Forum Discussion
Zoom logs into Sentinel
Hi Analyst110, you're not alone—Zoom integration with Microsoft Sentinel via the native Zoom data connector has been problematic, especially around the Audio Conferencing Plan error, even for users who have active plans.
Let’s walk through a practical troubleshooting and setup guide that others in the community have used successfully, along with some critical gotchas.
Common Error: Account has not audio conference plan
What It Means
- Sentinel’s Zoom data connector script makes calls to all API endpoints, including ones like /metrics/zoomroom or /report/telephone.
- These endpoints are only accessible if your Zoom account has specific add-ons, like:
  - Audio Conferencing Plan
  - Zoom Rooms
  - Large Meetings or Webinars (in some templates)
Even if you do not need those logs, the default script calls them anyway, and fails the invocation.
How to Fix or Work Around It
Option 1: Edit the Azure Function to Skip Failing Calls
- Go into your Function App > ZoomFunctionApp > ZoomLogs > Code + Test
- Look for the block that pulls logs from /report/telephone or /metrics/zoomroom
Comment out or modify that section, e.g.:
# Skip audio logs if not needed or failing
# audio_logs = get_audio_logs(...)
# send_to_sentinel(audio_logs)
⚠️ You may need to clone the GitHub repo and redeploy it to fully customize this. Official repo: https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/Zoom
Option 2: Use the Community-Supported Version
Some users in GitHub issues and forums have created cleaned-up versions of the Zoom-Sentinel connector that:
- Remove unused API calls
- Add better error handling (try/catch around each API)
Reach out in this GitHub issue:
👉 Zoom Sentinel connector error tracking
Option 3: Check Zoom App Scopes
Make sure your Zoom app has scopes enabled for only the logs you care about (e.g., meeting:read:admin, recording:read:admin), and remove scopes for things like telephony:read:admin if you don’t have that service.
Retry Logic Tip
In the Azure Function logs:
- Look for entries like Zoom API request failed or status 403/404
- These can be benign if you're skipping unsupported services — adjust your ingestion logic accordingly.
Recommendation
Since you're blocked for 2 months, I highly recommend forking the Zoom connector repo, removing unsupported API calls, and redeploying. This has been the only consistently successful method reported by users dealing with the exact same issue.
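One way to write the per-endpoint error handling described in the answer above, as an added example that is not part of the original post or the connector's own code. The names `ZoomApiError`, `collect` and `fake_fetch` are hypothetical, `/report/daily` is an assumed always-available endpoint, and the responses are constructed sample data. Only 403/404 on the add-on endpoints named in the post is skipped; anything else still fails the invocation so a gap in log ingestion stays visible.

```python
import logging

log = logging.getLogger("zoom_ingest")

# Endpoints named in the post as requiring add-ons the account may lack.
ADDON_ENDPOINTS = {"/report/telephone", "/metrics/zoomroom"}
# Statuses the post describes as benign when a service is not licensed.
SKIPPABLE_STATUSES = {403, 404}
# "/report/daily" is an assumed core endpoint, used here only as sample input.
SAMPLE_ENDPOINTS = ["/report/daily", "/report/telephone"]


class ZoomApiError(Exception):
    """Hypothetical error type carrying the HTTP status of a failed call."""
    def __init__(self, endpoint, status, message=""):
        super().__init__(f"{endpoint}: HTTP {status} {message}")
        self.endpoint, self.status = endpoint, status


def collect(endpoints, fetch, send):
    """Pull each endpoint independently; skip only unlicensed add-ons.

    fetch(endpoint) returns a list of records or raises ZoomApiError.
    send(endpoint, records) forwards the records to the workspace.
    Returns (ingested_counts, skipped) so skips can be reported.
    """
    ingested, skipped = {}, {}
    for ep in endpoints:
        try:
            records = fetch(ep)
        except ZoomApiError as err:
            if ep in ADDON_ENDPOINTS and err.status in SKIPPABLE_STATUSES:
                log.warning("skipping %s: %s", ep, err)
                skipped[ep] = err.status
                continue
            # 401, 5xx, or any failure on a core endpoint means logs
            # are missing: re-raise so the invocation shows as failed.
            raise
        send(ep, records)
        ingested[ep] = len(records)
    return ingested, skipped


def fake_fetch(endpoint):
    """Constructed stand-in for the HTTP call; responses are sample data."""
    if endpoint == "/report/telephone":
        raise ZoomApiError(endpoint, 403, "Account has not audio conference plan")
    return [{"endpoint": endpoint, "id": 1}, {"endpoint": endpoint, "id": 2}]
```

Calling `collect(SAMPLE_ENDPOINTS, fake_fetch, send)` ingests the daily report and returns the telephone endpoint in `skipped`, which can be written out as a health record.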
Hi Surya,
Thank you so much for the detailed response. Highly appreciated.
One thing that I understand from your response, please do correct me if I take it wrong: we have to leave the connector app and work with the GitHub one.
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ZoomReports/readme.md
- Jun 24, 2025
Yes, use the GitHub version (ZoomReports Function App) instead of just relying on the Sentinel UI connector if you're facing issues or need more control or debugging. Let me know the outcome.
The Sentinel UI-based connector is essentially a wrapper that automates the deployment of the GitHub-based ZoomReports Azure Function App. But when you face advanced issues (like the Audio Conference Plan error), you get limited visibility and flexibility in the UI-deployed version.
- Analyst110, Jul 01, 2025, Copper Contributor
And as you can see under the Invocation, the result is Success, no failure.
And from this GitHub link I deployed the Zoom function app:
https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/Zoom
- Analyst110, Jul 01, 2025, Copper Contributor
Hi Surya
I hope you are doing well.
As you said, I deployed the GitHub Function App using the provided ARM template, but I am facing a different error. I am sharing it with you; maybe you have faced this or can understand it better than me.