday Widget
The widget is configured in a dashboard showing the Meeting Assistant App.
The widget shows the page in an iFrame.
See here for info on how to configure it: https://agatsoftware.atlassian.net/wiki/spaces/SKYP/pages/2574417978/Monday.com+integration
Teams meeting assistant Azure app
In MS Teams there is a meeting assistant application that can be added by an admin to all users. It shows the Meeting Assistant App in a tab.
This app is managed in the Teams admin center.
It is defined using a config file which is managed as part of the code of the Assistant App and is located here: \\fs\Build Versions\Test\MeetingAssistantApp\Teams App Manifests
In addition, there is an Azure app that is responsible for passing authentication between Teams client and Teams Meeting assistant app. The Azure app name is Meeting Assistant Authentication app.
The Azure app has the following permissions:
Smart Text engine - how it works
Task detection flow using Smart Text analyser
The Assistant has a configuration file setting phrases / words to trigger insights such as Tasks, Summary, Agenda and more.
The config includes 3 levels of confidence:
High - open triggers that indicate someone is speaking to the Assistant, such as “OK Agi” or “Agi please”. These are defined in the Open triggers section of the config.
Medium - words that most likely indicate insights, such as “Create a task” or “Create a summary”.
Low - words that might imply insights.
When the system detects a High-level open trigger, it also includes all lower-level words to understand what the insight / action item is.
When a sensitivity level is set in the portal, the system only checks for the level set and above. For example, if it is set to High, only phrases starting with an open trigger are detected.
If close triggers are found, the system marks the confidence level as higher than for an open trigger alone.
Dataflow
Once the service has identified a new meeting that needs to be analyzed, it will download the recording into the database.
The Assistant Business Logic will then send the transcript for inspection.
Detailed
Security
Authentication to the portal uses the Azure OAuth token, which prompts an MS authentication window.
In general, only the admin should have access to the portal.
You can also allow specific groups to access specific reports/sections of the portal if needed.
Authenticating into the Meeting Assistant App is done by Single Sign On (SSO).
The server receives the user's JWT token from the client-provider. In our case, the client-provider can be Microsoft Teams or monday.com. The JWT token is passed to our web services in the Authentication header through an SSL connection. On the server side, we verify the signature of the user's JWT token with a key of Microsoft Teams/monday.com and validate claims such as audience and tenant id. We return the result for this user only if the validation succeeds.
This authentication method protects our web services from unwanted access.
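The server-side check described above, as an added example (not AGAT's code): the signature is verified against a provider key first, and the audience, tenant id and expiry claims are checked only afterwards. It assumes RS256 tokens with a `kid` header and the `aud`/`tid`/`exp` claim names used in Microsoft-issued tokens; the function names, the `keys` mapping and the key itself are constructed for the demo.

```python
import base64, hashlib, json, time

SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo, RFC 8017

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def encoded_digest(msg, n):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg), as an integer
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    pad = b"\xff" * ((n.bit_length() + 7) // 8 - len(t) - 3)
    return int.from_bytes(b"\x00\x01" + pad + b"\x00" + t, "big")

def validate_token(token, keys, audience, tenant_id, now=None):
    """Return the claims only if signature and claims check out; else raise ValueError."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64d(h64)), json.loads(b64d(p64))
        sig = int.from_bytes(b64d(s64), "big")
        alg, kid = header["alg"], str(header["kid"])
        exp, aud, tid = claims.get("exp"), claims.get("aud"), claims.get("tid")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if alg != "RS256":        # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    if kid not in keys:       # only keys published by the provider are accepted
        raise ValueError("unknown signing key")
    n, e = keys[kid]
    # Re-encode the expected digest and compare, rather than parsing the padding.
    if sig >= n or pow(sig, e, n) != encoded_digest(f"{h64}.{p64}".encode(), n):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    if aud != audience:       # token was issued for a different application
        raise ValueError("wrong audience")
    if tid != tenant_id:      # token belongs to a different tenant
        raise ValueError("wrong tenant")
    return claims

# Constructed test key built from two Mersenne primes: insecure, for the demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def sign_test_token(claims, kid="demo-key"):
    h64 = b64e(json.dumps({"alg": "RS256", "kid": kid}).encode())
    p64 = b64e(json.dumps(claims).encode())
    em = encoded_digest(f"{h64}.{p64}".encode(), N)
    return f"{h64}.{p64}." + b64e(pow(em, D, N).to_bytes((N.bit_length() + 7) // 8, "big"))
```

A token whose payload is edited after signing, or whose header asks for `alg: none`, is rejected before any claim is read.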
In the following image, you can see how our SSO works on Microsoft Teams:
Azure Assistant App Required Permissions
Production
The information below covers the permissions needed by our released Azure applications.
AGI for Meetings
This application retrieves meeting recordings and transcriptions from users' OneDrive drives.
This application does not apply to chat and channel messages.
API/Permissions Name | Type | Description | Admin Consent required | Explanation |
---|---|---|---|---|
Microsoft Graph | ||||
CallRecords.Read.All | Application | Read all call records | Yes | Allows the app to read call records for all calls and online meetings without a signed-in user. |
TeamsTab.Read.All | Application | Read tabs in Microsoft Teams. | Yes | Read the names and settings of tabs inside any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. |
TeamsTab.ReadWrite.All | Application | Read and write tabs in Microsoft Teams. | Yes | Read and write tabs in any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. |
TeamsTab.ReadWriteForChat.All | Application | Allow the Teams app to manage all tabs for all chats | Yes | Allows a Teams app to read, install, upgrade, and uninstall all tabs for any chat, without a signed-in user. |
TeamsTab.ReadWriteSelfForChat.All | Application | Allow the Teams app to manage only its own tabs for all chats | Yes | Allows a Teams app to read, install, upgrade, and uninstall its own tabs for any chat, without a signed-in user. |
User.Read | Delegated | Sign in and read user profile | No | Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information. |
User.Read.All | Application | Read all users' full profiles | Yes | Allows the app to read user profiles without a signed in user. |
Sites.Read.All | Application | | Yes | Allows the app to read the org site URL |
SharePoint | ||||
Sites.Read.All | Application | Read items in all site collections | Yes | Allows the app to read documents and list items in all site collections without a signed in user. |
AGI for Meetings + Chat
This application retrieves meeting recordings and transcriptions from users' OneDrive drives and chat and channel messages.
It can also send notifications when it has user credentials and create an insights tab in meeting chats.
API/Permissions Name | Type | Description | Admin Consent required | Explanation |
---|---|---|---|---|
Microsoft Graph | ||||
CallRecords.Read.All | Application | Read all call records | Yes | Allows the app to read call records for all calls and online meetings without a signed-in user. |
ChannelMessage.Read.All | Application | Read all channel messages | Yes | Allows the app to read all channel messages in Microsoft Teams |
Chat.Create | Application | Create chats | Yes | Allows the app to create chats without a signed-in user. |
Chat.ReadBasic.All | Application | Read names and members of all chat threads | Yes | Read names and members of all one-to-one and group chats in Microsoft Teams, without a signed-in user. |
Chat.ReadWrite.All | Application | Read and write all chat messages | Yes | Allows an app to read and write all chat messages in Microsoft Teams, without a signed-in user. |
ChatMessage.Read.All | Application | Read all chat messages | Yes | Allows the app to read all one-to-one and group chats messages in Microsoft Teams, without a signed-in user. |
Group.Read.All | Application | Read all groups | Yes | Allows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user. |
TeamsTab.Read.All | Application | Read tabs in Microsoft Teams. | Yes | Read the names and settings of tabs inside any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. |
TeamsTab.ReadWrite.All | Application | Read and write tabs in Microsoft Teams. | Yes | Read and write tabs in any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. |
TeamsTab.ReadWriteForChat.All | Application | Allow the Teams app to manage all tabs for all chats | Yes | Allows a Teams app to read, install, upgrade, and uninstall all tabs for any chat, without a signed-in user. |
TeamsTab.ReadWriteSelfForChat.All | Application | Allow the Teams app to manage only its own tabs for all chats | Yes | Allows a Teams app to read, install, upgrade, and uninstall its own tabs for any chat, without a signed-in user. |
User.Read | Delegated | Sign in and read user profile | No | Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information. |
User.Read.All | Application | Read all users' full profiles | Yes | Allows the app to read user profiles without a signed in user. |
Sites.Read.All | Application | | Yes | Allows the app to read the org site URL |
SharePoint | ||||
Sites.Read.All | Application | Read items in all site collections | Yes | Allows the app to read documents and list items in all site collections without a signed in user. |
AGAT CASB API - AGI for Meetings Minimal
For companies with compliance requirements, AGAT offers a solution requiring limited permissions, while still allowing use of the core functionality of AGI.
This application retrieves meeting recordings and transcriptions from users' OneDrive drives.
This application does not apply to chat and channel messages, which means tasks will not be identified by AGI based on your Teams' chat messages.
To restrict access to specific meetings that the user would like to analyze, the customer is required to define an “application user” (e.g. agi@yourCompany.com). Only meetings that were recorded and to which AGI was added by one of the participants will be analyzed.
API/Permissions Name | Type | Description | Admin Consent required | Explanation |
---|---|---|---|---|
Microsoft Graph | ||||
CallRecords.Read.All | Application | Read all call records | Yes | Allows the app to read call records for all calls and online meetings without a signed-in user. |
User.Read | Delegated | Sign in and read user profile | No | Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information. |
User.Read.All | Application | Read all users' full profiles | Yes | Allows the app to read user profiles without a signed in user. |
Sites.Read.All | Application | | Yes | Allows the app to read the org site URL |
SharePoint | ||||
Sites.Read.All | Application | Read items in all site collections | Yes | Allows the app to read documents and list items in all site collections without a signed in user. |
AGAT CASB API - Minimal AGI for Meetings
This application retrieves meeting recordings and transcriptions from users' OneDrive drives.
This application does not apply to chat and channel messages.
It is possible to configure a user for AGI and define that only meetings that AGI participated in will be processed.
API/Permissions Name | Type | Description | Admin Consent required | Explanation |
---|---|---|---|---|
Microsoft Graph | ||||
CallRecords.Read.All | Application | Read all call records | Yes | Allows the app to read call records for all calls and online meetings without a signed-in user. |
User.Read | Delegated | Sign in and read user profile | No | Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information. |
User.Read.All | Application | Read all users' full profiles | Yes | Allows the app to read user profiles without a signed in user. |
Sites.Read.All | Application | | Yes | Allows the app to read the org site URL |
SharePoint | ||||
Sites.Read.All | Application | Read items in all site collections | Yes | Allows the app to read documents and list items in all site collections without a signed in user. |
User Delegation solutions
The deployment options below assume AGI is added manually to every meeting the user would like to be inspected.
This approach gives the user control over which meetings should be analyzed and which should not be analyzed.
The apps below are Delegated, which means that the app only has access to the users that have installed it and not to the whole company.
Delegate (user-based) - Recordings+Transcripts Option
AGI will download both the recording and transcript for each meeting.
This app allows AGI to access only the meetings of users who have given consent to this app.
These apps are in the process of certification for the Microsoft Teams marketplace.
Permissions | Description | Type |
---|---|---|
User.Read | Reading user profile | Delegate |
AllSites.Read (SharePoint scope) | Reading user sites to download recording + transcript | Delegate |
Sites.Read.All | Reading user site URL | Delegate |
Delegate (user-based) - Transcripts Only Option
AGI will only download the transcript. The limitation of this solution is that you must invite AGI to the meeting in the calendar before it starts; you can't add her from inside the meeting after it has started.
This app allows AGI to access only the meetings of users who have given consent to this app.
Permissions | Description | Type |
---|---|---|
User.Read | Reading user profile | Delegate |
Calendars.Read | Reading user calendar (detecting events) | Delegate |
OnlineMeetingTranscript.Read.All | Download transcripts of the user | Delegate (Admin consent is required) |
OnlineMeetings.Read | Fetching meeting id to download transcript later | Delegate |