Microsoft recently published a very comprehensive support articel which describes which platform supports what features. You can read about activity feed, notifications, calendar, calls, files, meetings, live events, messaging, search, shifts, status, Teams and channels, Teams for Education.
Although the site exist the pace of change is fast, i.e. it makes sense to always watch out Microsoft 365 status updates, follow the common Microsoft Tech Blogs as well as monitor the Microsoft 365 roadmap.
On September 22 – 24, 2020 Microsoft Ignite takes places online. There are as usual hundreds of sessions. We can expect that there will be something for everyone. And everything without travelling. Is it great?
For Microsoft Teams there are also many sessions, i.e. featured sessions, digital breakouts and ask the experts. The latter provides you the opportunity to engage with Teams product and engineering experts. For these sessions you need to book your virtual seat in and so you should book as soon as possible because the space is limited. For details check out the links at the bottom. Enjoy Ignite 2020!
In this post I describe how you can configure call forwarding to external PSTN phone numbers for a call queue or auto attendant in a Microsoft Teams Direct Routing configuration. Microsoft released the capability to forward phone calls via a Teams Auto Attendant and via a Teams Call Queue to a phone number. Also, the operator can have a (external/PSTN) phone number.
In the past this was not feasible this way, therefore you had to implement a workaround by configuring a “forwarding user” to reach the goal. This is no longer necessary. I’ll show you some screenshots to depict what you’ve got now with Teams Calling and Microsoft 365 Phone System.
Teams Auto Attendant – Operator – External Phone Number Option
Teams Auto Attendant – Operator – External Phone Number Option
Teams Auto Attendant – Call Flow – External Phone Number Option
Teams Auto Attendant – Call Flow – External Phone Number Option
Teams Call Queue – Call Flow – Externa Phone Number Option/s
Within call queues you have two options to forward a call to a phone number. The first option helps to deal with more as the maximum set amount of concurrent calls in a queue. The second option helps to deal with calls waiting in a queue for a certain amount of time.
Teams Call Queue – Call Flow – Externa Phone Number Option/s
What do I have to do to make this work with Teams Direct Routing?
Easy, you have to do two things:
assign a Virtual Phone System User license (!!!) (if not done yet) to the Teams Resource Account (also note the docs.microsoft.com statement saying, “Phone System licenses aren’t supported”, so assigning a E3 + phone system license might not work)
assign an Online Voice Routing Policy to the resource account which is assigned to the call queue or auto attendant [with PowerShell]
Wait for some time (as I was testing this, I configured this in the late afternoon and the next morning it was working as expected, this might be different and I’m not aware of a default duration till it is applied and will work)
I’ll not explain how to get and assign the license, I’ll explain the assignment of the Online Voice Routing Policy because at the time of writing this post, you have to assign the policy by using PowerShell.
Assign an Online Voice Routing Policy to a resource account
#Teams Direct Routing
#Enable resource account for outbound call in Microsoft Teams Call Queues and Auto Attendants
#Example code
Import-Module SkypeOnlineConnector
#Login
if ($cred -eq $null) {$cred = Get-Credential}
#W/O MFA:
$sfbosession = New-CsOnlineSession -Credential $cred
#WITH MFA:
#$SFBOsession= New-CsOnlineSession ADMIN-UPN
#Import module
Import-PSSession -Session $sfbosession -AllowClobber
#List Online Voice Routing Policies
Get-CsOnlineVoiceRoutingPolicy
#Assign Online Voice Routing Policy to Microsoft Teams Resource Account for Teams Direct Routing
$user = "teams-resource-account@domain.tld"
$userovrp = "teams-direct-routing-online-voice-routing-policy"
Grant-CsOnlineVoiceRoutingPolicy -Identity $user -PolicyName $userovrp
#Get a cup or some more cups of coffee and wait!!!
#Check assignment
Get-CsOnlineUser $user | select OnlineVoiceRoutingPolicy
<#Please note
although it's set quickly it can take quite some time till it is really applied, you can see this on the SBC SIP traces which still points to Teams phone system which is rejecting the referred call with a "403 Forbidden", it detail it states some like that there is no viable outbound route.
#>
Remove-PsSession $sfbosession
Conclusion, opinion and summary
I’ve been waiting for this for some time by now, and now that the feature is available, without creating a workaround, I like it. Especially, because you can also do some automation by using PowerShell for your cloud hotlines based on Microsoft Teams call queues and auto attendants.
In this post I like to reference to a comprehensive video playlist regarding Microsoft Teams Security and Compliance. It contains eight short videos covering different and important topics for your collaboration security focusing on Microsoft Teams. The author of the YouTube videos is Matt Soseman, Security Architect at Microsoft.
Basically, Microsoft 365 services are secure by design, however there are settings and configuration aspects which might not yet be enabled by default. That’s why it is important to know what’s available to set it up to make your collaboration even more secure. Please find the link at the bottom Security & Compliance in Microsoft Teams [YouTube Playlist].
The following Teams related topics are covered in the the playlist:
Identity and access management
Advanced Threat Protection (ATP)
Intune Mobile Application
Data Loss Prevention (DLP)
(Windows) Information Protection
Cloud App Security and third party storage
Cloud App Security and Azure Active Directory (AAD)
Unified SecOps w/ Microsoft Threat Protection
Conclusion, opinion and summary
The duration for each video is below six minutes although the most important aspects are mentioned. These videos are an impressive summary for security and compliance capabilities related to Microsoft Teams and Microsoft 365.
In my opinion the videos are very good to get an overview on what security capabilities are available and to get a glimpse on how it works to help you.
In this post I describe what Microsoft Outlook Spaces (Preview) aka Project Moca is and how to enable the preview of it. Recently, Microsoft made Outlook Spaces available as preview.
To enable Outlook Spaces you can connect to Exchange Online by using PowerShell and enable the feature for the default or better a certain OwaMailboxPolicy.
Please note: In case you want to test this you might want to create a new OwaMailboxPolicy and assign to a test user (group) and enable it than. I recommend to test this in your test environment first.
After enabling the preview it can take some time until you are able to test it. So, if you open Outlook Spaces you might see “Under construction”, which means that you need to be patient and check it again later.
In this post I like to describe the Modern Collaboration Architecture (MOCA) and how it can help to embrace adoption of Microsoft 365 services for collaboration.
Can I drink it? No, it’s not mocca, the coffee which you might have heard of. Sorry, it does not mean that coffee boosts user adoption. MOCA is short for Modern Collaboration Architecture and it is intended to support in the question “Which tool when” based on Microsoft 365. MOCA is thought to be one part of a Modern Collaboration Practice in the business transformation to change the culture and mindset towards a digital business and organization. The Modern Collaboration Practice consists of four components:
Attention | “Helping employees manage their attention”
MOCA | “Using the right tool for the right job”
Communications | “How communications flow in an organization”
Customers | “Customer stories”
MOCA describes the dynamic of how we collaborate as individual, as part of a team, as part of a community and as part of an organization. The whitepaper explains this in more detail. Although MOCA points out what tool you can use when but it also says that this is not enough. On the contrary, it might cause an information overload for users just because there is so much (irrelevant) information and tools available.
To improve productivity the right tool must be available but also the mindset and culture in an organization must be ready for this. All the Microsoft 365 collaboration services and tools will definitely not solve all problems by itself, no, it provides the tool-set for users to be more productive and deliver business outcomes but to achieve this goal a organization must endeavor a cultural change towards a modern and digital organization.
Conclusion, opinion and summary
To sum it up, MOCA is a guiding approach for Microsoft 365 collaboration to learn “what use when” but it is incomplete. It’s supportive but the organizational change process must be triggered and initiated as well. The latter is something which is a long term goal and journey, which you probably heard before many times if not already working on it.
In this post I show how you can use (Azure) AD security groups or Microsoft 365 groups to assign Microsoft Teams Policies within the Teams Admin Center. This is handy to manage bulk or many different policy assignments via GUI. So, you don’t have to use and run your PowerShell scripts which might does the magic in larger environments with more versatile requirements regarding Microsoft Teams permissions.
Bascially, there are two types to assign a policy to a user: direct vs. indirect. Depending on how you assign a policy it is applied in a specific order as follows:
directly assigned policy (no inheritance of a policy of from a group)
no direct assigned policy (group policy with highest rank)
no direct nor indirect assigned policy –> global (Org-wide default)
Quick start
In this section I list the steps you and things you need to do.
Create Azure AD group/groups
Add users to the group/groups
Create custom policy/policies in Teams Admin Center, e.g. a custom meeting or messaging policy
Assign the Azure AD group / groups to the custom policy/policies
Azure AD Group creation example
To assign policies to a group of users you need to create or have a group in Azure AD. Either a security or Microsoft 365 group. In this example, I prefer a security group because in this case I don’t want to have the Microsoft 365 group overhead for assigning permissions. Also, I create a static/assigned group and no dynamic group.
Screenshot – Azure AD \ Groups \ Create a group
Don’t forget to add users to the group.
Group policy assignment via Teams Admin Center
In different areas in the Teams Admin Center you can create and assign policies, e.g. for meetings. As you can see in the below depicted screenshot there is also a further sub-menu or -register where you can click on “Group policy assignment”. The following screenshots will walk you through the assignment process.
Screenshot – Teams Admin Center \ Meetings \ Meeting policiesScreenshot – Teams Admin Center \ Meetings \ Meeting policies \ Group policy assignment 1Screenshot – Teams Admin Center \ Meetings \ Meeting policies \ Group policy assignment 2Screenshot – Teams Admin Center \ Meetings \ Meeting policies \ Group policy assignment 3
That’s actually it.
But how to verify that the policies are assigned? Well, Microsoft also provides a log showing the policy assignment status for the last 30 days.
Check policy assignment status for the last 30 days
Teams admin center dashboard
activity log
view details
view all policy assignment/s which you can also filter (not started, in progress, completed)
PowerShell code snippet for policy assignment (example)
#Example code snippet for Teams Batch Policy Assignment
#20200816 Erik Kleefeldt
#Required permissions: Teams service admin, a Teams communication admin, or Global Administrator
#Currently supported policy types (subject to change at any time): CallingLineIdentity, ExternalAccessPolicy, OnlineVoiceRoutingPolicy, TeamsAppSetupPolicy, TeamsAppPermissionPolicy, TeamsCallingPolicy, TeamsCallParkPolicy, TeamsChannelsPolicy, TeamsEducationAssignmentsAppPolicy, TeamsEmergencyCallingPolicy, TeamsMeetingBroadcastPolicy, TeamsEmergencyCallRoutingPolicy, TeamsMeetingPolicy, TeamsMessagingPolicy, TeamsUpdateManagementPolicy, TeamsUpgradePolicy, TeamsVerticalPackagePolicy, TeamsVideoInteropServicePolicy, TenantDialPlan
#Note: Policy assignments are updated if a user is added/removed
#Use at your own risk, this is just an example code snippet
#For further details/reference please see https://docs.microsoft.com/en-us/microsoftteams/assign-policies
#Install modules
Install-Module -Name AzureAD
Install-Module -Name MicrosoftTeams
#Connect services
Connect-MicrosoftTeams
Connect-AzureAD
#Get users
$AzureUsers = Get-AzureADUser
#Assign policy to a group
#Soft limit: 50 000 users per group
Get-AzureADGroup -SearchString "SEC-EUDE*"
New-CsGroupPolicyAssignment -GroupId <object id of AAD group> -PolicyType TeamsMeetingPolicy -PolicyName "Meeting-StandardUser" -Rank 1
#Check assignment for group/s
Get-CsGroupPolicyAssignment -GroupId <object id of AAD group>
#Get all groups with assigned Teams Meeting policies type
Get-CsGroupPolicyAssignment -PolicyType TeamsMeetingPolicy
#Remove assignment to a group for a meeting policy
Remove-CsGroupPolicyAssignment -PolicyType TeamsMeetingPolicy -GroupId <object id of AAD group>
#Batch job
#Limit: < 5000 users per batch
#Assign meeting policy batch
New-CsBatchPolicyAssignmentOperation -PolicyType TeamsMeetingPolicy -PolicyName "Meeting-StandardUser" -Identity $users.SipProxyAddress -OperationName "20200816-AssignStandardMeetingUserPolicy"
#Check batch operation status
Get-CsBatchPolicyAssignmentOperation -OperationId <ID shown after New-CsBatchPolicyAssignmentOperation is executed> | fl
#Check batch operation status for users
Get-CsBatchPolicyAssignmentOperation -OperationId <ID shown after New-CsBatchPolicyAssignmentOperation is executed> | Select -ExpandProperty UserState
#Disconnect services
Disconnect-MicrosoftTeams
Disconnect-AzureAD
Conclusion, opinion and summary
Assigning policies to AAD/AD user objects is a very common activity. It eases the daily business and AAD/AD user life cycle and permission management. This is something which should, actually must, be automated in every IT organization. It’s a no-brainer to automate permission assignements based on groups during the creation or change process of an AAD/AD user object. Now, that this is already available for some time in Teams you might want to use it, too, to enhance the grade of your AAD/AD user management process a little more.
In case you already implemented a Teams policy assignment process before the above methods were available, you might review your as-is and transition to the new methodes available. I assume the new methods are more sophisticated than using just combinations of AD groups, PowerShell scripts for direct Teams policy assignment/s.
In this post I like to highlight a long awaited calling feature for Microsoft Teams Telphony. As of now, you can make and receive several PSTN calls in Microsoft Teams but not merge them.
Let’s draft the following call scenario: If you are on a PSTN call with person A and person B is calling you, too. Given the situation that you now want to discuss a related topic all together, ad hoc, you might like to bring together the person A, person B and yourself in the held and ongoing call. Today, you cannot just merge the calls, you would need to start a meeting to bring them together. This is unhandy in some situations.
Microsoft added an new item to its M365 roadmap and announced Call Merge which enables end users to
In this post I describe how you can enable, configure or disable direct end user communication by Microsoft 365. Microsoft 365 provides a bit hidden service supporting user adoption and training. It’s called “Microsoft communication to users” and can be found in the Microsoft 365 admin center. By default it’s on but not sending out mails because it is not defined by default what kind of training mails should be send out to users.
In the following screenshots I’ll show you where you can enable, configure or disable the service.
First you’ll need to go to https://admin.microsoft.com and open the settings area in the left-hand navigation pane, as depicted below. There you can navigate to
Org settings
Services
Microsoft communication to users
Screenshot – Microsoft communication to users
At this page you can decide how to proceed, to leave it enabled and configure it (7) or disable it by ticking off the box (6).
In case you want to enable it you can configure what’s relevant for your users.
Screenshot – Microsoft 365 training topic selection
You can choose several training topics:
Microsoft Office 365
Microsoft Office apps
New Office 365 training
Outlook anywhere
OneDrive
Microsoft Teams
Screenshot – Audience and approval process
After you’ve selected what topics are of interest you’ll get asked if you want to get a preview mail for approval before mails will be send to users. To approve end user mails each time with this approval mail process you need to tick the checkbox below the audience type.
Screenshot – Definition of recipients
Further, you can select who should receive the communication. At this stage you can select certain users or a group.
What if there are certain users which might not want to receive this communication?
Users can unsubscribe if they don’t want to receive the contents.
Conclusion, opinion and summary
The idea behind this is good. However, often companies create and provide their own customized content or user trainings which allows users to easily find what’s provided for them. At least that’s my experience. More and more companies establish a change management practice and have internal/external staff which take care of user training and adoption. Some organizations, they have already internal platforms for training purposes, not only for Microsoft 365. That’s why they tend to provide contents on an existing learning platforms and way instead of pushing out standardized mails directly from the vendor. The latter could also conflict with org wide settings, let’s say, something is not turned on in an org’s tenant and users get training content regarding this, it might cause irritations. Therefore, it’s relevant that you elaborate if you can use “Microsoft communication for users” or if it might collide with your existing learning concepts. In case there is no learning/adoption/training concept, you could consider “Microsoft communication for users” as an option to educate your users regarding Microsoft 365 related topics.
In this post I describe how you can fix a call loop and cause code issue with busy on busy enabled in Microsoft Teams Direct Routing in conjunction with a Audiocodes Mediant Session Border Controller. In one of my recent Teams Direct Routing deployments I came across an issue as soon as I enabled Busy on Busy in the Microsoft Teams Admin Center, as described in one of my previous blog posts, here.
Scenario
Microsoft Teams Direct Routing
Audiocodes Mediant VE Session Border Controller (SBC) V 7.20A.256.721
PSTN SIP Trunk Provider
Microsoft Teams Busy on busy (BoB) enabled for the user/s
Issue
Enabling busy on busy on Teams caused call loops, many missed calles shown in the call history in the Teams client.
Screenshot – Teams Call History for a user enabled for BoB
Usual calls incoming, outgoing, call forwarding etc. worked fine but after assignment of the policy including the enabled busy on busy the caller caused a “call loop” and many missed calls in the call history while the callee was still on a call with someone else.
Screenshot – SysLog with BoB enabled
Actually the above SIP flow looks ok but why on earth is the second caller’s number showing up that often? That’s the loop we get and the many missed calls as long as the called person is still busy on another call.
Solution
Usually, 486 Busy Here should be ok towards the PSTN SIP Trunk provider because this says “busy”. However, it did not really say “busy” or provide the “busy” tone to the second caller.
After some research I came across an helpful blog post from Luca Vitali describing a similar issue with the difference that he’s seeing this in a TDR deployment with a TDM PSTN trunk and a different cause code sent by Microsoft 365 Phone System.
Screenshot – SysLog – Reason Header Analysis – Cause 34 is sent in a 486 Busy Here
So, I checked the SIP reason header in more detail for the “486 Busy Here”. Viewing the SIP message logs by using the SysLog Viewer I found REASON: Q.850;cause=34;text=”171015b7-8b51-4fca-b9c0-d5f052823334;User is busy and currently active on another call.” There I noticed “cause=34” which means “no circuit available”. Is this not ok? That could be the possible issue because Microsoft 365 Phone System sends the above in a BoB scenario and probably the PSTN SIP Trunk provider looks not only on the “486 Busy Here” but also in the details of the Reason including the Q.850 cause codes which does not include the right code for “busy”.
So, just set up a message manipulation rule on the Audiocodes SBC to change the cause in the SIP reason line.
This message manipulation rule is based on the message manipulation set id assigned to the IP Group for Teams as an inbound message manipulation.
Please note that the above is just provided as-is and might require adjustments for your deployment. Also, the above manipulation of the cause code might be adjusted if Microsoft Phone System was changed and it sends out another cause code in the Reason Header. I thought of using “…!= ’17′” to always change the cause code in the Reason Header but that’s no good idea because it can cause other issues.
After the message manipulation was implemented I successfully re-tried.
Screenshot – Microsoft Teams Call History (after the msg. manipulation was live)
And also the SBC SIP flow is now fine, no more loops due to BoB and the second caller gets his regularly busy tone.
Screenshot – SIP Message Flow – 486 Busy Here adjusted Q.850 cause code
UPDATE 01.08.2020
It’s also an option to remove the reason header instead of changing the Header.Reason.Reason.Cause.
