Tagged: Teams
Teams Meeting Recording button greyed out
In this post I want to write up how you can enable to store meeting recordings when the recording button for meetings is greyed out. As of now, if your Microsoft 365 tenant with its Teams data is located in a Microsoft data center region – where the Microsoft Stream service is not running – you cannot or you were unable to record meetings in Teams. Due to the fact that this is very unhandy Microsoft recognized this constrained and added an option to enable recordings if the Teams and Stream data location is not alike. The Teams data location, you can check in your Microsoft 365 Admin Center\Settings\Org-wide settings\Organisation Profile\Data Location.
So, to fix the greyed out meeting recording button you have to use PowerShell to enable AllowRecordingStorageOutsideRegion. Please note, that you must have completed all the other prerequisites, too, e.g. correct license assigned to user/s, correct policy with meeting recordings enabled assigned etc.
#Teams Meeting Recording
#Enable meeting recordings if Teams and Stream data are not alike
#Example code
#Still using the old SFBO module you can also use the new way/Teams module for this
Import-Module SkypeOnlineConnector
#Login
if ($cred -eq $null) {$cred = Get-Credential}
#W/O MFA:
$sfbosession = New-CsOnlineSession -Credential $cred
#WITH MFA:
#$SFBOsession= New-CsOnlineSession ADMIN-UPN
#Import module
Import-PSSession -Session $sfbosession -AllowClobber
Set-CsTeamsMeetingPolicy -Identity Global – AllowCloudRecording $true -AllowRecordingStorageOutsideRegion $true
<#Please note
although it's set quickly it can take quite some time till it is really applied.
#>
Remove-PsSession $sfbosession
I hope this helps.
Additional resources
Reverse Number Lookup Enhancements in Microsoft Teams Calling
This post is about enhancements in Microsoft Teams Calling regarding the reverse number lookup (RNL). It’s an incredibly important and small feature with high impact on usability for Teams calling capabilities.
In general, RNL resolves a caller’s phone number to contact information (for instance the contact’s display name). E.g. if +49 711 987654321 is calling me and this number is stored in my contacts as Anna it will tell me that she called me in my journal etc.
Microsoft’s 365 roadmap says that the following aspects are improved:
- Display name in your Activity Feed
- Display name in your Call History
- Display name in your Voicemail
Conclusion, opinion and summary
As far as I could see, it’s already live in my tenant. Still, obviously not the full display name is shown in the activity feed. It looks like it is trimmed to the first word of the display name.
I’m hoping to see the full name there, too, or a changed order, e.g. the last word of the display name (last name, usually). The latter is helpful especially if you receive many calls a day from people outside your organization. For what I can say, here in Germany, it’s more common to talk to someone using his/her last name except you already know the person for a longer period and/or agreed on a more informal form to talk to each other using “Du” instead of “Sie”. That’s why it would be nice to see the full name directly in the activity feed, too, in case you directly call back the caller listed in your activity feed as missed called.
Additional resources
Sensitivity labels in Teams, SharePoint sites and Microsoft 365 groups
This post is about protecting information in your Teams, SharePoint, and Microsoft 365 group data by using Microsoft Information Protection (MIP) sensitivity labels. In July 2020 sensitivity labels were announced GA by Microsoft. It provides an answer on How to protect information in Teams, SharePoint Online and Microsoft 365 groups. In this post I walk through the configuration.
What are sensitivity labels?
Sensitivity labels are some kind of persistent data or information labels to protect sensitiv and business-critical information. The following security measures are available with sensitivity labels, in general:
- Enforce encryption or watermarks
- Cross platform/device content protection
- Third-party app and service content protection to detect, classify, label and protect content with Microsoft Cloud App Security, e.g. SalesForce, Box, DropBox
- Third-party app and service extensibility by using Microsoft Information Protection SDK
- Classify content (without protection)
Policy scoping or association options
For Microsoft Teams, 365 Groups and SharePoint Online you can decide or configure options/actions/exclusions based on
- privacy
- external user membership
- unmanaged device access
For instance, any Team, SharePoint Online Site, or M365 group created with a certain label can be forced to be a private one. In consequence, the owner is not allowed and cannot add external users plus users utilizing unmanaged devices can only access the contents via web access.
Requirements
Licensing
I’m not going into details regarding licensing requirements, therefore you can find a link at the bottom of this post. Please note, that there is a difference in license requirements depending on manual vs. automatic labeling. For the latter you need Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5, Office 365 Advanced Compliance, Enterprise Mobility + Security E5, and AIP Plan 2.
Permissions/roles
To manage/create sensitivity label you must be assigned one of the following roles:
- Global Administrator
- Compliance Data Administrator
- Compliance Administrator
- Security Administrator
Enable sensitivity labels on Azure AD
To use sensitivity labels, you need to enable it first in Azure AD by using PowerShell, for example:
#https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-assign-sensitivity-labels
Import-Module AzureADPreview
Connect-AzureAD
#Check if settings object exists or needs to be created first (that's missing in Microsoft Docs)
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
$template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
$settingsCopy = $template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $settingsCopy
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
#Enable Microsoft Information Protection (MIP) labels
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting.Values
$Setting["EnableMIPLabels"] = "True"
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
Disconnect-AzureAD
How to create and publish labels?
In this section I walk through and show some settings based on screenshots, this is not yet for Microsoft Teams, SharePoint Online and Microsoft 365 Groups. A bit more down in this post you find a section showing the part and options for sensitivity labels in Teams. Nevertheless, the process, is similar for Teams, SharePoint, and groups.
To create labels you need to start in the Microsoft 365 security center.
Example – create a label
Be cautious about encryption settings because this can have make a big impact.
Finish this and repeat the above steps as often as required to have as much labels as required.
Example – Publish labels and create a label policy
Depending on the labels you’ve created and your security requirements regarding information protections and groups you can also repeat the above steps for different sensitivity label policies in case you need to differentiate between certain user groups and therefore different information/sensitivity labels and respective label policy assignments.
Example – Create sensitivity label for Teams, SharePoint Online Site and M365 group
For Microsoft Teams etc. the process is similar but as you can see in the following screenshots, you can edit already created labels to add the capabilities for Teams if there were labels already in place.
Here you must not forget to also configure SharePoint Online for this to cope with unmanaged device access to make it work.
Also, if you haven’t yet published labels, you’ll have to publish the newly created labels.
Please note, that it can take several hours for this to appear, I’d recommend waiting approx. up 24 hours.
Usage
The sensitivity label for Teams, SharePoint Online Sites and Microsoft 365 groups can than be applied/selected in the creation process in case you assigned the sensitivity label policy to the users which should be able to apply it.
Conclusion, opinion and summary
Sensitive labels are another good concept and means for your holistic security architecture concept to protection your organization’s information. It’s a central aspect for your Microsoft 365 service and information protection. However, the entry barrier is high because of the license requirements to use this advanced security capabilities.
Additional resources
- General Availability: Microsoft Information Protection sensitivity labels in Teams/SharePoint sites
- New capabilities for Teams Management | July 2020
- Learn about sensitivity labels
- Microsoft Information Protection [Licensing requirements]
- Assign sensitivity labels to Microsoft 365 groups in Azure Active Directory
Team Templates for Microsoft Teams
This post is about Team templates for Microsoft Teams and how it can help you as an admin to deploy a Teams Team quicker and more standardized.
If you go to your Teams Admin Center (TAC), open the Teams section on the left hand navigation, you’ll see a new menu called Teams templates. That’s were you’ll find a list of pre-defined templates as well as the option to add your own and customized template based on your requirements.
The following screenshots show you how you can create a Team template by using the TAC.
At first you can decide to create a brand new template, build a new template based on an existing one or use / modify an existing one.
In this example I create a new customized template for the department research and development. Therefore I’ll prefix the template name with “template” (optional, maybe not ideal because it reduces readability by users if they are enabled to create a Team). Below you provide a short and long description that users will know what the template is for in detail as well as the language/locale.
In case you know what apps are used typically and what channels are needed usually, you can create and add it as needed. To me, it makes sense to talk to someone from the department, e.g. team lead, department lead or else to figure out what’s needed if unclear.
In case you are busy and want to start with it you could either talk to the members of the team/department or you could, for instance, use Microsoft Forms and Power Automate to create some kind of survey to send it out and ask what certain users would like to have as template, if there is a reference team or else.
After saving it, the template will be listed in the template’s list. Please note, it can take some time till your users and you’ll be able to select templates in your Teams client for creation of a new [Teams] Team based on a template.
Limitations
At the time of writing this post there are some limitations regarding Team templates. I could not yet pre-configure the following:
- Team membership
- Team picture
- Channel settings
- Connectors
- Files and content
Conclusion, opinion and summary
Using templates is a good way to get a Team in Teams more standardized and deliver what’s needed anyway by certain teams/departments/… The process to create a template is easy and one of many options to establish some [Teams] team baselines which can be further customized if needed by Team Owners. The biggest advantage I see is that users which need to create a team in Teams, e.g. for a project, but don’t do this regularly are supported by this feature or users which do this regularly will be more effective in creating teams in Teams because of the pre-configured templates available to them.
So stay tuned, Microsoft is planning to add more capabilities here as the documentation says. I’m personally looking forward to add files and contents in a template which might allow to add a “readme”, although it is probably better to create a app for this, e.g. learning pathways or a SharePoint site with some adoption contents as well as a Teams etiquette etc.
Additional resources
Microsoft Teams features by platform
Microsoft recently published a very comprehensive support articel which describes which platform supports what features. You can read about activity feed, notifications, calendar, calls, files, meetings, live events, messaging, search, shifts, status, Teams and channels, Teams for Education.
Conclusion, opinion and summary
Although the site exist the pace of change is fast, i.e. it makes sense to always watch out Microsoft 365 status updates, follow the common Microsoft Tech Blogs as well as monitor the Microsoft 365 roadmap.
Additional resources
Microsoft Teams Sessions @Microsoft Ignite 2020
On September 22 – 24, 2020 Microsoft Ignite takes places online. There are as usual hundreds of sessions. We can expect that there will be something for everyone. And everything without travelling. Is it great?
For Microsoft Teams there are also many sessions, i.e. featured sessions, digital breakouts and ask the experts. The latter provides you the opportunity to engage with Teams product and engineering experts. For these sessions you need to book your virtual seat in and so you should book as soon as possible because the space is limited. For details check out the links at the bottom. Enjoy Ignite 2020!
Additional resources
Enable resource account for outbound call in Microsoft Teams Call Queues and Auto Attendants
In this post I describe how you can configure call forwarding to external PSTN phone numbers for a call queue or auto attendant in a Microsoft Teams Direct Routing configuration. Microsoft released the capability to forward phone calls via a Teams Auto Attendant and via a Teams Call Queue to a phone number. Also, the operator can have a (external/PSTN) phone number.
In the past this was not feasible this way, therefore you had to implement a workaround by configuring a “forwarding user” to reach the goal. This is no longer necessary. I’ll show you some screenshots to depict what you’ve got now with Teams Calling and Microsoft 365 Phone System.
Teams Auto Attendant – Operator – External Phone Number Option
Teams Auto Attendant – Call Flow – External Phone Number Option
Teams Call Queue – Call Flow – Externa Phone Number Option/s
Within call queues you have two options to forward a call to a phone number. The first option helps to deal with more as the maximum set amount of concurrent calls in a queue. The second option helps to deal with calls waiting in a queue for a certain amount of time.
What do I have to do to make this work with Teams Direct Routing?
Easy, you have to do two things:
- assign a Virtual Phone System User license (!!!) (if not done yet) to the Teams Resource Account (also note the docs.microsoft.com statement saying, “Phone System licenses aren’t supported”, so assigning a E3 + phone system license might not work)
- assign an Online Voice Routing Policy to the resource account which is assigned to the call queue or auto attendant [with PowerShell]
- Wait for some time (as I was testing this, I configured this in the late afternoon and the next morning it was working as expected, this might be different and I’m not aware of a default duration till it is applied and will work)
I’ll not explain how to get and assign the license, I’ll explain the assignment of the Online Voice Routing Policy because at the time of writing this post, you have to assign the policy by using PowerShell.
Assign an Online Voice Routing Policy to a resource account
#Teams Direct Routing
#Enable resource account for outbound call in Microsoft Teams Call Queues and Auto Attendants
#Example code
Import-Module SkypeOnlineConnector
#Login
if ($cred -eq $null) {$cred = Get-Credential}
#W/O MFA:
$sfbosession = New-CsOnlineSession -Credential $cred
#WITH MFA:
#$SFBOsession= New-CsOnlineSession ADMIN-UPN
#Import module
Import-PSSession -Session $sfbosession -AllowClobber
#List Online Voice Routing Policies
Get-CsOnlineVoiceRoutingPolicy
#Assign Online Voice Routing Policy to Microsoft Teams Resource Account for Teams Direct Routing
$user = "teams-resource-account@domain.tld"
$userovrp = "teams-direct-routing-online-voice-routing-policy"
Grant-CsOnlineVoiceRoutingPolicy -Identity $user -PolicyName $userovrp
#Get a cup or some more cups of coffee and wait!!!
#Check assignment
Get-CsOnlineUser $user | select OnlineVoiceRoutingPolicy
<#Please note
although it's set quickly it can take quite some time till it is really applied, you can see this on the SBC SIP traces which still points to Teams phone system which is rejecting the referred call with a "403 Forbidden", it detail it states some like that there is no viable outbound route.
#>
Remove-PsSession $sfbosession
Conclusion, opinion and summary
I’ve been waiting for this for some time by now, and now that the feature is available, without creating a workaround, I like it. Especially, because you can also do some automation by using PowerShell for your cloud hotlines based on Microsoft Teams call queues and auto attendants.
Additional resources
Microsoft Teams Security and Compliance Video Playlist
In this post I like to reference to a comprehensive video playlist regarding Microsoft Teams Security and Compliance. It contains eight short videos covering different and important topics for your collaboration security focusing on Microsoft Teams. The author of the YouTube videos is Matt Soseman, Security Architect at Microsoft.
Basically, Microsoft 365 services are secure by design, however there are settings and configuration aspects which might not yet be enabled by default. That’s why it is important to know what’s available to set it up to make your collaboration even more secure. Please find the link at the bottom Security & Compliance in Microsoft Teams [YouTube Playlist].
The following Teams related topics are covered in the the playlist:
- Identity and access management
- Advanced Threat Protection (ATP)
- Intune Mobile Application
- Data Loss Prevention (DLP)
- (Windows) Information Protection
- Cloud App Security and third party storage
- Cloud App Security and Azure Active Directory (AAD)
- Unified SecOps w/ Microsoft Threat Protection
Conclusion, opinion and summary
The duration for each video is below six minutes although the most important aspects are mentioned. These videos are an impressive summary for security and compliance capabilities related to Microsoft Teams and Microsoft 365.
In my opinion the videos are very good to get an overview on what security capabilities are available and to get a glimpse on how it works to help you.
Additional resources
- Security & Compliance in Microsoft Teams [YouTube Playlist]
- Matt Sosemann on YouTube [YouTube Channel]
- Security and compliance in Microsoft Teams [docs.microsoft.com]
Assign Teams policies by group
In this post I show how you can use (Azure) AD security groups or Microsoft 365 groups to assign Microsoft Teams Policies within the Teams Admin Center. This is handy to manage bulk or many different policy assignments via GUI. So, you don’t have to use and run your PowerShell scripts which might does the magic in larger environments with more versatile requirements regarding Microsoft Teams permissions.
Which policy is applied for a user?
Bascially, there are two types to assign a policy to a user: direct vs. indirect. Depending on how you assign a policy it is applied in a specific order as follows:
- directly assigned policy (no inheritance of a policy of from a group)
- no direct assigned policy (group policy with highest rank)
- no direct nor indirect assigned policy –> global (Org-wide default)
Quick start
In this section I list the steps you and things you need to do.
- Create Azure AD group/groups
- Add users to the group/groups
- Create custom policy/policies in Teams Admin Center, e.g. a custom meeting or messaging policy
- Assign the Azure AD group / groups to the custom policy/policies
Azure AD Group creation example
To assign policies to a group of users you need to create or have a group in Azure AD. Either a security or Microsoft 365 group. In this example, I prefer a security group because in this case I don’t want to have the Microsoft 365 group overhead for assigning permissions. Also, I create a static/assigned group and no dynamic group.
Don’t forget to add users to the group.
Group policy assignment via Teams Admin Center
In different areas in the Teams Admin Center you can create and assign policies, e.g. for meetings. As you can see in the below depicted screenshot there is also a further sub-menu or -register where you can click on “Group policy assignment”. The following screenshots will walk you through the assignment process.
That’s actually it.
But how to verify that the policies are assigned?
Well, Microsoft also provides a log showing the policy assignment status for the last 30 days.
Check policy assignment status for the last 30 days
- Teams admin center dashboard
- activity log
- view details
- view all policy assignment/s which you can also filter (not started, in progress, completed)
PowerShell code snippet for policy assignment (example)
#Example code snippet for Teams Batch Policy Assignment
#20200816 Erik Kleefeldt
#Required permissions: Teams service admin, a Teams communication admin, or Global Administrator
#Currently supported policy types (subject to change at any time): CallingLineIdentity, ExternalAccessPolicy, OnlineVoiceRoutingPolicy, TeamsAppSetupPolicy, TeamsAppPermissionPolicy, TeamsCallingPolicy, TeamsCallParkPolicy, TeamsChannelsPolicy, TeamsEducationAssignmentsAppPolicy, TeamsEmergencyCallingPolicy, TeamsMeetingBroadcastPolicy, TeamsEmergencyCallRoutingPolicy, TeamsMeetingPolicy, TeamsMessagingPolicy, TeamsUpdateManagementPolicy, TeamsUpgradePolicy, TeamsVerticalPackagePolicy, TeamsVideoInteropServicePolicy, TenantDialPlan
#Note: Policy assignments are updated if a user is added/removed
#Use at your own risk, this is just an example code snippet
#For further details/reference please see https://docs.microsoft.com/en-us/microsoftteams/assign-policies
#Install modules
Install-Module -Name AzureAD
Install-Module -Name MicrosoftTeams
#Connect services
Connect-MicrosoftTeams
Connect-AzureAD
#Get users
$AzureUsers = Get-AzureADUser
#Assign policy to a group
#Soft limit: 50 000 users per group
Get-AzureADGroup -SearchString "SEC-EUDE*"
New-CsGroupPolicyAssignment -GroupId <object id of AAD group> -PolicyType TeamsMeetingPolicy -PolicyName "Meeting-StandardUser" -Rank 1
#Check assignment for group/s
Get-CsGroupPolicyAssignment -GroupId <object id of AAD group>
#Get all groups with assigned Teams Meeting policies type
Get-CsGroupPolicyAssignment -PolicyType TeamsMeetingPolicy
#Remove assignment to a group for a meeting policy
Remove-CsGroupPolicyAssignment -PolicyType TeamsMeetingPolicy -GroupId <object id of AAD group>
#Batch job
#Limit: < 5000 users per batch
#Assign meeting policy batch
New-CsBatchPolicyAssignmentOperation -PolicyType TeamsMeetingPolicy -PolicyName "Meeting-StandardUser" -Identity $users.SipProxyAddress -OperationName "20200816-AssignStandardMeetingUserPolicy"
#Check batch operation status
Get-CsBatchPolicyAssignmentOperation -OperationId <ID shown after New-CsBatchPolicyAssignmentOperation is executed> | fl
#Check batch operation status for users
Get-CsBatchPolicyAssignmentOperation -OperationId <ID shown after New-CsBatchPolicyAssignmentOperation is executed> | Select -ExpandProperty UserState
#Disconnect services
Disconnect-MicrosoftTeams
Disconnect-AzureAD
Conclusion, opinion and summary
Assigning policies to AAD/AD user objects is a very common activity. It eases the daily business and AAD/AD user life cycle and permission management. This is something which should, actually must, be automated in every IT organization. It’s a no-brainer to automate permission assignements based on groups during the creation or change process of an AAD/AD user object. Now, that this is already available for some time in Teams you might want to use it, too, to enhance the grade of your AAD/AD user management process a little more.
In case you already implemented a Teams policy assignment process before the above methods were available, you might review your as-is and transition to the new methodes available. I assume the new methods are more sophisticated than using just combinations of AD groups, PowerShell scripts for direct Teams policy assignment/s.
Additional resources
Call loops after enabling busy on busy for Microsoft Teams Calling with Audiocodes Mediant
In this post I describe how you can fix a call loop and cause code issue with busy on busy enabled in Microsoft Teams Direct Routing in conjunction with a Audiocodes Mediant Session Border Controller. In one of my recent Teams Direct Routing deployments I came across an issue as soon as I enabled Busy on Busy in the Microsoft Teams Admin Center, as described in one of my previous blog posts, here.
Scenario
- Microsoft Teams Direct Routing
- Audiocodes Mediant VE Session Border Controller (SBC) V 7.20A.256.721
- PSTN SIP Trunk Provider
- Microsoft Teams Busy on busy (BoB) enabled for the user/s
Issue
Enabling busy on busy on Teams caused call loops, many missed calles shown in the call history in the Teams client.
Usual calls incoming, outgoing, call forwarding etc. worked fine but after assignment of the policy including the enabled busy on busy the caller caused a “call loop” and many missed calls in the call history while the callee was still on a call with someone else.
Actually the above SIP flow looks ok but why on earth is the second caller’s number showing up that often? That’s the loop we get and the many missed calls as long as the called person is still busy on another call.
Solution
Usually, 486 Busy Here should be ok towards the PSTN SIP Trunk provider because this says “busy”. However, it did not really say “busy” or provide the “busy” tone to the second caller.
After some research I came across an helpful blog post from Luca Vitali describing a similar issue with the difference that he’s seeing this in a TDR deployment with a TDM PSTN trunk and a different cause code sent by Microsoft 365 Phone System.
So, I checked the SIP reason header in more detail for the “486 Busy Here”. Viewing the SIP message logs by using the SysLog Viewer I found REASON: Q.850;cause=34;text=”171015b7-8b51-4fca-b9c0-d5f052823334;User is busy and currently active on another call.” There I noticed “cause=34” which means “no circuit available”. Is this not ok? That could be the possible issue because Microsoft 365 Phone System sends the above in a BoB scenario and probably the PSTN SIP Trunk provider looks not only on the “486 Busy Here” but also in the details of the Reason including the Q.850 cause codes which does not include the right code for “busy”.
So, just set up a message manipulation rule on the Audiocodes SBC to change the cause in the SIP reason line.
Example of the message manipulation rule to change the Header Reason Cause Code:
[ MessageManipulations ] FORMAT Index = ManipulationName, ManSetID, MessageType, Condition, ActionSubject, ActionType, ActionValue, RowRole; MessageManipulations 2 = "MM-Teams-486BusyHere-34-17", 1, "Any", "Header.Reason.Reason.Cause == '34'", "Header.Reason.Reason.Cause", 2, "'17'", 0; [ \MessageManipulations ]
This message manipulation rule is based on the message manipulation set id assigned to the IP Group for Teams as an inbound message manipulation.
Please note that the above is just provided as-is and might require adjustments for your deployment. Also, the above manipulation of the cause code might be adjusted if Microsoft Phone System was changed and it sends out another cause code in the Reason Header. I thought of using “…!= ’17′” to always change the cause code in the Reason Header but that’s no good idea because it can cause other issues.
After the message manipulation was implemented I successfully re-tried.
And also the SBC SIP flow is now fine, no more loops due to BoB and the second caller gets his regularly busy tone.
UPDATE 01.08.2020
It’s also an option to remove the reason header instead of changing the Header.Reason.Reason.Cause.
