Thank you, Pete, this is very informative. Just FYI, I still had to manually update the TenantID in the playbook URI - for some reason it would not use the TenantId parameter and the connection recreated.
For the parser, some of the fields are not present, so the sample queries would fail. I guess one needs some records with different types of Teams events in order to update the schema? Examples: AddOnName_s, Name_s, OldValue_s, NewValue_s. If these are missing (as they are in our case), the adjusted TeamsData parser would be:
O365API_CL
| where Workload_s == "MicrosoftTeams"
| project TimeGenerated, Workload=Workload_s, Operation=Operation_s, TeamName=TeamName_s, UserId=UserId_s, Members=Members_s, Details=pack("Id", Id_g, "OrganizationId", OrganizationId_g, "UserType", UserType_d, "UserKey", UserKey_g, "TeamGuid", TeamGuid_s)
Also, for the benefit of other readers (I know that the playbook in the article was just a quick example), to avoid failed playbook runs when there are no records to be retrieved, the playbook can be adjusted with an "if" condition to check the length of the body of the first HTTP request (if larger than 0, then execute the rest of the actions: Parse JSON, the HTTP request for the actual records, and sending the data to Log Analytics).
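
For the missing-column problem with the parser described above, one alternative to removing the fields is a parser that tolerates their absence. This is an added example, not part of the comment or of the original article's parser; it uses the KQL column_ifexists() function, and the output names AddOnName, Name, OldValue and NewValue and their placement inside Details are assumptions.

```kusto
// Added example: TeamsData parser that keeps working while the custom table
// has not yet received every kind of Teams event.
// column_ifexists() returns the column when O365API_CL has it and the
// supplied default (an empty string here) when it does not, so the query
// no longer fails on an unresolved column name.
O365API_CL
| where Workload_s == "MicrosoftTeams"
| extend
    AddOnName = column_ifexists("AddOnName_s", ""),   // assumed output name
    Name      = column_ifexists("Name_s", ""),        // assumed output name
    OldValue  = column_ifexists("OldValue_s", ""),    // assumed output name
    NewValue  = column_ifexists("NewValue_s", "")     // assumed output name
| project
    TimeGenerated,
    Workload  = Workload_s,
    Operation = Operation_s,
    TeamName  = TeamName_s,
    UserId    = UserId_s,
    Members   = Members_s,
    Details   = pack(
        "Id", Id_g,
        "OrganizationId", OrganizationId_g,
        "UserType", UserType_d,
        "UserKey", UserKey_g,
        "TeamGuid", TeamGuid_s,
        // Placement of the optional fields in Details is an assumption.
        "AddOnName", AddOnName,
        "Name", Name,
        "OldValue", OldValue,
        "NewValue", NewValue)
```

Once events carrying these fields are ingested and the columns appear in the schema, the same parser returns their values without further changes.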