Managing Microsoft Teams Phone Policies

November 2, 2019 by · 23 Comments 

As Microsoft and their certified device partners gear up to bring more native Microsoft Teams IP Phones to the market the management and customization of the device experience is also being expanded upon.  This article introduces the current capabilities of a new PowerShell cmdlet created specifically to manage the user experience of these devices.

For some time the Set-CsIPPhonePolicy cmdlet has been available in the Skype for Business Online PowerShell module, which initially only applied to Lync Phone Edition, but was later also used with 3PIP-qualified devices (like VVX phones).  That cmdlet only controls a single globally-applicable set of parameters though, so it was not possible to create different sets of behaviors which could be applied to different groupings of phones.

With Microsoft Teams a new cmdlet named Set-CsTeamsIPPhonePolicy has been introduced, which is still included in the Skype for Business Online PowerShell module alongside all other Teams platform administrative cmdlets.  At the time of posting this article Microsoft has not yet published any official documentation for this cmdlet, but the functionality is already present in Office 365 tenants.

The most obvious change between the Skype IP Phone functionality and the what now exists for Teams devices is there is also a New-CsTeamsIPPhonePolicy cmdlet which allows the creation of custom policies in addition to the default global policy (which can be modified if desired).  This addresses a long overdue customer request to assign unique parameter values to different categories of phones, be it by location, department, use-case, etc.  Alongside this cmdlet is the requisite Grant-CsTeamsIPPhonePolicy cmdlet which is used to assign

Currently there is a very limited set of parameters available to actually control phone behavior, but the groundwork has been laid to start defining unique policies and then assigning these polices to user accounts to control their IP phone experiences.

Investigating the New Cmdlets

To take a closer look at this new capability launch PowerShell and import the Skype for Business Online module (if installed) as outlined in numerous articles like this.  Then list out the available cmdlets in the imported module that match the ‘TeamsIPPhone’ naming scheme.

  • Launch PowerShell and connect to Skype for Business Online using an account which sufficient administrative rights in the desired tenant.

Import-Module SkypeOnlineConnector
$sfbo = New-CsOnlineSession -UserName jeff@msteams.net
Import-PSSession $sfbo

  • Enter the following command to list all available cmdlets matching the desired string.  Take note that the name of the module is dynamic and will be unique for every imported session, so use the name shown after successfully importing the Skype module (e.g. tmp_iwwu1ido.jpc).

Get-Command -Module tmp_iwwu1ido.jpc | Where-Object {$_.Name -like “*TeamsIPPhone*”}

The results should look like the following:

image

The five new cmdlets could logically be grouped as:

  • [Get|Set]-CsTeamsIPPhonePolicy – used to review and modify the parameters of an existing global or user policy.
  • [New|Remove]-CsTeamsIPPhonePolicy – used to create and delete user policies.
  • Grant-CsTeamsIPPhonePolicy – used to assign users to a specific user policy which will override the Global policy’s behavior.

Notice that there is no companion cmdlet for the ‘Grant-’ cmdlet.  This is because, like all other Skype and Teams policy-related cmdlets, the process to remove a user from an assigned user policy is simply to run the same cmdlet again, but instead assign the user to a $null policy.  Users can only be assigned to user policies and cannot explicitly be assigned to a global policy; assigning them to a null policy will return them to the default behavior of adhering to the global policy.

The next step into investigating the configuration would be to take a look at the default Global policy.

  • Run the Get-CsTeamsIPPhonePolicy cmdlet to list all defined policies and their current settings.

Get-CsTeamsIPPhonePolicy

image

The default configuration in all Office 365 tenants should simply return a single Global policy with the parameters shown above.  As previously mentioned, the list of configurable parameters in these policies are currently quite limited.  In fact, at the time this article was written there are only two behaviors which can be controlled: the primary client experience via the sign in mode, and the inclusion of the Search function on Common Area Phones.

As best practices typically dictate it is generically recommended to leave the default global parameters as they are and create new user policies to customize any behavior.  Be aware that the only available policy types here are global and user, so if there is a behavior which would be deemed desirable for all users then it would be easier to manage this change at the global level then having to manually add every new user account in the tenant to a specific user policy.  This would likely become more applicable if/when future parameters are added here that make sense to modify at a tenant-wide level, as the available settings are not really good candidates for a tenant-wide change.

Now that some parameter values have been discovered the piece to uncover is what are the possible configuration options for these settings?  A simple way to find that out in PowerShell is to attempt to set a parameter to an obviously invalid value and when the cmdlet fails the error response will return the list of accepted values.

  • Run the Set-CsTeamsIPPhonePolicy cmdlet using a bogus value (e.g. NotARealParameterValue) for the SignInMode parameter

Set-CsTeamsIPPhonePolicy -SignInMode “NotARealParameterValue”

image

This invalid command has returned a list of possible values for the parameter which includes UserSignIn, CommonAreaPhoneSignIn, and MeetingSignIn.

  • Run the same command as above, but against the SearchOnCommonAreaPhoneMode parameter.

Set-CsTeamsIPPhonePolicy -SearchOnCommonAreaPhoneMode “NotARealParameterValue”

image

This parameter is a simple ‘on/off’ switch as the only possible values are Enabled or Disabled.

Sign In Mode

What the SignInMode parameter controls is essentially the overall user experience on the Teams device Android client.  There are three different options which provide three unique interfaces targeted at three specific, common use-cases: regular users, shared meeting rooms, and common areas.  The available parameter values are as follows:

UserSignIn

The UserSignIn setting provides the full client experience which is typically targeted for regular phone users.  Unless any changes are applied to the tenant using the cmdlets and guidance in this article then all user accounts signing into all Teams IP phones will receive this experience as the default global policy is set to this value.

The latest phone software no longer prompts the user during sign-in to select if they want a Personal or Shared experience (as outlined in a past article).  The account type which is signing into the phone does not matter, so whether it is a user mailbox or room mailbox or if it has been enabled in Skype for Business using the CsMeetingRoom cmdlet set is irrelevant.  Additionally, the type of Office 365 license applied to the account has no effect here either.  Thus, an account configured as a room mailbox and assigned a Common Area Phone license (which is a bad idea for other reasons) will still show the full client experience when signing into a Teams phone in this example tenant based on the fact that only the single global policy exists which is set to UserSignIn mode.  In short, the overall client experience is controlled only by this PowerShell policy, and nothing else.

This mode provides the full client experience which includes the Calls, Calendar, and Voicemail screens, the Search button, the Call Park button, and the New Meeting/New Call buttons, as shown in the following screenshots from a Poly CCX 600 phone.

Calls

image

Calendar

image

Voicemail

image

Note that the screenshots above are using the Dark Theme option, which is not the default appearance. Once a user signs into a phone then they can enable Dark Theme directly from within the client’s Settings menu; this is not a setting which is currently controllable by an administrator.

MeetingSignIn

This setting is meant to be used on phones which are located in conference rooms where the primary use case is joining scheduled meetings.  In order to utilize this mode on a phone a new user policy must be created so that it can be assigned to the user account which will be signed into the phone.

  • Using the New-CsTeamsIPPohnePolicy cmdlet create a new user policy and configure the sign in mode for meeting devices.

New-CsTeamsIPPhonePolicy -Identity “MR” -Description “Meeting Room Phone User Policy” -SignInMode MeetingSignIn

image

  • Assign the new meeting room policy to the desired user account.

Grant-CsTeamsIPPhonePolicy -PolicyName “MR” -Identity “trio8500@msteams.net”

When logging into a Teams phone using this account the interface will default to showing only the Calendar view, and the Dial button if the account is Enterprise Voice enabled with the requisite Phone System licensing.  Some of the available options in the client are hidden from the user, like the Sign Out menu item has been relocated to the Settings > Device Settings > Admin Only menu which is password-protected.  The Search button is still available, but the Call Park button has been removed.

The following screenshots where taken from a Poly Trio 8500 using the account which was added to the Meeting Room policy in the previous steps.  For comparison’s sake images from both the default theme and dark theme are shown below.

image     image

CommonAreaPhoneSignIn

This setting provides to most restrictive user experience intended for phones in common areas which may even be placed in public area.  In order to utilize this mode on a phone another new user policy should be created so that it can be assigned to other user accounts.

  • Using the New-CsTeamsIPPohnePolicy cmdlet create a new user policy and configure the sign in mode for common area devices.

New-CsTeamsIPPhonePolicy -Identity “CAP” -Description “Common Area Phone User Policy” -SignInMode CommonAreaPhoneSignIn –SearchOnCommonAreaPhoneMode Disabled

image

The SearchOnCommonAreaPhoneMode parameter can be set to either Enabled or Disabled, whichever is preferred.

  • Assign the new common area policy to the desired user account.

Grant-CsTeamsIPPhonePolicy -PolicyName “CAP” -Identity “ccx400@msteams.net”

When logging into a Teams phone using this account the only the dial pad will be displayed along with the Call Park button. The Search function can selective be hidden or shown via the other setting in the policy.

image     image

  • To allow the Search function to be used on Common Area Phones simply modify the newly created user policy to enable that feature.

Set-CsTeamsIPPhonePolicy -Identity CAP -SearchOnCommonAreaPhoneMode Enabled

Once the policy change is picked up by the phone it should display the Search button.

image     image

Review Configuration

  • To view the existing policy configuration simply run the Get-CsTeamsIPPhonePolicy cmdlet to list all defined policies and their current parameter values.

Get-CsTeamsIPPhonePolicy

image

  • To quickly check which users have been assigned to a user policy run the following command to list all users in the tenant, showing only the User Principal Name (UPN) and TeamsIPPhonePolicy parameters.  (Users with no value set for the phone policy will adhere to the Global policy.)

Get-CsOnlineUser | ft UserPrincipalName, TeamsIPPhonePolicy

image

About Jeff Schertz
Site Administrator

Comments

23 Responses to “Managing Microsoft Teams Phone Policies”
  1. Tyrone says:

    Hi Jeff

    Thank you once again.

  2. Ray says:

    Thank you Jeff for the detailed information! One question, when trying to grant the CsTeamsIPPhonePolicy to a room resource it doesn’t seem to take as the phone (Trio 8500) keeps defaulting to “UserSignIn” experience. When running the below nothing shows up for the CsTeamsIPPhonePolicy.

    Get-CsOnlineUser -Filter {DisplayName -eq “Resource Name”} | Select-Object DisplayName, UserPrincipalName, CsTeamsIPPhonePolicy

    • Jeff Schertz says:

      The object name is “TeamsIPPhonePolicy”, so you need to remove the ‘Cs’ from in front of it in your Select-Object cmdlet. The policy will apply to the account during sign-in regardless of whether it’s configured with a user mailbox or resource mailbox.

  3. Jennifer says:

    So this has answered so many questions about the latest firmware for the Poly Trios. However, after setting this policy on a specific account and restarting the phone, the Shared experience is not what is set. What else has to be done? I’ve waited almost 2 hours since applying the policy but no luck so far.

    • Jeff Schertz says:

      As with anything in Teams give it at least overnight before you give up. I’ve seen changes replicate quickly, while others take many hours. That being said I just tested on an account after around 2 hours and the Trio is in Meeting sign-in mode as expected.

  4. Mustafa says:

    You’re a life saver, Jeff, thank you.

    I spent two months with Microsoft and Yealink support reps on why our phones weren’t logging in as Common Area or Meeting Room and this post was the solution. Applied the policy, waited about 3 hours, and finally a phone and account that work as intended.

  5. Kazzan says:

    Should be device assigned Shared Mode (Poly Trio) visible in https://admin.teams.microsoft.com/devices/manage blade?

    • Jeff Schertz says:

      Yes, the Trio should appear under Devices appear in the Teams Admin Center, but this might not be in your tenant yet as the phone management solution is rolling out in Teams.

  6. Philipp says:

    Hi, is there any way to get my exchange365 contacts to the ipphone, to names instead of the numbers?

  7. Qiangsheng Yang says:

    I can’t find a suitable place to inquire about polycom cx600. Polycom cx600 prompts “Poor network conditions are causing audio quality issues”. Based on what standard is this error prompt thrown?

  8. Joel says:

    Is there a way to allow rooms set to use MeetingSignIn to still allow the user to view the meeting comments? We still use Zoom heavily which puts all the dial information in the meeting comments. We’re using Yealink CP960s.

    • Jeff Schertz says:

      Joel, no. It appears that in the Meeting Room view the calendar items cannot be opened like they can in User mode. It seems that only Teams (Join) and Skype (Call) meetings are actionable on the phone. Hopefully Microsoft addresses this an update as it seems a bit crippling.

  9. Niv Dolgin says:

    Awesome write-up! Just a couple questions tho:
    If you assign the MR policies decribed her to a Room account AFTER its setup, will it apply wautomagically, or does each user need to sign out & sign back in.

    Also, are new MR or CAP per-user policies assigned to specific accounts expected to be visible in the Teams Admin Center (Users -> Select Room Account -> Policies Tab -> Assigned Policies -> Team Policy section)? Or can it only be seen via powershell using Get-CsOnlineUser -Identity | ft UserPrincipalName, TeamsIPPhonePolicy

    • Jeff Schertz says:

      They changes should automatically apply after some time, but I’ve had to reboot a phone to seemingly expedite it as well. There’s no documentation on the behavior so it appears to fall into the “just wait longer” category. These policies can only be seen/modified via PowerShell; they are not visible in the Teams Admin Center and I don’t know if there are any plans to do so.

  10. Shane Smith says:

    Hello Jeff,

    I am running Native mode and it requires Microsoft Intune to work. Does your implementation include Intune, and if not how did you bypass that? Also my only issue seems to be getting the Meeting tab up and running, I can only see the magnifying glass in Shared mode and Calls and voicemail in Personal mode. Any help would be appreciated. Great column by the way.

    • Jeff Schertz says:

      I’m not sure what you mean by it requires Intune to work. I’ve used the client to sign into tenants without Intune licensing and with user licenses which do not include the Intune app. Are you receiving a specific error?

  11. Dave says:

    You have no idea how much this single article has saved dozens of hours of experimenting on my end Jeff, thank you very much.

    I have one question which you may or may not be able to answer – when an ipphonepolicy is set to the UserSignIn Sign In Mode, is there any way to restrict someone from accessing the touchpanel of the phone and deleting meetings that that phone/meeting room has been invited to? Want to avoid having to go to the MeetingSignIn Sign In Mode if possible ….

  12. Jim says:

    Jeff this is awesome! thank you! Is there any progress on coming up with better together capabilities for native Teams phones?
    Thanks again!
    -Jim

  13. Jeff Schertz says:

    Yes, this is planned via Bluetooth as communicated by Microsoft here: https://microsoftteams.uservoice.com/forums/555103-public/suggestions/34826992-btoe
    No date yet on when it’s coming though.

Trackbacks

Check out what others are saying about this post...


Speak Your Mind

Tell us what you're thinking...
and oh, if you want a pic to show with your comment, go get a gravatar!