Microsoft 365 safe documents configuration

In this post I describe what safe documents in Microsoft 365 are, how you can configure them and why you should enable them in your Microsoft 365 tenant.

If you are not yet familiar with safe attachments and safe links you might want to read my previous post Safe attachments and links to protect your Office 365 collaboration first.

Source: https://pixabay.com/de/illustrations/sicherheit-sichern-gesperrt-2168233/

What are safe documents?

Safe documents are a Microsoft 365 Advanced Threat Protection (ATP) feature. It protects your users from opening malicious documents which might harm your users' data, privacy or even your complete IT infrastructure, depending on what malicious document content is opened. ATP checks a document before it is opened and prevents the user from opening it or leaving Protected View if ATP has recognized anything potentially malicious.

Why safe documents?

It adds another valuable layer of security for your users and infrastructure which kicks in even if someone opens a document which was not caught or categorized as malicious before by other security mechanisms. It might be the last barrier and defense if someone (accidentally) opens a document in your company to avoid a security incident with corresponding consequences for your company.

What’s required to use this capability in Microsoft 365?

Safe documents are an advanced security feature which requires the following:

  • Microsoft 365 E5 or Microsoft 365 E5 Security
    Microsoft emphasizes that it is not in Office 365 ATP plans
  • Organization Management or Security Administrator role in M365 (for configuration)
  • Office Version 2004 (12730.x) or later

How to configure it?

If the requirements are met you can configure and test it. By default it is turned off.

Please note that configuring this enables it for your complete Microsoft 365 tenant and therefore for your complete organization.

Enabling it via Admin Center

Screenshot – Go to Security & Compliance Center at https://protection.office.com
Screenshot – Go to Threat management\Policy\ATP Safe Attachments
Screenshot – Tick the checkbox “Turn on Safe Documents for Office clients …”

Maybe DON’T tick the checkbox “Allow people to click through Protected View even if Safe Documents identifies the file as malicious”.

Screenshot – Click Save

That’s it, now it’s live.

Enabling it via Shell

Alternatively, you can also enable this using Exchange Online PowerShell. Example:

#Install module
Install-Module -Name ExchangeOnlineManagement
#Check module availability on the system
Get-Module -ListAvailable -Name ExchangeOnlineManagement
#Update module
Update-Module -Name ExchangeOnlineManagement
#Import module
Import-Module ExchangeOnlineManagement

#Connect to EXO with MFA enabled
Connect-ExchangeOnline -UserPrincipalName <UPN> -ShowProgress $true

#Enable Safe Documents but prevent users from leaving Protected View
Set-AtpPolicyForO365 -EnableSafeDocs $true -AllowSafeDocsOpen $false
#Check values
Get-AtpPolicyForO365 | Format-List *SafeDocs*

#Disconnect from EXO
Disconnect-ExchangeOnline

#Uninstall module
Uninstall-Module -Name ExchangeOnlineManagement

Validating it with Shell

Due to the fact that I’ve configured this in the Admin Center I’m just checking if the setting is set as expected.

Screenshot – Validate / verify settings

And there we go, it’s set.
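
One way to turn the manual check above into a repeatable audit, as an added example that is not part of the original post: the function compares the two Safe Documents properties returned by Get-AtpPolicyForO365 with the values set earlier in this post. Test-SafeDocsPolicy and the sample objects are hypothetical names and constructed data.

```powershell
# Added example: audit the tenant-wide Safe Documents settings.
# Expected values follow the post: Safe Documents on, click-through off.
function Test-SafeDocsPolicy {
    [CmdletBinding()]
    param(
        # Object returned by Get-AtpPolicyForO365, or a stand-in with the same properties
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy
    )
    process {
        $expected = [ordered]@{
            EnableSafeDocs    = $true
            AllowSafeDocsOpen = $false
        }
        foreach ($name in $expected.Keys) {
            $prop = $Policy.PSObject.Properties[$name]
            if ($null -eq $prop) {
                # Property absent from the piped object: report it instead of passing silently
                [pscustomobject]@{
                    Setting   = $name
                    Expected  = $expected[$name]
                    Actual    = '<missing>'
                    Compliant = $false
                }
                continue
            }
            [pscustomobject]@{
                Setting   = $name
                Expected  = $expected[$name]
                Actual    = $prop.Value
                Compliant = ([bool]$prop.Value -eq $expected[$name])
            }
        }
    }
}

# Constructed sample objects so the function can be tried without a tenant connection.
$hardened = [pscustomobject]@{ Name = 'Default'; EnableSafeDocs = $true; AllowSafeDocsOpen = $false }
$weak     = [pscustomobject]@{ Name = 'Default'; EnableSafeDocs = $true; AllowSafeDocsOpen = $true }

$hardened | Test-SafeDocsPolicy | Format-Table
$weak     | Test-SafeDocsPolicy | Format-Table

# Against a live tenant (after Connect-ExchangeOnline):
#   $findings = Get-AtpPolicyForO365 | Test-SafeDocsPolicy
#   if ($findings.Compliant -contains $false) { Write-Warning 'Safe Documents settings drifted'; exit 1 }
```

Run on a schedule, the non-zero exit code makes a changed click-through setting visible instead of relying on someone re-checking the Admin Center.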

Conclusion, opinion and summary

It’s very easy to configure, however the licensing and client requirements are quite high. In case you meet the licensing requirements you can enable it (with previous planning and testing).

Also note, you should check what your antivirus (AV) client might do in case you are running a third-party AV client. I did not test this having a third-party AV client plus this enabled. I’d assume there should be no conflicts but there can be conflicts. So, I would not directly enable this in production without previously testing this maybe in a test tenant and a test client to ensure it works as expected before going live with safe documents.

Additional resources

Safe transfer with Microsoft Teams Calling

In this post I highlight a Microsoft Teams Calling feature to safely transfer calls. Microsoft seems to add safe transfer for calls by Teams Users soon, according to the Microsoft 365 roadmap.

What’s safe transfer with Microsoft Teams?

As the roadmap item says, it enables Teams users to get a call back if they transferred it to another Teams or Skype for Business user who does not answer.

For this to work, the user who transfers the call must be a Microsoft Teams user and the target must be a Microsoft Teams or Skype for Business user in the same or a federated tenant.

Additional resources

Backup Audiocodes Mediant VE on Azure

In this post I describe how you can back up your Audiocodes Mediant VE on Microsoft Azure. Let’s start with some basics before configuring your SBC backup on Azure.

Save config

First of all, if you deploy your Audiocodes Session Border Controller (SBC) for Teams Direct Routing or any other SBC I’d recommend saving the configuration. For instance, on Audiocodes Mediant SBCs you can easily save the configuration file (config.ini) and/or packages.

Screenshot: Saving Audiocodes Mediant Configuration File
Screenshot: Saving Audiocodes Mediant Configuration File and/or Package

Take a (“on-system”) snapshot

Another option is to directly save a snapshot on the Audiocodes SBC which enables you to quickly revert to this “restore point”.

Screenshot: System Snapshot (Setup\Administration\Maintenance)
Screenshot: Create a system snapshot directly on the Mediant

Enable Azure Backup for virtual SBC

Below, I’ll show an example of how you can enable and configure backup of your Audiocodes Mediant VE on Azure.

Screenshot: Backup configuration on Azure
Screenshot: Configure backup (Resource group\VM\Backup)
Screenshot: Configure backup policy which fits your requirements

Here you can configure retention, i.e. how long each type of backup should be kept.

Screenshot: Configuring backup data retention
Screenshot: (optional) create a separate backup resource group
Screenshot: check your backup policy settings
Screenshot: Wait for validation to complete successfully

After the validation is ok, you’re done.
You could trigger an ad hoc backup now, to check if it works.

Screenshot: Trigger backup now
Screenshot: Here you can monitor the backup status and progress
Screenshot: Backup process running

If configured you should also restore the system once, to ensure that you know that it works and how to restore a VM.

Conclusion, opinion and summary

Backing up your virtual SBC on Azure is a good thing in my opinion. Especially if you maybe want to revert the SBC after a firmware upgrade to an earlier release or just quickly bring back another configuration if you forgot to download the config.ini or config package before you made this one big change on the system.

Additional resources

Microsoft Teams Call Quality Dashboard (CQD)

In this post I describe the CQD for Microsoft Teams and provide a high-level overview of its capabilities.

What’s the CQD?

The call quality dashboard, CQD for short, is a rich dashboard and reporting platform for checking call quality metrics. It also helps to analyze and troubleshoot call quality: you can drill down into reports to figure out where you might have issues, or just see what’s going on in your Microsoft 365 Phone System with Microsoft Teams.

Source: Microsoft Teams CQD (May/June 2020)

In case you need to dig deep into the reports you might also want to upload some network details regarding your physical locations or endpoints. This can help you as well as Microsoft Support to troubleshoot issues, if required. For example, you can upload a CSV including:

column name | column format | example
networkip | String | 10.10.1.0
network name | String | HQ-Stuttgart
networkrange | Number | 24
buildingname | String | HQ-Stuttgart-Office
ownershiptype | String | EriksLab
buildingtype | String | IT Operations
buildingofficetype | String | Administration
city | String | Stuttgart
zip code | String | 71178
country | String | DE
state | String | Baden-Wuerttemberg
region | String | Stuttgart
insidecorp | Boolean | 1
expressroute | Boolean | 0
VPN (optional) | Boolean | 0
CQD Tenant Data Information (CSV) example for buildings
Source: Microsoft Teams CQD (June 2020)

So, depending on your uploaded data you can view the reports either without or with the enriched data input.
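
A pre-upload check for the building CSV columns listed above, as an added example that is not part of the original post or of any Microsoft tooling. Test-CqdBuildingRow and the property names in $columns are hypothetical; the example assumes the columns appear in the order of the table, and the check that networkip is the network address of its range is an added sanity check.

```powershell
# Added example: validate building rows against the formats in the table above.
# Assumption: columns appear in the order of the table; property names are this example's own.
$columns = 'networkip','networkname','networkrange','buildingname','ownershiptype',
           'buildingtype','buildingofficetype','city','zipcode','country','state',
           'region','insidecorp','expressroute','vpn'

function Test-CqdBuildingRow {
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Row)
    process {
        $problems = @()

        # networkip: four dotted octets that also parse as an address
        $ip = $null
        $isIPv4 = ($Row.networkip -match '^\d{1,3}(\.\d{1,3}){3}$') -and
                  [System.Net.IPAddress]::TryParse($Row.networkip, [ref]$ip)
        if (-not $isIPv4) { $problems += "networkip '$($Row.networkip)' is not a dotted IPv4 address" }

        # networkrange: prefix length as a number
        $prefix = 0
        $hasPrefix = [int]::TryParse($Row.networkrange, [ref]$prefix) -and ($prefix -ge 0) -and ($prefix -le 32)
        if (-not $hasPrefix) { $problems += "networkrange '$($Row.networkrange)' is not a number between 0 and 32" }

        if ($isIPv4 -and $hasPrefix) {
            # Added sanity check: the address should have no host bits set for its prefix
            $b = $ip.GetAddressBytes()
            [long]$addr = ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
            [long]$hostMask = ([long]1 -shl (32 - $prefix)) - 1
            if (($addr -band $hostMask) -ne 0) { $problems += "networkip has host bits set for /$prefix" }
        }

        # Boolean columns are written as 0 or 1; VPN may be left empty
        foreach ($flag in 'insidecorp','expressroute','vpn') {
            $value = $Row.$flag
            if ($flag -eq 'vpn' -and [string]::IsNullOrEmpty($value)) { continue }
            if ($value -notin @('0','1')) { $problems += "$flag '$value' must be 0 or 1" }
        }

        [pscustomobject]@{
            Network  = "$($Row.networkip)/$($Row.networkrange)"
            Valid    = ($problems.Count -eq 0)
            Problems = $problems -join '; '
        }
    }
}

# Constructed sample rows: the first is the example from the table, the others contain deliberate errors.
$sample = @'
10.10.1.0,HQ-Stuttgart,24,HQ-Stuttgart-Office,EriksLab,IT Operations,Administration,Stuttgart,71178,DE,Baden-Wuerttemberg,Stuttgart,1,0,0
10.10.1.17,HQ-Stuttgart,24,HQ-Stuttgart-Office,EriksLab,IT Operations,Administration,Stuttgart,71178,DE,Baden-Wuerttemberg,Stuttgart,yes,0,
10.10.300.0,HQ-Stuttgart,33,HQ-Stuttgart-Office,EriksLab,IT Operations,Administration,Stuttgart,71178,DE,Baden-Wuerttemberg,Stuttgart,1,0,1
'@

$sample | ConvertFrom-Csv -Header $columns | Test-CqdBuildingRow | Format-List
```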

Source: Microsoft Teams CQD (June 2020)

Conclusion, opinion and summary

The CQD is a helpful means to support analyzing and troubleshooting call quality-related issues. The reporting data can help to find out what’s not working well and maybe even give you the why to mitigate the issue, e.g. bad connectivity, a bad device or something else. Additionally, depending on your organization’s size and requirements you could also get the data to PowerBI for more customized views and reporting, if needed. The CQD is very powerful and supportive in resolving call quality issues. In case you are utilizing Microsoft Teams, especially calling capabilities, I think it is a very good platform which can support your call quality troubleshooting.

Additional resources

Manage Microsoft Teams Rooms (MTR)

Soon, Microsoft Teams Meeting Rooms (MTRs) will be (remotely) manageable via the Teams Admin Center, as described on the Microsoft 365 Roadmap [ID 64022].

  • update settings for Team Room Devices
  • monitor and check health status of Teams Room Devices incl. peripherals (camera, mic)
  • troubleshoot an MTR by remotely restarting the devices
  • troubleshoot an MTR by remotely downloading logs
Source: https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=64022

I assume that the admin experience will be similar to what is already available to manage Microsoft Teams Phones and Collaboration Bars.

Source: Microsoft Teams Admin Center (Screenshot)

Additional resources

Create a Microsoft Teams Meeting with Outlook on the web or mobile

Microsoft soon enables you to schedule a Teams (or Skype for Business Online) Meeting by using Outlook on the web, Outlook for iOS or Outlook for Android. As of now, May 2020, it looks like the feature on Outlook on the web is planned for the second quarter (Q2) 2020 and on mobiles (iOS/Android) for June 2020.

At the bottom of this post you can find the links to the user guide on how to create a Teams meeting in Outlook on the web/for iOS/for Android, to start right away scheduling Team meetings, as soon as it becomes available. So, you should, as usual, keep your mobile device and apps up-to-date.

Source: https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=63383
Source: https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=63625
Source: https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=63628

Additional resources

Microsoft Teams Contact Center Integration

This post is about the Contact Center Integration in Microsoft Teams. If you deploy Microsoft Teams calling capabilities to enable your workforce to use Microsoft Teams you might also be interested in the Contact Center integration. In the past I wrote an article about Microsoft Teams Call Queues and Auto Attendants for Direct Routing which describes Teams calling capabilities in regards of automatic call distribution (ACD) and/or interactive voice response (IVRs). Depending on your needs this was and is maybe not yet sufficient for your agents because you have many agents answering loads of incoming calls, transfer calls to maybe other departments/agents and respond to these incoming requests, complaints, remote advisories, incidents or what have you. Maybe 24/7…

Source: https://pixabay.com/de/illustrations/lernen-hinweis-schule-betreff-3245793/

So, there was a missing piece to bring Microsoft Teams and more advanced Contact Center solutions together. Until lately. APIs were enhanced and improved, which enabled Contact Center solution and service providers to build and use the available integrations based on

  • Direct Routing Connectivity,
  • Microsoft Graph Cloud Communication APIs,
  • Teams platform and extensibility and/or
  • Teams SDKs.

With this, Microsoft enables three integration “depths”:

  • Connect | based on Direct Routing
  • Connect and Extend | mixture of Direct Routing + Graph APIs + Teams apps platform
  • Extend and Power | embedding Teams SDKs into Contact Center App/Solution/Service for native Teams interactions (which works with Direct Routing as well as calling plans)

Now that you want to start to integrate your existing Contact Center solution in Microsoft Teams, note that this works only for certified Contact Center solutions and services, which are listed in the Connected Contact Center for Microsoft Teams Certification Program. Today, there are already very well-known providers offering Microsoft Teams integration (see additional resources).

Conclusion, opinion and summary

This is another step forward to bring more voice and calling capabilities into Microsoft Teams, as it can become the primary client app for Contact Center agents as well. I assume that more is about to come and enable companies to leverage more and more of Microsoft Teams, especially enterprises with large contact centers which might still be on Skype for Business Server with Enterprise Voice for these workloads. In the past this was mostly due to the SFB UCMA integration which was often used in these voice deployments, and in Teams this integration option was missing. Now, enterprises still running SFB Server and having dependencies on third-party Contact Center solutions based on UCMA might probably soon get rid of SFB Server on-premises, migrate (the Contact Center agents left behind until now) to Microsoft Teams and decommission the SFB Server infrastructure.

Additional resources

Microsoft Skype for Business Server Updates

In this post I just like to quickly highlight where you can find the latest Microsoft Skype for Business Server updates. Recently Skype for Business Server 2015 May 2020 Cumulative Update (CU) was released. However, the update was only downloadable from the EN-US download page, not from the DE one. On the DE download page for SFB Server 2015 only the August 2019 CU was available. I guess it will just take some time until it is refreshed and also available on the DE download page.

Source: https://pixabay.com/vectors/update-download-icon-icons-3314287/

In general you can find the most recent CUs on a Microsoft Docs summary page where you can

  • get an update history incl. release date of the update
  • find the link to the respective knowledge base article which provides an overview on the included changes of the according update (release notes)

On the latter, the KB page, you can open further links to each mentioned change or fix which the update delivers. There you can read through a more detailed explanation and update description.

First of all, you should read the update’s KB article. Afterwards you can download the package, but please do not just download and install the update. Installing the update should be a planned task. It might require some preparation and cause downtime depending on your actual SFB deployment. And don’t forget to update the backend. I’ve often noticed that the backend is not updated although the description of the CU states how this has to be done depending on the SFB deployment (Standard Edition vs. Enterprise Edition).

Additional resources

Microsoft 365 Virtual Marathon 27.-28.05.2020

Microsoft announced a virtual event called Microsoft 365 Marathon. It will take place online from May 27 – 28, 2020 and it will be 36 hours all about Microsoft 365. More than 300 speakers will present different topics. There’ll be over 400 sessions. Can it get better? Yes, it’s free. This is really impressive and definitely the suited format given the current circumstances. So, if you want to learn about Microsoft 365, I’d say that this virtual event is the one you should not miss. As far as I’ve seen there are all kinds of sessions (depths) from overview to deep dive available, e.g. regarding working remotely, using live events, setting up your corporate intranet, security and compliance and many more. You can read some more details and register via the Microsoft SharePoint Blog. Enjoy if you can make it!

Source: https://pixabay.com/de/illustrations/lernen-hinweis-schule-betreff-3245793/

Additional resources

Configuring Microsoft Teams Direct Routing via the Teams Admin Center

In this post I would like to show how Microsoft Teams Direct Routing can now also be configured via the Teams Admin Center. I myself still prefer setting it up with PowerShell, but it is good to know that these functions are now available in the Admin Center as well.

Note: This post describes a currently available approach in the form of an example configuration. How a configuration has to be done can vary (depending on requirements) and can also change at any time on the part of Microsoft 365, Teams etc.

How to connect a certified SBC via Teams Admin Center?

Objective

Connect the Microsoft 365 Phone System to a certified Session Border Controller (SBC) for Microsoft Teams Direct Routing (TDR).

Design and scope

In this example post I only show how the connection from the Microsoft 365 Phone System to the SBC can be set up (yellow). The configuration of an SBC, possible adjustments and fine-tuning are not described further here. At the end, a cloud-only user account is assigned a phone number and the Voice Routing Policy.

I do not go into details here on what TDR is, its prerequisites and how it is licensed.


To be configured are

  • a Teams PSTN gateway (SBC),
  • PSTN usage,
  • voice route,
  • Voice Routing Policy
  • and finally the Voice Routing Policy has to be assigned to the user.

Solution (example)

We start in the Microsoft Teams Admin Center (https://admin.teams.microsoft.com) as a global admin, but the Teams administrator role (Teams Service Administrator) is also sufficient here and grants permission for the configuration.

Below, the screenshots show the “configuration path”, and in each screenshot the steps are shown starting with “1”.

Teams Admin Center
Add a PSTN gateway / SBC
Configure the SBC in the Teams Admin Center (FQDN, enabled, port (SBC listener), sessions …)
Review settings
Create PSTN usage
Create voice route
Create voice routing

Under “Dialed number pattern” a regular expression (RegEx) can be defined to check calls placed from Teams against a particular “pattern” in order to make a routing decision for this or possibly another route. I am intentionally leaving this empty here. If users are to dial complete E.164 (i.e. with +49… ) or simply everything should be accepted, e.g. .$ (any) or similar can be used here. As needed.

Create voice route
Check voice route and priority
Create a Voice Routing Policy for assignment to users
Add PSTN usage to the Voice Routing Policy
Assign the Voice Routing Policy to a user

After the Voice Routing Policy has been assigned, it can take a while* until, in this example, James can make calls. Of course, the SBC must already be configured and functional for this. The right licenses and policies (calling policies) must not be missing for the users either. Not to forget that the user or users still need a phone number assigned.

*a while can be anything from a few minutes up to several hours. I have already observed provisioning times of different lengths.

The latter is unfortunately currently not (yet?) possible via the Teams Admin Center. It still requires the SFB Online PowerShell, unless I have SFB Server (hybrid) and my phone numbers are still transferred from the on-premises server via AAD Connect (msRTCSip-LineURI…). But then there are a few more aspects to consider.

Assigning the phone number and Voice Routing Policy via PowerShell

The Voice Routing Policy and phone number can be assigned via PowerShell (via the SFB Online Connector) after the SFBO PowerShell module has been downloaded, installed and connected. If you rework the following a little, a CSV import and a foreach loop can easily be used to create and assign users on a larger scale.

#Connect to SFBO (with MFA)
Import-Module "C:\Program Files\Common Files\Skype for Business Online\Modules\SkypeOnlineConnector\SkypeOnlineConnector.psd1"
#Import-Module SkypeOnlineConnector
$SFBOSESSION = New-CsOnlineSession
Import-PSSession $SFBOSESSION
#Assign Voice Routing Policy
Grant-CsOnlineVoiceRoutingPolicy -Identity "James" -PolicyName "VoiceRoutingPolicy-Germany-Stuttgart"
#Assign phone number
Set-CsUser -Identity "james@...domain.de" -OnPremLineURI "tel:+497119874563219" -EnterpriseVoiceEnabled $true -HostedVoiceMail $true
#Disconnect
Remove-PSSession $SFBOSESSION

Summary

I find it handy that I can now also connect a certified SBC via the Teams Admin Center. Why I still cannot assign a (TDR) phone number to users via the Teams Admin Center as well is a mystery to me. For this I have to switch back to PowerShell. I find that a bit cumbersome. So for now I would rather still do it via the shell, since with PowerShell I do not need to switch views.

I hope this post gives a rough overview of how (as of May 2020) an SBC for TDR can be connected to the Microsoft 365 Phone System.

Additional resources