Creating Microsoft Teams Rooms Accounts

February 3, 2019

This article revisits the topic of creating accounts which are used by Microsoft Teams Rooms (MTR), formerly known as the Skype Room System (SRS) v2 platform.  The guidance in this article is applicable to creating online accounts for any natively supported device, from Polycom VVX and Trio phones, to the various Skype Room System offerings from Logitech, Crestron, Polycom, HP, and others.

The directions in this article are performed with an Office 365 tenant utilizing Exchange Online, Skype for Business Online, and Microsoft Teams.  For Server or Hybrid scenarios where the account and/or mailbox is stored on-premises a slightly different process will need to be utilized which is essentially the same as what has been used since the advent of the original Lync Room System platform.

Account Configuration

The majority of the configuration is performed in PowerShell in order to create and modify the account.  While the account configuration for meeting room devices is unique, these are still at the core an Active Directory User Object which has been mailbox-enabled in Exchange as a Room type of resource mailbox.  These are not new concepts and the underlying configuration has followed this arrangement for a long time.

Connect PowerShell

For more details on using Windows PowerShell to connect to and manage the various Office 365 services online refer to this previous article.  The installation steps in that article must first be completed to prepare a Windows workstation with the proper software and modules to connect to each online service remotely via PowerShell.  Once that installation has been completed, or if it has previously been taken care of on the workstation, then continue with the following steps.

  • Search for and launch the previously installed Microsoft Exchange Online PowerShell Module.

image

  • Execute each of the following cmdlets to connect to each service required to complete the account configuration.  Enter the credentials of an account with administrative rights to the Office 365 tenant when prompted by each service.  (Note that all five lines below can be copied and pasted into the PowerShell window at once.)

Connect-EXOPSSession
Connect-MsolService
Import-Module SkypeOnlineConnector
$skype = New-CsOnlineSession
Import-PSSession $skype

image

Select Account License

When creating a new account via PowerShell the desired location and licensing information will need to be provided.  If this information is already known then this step can be skipped.

  • Execute the following Get-MsolAccountSku cmdlet to list all available licenses in the current tenant.

Get-MsolAccountSku

image

Record the desired AccountSkuId parameter value (e.g. jschertz:ENTERPRISEPREMIUM) for the desired primary license to be assigned to the room system account.  As discussed in past articles the license assigned to this account will need to include at minimum Skype for Business Online Plan 2 and/or Microsoft Teams, but often Business Premium or Enterprise plans are used.  In December 2018 Microsoft introduced a new Meeting Room Office 365 license subscription specifically for devices, so these licenses are ideal for devices like Microsoft Teams Rooms.

In this article the Meeting Room license (e.g. jschertz:MEETING_ROOM) will be used.  Also take note that this tenant includes Calling Plan add-on licenses (jschertz:MCOPSTN2) which will be assigned to the account.  This is an optional step but provides additional functionality to the room systems by allowing PSTN calls to and from the room.  Because the new Meeting Room license

Define Variables

To streamline this process and allow most of the remaining cmdlets to be copied and pasted unchanged, the next step is to define a set of variables which will be used throughout the various steps.  Enter the following lines to set each variable to the desired value.

  • Set the desired identity (User Principal Name (UPN), SMTP address, SIP URI, etc.) of the new account as the $newRoom variable.
  • Select an appropriate display name for the account as the $name variable.
  • Define a new, valid password as the $pwd variable.
  • Enter the desired license name which was discovered in the previous section as the $license variable.
  • Enter the valid 2-letter country code for the appropriate location where this account will be used as the $location variable.

$newRoom="mtr@msteams.net"
$name="Microsoft Teams Room"
$pwd="Password!23"
$license="jschertz:MEETING_ROOM"
$location="US"

image

Create New Account

This step will create a new account in Azure Active Directory and simultaneously mailbox-enable the account in Exchange Online as a Room resource mailbox.  It also sets the password defined in the previous section and then enables the account for authentication.

  • Run the following New-Mailbox cmdlet to create the new account.

New-Mailbox -MicrosoftOnlineServicesID $newRoom -Name $name -Room -RoomMailboxPassword (ConvertTo-SecureString -String $pwd -AsPlainText -Force) -EnableRoomMailboxAccount $true

image

It is recommended to wait about 30 seconds after the mailbox has successfully been created before attempting to run the commands in the next section, otherwise errors may occur.

Configure Account

The following steps will be used to configure the additional requisite and recommended options on the account and mailbox.

  • After waiting 30 seconds run the following Set-MsolUser cmdlet to disable password expiration and set the UsageLocation.

Set-MsolUser -UserPrincipalName $newRoom -PasswordNeverExpires $true -UsageLocation $location

image

  • Run the following Set-MsolUserLicense cmdlet to assign the appropriate Office 365 license to the new account.

Set-MsolUserLicense -UserPrincipalName $newRoom -AddLicenses $license

image

  • Run the following Set-Mailbox cmdlet to set the Outlook MailTip which appears when sending meeting invitations to the room mailbox.

Set-Mailbox -Identity $newRoom -MailTip "This room is equipped to support Teams and Skype Meetings"

image

  • Run the following Set-CalendarProcessing cmdlet to configure how meeting invitations are processed by Exchange for this mailbox. 

Set-CalendarProcessing -Identity $newRoom -AutomateProcessing AutoAccept -AddOrganizerToSubject $false -RemovePrivateProperty $false -DeleteComments $false -DeleteSubject $false -AddAdditionalResponse $true -AdditionalResponse "Your meeting is now scheduled and if it was enabled as a Teams or Skype Meeting will provide a seamless click-to-join experience from the conference room." 

image

It is especially important that the -DeleteComments and -DeleteSubject settings are applied correctly, otherwise invitations may appear on the meeting room device but without the "Join" button needed to connect to the meeting.  These two parameters are set to $true by default when creating a room mailbox through normal methods, thus they must be manually set to $false as shown here.

Enable Meeting Room

These steps are required to enable the account for use with Skype for Business and/or Microsoft Teams.  It is recommended to wait at least 5 minutes after initially creating the account before attempting to enable the account as a meeting room in Skype for Business Online, due to replication intervals.  Sometimes it can take even longer (have seen up to 15 minutes) before this step will successfully complete.

  • Run the following Get-CsOnlineUser cmdlet to list the assigned SIP registrar(s) for all Skype-enabled accounts in the tenant.

Get-CsOnlineUser |ft RegistrarPool

image

The results above indicate that all accounts in the tenant are in the same pool (e.g. sippoolblu2a05.infra.lync.com). 

  • After waiting several minutes run the following Enable-CsMeetingRoom cmdlet, replacing the RegistrarPool value with the FQDN returned in the previous step to enable the new room account.

Enable-CsMeetingRoom -Identity $newRoom -SipAddressType "EmailAddress" -RegistrarPool "sippoolblu2a05.infra.lync.com"

image

If the previous cmdlet returns an error of "Management object not found for identity" then the account enablement has not yet been completed in the cloud.  Wait a few more minutes before attempting to run this cmdlet again.

Configure Enterprise Voice

If the room account will also require PBX and PSTN capabilities then the following steps can be used to enable the account appropriately.  For Microsoft Teams either Direct Routing or Calling Plans can be utilized to provide PSTN services to the account.  The tenant in this example currently has an available Calling Plan license which will be used for this purpose.

  • Run the following Set-CsMeetingRoom cmdlet to enable the account for Enterprise Voice

Set-CsMeetingRoom -Identity $newRoom -EnterpriseVoiceEnabled $true

image

  • Assign the appropriate Microsoft Calling Plan license (e.g. MCOPSTN2) to the room account using the following cmdlet.

Set-MsolUserLicense -UserPrincipalName $newRoom -AddLicenses "jschertz:MCOPSTN2"

image

At this point the account configuration is complete and can be used with a meeting room device.
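The steps in the Define Variables through Configure Enterprise Voice sections above, collected into a single function as an added example (this is not code from the original article).  It assumes the Exchange Online, MSOnline and Skype for Business Online sessions from the Connect PowerShell section are already open.  The password is taken as a SecureString parameter rather than the article's plain-text `$pwd` variable (which also shadows PowerShell's automatic `$PWD` current-directory variable), the Enable-CsMeetingRoom step retries on the "Management object not found" replication error the article describes, and the function finishes by reading back the settings that most often break the Join button.  The function name, parameter names and the example values in the usage comment are all constructed for this example.

```powershell
# Added example: one function covering the article's account creation and configuration steps.
# Assumes Connect-EXOPSSession, Connect-MsolService and the Skype Online session are already established.
function New-TeamsRoomAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $Identity,       # UPN / SMTP address / SIP URI, e.g. mtr@msteams.net
        [Parameter(Mandatory)] [string]       $DisplayName,
        [Parameter(Mandatory)] [securestring] $Password,       # kept as a SecureString end to end
        [Parameter(Mandatory)] [string]       $License,        # AccountSkuId value from Get-MsolAccountSku
        [Parameter(Mandatory)] [string]       $RegistrarPool,  # FQDN reported by Get-CsOnlineUser
        [string] $UsageLocation = 'US',
        [string] $CallingPlanLicense                           # optional, e.g. <tenant>:MCOPSTN2
    )

    # 1. Create the Room resource mailbox and its Azure AD account in one step (as in the article).
    New-Mailbox -MicrosoftOnlineServicesID $Identity -Name $DisplayName -Room `
        -RoomMailboxPassword $Password -EnableRoomMailboxAccount $true | Out-Null
    Start-Sleep -Seconds 30   # the article's recommended pause before modifying the new object

    # 2. Directory attributes and primary license.
    Set-MsolUser -UserPrincipalName $Identity -PasswordNeverExpires $true -UsageLocation $UsageLocation
    Set-MsolUserLicense -UserPrincipalName $Identity -AddLicenses $License

    # 3. Mailbox behaviour. DeleteComments/DeleteSubject default to $true on room mailboxes and
    #    must be $false, otherwise the device shows the invitation without a Join button.
    Set-Mailbox -Identity $Identity -MailTip 'This room is equipped to support Teams and Skype Meetings'
    Set-CalendarProcessing -Identity $Identity -AutomateProcessing AutoAccept `
        -AddOrganizerToSubject $false -RemovePrivateProperty $false `
        -DeleteComments $false -DeleteSubject $false `
        -AddAdditionalResponse $true -AdditionalResponse 'Your meeting is now scheduled.'

    # 4. Enable the meeting room, retrying while directory replication has not caught up.
    #    -ErrorAction Stop turns the remote cmdlet's non-terminating error into one the catch block sees.
    $enabled  = $false
    $deadline = (Get-Date).AddMinutes(20)
    do {
        try {
            Enable-CsMeetingRoom -Identity $Identity -SipAddressType EmailAddress `
                -RegistrarPool $RegistrarPool -ErrorAction Stop
            $enabled = $true
        } catch {
            if ($_.Exception.Message -notmatch 'Management object not found') { throw }
            Write-Verbose 'Account not yet replicated to Skype for Business Online; retrying in 60 seconds'
            Start-Sleep -Seconds 60
        }
    } until ($enabled -or (Get-Date) -gt $deadline)
    if (-not $enabled) { throw "Enable-CsMeetingRoom did not succeed for $Identity within 20 minutes" }

    # 5. Optional PSTN calling via a Calling Plan license.
    if ($CallingPlanLicense) {
        Set-CsMeetingRoom -Identity $Identity -EnterpriseVoiceEnabled $true
        Set-MsolUserLicense -UserPrincipalName $Identity -AddLicenses $CallingPlanLicense
    }

    # 6. Read back the settings worth verifying before handing the account to a device.
    $cp = Get-CalendarProcessing -Identity $Identity
    [pscustomobject]@{
        Identity       = $Identity
        DeleteComments = $cp.DeleteComments          # expected: False
        DeleteSubject  = $cp.DeleteSubject           # expected: False
        RegistrarPool  = (Get-CsOnlineUser -Identity $Identity).RegistrarPool
    }
}

# Usage (constructed example values, not the article's tenant):
# New-TeamsRoomAccount -Identity 'mtr@msteams.net' -DisplayName 'Microsoft Teams Room' `
#     -Password (Read-Host -AsSecureString 'Room account password') `
#     -License '<tenant>:MEETING_ROOM' -RegistrarPool 'sippoolblu2a05.infra.lync.com' -Verbose
```

The returned object is the quick check to run before configuring a device: both Delete* values should be False and RegistrarPool should match the pool supplied.  If the function throws after 20 minutes the account exists but is not yet enabled as a meeting room, and only step 4 needs to be rerun.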

Device Configuration

For the purposes of this article the Polycom + HP SRS Microsoft Teams Room solution will be used to test the account configuration, but these instructions are identical for any of the qualified solutions available today from various Microsoft partners.

The account information can be added to a Microsoft Teams Room device either during the initial setup process by simply booting up the device and following the setup screens, or by selecting the Settings icon in the lower-right corner of the control interface’s default screen.

  • If performing first-time setup then accept the Microsoft Software License Terms and select Next.

image

After accepting the license, or if performing the configuration on a previously configured system, then the User Account screen will appear.

image

  • In the Skype sign-in address field enter the identity selected for the room account which was created (e.g. mtr@msteams.net) and then complete the Password fields.

image

The Exchange address field will have automatically populated with the same value entered above and should not be changed given the account configured for this unit has the same value for its account name, SIP URI, and SMTP address.

The Domain\username (optional) field should be left blank.  This field is only needed in the event that the account’s SIP URI does not match the account’s UPN and/or legacy account name.  In those situations this field should be used to provide UPN (username@domain.com) or the legacy account name (DOMAIN\username).

  • In the Supported meeting mode menu select the Skype for Business and Microsoft Teams (default) option.

The Supported meeting mode setting is a newer setting which was added last year once support for Microsoft Teams was introduced to the product.  This setting essentially controls which meeting platform(s) can be used as well as which will be used as the default.  The available options are:

  1. Skype for Business only
  2. Skype for Business and Microsoft Teams (default)
  3. Skype for Business (default) and Microsoft Teams

This platform currently defaults to the Skype for Business only option, which means that calls and meetings with Microsoft Teams users will not work and the interface will not provide a "Join" button for any Microsoft Teams meetings seen on the device’s calendar.  To enable support for Microsoft Teams meetings either of the other two settings must be selected.  Both of those options support joining Skype and Teams meeting invitations; the "(default)" portion of the name indicates which platform will be used when the New Meeting and Dial Pad options on the home interface are selected.

The Bluetooth Beaconing setting is also enabled by default, although at the time of posting this article that capability has not yet been made generally available to Microsoft Teams users.  While the beaconing setting and functionality have been appearing in the Microsoft Teams Room software for several releases, at this point the pairing functionality is not yet available in the desktop or mobile Microsoft Teams clients.  This capability is due to be available soon, so the setting can be left in the default On state.

  • Once the User Account configuration is correct then select Next and advance through the remaining screens by modifying any desired Features or Theming options, or select Save and Exit if simply reconfiguring the account on an existing system.

The system will return to its ready state and the interface should appear similar to the following image.  Note that until the new account is invited to a meeting the interface will not show any calendaring information along the left-hand side.

image

This new account was immediately invited to both a scheduled Skype Meeting and a Teams Meeting, as indicated by the small Skype and Teams icons on the associated calendar entries.

Also, because the account in this example was enabled with a base license which includes a Phone System add-on license, as well as the proper Enterprise Voice configuration, the Dial Pad option is shown.  The New Meeting option will trigger the creation of a new Microsoft Teams meeting when inviting another participant, based on the previous selection of Skype for Business and Microsoft Teams (default) as the Supported meeting mode setting.

Polycom OTD Service with Cisco Endpoints

January 26, 2019

This article about the Polycom One Touch Dial (OTD) service is another in a series which covers Polycom’s RealConnect service, a Microsoft Azure-based video interoperability service for Skype for Business and Microsoft Teams meetings.

Before performing any configuration steps in this article it is recommended to first review the Polycom One Touch Dial Service article to gain an understanding of how the services work and why the configuration differs between Polycom and Cisco endpoints.

Exchange Configuration

This section will walk through creating a new service account, followed by the initial OTD service portal configuration.  Then a Cloud Relay server will need to be deployed (covered in a separate article) and a single Cisco endpoint added to the OTD portal.  By contrast this configuration is more involved than the basic configuration for Polycom endpoints due to the Cisco endpoint not acting like a native Exchange calendaring client.

Prepare PowerShell

The following environment preparation steps are performed using Windows PowerShell to connect to multiple online modules.  The workstation used to perform these commands may need to have some initial setup steps performed to access these modules.  Only the Exchange Online PowerShell and MSOnline modules need to be installed to support the cmdlets in this article.

  • Follow the steps in the Managing Office 365 with PowerShell article and then connect to both Exchange Online and the MSOnline modules as instructed.  (There is no need to connect to the AzureAD or Skype for Business modules.)

Connect-EXOPSSession
Connect-MsolService

image

Create Mailbox

This step may not be required as typically a mailbox already exists for a conferencing room space that is represented in Outlook to book as a resource.  If a new mailbox needs to be created for a specific VTC then the following steps can be used to create an Exchange Room Mailbox using PowerShell.

For this article a new resource mailbox will be created for use with a single Cisco endpoint.

  • Run the following New-Mailbox command to create a new resource mailbox of Room type, replacing the example values with the desired unique ID, Alias, Name, and Password.

New-Mailbox -MicrosoftOnlineServicesID vtc2@msteams.net -Alias "vtc2" -Name "VTC 2 (Cisco)" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String "P@s5w04d" -AsPlainText -Force)

image

If a replication failure warning appears it can safely be ignored as it is just reporting that the new mailbox will take some time to be created and replicated within Exchange Online.  The following configuration steps can be performed immediately.

If needed, repeat this process to create a room mailbox for every Cisco VTC which will be used with OTD service.

Configure Mailbox

With either the new mailbox created above or an existing mailbox the following commands will ensure that the mailbox is correctly configured.  Depending on how existing resource mailboxes were created these parameters may already be set correctly, but sometimes the existing settings will purge the meeting invitation contents to save on mailbox storage.  Without that data included in the room’s copy of the invite then OTD has no information to process and then no ‘Join’ button would appear on the invited VTC.

  • Run the following Set-CalendarProcessing command against the new mailbox as identified by the Identity parameter.  Leave all other parameters at the documented values, aside from the -AdditionalResponse setting which can be customized to include any message.

Set-CalendarProcessing -Identity vtc2@msteams.net -AutomateProcessing AutoAccept -AddOrganizerToSubject $false -AllowConflicts $false -DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false -AddAdditionalResponse $true -AdditionalResponse "This room is enabled for One Touch Dial with Polycom RealConnect"

image

If needed, repeat this process for every room mailbox (new or existing) that is (or will be) associated with a supported VTC to leverage OTD.

Create Service Account

For environments leveraging Exchange Online this account will require an appropriate Office 365 license.  At minimum an Exchange Online Kiosk license is the lowest-cost option that provides the necessary mailbox, but any Exchange Online, Business, or Enterprise license is more than adequate.  This service account must have a mailbox even though its own mailbox is never actually used throughout the OTD process.  Exchange can only delegate mailbox permission to other mailbox-enabled accounts, hence the need for a license.

  • Using the same process as outlined in the first section connect to both Exchange Online and the MSOnline PowerShell modules and then execute the Get-MsolAccountSku cmdlet to list all available license options currently applied to the Office 365 tenant.

Get-MsolAccountSku

image

The example tenant in this article has available Enterprise E5 licenses (ENTERPRISEPREMIUM), which is clearly overkill for this requirement.  As suggested above a less expensive option of Exchange Online Kiosk (EXCHANGEDESKLESS) can be used instead. 

  • Run the following New-MsolUser command to create a new user account which will be used by the OTD service to connect to Exchange over Exchange Web Services.  Replace the example values below with the desired Display Name, User Principal Name, Usage Location (appropriate two-letter country code), License Assignment, and Password.

New-MsolUser -DisplayName "OTD Service Account" -UserPrincipalName "otd@msteams.net" -UsageLocation "US" -LicenseAssignment "jschertz:EXCHANGEDESKLESS" -Password "P@s5w04d" -PasswordNeverExpires $true -ForceChangePassword $false

image

Delegate Mailbox Permissions

In order to use the new service account to access each and every resource mailbox it will need to be delegated the appropriate permissions to each mailbox.  The only rights this account requires are Read access to just the Calendar folder in each mailbox.

  • Run the Add-MailboxFolderPermission command, providing the Identity of the desired source mailbox's Calendar folder as well as the User Principal Name of the newly created service account.

Add-MailboxFolderPermission -Identity "vtc2@msteams.net:\Calendar" -User "otd@msteams.net" -AccessRights "Reviewer"

image 

If needed, repeat this process to delegate permissions for each room mailbox’s Calendar to the single service account.

Verify Mailbox Permissions

Once all mailboxes are configured the following optional cmdlet can be used to report which mailboxes in the entire organization the service account has access to.

Run the following command to query every mailbox in the organization to verify if the service account has the needed Reviewer permissions to the Calendar folders of the room mailbox.

Get-Mailbox | ForEach-Object {Get-MailboxFolderPermission $_":\Calendar" -User "otd@msteams.net" -ErrorAction SilentlyContinue |ft Identity,FolderName,User,AccessRights}

image
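The Configure Mailbox, Delegate Mailbox Permissions and Verify Mailbox Permissions sections above each describe a per-mailbox step that has to be repeated for every room.  The following is an added example (not code from the article or from Polycom) that runs both checks across all Room mailboxes in the tenant: whether DeleteComments and DeleteSubject are $false so the invitation content OTD needs survives, and whether the service account holds exactly Reviewer on the Calendar folder, nothing broader.  With -Repair it applies the article's settings where they are missing.  It assumes a connected Exchange Online session; the function name and the service-account address in the usage comment are constructed placeholders.  One detail beyond the article: the Calendar folder name is localised per mailbox, so the folder path is resolved from Get-MailboxFolderStatistics rather than hard-coded as ":\Calendar".

```powershell
# Added example: audit (and optionally repair) every Room mailbox for the settings OTD depends on.
# Assumes Connect-EXOPSSession has already been run.
function Test-OtdRoomMailbox {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ServiceAccount,   # placeholder, e.g. otd@msteams.net
        [switch] $Repair                                   # apply fixes instead of only reporting
    )

    # Only Room resource mailboxes matter here; -ResultSize Unlimited avoids the default 1000-item cap.
    $rooms = Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited

    foreach ($room in $rooms) {
        $smtp = $room.PrimarySmtpAddress.ToString()

        # The default calendar folder may be named e.g. "Kalender" rather than "Calendar" depending on
        # the mailbox language, so locate it by FolderType instead of assuming the English name.
        $calFolder = Get-MailboxFolderStatistics -Identity $smtp -FolderScope Calendar |
            Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
        $folderId  = "${smtp}:" + $calFolder.FolderPath.Replace('/', '\')   # e.g. vtc2@msteams.net:\Calendar

        $cp   = Get-CalendarProcessing -Identity $smtp
        # Get-MailboxFolderPermission errors when the user has no entry, hence SilentlyContinue.
        $perm = Get-MailboxFolderPermission -Identity $folderId -User $ServiceAccount -ErrorAction SilentlyContinue
        $rights = if ($perm) { $perm.AccessRights -join ',' } else { 'None' }

        $invitePreserved = (-not $cp.DeleteComments) -and (-not $cp.DeleteSubject)
        $reviewerOnly    = ($rights -eq 'Reviewer')

        if ($Repair) {
            if (-not $invitePreserved) {
                Set-CalendarProcessing -Identity $smtp -DeleteComments $false -DeleteSubject $false
            }
            if (-not $perm) {
                Add-MailboxFolderPermission -Identity $folderId -User $ServiceAccount -AccessRights Reviewer | Out-Null
            } elseif (-not $reviewerOnly) {
                # Anything broader than Reviewer is more than OTD needs; trim it back to read-only.
                Set-MailboxFolderPermission -Identity $folderId -User $ServiceAccount -AccessRights Reviewer
            }
        }

        # Reports the state found before any repair was applied.
        [pscustomobject]@{
            Room            = $smtp
            CalendarFolder  = $folderId
            InvitePreserved = $invitePreserved
            ServiceRights   = $rights
            Compliant       = ($invitePreserved -and $reviewerOnly)
        }
    }
}

# Usage: report first, then repair once the report looks right, then report again to confirm.
# Test-OtdRoomMailbox -ServiceAccount 'otd@msteams.net' | Format-Table -AutoSize
# Test-OtdRoomMailbox -ServiceAccount 'otd@msteams.net' -Repair | Out-Null
```

Rows with ServiceRights other than None or Reviewer are worth a second look before running with -Repair, since they indicate the service account was granted more than the calendar read access the OTD workflow requires.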

Cloud Relay Deployment

As the Cloud Relay server is used by various services and is not meant only for providing One Touch Dial to Cisco endpoints located on private networks, this portion warrants a separate, complete article.

  • Refer to the Polycom Cloud Relay article to complete the installation and successful pairing of at least one Cloud Relay virtual server in the same routable private network as where the desired Cisco VTC is located.

Service Provisioning

This section covers the service-side configuration for connecting the OTD service to the target Exchange environment.

Configure One Touch Dial Service

To begin the provisioning process the Polycom One Touch Dial portal will need to be utilized.  As explained in the first article of this series the overall RealConnect service order/trial process would have included providing the email address of an administrative contact.  That supplied email address will have been specifically enabled by Polycom to access the OTD portal for the specific tenant enabled for the service.

image

  • Click the Sign in with Microsoft button and then enter the credentials of the account which was originally whitelisted for access to the OTD portal (e.g. jeff@msteams.net).

image

The first time that an authorized user signs into the portal a prompt will appear requesting permission for the Polycom app to sign in on behalf of and read the user’s profile information and data.

  • Review the requested permissions and then click the Accept button.  (If the "Consent on behalf of your organization" option appears it can be ignored as each user account authorized for the OTD portal will receive this same one-time prompt.  If desired, an administrator can select this option now and other accounts will not receive this prompt when they first sign in.  The behavior of the service is not impacted either way.)

image

If this is the first time the portal has been accessed it may report that no devices have been configured.

image

Endpoint Configuration

Now that the OTD service has been connected to the Exchange environment with the service account the first Cisco VTC can be configured.

  • Connect to the Cisco endpoint’s web management interface and verify that XMLAPI Mode is enabled.  This is required in order for the service to push the meeting invitations directly to the VTC.

image

  • Return to the One Touch Dial portal, select the Devices menu, and then click on the Connect a Device button.

image

  • Select the desired Cisco device option from the list (e.g. C SX DX EX MX Models).

image

  • In the General Information section enter a descriptive Name for the device (e.g. VTC2).
  • In the Calendaring section enter the VTC’s associated resource mailbox in the Calendaring Email field (e.g. vtc2@msteams.net).

  • In the Connection section select the appropriate configuration option.  If the Cisco VTC is assigned a public IP address and is directly reachable from the Internet (an unlikely and not recommended scenario) then select the Directly to Polycom One Touch Dial option.  For the typical use-case of the VTC being located on an internal network with a private IP address select the Via Polycom Cloud Relay option and enter the IP address of the Cisco endpoint (e.g. 172.31.16.76).

  • In the Credentials section enter an administrator username and password for the Cisco endpoint (e.g. admin).

image

  • Click Connect to save the configuration and then note the reported status will likely initially show as Pending.

image

  • Select the Devices menu and wait for the status to update to Connected.

image

At this point the Cisco VTC should show any meetings which have been scheduled on the room mailbox.  The Join button will be displayed prior to the scheduled meeting and trigger a call to the RealConnect service to join a Skype or Teams meeting.

image

Polycom Cloud Relay

December 1, 2018

This article is the third in a series which covers Polycom’s RealConnect service, a Microsoft Azure-based video interoperability service for Skype for Business and Microsoft Teams meetings.

  1. RealConnect Service for Skype and Teams – introduces the overall solution and the steps to activate the service for use with Skype for Business Online meetings and/or Teams meetings.  (A future article will cover the additional configuration steps required to support Skype for Business Server or Hybrid deployments with the service.)
  2. Polycom One Touch Dial Service – explains what this ancillary service is, how it works, and provides detailed configuration steps for using it with Polycom VTCs.  (A future article will cover the configuration for Cisco VTCs.)
  3. Polycom Cloud Relay – outlines the purpose of this component, how it works, and then walks through the steps for deploying a Cloud Relay virtual server on-premises.  This on-premises server is an optional component to the RealConnect service, only needing to be deployed when using Skype for Business Server and/or supporting Cisco endpoints with the One Touch Dial service.

The Polycom Cloud Relay is a relatively new component which was born out of the need to provide a lightweight server to handle various supportive tasks for multiple cloud services needs.  Essentially, when moving a solution or workflow from an on-premises server into a hosted service across the public Internet some capabilities may not be able to function entirely in the cloud.  To address this sometimes an on-premises relay may be required to facilitate some forms of communication.

This server’s primary function is to sit inside enterprise firewalls and open secure outbound connections to various Polycom services running in Microsoft Azure datacenters, meanwhile relaying messages from the cloud over to certain local resources.  The Cloud Relay thus must sit on the private internal network like most other internal servers, and not in a perimeter network, to perform its duties.  This component is a lightweight virtual machine based on CentOS which is provided free of charge to Polycom customers in both VMware (.OVA) and Hyper-V (.VHD) formats.  By itself the server is useless as it must be paired with a customer tenant utilizing one or more licensed Polycom services.

Background

Understand that the Cloud Relay in and of itself really does nothing other than ‘phone home’ and wait for instructions.  When it is first brought online and configured on the local network it will immediately attempt to connect to a handful of hardcoded Fully Qualified Domain Names (FQDNs) which point to several services running across multiple Azure datacenters.  If these connections are successfully established then the new relay will sit indefinitely in a holding pen, waiting to be manually integrated into a specific Polycom cloud tenant.  Once this pairing step is completed by an administrator the relay will be permanently linked to that tenant and begin pulling down any provisioned services which have already been configured in the tenant.  This includes the automatic download of any apps associated with the configuration, which are essentially docked into the Cloud Relay.

So in short, this relay is something that is simply brought online the first time using the local console and then from that point forward all management and configuration is performed through the appropriate Polycom cloud portal.  Configuration changes and even software updates to the individual apps are all automatic.  Currently the Cloud Relay itself is not updated so when new versions of the server image are released it would require the deployment of a new image, or replacement of the existing.  But the majority of the various Polycom service offering’s features and functionality comes from the individual apps which are automatically updated as stated.

Once these apps have been pushed down to the relay it can start to perform its duties, whatever those may be.  Currently the Cloud Relay is used to perform several functions, most of which are applicable to the RealConnect service, but not all.  For example the Polycom Device Management Service (PDMS) cloud offering leverages the Cloud Relay for some optional device management capabilities.  But as this series of CVI articles is focused on the RealConnect service, the two applicable roles that the Cloud Relay serves are:

  1. To relay meeting invitations originating from Exchange Online or Exchange Server resource mailboxes that the Polycom One Touch Dial service needs to process and deliver to Cisco endpoints.  Obviously if a Cisco VTC is sitting on an internal private network then it would not be possible to open a connection from the cloud directly to that endpoint without establishing a 1:1 static NAT through a corporate firewall, which is a poor and uncommon practice.  So the Cloud Relay is used to receive that invitation from the cloud service and then establish a local connection directly to the Cisco endpoint to relay the message.
  2. To relay signaling messages from the Polycom RealConnect service to an on-premises Skype for Business Front End Server/Pool to establish the required connectivity to support RealConnect meetings in the cloud.  This communications path is used by the cloud service to identify and locate the proper Skype Meeting URI for a given scheduled Skype meeting.  The cloud service will then establish a media cascade to the meeting running on the Skype for Business Server through the normal media route via the Skype Edge Server/Pool.  Note that the Cloud Relay only relays signaling, absolutely no media traverses the relay so the processing and bandwidth requirements are very little.

For high-availability and redundancy multiple relays can be deployed and integrated with the same tenant.  The majority of communications are from the cloud to the relay so resiliency is inherent and failover is automatic as the service will communicate to all available relays.  For the few scenarios where any messages originate from a customer’s network the redundancy behavior can be controlled by the local configurations options like Round Robin DNS, Geo-DNS, or DNS Load Balancing.

Workflow

While the Cloud Relay handles multiple functions the main portion of its communications is always the same.  It will attempt to securely open several outbound connections to Polycom services in Azure, all over two ports: 443 and 5671.  In many environments outbound access to the Internet over 443 is open from any trusted network to untrusted networks, and the majority of the traffic traverses here.  But the less-common Advanced Message Queuing Protocol (AMQP) traffic leveraged by the Microsoft Azure Service Bus over port 5671 can often be blocked by corporate firewalls and will need to be allowed outbound.

image

Communications from the Cloud Relay to the various Polycom Services are based on establishing secure connections to hardcoded FQDNs which, based on geography, will be directed to the nearest Azure datacenter where the services happen to be resident.

As outlined in the official documentation the Cloud Relay will resolve and then attempt to connect to the following FQDNs via TCP over port 443:

  • api-global.plcm.cloud
  • api-orion.plcm.cloud
  • logging.plcm.vc
  • aquadevacr-plcm365.azurecr.io

Additionally the Cloud Relay will need to establish connectivity to the Azure Service Bus via TCP over port 5671:

  • servicebus.plcm.vc

All of these connections are established outbound and no ports need to be opened for inbound connections.  (The official documentation does reference opening TCP 22 inbound from the Internet but that is only for remote SSH connectivity in the event that Polycom support needs to connect directly to the Cloud Relay console during a support call.  Do not actually open this port during deployment.)

The role of the Cloud Relay is to provide a two-way communication path with the cloud services by opening the outbound connection and then keeping that connection open for the cloud to send information down as needed.  In the event that outbound connections to the Internet are limited by firewall policy then there are two configuration options typically leveraged.  Firstly the FQDNs above can be entered into firewall policies to allow the outbound traffic.  But often domain names are not allowed in firewall policies and only IP addresses and subnets may be allowed by defined IT policies.  As services in Azure can sometimes change IP addresses or subnets it is recommended to subscribe to service alerts in case any IP addresses are changed in future upgrades or maintenance routines.
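The outbound requirements above can be validated before the virtual machine is even imported.  The following script is an added example (not from this article or from Polycom) which runs from a Windows workstation on the same network segment the Cloud Relay will use, and reports DNS resolution and TCP reachability for each FQDN and port listed in this section, so a blocked 5671 shows up as a firewall problem rather than a DNS problem.  The function name and output columns are assumptions; Resolve-DnsName and Test-NetConnection are standard Windows PowerShell cmdlets.

```powershell
# Added example, not part of the original article: pre-deployment egress check for the
# Cloud Relay, run from a Windows host on the relay's intended network segment.
# Hosts and ports are the ones the article lists; the last entry is the Service Bus name
# shown by the relay's own Connectivity test later in the article.
$cloudRelayTargets = @(
    @{ Host = 'api-global.plcm.cloud';                   Port = 443  },
    @{ Host = 'api-orion.plcm.cloud';                    Port = 443  },
    @{ Host = 'logging.plcm.vc';                         Port = 443  },
    @{ Host = 'aquadevacr-plcm365.azurecr.io';           Port = 443  },
    @{ Host = 'servicebus.plcm.vc';                      Port = 5671 },  # AMQP over TLS, commonly blocked
    @{ Host = 'polycom-nimbus.servicebus.windows.net';   Port = 5671 }
)

function Test-CloudRelayEgress {
    # Hypothetical helper name; returns one object per target so the result can be filtered or exported.
    param([array]$Targets = $cloudRelayTargets)

    foreach ($t in $Targets) {
        # Resolve first so a DNS failure is reported separately from a blocked port.
        $resolved = $null
        try {
            $resolved = (Resolve-DnsName -Name $t.Host -Type A -ErrorAction Stop |
                         Where-Object { $_.IPAddress }).IPAddress -join ','
        } catch { }

        $tcpOpen = $false
        if ($resolved) {
            $tcpOpen = (Test-NetConnection -ComputerName $t.Host -Port $t.Port `
                        -WarningAction SilentlyContinue).TcpTestSucceeded
        }

        [pscustomobject]@{
            Host     = $t.Host
            Port     = $t.Port
            Resolved = $resolved
            TcpOpen  = $tcpOpen
            Result   = if (-not $resolved) { 'DNS FAIL' } elseif ($tcpOpen) { 'SUCCESS' } else { 'BLOCKED' }
        }
    }
}

# Usage: list everything, then show only the failures that need a firewall or DNS change.
$results = Test-CloudRelayEgress
$results | Format-Table -AutoSize
$results | Where-Object { $_.Result -ne 'SUCCESS' }
```

Because the check runs from a workstation rather than from the relay itself, a SUCCESS here only proves the network path; the relay's own Tools > Connectivity menu remains the authoritative test once the VM is online.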

With the prerequisite communications to the cloud successfully established the Cloud Relay will download the configuration and apps needed to further establish local communications with any on-premises Skype for Business Servers, Cisco VTCs, or (in the case of PDMS) Polycom IP phones like the VVX and Trio.

  • For communications with a Skype for Business Front End Server/Pool the Cloud Relay will need to be able to open a connection over TLS 5061 using an assigned server certificate.  The additional configuration for this outside of the prerequisite Cloud Relay deployment is covered in a separate article in this series, which is mentioned at the top of this article.
  • For communications with a Cisco VTC the Cloud Relay will need to be able to open a connection to the Cisco device over port 443 (or 80).  This additional configuration is also provided in a separate article described at the start of this article.

The remainder of this article will walk through the deployment of a single Cloud Relay into an existing VMware ESXi server.


Management Portal

Before attempting to deploy the Cloud Relay it is necessary to access the associated Polycom management portal, if that has not already been done.  This article assumes that the portal has not yet been accessed for the tenant, so if it already has then simply skip to the next section.

The Cloud Relay is managed inside of the Polycom Cloud Service Administration portal which is a web portal hosted in Azure.  After purchasing licenses or requesting a trial license the administrative contact email provided in the order will have automatically been sent two emails.  One email includes the license number for the order (which was covered in this article) and the other email includes instructions to activate the account’s access to the management portal.

  • Locate the email originally sent by cloud-service-team@polycom.com entitled "Welcome to Polycom Cloud Service Administration".

image

  • Click the Activate Your Account button in the body of the email.

image

Unless this link is utilized shortly after first receiving the email the invitation will likely have expired by now.  If that is the case this connection attempt will have triggered a new automated email to be sent with a fresh activation link, as explained in the following screenshot.

image

  • Return to the same account’s mailbox and look for a new email from the same sender and with the same subject line.  Click the Activate Your Account link in this new message.
  • This time the Activate Account screen should appear asking to define a password for this account. Enter the name associated with the email address, create a new password, and then click Submit.

image

This has created a new Enterprise administrator account locally within the Polycom management portal’s database.  It is recommended to add at least one additional administrator account, but instead of creating more local accounts it is recommended to enable authentication with Office 365.

  • Enter the new password which was just created and click Sign In.

image

  • Select the Administration section at the portal’s home screen.

image

  • From the navigation menu select Authentication Providers and then click the Office 365 option under Built-In Authentication Providers.

image

  • Click Enable under the Create Provider section.

image

The Office 365 option will now be shown in color to indicate that it has been enabled.

image

  • From the navigation menu select Users.

image

Note that the current administrator’s Sign In Account is shown as "Enterprise and Local".  This indicates that if that local account matches the User Principal Name of a valid Office 365 account then that account can also be used now to sign into the portal.  Essentially there are two separate accounts with the same name available to use: one that is stored in the service’s own database (Local) and one that is available via Office 365 authentication (Enterprise).  This is important to understand that if the two accounts have the same password then signing into the portal may seem transparent, but if different passwords are used then it could be confusing.  This is why it is recommended to simply use Office 365 authentication from this point forward, both for the original account and any others which are added.

The following steps are optional and can be skipped over if adding a second administrator account is not desired.

  • Click Add to add another existing Office 365 account in the tenant as an administrator.

image

  • Enter the desired user’s User Principal Name (e.g. steve@msteams.net) and select the appropriate User Role options.  Having a spare full administrator account is recommended, so select all roles, but leave the Sign In Account set to Enterprise Only and then click Save.

image

At this point access to the management portal has been enabled and secured.  After deploying the Cloud Relay server this portal will be used again to complete the configuration.

Deploy Cloud Relay

The next series of steps will include downloading the Cloud Relay software from the Polycom Support site, importing the virtual machine in ESXi, and then configuring the Cloud Relay.  As mentioned earlier this Cloud Relay will be setup on a VMware ESXi server, but these steps may differ based on the virtual server platform and version.  As this section will be familiar to anyone accustomed to managing virtual server systems then the directions in this section will be brief.

Download Software

  • Go to the Polycom Cloud Relay support page and download the current version of the desired software (e.g. OVA Image for HyperV).

image

  • Save the file locally on the same workstation where the ESXi management console will be opened.

Import Virtual Machine

  • Connect to the ESXi server using the web management console and sign in.
  • Select Virtual Machines from the Navigator and then click Create/Register VM.
  • Select the option to Deploy a virtual Machine from an OVF or OVA file.
  • Enter a name for the virtual machine (e.g. CloudRelay1) and then click the select files option and locate the .OVA file previously downloaded to the local computer (e.g. polycom-cloud-relay-1.1.2-64805.ova).
  • Select the desired Datastore, Network Mapping, and Disk Provisioning options.
  • Review the selections and then click Finish to start the process of uploading the OVA file and establishing the virtual machine.

Configure Virtual Machine

  • Once the import process has completed successfully select the new virtual machine in the management console and verify that it has been started.  If not, start the VM.
  • Open the Console and then log into the Cloud Relay using the default username 'polycom' and password 'polycom'.

The OS will require that a new password is created.  Pay close attention to the prompts as the existing password will be requested again before asking for the new password.

  • Re-enter the default password of 'polycom' one more time and then enter a new password and confirm the new password.

image

  • Accept the End User License Agreement to advance to the management console’s main menu.

image

  • Select the Configure menu.

image

  • Choose the Configure Network menu and then select the eth0 interface.
  • Select Static address setup and then enter the appropriate IP Address, Network Mask, and Default Gateway and then select OK.

image

  • Once the network service finishes restarting verify the correct settings are displayed onscreen and then select Change Host Name and enter the desired host name for the Cloud Relay (e.g. cloudrelay1).

image

  • Select Configure DNS and enter the appropriate DNS settings for the local network.

image

  • Select Configure NTP and enter the appropriate NTP settings for the local network.

image

  • Exit to the main menu and select Tools.

image

  • Select the Connectivity option.

image

  • Review the connectivity test results to verify that each individual test results in a SUCCESS status and no errors are reported.

image

Note that the 61% value shown in the screenshot above does not mean that only 61% of the tests passed successfully.  This is simply the ASCII interface indicating that only 61% of the results are currently shown on the screen.

  • Use the down-arrow to scroll through the remainder of the results.

image

As mentioned earlier in the article pay special attention to the last connectivity check to the service bus (polycom-nimbus.servicebus.windows.net) over port 5671 which might be blocked by a firewall.  If all tests have passed successfully then move on to the next step, otherwise check any local DNS configuration or firewall policies to resolve any outbound connectivity issues to the Azure datacenter.

Integrate Cloud Relay

  • Return to the main menu and select the Integrate option.

image

The cloud connector services will be started and then a Registration Code will be displayed on the screen.  Record this code and pay close attention as due to the console font the zeros (0) and eights (8) can look similar.  For example, the following code is 03777724 but at first glance almost appears to start with an 8.

image

image

Because the Office 365 authentication integration was configured in the first section of this article there is now a new sign-in option available.

image

    • Click the Sign in with Microsoft Office 365 button and, if prompted, select Accept on the permissions request from Polycom Cloud Service Authentication app.

    image

    • Select the Register Devices section.

    image

    • Select the Cloud Relay option and then click Add.

    image

    • In the Registration Code field enter the code provided by the Cloud Relay in the earlier step (e.g. 03777724) and then enter the Device Name (e.g. CloudRelay1) and then click Save.

    image

    The Cloud Relay should now appear in the list, but notice that the Status icon will initially be displayed in gray.

    image

Wait for a few seconds and if the deployment was performed correctly then the status should automatically update to a green icon to indicate a successful pairing of the Cloud Relay to this tenant.

    image

    • Return to the Cloud Relay console and select the Application Status option from the main menu.

    image

    At this point the individual components should all be listed as running with no errors reported.

    image

    Additionally the Tools > Application Logs menu can be used to view diagnostic logs for the various components.

    image

    Now that a Cloud Relay has successfully been deployed any additional configuration to support One Touch Dial for Cisco endpoints or RealConnect with Skype for Business Server can be completed.

    Polycom One Touch Dial Service

    November 28, 2018 by · 10 Comments 

    This article is the second in a series which covers Polycom’s RealConnect service, a Microsoft Azure-based video interoperability service for Skype for Business and Microsoft Teams meetings.

    1. RealConnect Service for Skype and Teams – introduces the overall solution and the steps to activate the service for use with Skype for Business Online meetings and/or Teams meetings.  (A future article will cover the additional configuration steps required to support Skype for Business Server or Hybrid deployments with the service.)
    2. Polycom One Touch Dial Service – explains what this ancillary service is, how it works, and provides detailed configuration steps for using it with Polycom VTCs.  (A future article will cover the configuration for Cisco VTCs.)
    3. Polycom Cloud Relay – outlines the purpose of this component, how it works, and then walks through the steps for deploying a Cloud Relay virtual server on-premises.  This on-premises server is an optional component to the RealConnect service, only needing to be deployed when using Skype for Business Server and/or supporting Cisco endpoints with the One Touch Dial service.

    The specific term "One Touch Dial" (or its initialism "OTD") is not new.  It has been used for several years to describe various concepts throughout Polycom solutions: a workflow, an action, a server, an application, and now a service.  To offer some clarity, OTD started as an application which provided a simple meeting joining experience to Polycom and Cisco VTCs for on-premises RealConnect meetings.  This application is one of several custom applications which run on a dedicated on-premises server called the Polycom Workflow Server.  This server is used only with the traditional RealConnect deployment model which utilizes on-premises Polycom MCUs.

    More recently the OTD functionality was put into Microsoft Azure for use with the RealConnect service.  Yet, not 100% of what OTD does can be put into the cloud.  The on-premises version of OTD essentially operates as both a Microsoft Exchange Web Services (EWS) proxy and an emulator of the Cisco Telepresence Management Suite (TMS), at a Calendaring level only.  Each of those roles is needed to support both Polycom and Cisco endpoints.  Polycom endpoints (like the Group Series, HDX, Trio, etc.) all operate as native EWS clients and will automatically retrieve meeting invitations by routinely polling the appropriate Exchange Server or Exchange Online, which is essentially a 'pull' operation.  So regardless of the location of the endpoint it is easy for these devices to open a new connection to a server over HTTPS 443.

    On the other hand, Cisco endpoints that natively support One Button To Push (OBTP) do not operate using the same approach.  These endpoints are effectively dumb and rely on another server (TMS) to retrieve meeting invitation emails on their behalf, which are then relayed to the endpoint.  Given that this 'push' operation cannot typically be performed from an Internet-based service down to a host sitting on a private network behind firewalls, the relay would need to also exist within the same routed internal network.  Thus, the Polycom Cloud Relay is utilized as this relay.  This means that while most of the operation of the original OTD application was placed into Azure as a service, the TMS emulator portion is provided as an applet which resides on the on-premises Cloud Relay virtual server.

    Workflow Explained

    This simple diagram depicts how the OTD service works for both types of supported endpoints.

    image

    The OTD service acts as an EWS proxy and will fetch the mailbox contents on behalf of the endpoint.  This middle-man step is required as OTD's primary function is to scan the invitation, looking for RealConnect-enabled meeting invitations.  When an applicable Skype for Business or Teams meeting invitation is found then it reformats the outgoing copy to match what the associated endpoint expects to see to enable the 'Join' button to appear and operate correctly on the endpoint.  As the required formatting is different between Polycom and Cisco endpoints, OTD handles each accordingly.

    • Polycom VTCs communicate directly with the OTD service currently hosted in Microsoft Azure, so when the endpoint performs a routine mailbox check it will connect to the OTD service to trigger the process.  OTD processes the messages and then passes it on to the Polycom endpoint.  To the endpoint this process is transparent and looks like a regular EWS message exchange.
    • Cisco VTCs do not initiate this process though; the environment configuration drives this.  The OTD service itself will monitor mailboxes associated with Cisco endpoints and routinely check for new messages.  If any are found then it will push the message down to the Cloud Relay (which has previously established an ongoing secure two-way connection to the OTD service) and then the Cloud Relay will act as a TMS Calendaring service and relay the message to the target Cisco VTC over the local network.  The connection from the relay to the VTC is first attempted securely via HTTPS, but if connectivity over TCP 443 is not available then it will fall back to attempting to connect via HTTP over TCP 80.

    Note that while the diagram above depicts Exchange Online as the mailbox location the OTD service also supports on-premises Exchange Server environments.  As long as Exchange Web Services has been published externally in a deployment then the service can leverage the external EWS FQDN to connect to the server and access the required mailboxes.

    image

    Thus the OTD service can be used with Exchange Server, Hybrid, or Online topologies.  For the articles in this series a standard Microsoft Office 365 tenant is being used so Exchange Online mailboxes will be leveraged for all configuration steps.

    Overview

    There are several different configuration options available to provide One Touch Dial capabilities to Skype for Business Server, Online, and Teams meetings which are enabled for RealConnect.  Polycom endpoints support multiple options, but to support Cisco endpoints there is only one possible configuration.

    Pass-Through Authentication

    Polycom endpoints can by default simply leverage pass-through authentication via the OTD service to access the requested mailbox in Exchange.  The required credentials are stored on the endpoint and are used to authenticate through the OTD service (as a proxy) into Exchange. Pass-through authentication can be used with the actual mailbox account’s credentials or a shared service account if desired.

    This method of using the mailbox’s own credentials on the endpoint configuration is the easiest and requires no configuration in the OTD portal, but it may not be possible in environments where resource mailboxes are disabled in Active Directory.  An alternative approach is to utilize a service account to authenticate to Exchange in the event that the resource mailboxes themselves are not enabled for authentication, which is common (and the default) behavior for Exchange resource mailboxes.  The service account model can be configured to use either pass-through or proxy authentication models.

    • With pass-through authentication a single service account is created and then delegated permissions to all applicable resource mailboxes.  The service account credentials are entered in each endpoint alongside the SMTP address of the desired resource mailbox for a given endpoint. The same service credentials are used on every endpoint for accessing each unique resource mailbox.

    image

    Proxy Authentication

    The OTD service must first be configured to leverage this model as a service account is used alongside manual endpoint configuration in the portal.  To provide One Touch Dial to any supported Cisco endpoints this option is required; pass-through authentication is not applicable.  Polycom endpoints can also use this option if the credentials of the service account are to be known and managed only by IT staff with access to the OTD portal while a different set of local credentials which are known by support staff will be used on the endpoints themselves.  This is a less common approach but does offer flexibility in larger deployments with separate teams managing different components of the overall solution.

    • For proxy authentication the same service account is created and then delegated permissions to all applicable resource mailboxes but is instead stored directly in the OTD portal configuration.  Then unique credentials are manually generated in the OTD portal for each newly configured device, to be used for that endpoint’s local configuration.  The OTD service will act as an authentication proxy, using the local set of credentials for connections from endpoint to the OTD service, and the service account for all communications between itself and Exchange.

    image

    The remainder of this article covers the multiple configuration options available to Polycom VTCs.  A separate article outlines the configuration for Cisco VTCs, which requires additional steps as well as the deployment of a Cloud Relay server on-premises.


    There are two general configuration models available for One Touch Dial:

    1. The first is a standard configuration which leverages autodiscovery to locate resource mailboxes stored in Exchange Online that have been correctly configured to allow authentication using their own credentials.  This approach does not require any configuration on the One Touch Dial portal.  As stated, this model only works with Exchange Online mailboxes.  For Exchange Hybrid environments as long as the VTC’s mailbox is stored in Exchange Online this configuration can be used.
    2. The second, more complex configuration option is required when accessing room mailboxes stored on an Exchange Server as a service account will be required alongside configuration of the One Touch Dial portal to connect to the external Exchange Web Services using that service account.  This model is also required when using the proxy authentication model with Exchange Online mailboxes.

    Standard Configuration

    This section will walk through creating or validating the required Exchange mailbox and then configuring a single Polycom Group Series endpoint to leverage the OTD service.  For this method to be viable the resource mailbox (new or existing) will need to be hosted in Exchange Online and enabled for authentication.  If that is not possible or not allowed by enterprise policies then skip to the next section covering the Service Account Configuration methods.

    As explained earlier, there is no need to first sign in to the One Touch Dial portal and perform any service configuration steps when using Polycom endpoints.  The service will automatically leverage Exchange Autodiscover to locate the source mailbox in Exchange Online.

    Prepare PowerShell

    The following environment preparation steps are performed using Windows PowerShell to connect to multiple online modules.  The workstation used to perform these commands may need to have some initial setup steps performed to access these modules.  Only the Exchange Online PowerShell and MSOnline modules need to be installed to support the cmdlets in this article.

    • Follow the steps in the Managing Office 365 with PowerShell article and then connect to both Exchange Online and the MSOnline modules as instructed.  (There is no need to connect to the AzureAD or Skype for Business modules.)

    image

    Create Mailbox

    This step may not be required as typically a mailbox already exists for a conferencing room space that is represented in Outlook to book as a resource.  If a new mailbox needs to be created for a specific VTC then the following steps can be used to create an Exchange Room Mailbox using PowerShell.

    For this article a new resource mailbox will be created for use with a single Polycom Group Series endpoint.

    • Run the following New-Mailbox command to create a new resource mailbox of Room type, updating the example values with the desired unique ID, Alias, Name, and Password.

    New-Mailbox -MicrosoftOnlineServicesID "vtc1@msteams.net" -Alias "vtc1" -Name "VTC 1 (Polycom)" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String "P@s5w04d" -AsPlainText -Force)

    image

    If a replication failure warning appears it can safely be ignored as it is just reporting that the new mailbox will take some time to be created and replicated within Exchange Online.  The following configuration steps can be performed immediately.

    If needed, repeat this process to create a room mailbox for every Polycom endpoint which will be used with OTD service.

    Configure Mailbox

    Using either the new mailbox created above or an existing mailbox the following commands will ensure that the mailbox is correctly configured.  Depending on how existing resource mailboxes were created these parameters may already be set correctly, but sometimes the existing settings will purge the meeting invitation contents to save on mailbox storage.  Without that data included in the room’s copy of the invite then OTD has no information to process and then no ‘Join’ button would appear on the invited VTC.

    • Run the following Set-CalendarProcessing command against the new mailbox as identified by the Identity parameter.  Leave all other parameters at the documented values, aside from the -AdditionalResponse setting which can be customized to include any message.

    Set-CalendarProcessing -Identity "vtc1@msteams.net" -AutomateProcessing AutoAccept -AddOrganizerToSubject $false -AllowConflicts $false -DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false -AddAdditionalResponse $true -AdditionalResponse "This room is enabled for One Touch Dial with Polycom RealConnect"

    image

    If needed, repeat this process for every room mailbox (new or existing) that is (or will be) associated with a supported VTC to leverage OTD.
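The two commands above are usually run once per room.  As an added example (not from this article) the following script handles the create-or-validate decision for a list of rooms in one pass: it creates a room mailbox only when none exists, applies the calendar processing settings the article specifies, and then reports any room whose settings would still purge the invitation body that OTD needs.  The mailbox addresses are placeholders, the password is prompted for rather than embedded in the script, and an existing Exchange Online PowerShell session is assumed.

```powershell
# Added example, not part of the original article: prepare several room mailboxes for OTD.
# Assumes an Exchange Online PowerShell session is already connected (see "Prepare PowerShell").
$rooms = @(
    @{ Upn = 'vtc1@msteams.net'; Alias = 'vtc1'; Name = 'VTC 1 (Polycom)' },   # placeholder rooms
    @{ Upn = 'vtc2@msteams.net'; Alias = 'vtc2'; Name = 'VTC 2 (Polycom)' }
)

# The settings the article specifies.  DeleteComments and DeleteSubject must stay $false:
# the invitation body is where the Skype/Teams join details live, and OTD scans that copy.
$calendarSettings = @{
    AutomateProcessing    = 'AutoAccept'
    AddOrganizerToSubject = $false
    AllowConflicts        = $false
    DeleteComments        = $false
    DeleteSubject         = $false
    RemovePrivateProperty = $false
    AddAdditionalResponse = $true
    AdditionalResponse    = 'This room is enabled for One Touch Dial with Polycom RealConnect'
}

foreach ($room in $rooms) {
    if (-not (Get-Mailbox -Identity $room.Upn -ErrorAction SilentlyContinue)) {
        # Prompt for the room account password so it never sits in the script or shell history.
        $pw = Read-Host -Prompt "Password for $($room.Upn)" -AsSecureString
        New-Mailbox -MicrosoftOnlineServicesID $room.Upn -Alias $room.Alias -Name $room.Name `
            -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword $pw | Out-Null
    }
    # Safe to apply to both new and pre-existing rooms; only the listed parameters change.
    Set-CalendarProcessing -Identity $room.Upn @calendarSettings
}

# Verification: one row per room, with a flag for any configuration that would leave the
# room's copy of the invite without the content OTD processes.
$rooms | ForEach-Object { Get-CalendarProcessing -Identity $_.Upn } |
    Select-Object Identity, AutomateProcessing, DeleteComments, DeleteSubject, RemovePrivateProperty,
        @{ Name = 'OtdReady'; Expression = {
            $_.AutomateProcessing -eq 'AutoAccept' -and -not $_.DeleteComments -and -not $_.DeleteSubject
        } } |
    Format-Table -AutoSize
```

The verification query is also worth running on its own against rooms that were created long before OTD was introduced, since older resource mailboxes are the ones most likely to have DeleteComments set to $true.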

    Configure Endpoint

    The following steps are used to perform the calendar setup directly on the Polycom Group Series with the newly created and configured resource mailbox.

    • Connect to the web management interface on the Group Series endpoint and then navigate to the Admin Settings > Calendaring Service menu.
    • If not already enabled click the checkbox next to Enable Calendar Service.

    • Enter the Email address (e.g. vtc1@msteams.net), User Name (e.g. vtc1@msteams.net), and Password for the desired resource mailbox.  (Leave the Domain field blank as the User Principal Name format is used in the User Name field which already includes the domain name.)

    image

    • In the Microsoft Exchange Server field enter the Polycom One Touch Dial service FQDN of otd.plcm.vc and then click Save.

    image

    After saving the configuration the Registration Status will typically read either Not Connected or Registration Failed for up to 30 seconds while it is attempting to sign-in via Exchange Web Services.  Once successful the status will automatically update to Registered.

    image

    If the mailbox has been invited to any scheduled meetings then the connected endpoint will now display those invitations on the calendar.

    image

    Furthermore, if any of those meetings are Skype for Business or Teams meetings scheduled by a user enabled for the RealConnect service then the Join button will be displayed, providing the simple One Touch Dial experience used to connect the endpoint directly into the scheduled meeting.  The following Call Statistics details from the Group Series show a successful H.323 video call into the RealConnect for Microsoft Teams service (as denoted by the t.plcm.vc domain name in the call string).

    image

    At this point the standard setup is complete for any Polycom endpoints which are not natively registered to Skype for Business.  In fact the Group Series used in this article was reset to factory defaults just prior to this configuration and the meeting was successfully joined simply by placing an H.323 video call after configuring the calendar.


    Service Account Configurations

    The configuration above simply uses the service’s default capabilities to automatically locate the source mailbox in Exchange Online via standard autodiscover processes.  The mailbox credentials are stored on the endpoint and provided to the OTD service which uses pass-through authentication to connect to the mailbox and then process the invite.  The same automatic process can be used with a service account, given that pass-through authentication is utilized (Option 1).  Yet for proxy authentication (Option 2) some additional configuration is required to create new sets of credentials for each device as well as connect OTD to the Exchange organization and store the service account credentials.

    Create Service Account

    Both options outlined above can utilize the same single service account (e.g. otd@msteams.net), so perform these steps to create the new account and delegate permissions to the resource mailboxes accordingly for either option.

    This service account must have a mailbox even though its own mailbox is never actually used throughout the OTD process.  Exchange can only delegate mailbox permission to other mailbox-enabled accounts, hence the need for the license.

    • Using the same process as outlined in the first section connect to both Exchange Online and the MSOnline PowerShell modules and then execute the Get-MsolAccountSku cmdlet to list all available license options currently applied to the Office 365 tenant.

    Get-MsolAccountSku

    image

    The example tenant in this article has available Enterprise E5 licenses (ENTERPRISEPREMIUM), which is clearly overkill for this requirement.  As suggested above a less expensive option of Exchange Online Kiosk (EXCHANGEDESKLESS) can be used instead.  (As seen above the single Kiosk license in this tenant has already been assigned to another user, so for the purposes of this article one of the free E5 licenses will be used.)

    • Run the following New-MsolUser command to create a new user account which will be used by the OTD service to connect to Exchange over Exchange Web Services.  Update the example values below with the desired Display Name, User Principal Name, Usage Location (appropriate two-letter country code), License Assignment, and Password.

    New-MsolUser -DisplayName "OTD Service Account" -UserPrincipalName "otd@msteams.net" -UsageLocation "US" -LicenseAssignment "jschertz:ENTERPRISEPREMIUM" -Password "P@s5w04d" -PasswordNeverExpires $true -ForceChangePassword $false

    image

    Delegate Mailbox Permissions

    In order to use the new service account to access each and every resource mailbox it will need to be delegated the appropriate permissions to each mailbox.  The only right this account requires is Read access to just the Calendar folder in each mailbox.

    • Run the Add-MailboxFolderPermission command by providing the Identity of the desired source mailbox's Calendar folder, as well as the User Principal Name of the newly created service account.

    Add-MailboxFolderPermission -Identity "vtc1@msteams.net:\Calendar" -User "otd@msteams.net" -AccessRights "Reviewer"

    image

    If needed, repeat this process to delegate permissions for each room mailbox’s Calendar to the single service account.

    Verify Mailbox Permissions

    Once all mailboxes are configured the following optional cmdlet can be used to report which mailboxes in the entire organization the service account has access to.  It queries every mailbox in the organization and lists only those where the target account has been assigned Calendar permissions.

    Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-MailboxFolderPermission -Identity "$($_.PrimarySmtpAddress):\Calendar" -User "otd@msteams.net" -ErrorAction SilentlyContinue } | Format-Table Identity,FolderName,User,AccessRights

    image

    This completes the requisite environment configuration and now the One Touch Dial Service can be setup and enabled.

    Option 1: Pass-through Authentication

    The first option available to use the service account requires no additional configuration.  Simply use the service account’s username and password in the endpoint’s calendar configuration while still pointing to the desired.

    • Connect to the web management interface on the Group Series endpoint and then navigate to the Admin Settings > Calendaring Service menu.
    • Enter the Email address of the associated resource mailbox (e.g. vtc1@msteams.net), but provide the service account’s User Name (e.g. otd@msteams.net), and Password for the desired resource mailbox.  (Leave the Domain field blank as the User Principal Name format should be used in the User Name field which already includes the domain name.)

    • In the Microsoft Exchange Server field enter the Polycom One Touch Dial service FQDN of otd.plcm.vc and then click Save.

    image

    After saving the configuration the Registration Status will typically read either Not Connected or Registration Failed for up to 30 seconds while the endpoint attempts to sign in via Exchange Web Services.  Once successful the status will automatically update to Registered.

    • Check the endpoint’s calendar to verify any previously scheduled meetings are now displayed, and if any are a Skype for Business or Microsoft Teams meeting created by a RealConnect-licensed scheduler then a Join button should also appear.

    image

    In the example above a daily recurring Teams meeting has been scheduled and the VTC1 mailbox was previously invited.

    • Select the Join button on the Group Series to connect to the scheduled meeting.

    As this example meeting is a Teams meeting hosted in a tenant where lobby bypass for VTCs has been enabled, the call connected directly into the empty meeting.  Reviewing the call statistics shows that the standards-based call (in this case SIP) matches the information shown in the original invitation.

    image

    Option 2: Proxy Authentication

    The second option requires additional configuration.  The OTD service portal will be leveraged to store the service account credentials as well as to define a second set of credentials to be used on the endpoint.  This approach uses two separate sets of credentials in order to adhere to any IT policies requiring that knowledge of service account credentials be delineated among different teams.  Essentially an administrator can configure the overall solution while help desk personnel can be given only the local credentials, which will only function through the proxy.  They cannot be used to access the source mailbox directly in Exchange.

    image

    • Click the Sign in with Microsoft button and then enter the credentials of the account which was enabled for access (e.g. jeff@msteams.net).

    image

    The first time that an authorized user signs into the portal a prompt will appear requesting permission for the Polycom app to sign in on behalf of and read the user’s profile information and data.

    • Review the requested permissions and then click the Accept button.  (If the "Consent on behalf of your organization" option appears it can be ignored as each user account authorized for the OTD portal will receive this same one-time prompt.  If desired, an administrator can select this option now and other accounts will not be prompted when they first sign in.  The behavior of the service is not impacted either way.)

    image

    • Click on the Calendars section and then click Connect next to the appropriate Exchange option.  (Office 365 is used for connectivity to resource mailboxes hosted in Exchange Online and Exchange is used for connectivity to Exchange Server deployments.  As this article is utilizing Exchange Online mailboxes then the Office 365 option will be selected.)

    image

    • Select Connect with Service Account.  (It is not recommended to utilize the Application approach given that permissions to more than just what was specifically delegated would be granted to the OTD service in the selected tenant.)

    image

    When the Connect with Service Account option is selected a Microsoft login window will appear.  This authentication prompt is used to store the service account credentials into the OTD portal so it is important to enter the correct information here.

    • Enter the username and password of the service account which was created earlier (e.g. otd@msteams.net).

    image

    • Review the requested permissions and then click the Accept button.

    image

    If successful the connection status for Office 365 will display the name of the account currently being used to communicate with Exchange Online.

    image

    • Select Devices from the navigation menu and then click the Connect a Device button.

    image

    • Select the appropriate endpoint; in this example click the RealPresence Group Series button.
    • In the Calendaring Email field enter the email address of the resource mailbox for the desired endpoint (e.g. vtc1@msteams.net), enter a descriptive name in the Name field (e.g. VTC1), and then click Create.

    image

    The next window will display a set of automatically generated credentials to use on the associated endpoint to authenticate to the OTD service with.  The username is randomly selected and cannot be changed or customized.  The password can be reset in a later step if desired.

    • Click on the Copy to Clipboard button and then paste the details into a new text file for later use.

    image

      • Connect to the web management interface on the Group Series endpoint and then navigate to the Admin Settings > Calendaring Service menu.
      • In both the Email and User Name fields enter the email address created by the portal in the previous step (e.g. gsaoclxiohed@otd.plcm.vc).

      • Leave the Domain field blank as it is not used for this configuration.

      • Enter the password as provided in the previous step (e.g. Is1ofyLAv1).

      • In the Microsoft Exchange Server field enter the Polycom One Touch Dial service FQDN of otd.plcm.vc and then click Save.

    image

    After saving the configuration the Registration Status will typically read either Not Connected or Registration Failed for up to 30 seconds while the endpoint attempts to sign in via Exchange Web Services.  Once successful the status will automatically update to Registered.

    RealConnect Service for Skype and Teams

    October 31, 2018

    This article is the first in a series which covers Polycom’s RealConnect service, a Microsoft Azure-based video interoperability service for Skype for Business and Microsoft Teams meetings.  

    1. RealConnect Service for Skype and Teams – introduces the overall solution and the steps to activate the service for use with Skype for Business Online meetings and/or Teams meetings.  (A future article will cover the additional configuration steps required to support Skype for Business Server or Hybrid deployments with the service.)

    2. Polycom One Touch Dial Service – explains what this ancillary service is, how it works, and provides detailed configuration steps for using it with Polycom VTCs.  (A future article will cover the configuration for Cisco VTCs.)

    3. Polycom Cloud Relay – outlines the purpose of this component, how it works, and then walks through the steps for deploying a Cloud Relay virtual server on-premises.  This on-premises server is an optional component to the RealConnect service, only needing to be deployed when using Skype for Business Server and/or supporting Cisco endpoints with the One Touch Dial service.

    This Microsoft partner-provided service, commonly referred to as Cloud Video Interop (CVI), allows various standards-based Video Teleconferencing (VTC) endpoints to join scheduled Skype for Business and Teams meetings. While an earlier article outlined all of the different RealConnect offerings available this series will focus solely on the cloud-based service model of RealConnect.

    The original service offering is referred to as RealConnect for Office 365, but supports Skype for Business Online, Skype for Business Server, and Skype for Business Hybrid environments.  The recently released offering entitled RealConnect for Microsoft Teams added support for Microsoft Teams meetings.  Access to both services is provided together using the same consumption license, meaning that RealConnect can be used with any Skype and Teams meeting scheduled by any user in the organization.  A free 60-day trial license is available today for most Microsoft Office 365 tenants worldwide.  Availability can depend on the tenant type (public multitenancy versus various government clouds) and the region (some countries are not currently able to leverage this service).

    The licensing consumption model is simply based on concurrent usage.  While the trial comes with 5 concurrent licenses nearly any number of licenses can be purchased as needed.  Regardless of the number of Skype and/or Teams meetings occurring at the same time, and regardless of the number of Skype or Teams participants, guests, or PSTN callers, only a VTC connecting into any of these meetings would consume a license and only while the call is active.  So, with a trial license as many as five different VTCs can use the service at one given time to join any number of scheduled Skype or Teams meetings.

    Background

    The heart of a Cloud Video Interop meeting that allows RealConnect to function is a scheduled Skype for Business or Microsoft Teams invitation.  In an organization which has enrolled and provisioned the service an enabled user’s scheduled meetings will natively include additional instructions (seen in the image below) for joining the meeting from any standards-based endpoint.  At minimum the provided calling option can be manually dialed from a VTC, but additional configuration like local speed dials, infrastructure dialing rules, or ideally the Polycom One Touch Dial service can be leveraged to provide a single ‘Join’ button on supported endpoints to place the call.

    image

    The RealConnect service is comprised of a number of Polycom-managed, Microsoft Azure-hosted virtual servers.  These globally deployed services can receive video calls over standards-based SIP or H.323 protocols and then connect that call into a Skype for Business or Teams meeting.  (This service does not connect Skype for Business meetings to Teams meetings.  Those are two completely separate Microsoft meeting platforms.)

    This basic diagram shows two VTCs joining the same scheduled Microsoft Teams meeting.  (RealConnect for Skype for Business functions in the exact same manner.)

    image

    • Each VTC which calls into the service will be routed to the logically closest Azure datacenter where Polycom services are deployed and the call will land on a dedicated transcoding MCU (B). 
    • The RealConnect service will then locate the target meeting, as identified by the Tenant ID, Conference ID and Domain provided in the call string (e.g. 123456.987654321@t.plcm.vc).

    The Tenant ID is a globally unique string assigned to the tenant during service enrollment and is the same on every meeting scheduled by any user in the tenant; it never changes.  The Conference ID is dynamically created by the Microsoft scheduling services and is different for every scheduled meeting.  The Domain name in the call string will be one of three options denoting which of the three flavors of the service the call will be directed to: t.plcm.vc for Microsoft Teams meetings, v.plcm.vc for Skype for Business Online meetings, and h.plcm.vc for Skype for Business Server meetings.  (The original instance of the service was launched for Skype for Business and ‘v’ was used to denote ‘video’.  When support for Skype for Business Server/Hybrid deployments was later added then ‘h’ was used for ‘hybrid’.  As one can guess the ‘t’ refers to Teams in the latest iteration of the service.)

    • Now that the service has located the Microsoft meeting then the Polycom MCU (B) will connect to the Microsoft MCU (A), transcoding all video, audio, and content sharing sessions between standards-based codecs (e.g. H.264 AVC, H.239, BFCP, etc.) into Microsoft codecs (e.g. SVC, RDP, VBSS, etc).
    • When another VTC joins the same call, using the same call string, it will land on a different, dedicated Polycom MCU (C).  That MCU may reside in the same Azure datacenter or a completely different datacenter, depending on the geographical location of that VTC.  Either way, all the cascaded traffic will be routed within Microsoft’s global network to locate the same Teams (or Skype for Business) meeting.

    The remainder of this article details the steps required to enable the service after purchase or enrollment in a trial, and should only be performed once calls into the service have been successfully tested and any optional components like the Cloud Relay have been deployed, or additional configuration like One Touch Dial has been completed.  This is especially important when working with a trial license as the 60-day period can disappear rather quickly when potentially dealing with firewall configuration changes or anything else which may take time to address in a production network.

    So while this is the first article in the series it may very well be the last article used in the actual configuration, depending on the timing of events and desired capabilities.  For example, supporting Polycom VTCs can be 100% cloud-based and thus the recommended route is to simply activate the service and then set up the endpoints for One Touch Dial, after validating connectivity to the services.

    But if there are Cisco VTCs which need to leverage One Touch Dial then that service and the Cloud Relay should be dealt with first, before activating the service.  The same guidance goes for supporting Skype for Business Server or Hybrid deployments.  Essentially, any feature or topology which requires the Cloud Relay server means that one should always get that deployed and functioning before activating the service.  Understand that there is no requirement to activate the service first or last; this guidance is simply related to maximizing usability during the trial period.  If this is not a concern then performing the steps in this article to activate and configure the service is typically done first.


    Activate Service

    When service licenses are purchased (or a trial is issued) an automated email will be sent to the primary contact email address provided during the original order.  This email is sent from "licenseadmin@polycom.com" with the title "Polycom License notification email for Polycom for Order No. 0000000/domain.com" and includes a pair of attachments.  Both the .PDF and .TXT attachments include the 16 character license activation key which is tied specifically to the tenant domain for which it was ordered. (Meaning, for example, that if the exact license key shown in this article were to be used by another Office 365 tenant it would fail to apply.)

    • Open the mailbox for the account provided as part of the service order (e.g. jeff@msteams.net) and look for the email described above.  (If this email is not found then the order may not have been processed yet, which can take 1-2 days.)

    image

    • Download the attached text file (e.g.  1607678.txt) file or simply open the attachment and copy the license key to the clipboard. (The numeric order number is the name of the attachment.)

    image

    image

    • Enter the credentials of a Global Administrator account and then click Yes on the Stay signed in prompt, which will simplify the configuration as different portals are accessed.  (Any account with Global Administrator permissions in the Office 365 tenant can access this portal for service activation.)

    image

    • Click each down arrow to expand the individual permission requests to review the additional details. Leave the Consent on behalf of your organization setting unchecked and then click Accept.

    image

      This step is simply allowing the RealConnect service the rights required to insert service-related information into the tenant during the configuration process managed by the portal.

      Also, Microsoft has recently changed these permission request prompts to include a new option to accept the change on behalf of the entire organization, meaning that other users accessing the portal will not receive this prompt.  As only a Global Administrator can access this portal there is typically no added value in preemptively accepting these permissions for all other Global Administrator accounts which may potentially also decide to sign in to this portal for some reason.  And if another authorized account did sign in it would simply be presented with this same prompt.

      • Once successfully signed in to the portal then the current status should indicate that the account is inactive and no licenses are applied.  Click the Activate New License link.

      image

      • Enter the License Activation Key (e.g. C1937-5846-9980-3352) from the previously downloaded file (or paste it from the clipboard), accept the terms of service request, and then click Submit.

      image

      • If the license key is successfully applied then the page will refresh to display a host of new information.

      image

      As seen above this is a 60-day trial license of which the timer has now started, indicated by the End date.  Also the trial includes a limit of 5 concurrent VTC Call Licenses for use with any number of Skype for Business or Teams meetings at one time.  The remainder of the information above will be broken down in the remaining configuration steps.

      Now that the service has been activated for the tenant it would be a good time to sign up for status alerts related to the service availability.

      image

      image


      Enable RealConnect for Microsoft Teams

      Now that the license has been applied and the service is activated for this Office 365 tenant there are a few required one-time configuration steps to be performed.  The Teams Configuration section on the portal includes links to either perform or explain how to perform each of the required sections.  (If RealConnect will not be used with Microsoft Teams meetings then skip this section and advance to the Skype for Business configuration in the next section.)

      First, consent must be granted to Polycom to operate as a Cloud Video Interop service provider and allow Polycom’s bots used in the solution to join any Teams meetings scheduled by users in this tenant.  Secondly, in order to use the RealConnect service a user’s scheduled Teams meeting invitation must include additional instructions in the invitation for the VTCs to use.  Inclusion of these additional instructions is controlled by a set of PowerShell cmdlets which can be used to enable the functionality either for all users globally or on an individual user-by-user basis.

      Grant Consent

      image

      • Click the "here" link at the bottom of the page and sign into Office 365 using the same Global Administrator account, if prompted.

      image

      • Click each down arrow to expand the individual permission requests to review the additional details.  Click Accept when ready.

      image

      If successful, then the consent page will refresh to report the results.

      image

      At this point a RealConnect for Microsoft Teams app has been added to the Office 365 tenant, which can be confirmed on the Microsoft Apps page at https://myapps.microsoft.com. Look for the Polycom RealConnect for Microsoft Teams app in the list.

      image

      Prepare PowerShell

      image

      The PowerShell Commands documentation page that opens will include each of the supported cmdlets.  These are not just examples as they include the exact parameters specific to this tenant, so they can literally be copied and pasted directly into PowerShell to execute them.  Among the instructions is guidance for connecting to PowerShell Online Modules, enabling the service, enabling users, and controlling specific behaviors of the service.

      As explained in this recent article the Microsoft Teams cmdlets are included in the Skype for Business Online PowerShell Module, so that is the only module required to complete the following configuration steps.

      • Download and install the Skype for Business Online Windows PowerShell Module on the desired Windows workstation.
      • Open a new Windows PowerShell window and then enter the following commands.  These can all be copied and pasted in one single action.  Enter an administrator account’s User Principal Name when prompted in the PowerShell window, and then the password when prompted in a separate pop-up window.

      Import-Module SkypeOnlineConnector
      $skype = New-CsOnlineSession
      Import-PSSession $skype

      image

      Enable Video Interop Service

      • Copy the command string under the "Configure Your Video Interop Service Policy" section which should match the example below everywhere except for the unique numeric string in the -TenantKey parameter.  Paste the text into PowerShell and execute.

      New-CsVideoInteropServiceProvider -Identity Polycom -AadApplicationIds a39192d4-7b9b-4c07-87d7-cbcd3fd97af7 -TenantKey "680450644@t.plcm.vc" -InstructionUri "https://dialin.plcm.vc/teams/?key=680450644&conf={ConfId}"

      image

      What this command has done is enabled Polycom as the Cloud Video Interop Service provider of choice for this tenant, defined the tenant’s unique numeric ID (TenantKey), defined the globally unique AzureAD application ID for the Polycom service bot (AadApplicationIds), and finally set the help URI which will appear on the Teams meeting invite of any enabled users (InstructionUri).

      Note that the -InstructionUri parameter can point to any URL, so if desired a custom-branded webpage can be created and hosted on any publicly available web server.  Simply replace the default URL with the URL of the custom website if this customization is desired, otherwise leave the default entry which points to a dynamic page specific to the tenant.

      Enable Users

      Unlike the Skype for Business configuration which will require an add-on license to be assigned to each user in the environment the Teams solution simply leverages a policy which can be enabled or disabled per user or for the entire tenant.

      The preferred method when testing or rolling out the service is to enable individual users instead of enabling every user at one time.

      • To enable individual user accounts simply use the Grant-CsTeamsVideoInteropServicePolicy cmdlet as shown below, entering the User Principal Name for the desired user account as the target -Identity.  Standard PowerShell scripting can be used to run this command against specific lists of users in bulk if desired.

      Grant-CsTeamsVideoInteropServicePolicy -PolicyName PolycomServiceProviderEnabled -Identity jeff@msteams.net

      • Alternatively, to enable the service for every scheduled Teams meeting created by every user in the organization then simply execute the same cmdlet, but without specifying an identity.

      Grant-CsTeamsVideoInteropServicePolicy -PolicyName PolycomServiceProviderEnabled

        For verification purposes the following cmdlet can be used to list all users in the organization which have the service enabled for their Teams meeting invitations.

        Get-CsOnlineUser -Filter {TeamsVideoInteropServicePolicy -eq "Tag:PolycomServiceProviderEnabled"} | fl UserPrincipalName

        image

        Enable Lobby Bypass

        By default any VTCs joining a Teams meeting by way of RealConnect will automatically be placed directly into the meeting lobby, requiring another Teams attendee to manually admit them.  If this behavior is not desired then all VTCs can be allowed to automatically bypass the lobby and join the meeting directly.  Note that this change has no impact on other guests joining a Teams meeting, it only applies to VTCs joining via the RealConnect service.  Changing this setting will impact the behavior for all VTCs joining all Teams meetings as this is essentially a global on/off switch.

        • Enter the following cmdlet to enable the lobby bypass behavior.

        Set-CsVideoInteropServiceProvider -Identity Polycom -AllowAppGuestJoinsAsAuthenticated $true

        Note that in order for this feature to function the service provider configuration defined in an earlier step must have the correct service bot ID defined (-AadApplicationIds a39192d4-7b9b-4c07-87d7-cbcd3fd97af7).  If the provider was initially created without setting this parameter then it can be added to the same cmdlet as shown in the following example.

        Set-CsVideoInteropServiceProvider -Identity Polycom -AllowAppGuestJoinsAsAuthenticated $true -AadApplicationIds a39192d4-7b9b-4c07-87d7-cbcd3fd97af7
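The bulk enablement mentioned under Enable Users, the verification query, and the provider check that the lobby bypass step depends on can be combined into one script.  The following is an added example and not code from the original article or the Polycom portal; it assumes an existing Skype for Business Online PowerShell session (the Import-Module / New-CsOnlineSession steps above), the provider name, bot application ID and policy name shown in this article, and a constructed one-entry user list in place of a real roster.  It only reports the lobby bypass state rather than changing it, since that is a tenant-wide switch best flipped deliberately.

```powershell
# Added example: validate the Polycom video interop provider, then enable
# RealConnect for a defined list of users and confirm the policy applied.
# Assumes an existing Skype for Business Online session and the values
# shown in this article; the user list is a constructed sample.
$ProviderName  = "Polycom"
$ExpectedAppId = "a39192d4-7b9b-4c07-87d7-cbcd3fd97af7"   # service bot ID from the article
$PolicyName    = "PolycomServiceProviderEnabled"
$Users         = @("jeff@msteams.net")                   # constructed sample; replace with real UPNs or import from CSV

# 1. Confirm the provider exists and carries the expected bot application ID.
#    Without the ID, AllowAppGuestJoinsAsAuthenticated (lobby bypass) has no effect.
$Provider = Get-CsVideoInteropServiceProvider -Identity $ProviderName -ErrorAction SilentlyContinue
if ($null -eq $Provider) {
    throw "Video interop provider '$ProviderName' not found; run New-CsVideoInteropServiceProvider first."
}
if ($Provider.AadApplicationIds -notcontains $ExpectedAppId) {
    Write-Warning "Provider '$ProviderName' is missing bot ID $ExpectedAppId; lobby bypass will not function until it is set."
}
Write-Host ("Provider {0}: TenantKey={1} LobbyBypass={2}" -f $Provider.Identity, $Provider.TenantKey, $Provider.AllowAppGuestJoinsAsAuthenticated)

# 2. Grant the policy per user rather than tenant-wide so the rollout can be staged.
foreach ($Upn in $Users) {
    Grant-CsTeamsVideoInteropServicePolicy -Identity $Upn -PolicyName $PolicyName
}

# 3. Verify: read the effective policy back for each user and flag any that did not apply.
$Results = foreach ($Upn in $Users) {
    $U = Get-CsOnlineUser -Identity $Upn
    [pscustomobject]@{
        User    = $Upn
        Policy  = $U.TeamsVideoInteropServicePolicy
        Enabled = ("$($U.TeamsVideoInteropServicePolicy)" -like "*$PolicyName")
    }
}
$Results | Format-Table -AutoSize

# 4. Cross-check against the tenant-wide list of enabled users (same filter as the article).
$AllEnabled = Get-CsOnlineUser -Filter { TeamsVideoInteropServicePolicy -eq "Tag:PolycomServiceProviderEnabled" } |
              Select-Object -ExpandProperty UserPrincipalName
Write-Host "$($AllEnabled.Count) user(s) currently have the policy assigned tenant-wide."
```

Keeping the user list in a file under change control, and re-running step 3 after each batch, gives an audit trail of exactly which accounts were enabled and when, which is useful when a trial license is ticking.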

        Validate Configuration

        To confirm that the configuration was successfully completed sign in to Microsoft Teams using one of the accounts which was assigned to the service policy in the previous steps (e.g. jeff@msteams.net).

        • Create a new Teams Meeting using any supported method (Outlook, the Teams desktop application, a Teams mobile app, or even from Teams running in a web browser).

      Confirm that the resulting meeting invitation now displays the additional section of instructions in the message body pertaining to the video interop service.  Note that these additional video conferencing device details may not immediately appear in new meetings, as the configuration can take several hours (routinely up to 8) to be enabled across Microsoft’s cloud service.  Also make sure to restart both Outlook and the Teams client on the workstation if the details are still not appearing.

          image

          image

          At this point the configuration for Microsoft Teams is complete and the service is ready to be used with the Office 365 tenant.


          Enable RealConnect for Skype for Business Online

          Configuring RealConnect for Skype for Business addresses the same concepts as covered above in the Teams configuration, yet with a completely different methodology for enabling the service and users.  The steps in this section are only applicable to supporting Skype Meetings scheduled by Skype for Business Online users.  (Supporting RealConnect for Skype Meetings scheduled by Skype for Business Server users requires a different configuration which is not in the scope of this article.)

          While the required permissions to utilize the service were already granted when first connecting into the portal, Polycom needs to also be established as a Cloud Solution Provider (CSP) via a partner relationship with the Office 365 tenant.  By default Microsoft grants all CSPs full delegated administrative rights to the tenant, which is in no way required (or even desired) for this service.  Thus those rights should be promptly removed, leaving only the Cloud Solutions Provider relationship.

          1. The Partner Relationship is required to insert the needed user licenses into the tenant.
          2. Delegated administrative permissions are not required and should be removed.

          While the Teams functionality leverages a basic policy setting to enable the service per user, the Skype for Business functionality uses the older Office 365 Add-On license model.  The Skype Configuration details below include an additional user license count which is completely separate from the base Call Licenses which are actually measured for concurrent usage of the service.  These additional Skype Outlook Licenses are simply entitlements which can be given to all users so that their Skype Meeting can be populated with the needed VTC details.  These are essentially included free with the service.

          Authorize Cloud Solutions Provider

          image

          • Click Sign In on the Cloud Solution Provider invitation.

          image

          • Select Yes to agree to the terms of delegated administration (this level of permissions is unneeded by the service and will be promptly removed) and then click Authorize CSP.

          image

          If completed successfully the following message will be displayed.

          image

          Otherwise the main page will be displayed with the updated Skype Configuration status now reflecting that the partner relationship has been established.  Note that it should also report "Delegated Admin Permission detected".

          • Click the View Microsoft Partner Relationship link which will open the Microsoft 365 admin center in a new tab and should go directly to the Settings > Partner Relationship menu.

          image

          • Click on the Polycom, Inc. entry to open that partner relationship.  (Note that the Relationship is described as "Cloud Solution Provider and Admin".)

          image

          • Click the Remove delegate admin button and then click Remove when prompted to confirm.

          image

          • Click Close to return to the Partner relationships page.  (Note that the "and Admin" portion is no longer shown in the description.)

          image

          Verify User Licenses

           

          image

          As soon as the licenses are applied to the tenant they will be listed here as "Skype Meeting Video Interop for Skype for Business".  It can take as little as a few minutes or as long as several hours before the licenses are applied to the tenant, so check back later if they do not yet appear.

          Enable Users

          Once the licenses have been assigned to the tenant and appear in the previous step it is possible to assign the service capability to specific users' meetings.

          Note that the number of Skype Meeting Video Interop licenses which appear in the tenant will exactly match the total number of core Office 365 user licenses currently in the tenant that include Skype for Business Online Plan 2 capabilities.  This essentially means that all Standalone, Business, and/or Enterprise licenses which include the ability for that user to schedule a Skype for Business Online Meeting are added together and an equal number of video interop licenses are added to the tenant.  For example, a tenant with 25 E3 licenses, 100 E5 licenses, and 10 standalone SfB Online Plan 2 licenses would be given 135 video interop user licenses.  This ensures that every user in the tenant is allowed to create meetings capable of using RealConnect.

          If additional Office 365 user licenses are added to the tenant in the future then simply sign-in to the Polycom RealConnect for Office 365 and Microsoft Teams portal which will trigger the service to recalculate the current user licenses and update the available amount to match.

          Assigning a license to a user can be performed using either the Microsoft 365 Admin Center or PowerShell, no differently than any other Office 365 license.

          • In the Microsoft 365 admin center browse to Users > Active Users, select the desired user or users, and then click Edit for Product Licenses.  (If editing multiple users then select Add to existing product license assignments.)
          • Click on the slider next to Skype Meeting Video Interop for Skype for Business and then click Save.
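For more than a handful of users the same assignment is easier to do, and to audit, from PowerShell.  The following is an added example and not code from the original article; it assumes an existing MSOnline session (Connect-MsolService) as used earlier on this page, a constructed one-entry user list, and a placeholder for the add-on SKU part number, which the article does not state and which should be read from Get-MsolAccountSku in the tenant.  It checks remaining capacity and the UsageLocation requirement before assigning, and skips users who already hold the license.

```powershell
# Added example: assign the Skype Meeting Video Interop add-on license
# in bulk with PowerShell instead of the admin center.
# Assumes an existing MSOnline session (Connect-MsolService).
$SkuPartNumber = "<VIDEO_INTEROP_SKU_PART_NUMBER>"   # placeholder, not from the article; look it up in your tenant
$Users         = @("jeff@msteams.net")               # constructed sample list

# Resolve the tenant-qualified AccountSkuId ("tenant:SKU") and check capacity first.
$Sku = Get-MsolAccountSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
if ($null -eq $Sku) {
    Get-MsolAccountSku | Format-Table AccountSkuId, ActiveUnits, ConsumedUnits
    throw "SKU '$SkuPartNumber' not found; pick the correct part number from the list above."
}
$Available = $Sku.ActiveUnits - $Sku.ConsumedUnits
if ($Available -lt $Users.Count) {
    # The entitlement count tracks core licenses; signing in to the RealConnect portal recalculates it.
    Write-Warning "Only $Available unit(s) of $($Sku.AccountSkuId) free for $($Users.Count) user(s)."
}

foreach ($Upn in $Users) {
    $User = Get-MsolUser -UserPrincipalName $Upn
    if ($User.Licenses.AccountSkuId -contains $Sku.AccountSkuId) {
        Write-Host "$Upn already licensed; skipping"
        continue
    }
    # A UsageLocation must be set before any license can be assigned to a user.
    if (-not $User.UsageLocation) {
        Write-Warning "$Upn has no UsageLocation; set it with Set-MsolUser -UsageLocation before licensing."
        continue
    }
    Set-MsolUserLicense -UserPrincipalName $Upn -AddLicenses $Sku.AccountSkuId
    Write-Host "Assigned $($Sku.AccountSkuId) to $Upn"
}
```

Because the script refuses to guess the SKU, the first run against a new tenant deliberately stops and prints the available SKUs so the correct part number can be filled in once and reused.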

          image

          Validate Configuration

          To confirm that the configuration was successfully completed sign in to Skype for Business using one of the accounts which was assigned to the service policy in the previous steps (e.g. jeff@msteams.net).

          • Create a new Skype Meeting using Outlook 2016 (Click-to-Run installations only) on a Windows or Mac workstation.  Confirm that the resulting meeting invitation now displays an additional section of instructions in the message body pertaining to the video interop service.

Note that these additional video conferencing device details may not immediately appear in new meetings, as the configuration can take several hours (routinely up to 8) to be enabled across Microsoft’s cloud service.  Also make sure to restart both Outlook and the Skype for Business client on the workstation if the details are still not appearing.

            At this point the configuration for Skype for Business Online is complete and the service is ready to be used with the Office 365 tenant.

            Next Steps

            As outlined earlier depending on the existing topology, desired workflow, and available VTCs there may be a need to perform additional configuration steps.  The additional articles in this series are outlined in the beginning of this article.

            Managing Office 365 with PowerShell

            October 9, 2018 by · 3 Comments 

            This article is intended to share a streamlined approach for managing Office 365 services via PowerShell which are pertinent to the Microsoft UC platform, namely Exchange Online, Skype for Business Online, and Microsoft Teams.  Covered are a host of one-time installation steps needed to prepare a single workstation with the requisite software as well as the individual PowerShell cmdlets repeatedly used to invoke access to each service when management processes need to be run.

            Before jumping into how to connect a single PowerShell window to all of these UC-related services online it is important to understand the different services and what has changed over the years in terms of PowerShell behavior.

            Background

There are several different articles available providing guidance for connecting to the various Microsoft Office 365 Online services via PowerShell.  They range from examples like an older blog post written specifically for Lync Online to new, updated guidance from Microsoft on how to access multiple services in a single console.  The older approaches utilized the original requirements of manually downloading and installing several different PowerShell modules via traditional Windows Installer packages which were created for connecting to services like Lync Online and Exchange Online.  There even used to be a separate download required simply to authenticate into Office 365 first using the original Organizational ID (Org ID) online authentication model.

            Now though, most of the various services in Office 365 are easier to connect to via PowerShell for management purposes, but they are still not all using the same methodology and installation processes.  While most are updated to use basically the same process there are a few outliers.  To access Exchange Online and/or the Office 365 Security & Compliance Center a completely different approach was used than the rest of the PowerShell modules used for managing services to Azure Active Directory (Azure AD), Skype for Business Online, or Teams.

Of the more recent changes which improve upon and simplify the overall management experience there are two primary concepts worth calling out.  One is the creation of a central repository for PowerShell resources and the other is the inclusion of Modern Authentication.  The newer PowerShell Gallery is now used to store and distribute various modules, making installation and updates of future module versions much easier.  Also, by leveraging Modern Authentication each of these modules utilizes the same approach for providing administrative credentials for access.

            The Modules

Yet, as mentioned earlier not all of these services operate identically and there are even some overlapping modules used for accessing the core Office 365 service.

            The following core modules are needed for managing any underlying Azure AD accounts or tenant components:

            • Microsoft Azure Active Directory Module for Windows PowerShell – This module contains the original set of *-Msol* cmdlets for managing Azure AD.  This is the older v1 PowerShell module referred to as MSOnline.
                  
            • Azure Active Directory PowerShell for Graph – This module is the newer v2 module containing all of the *-AzureAD* cmdlets for managing Azure AD.   This is the newer v2 PowerShell module referred to as AzureAD.

            Microsoft currently recommends using the newer v2 module, but that does not currently include any of the cmdlets provided in the v1 module.  So, it is not feasible to simply use only the newer Azure AD module when it does not also include all the older functionality.  For many of the management tasks covered on this blog for services like Skype for Business it is still required to execute several MSOnline cmdlets, thus both the v1 and v2 would be leveraged.  In fact, only the v1 module is really needed in most of the currently documented Skype for Business configuration and management processes as they all utilize the -Msol cmdlets, and not the newer -AzureAD cmdlets.  If in the future some of that guidance is updated then make sure to leverage the appropriate modules.

Luckily both of the modules above can easily be installed from the PowerShell Gallery so inclusion of both is trivial, and essentially there is no harm in loading an additional module into a PowerShell session even if no cmdlets from that module are executed.

            The following two modules are handled completely differently from the modules above though as they are not available via the PowerShell Gallery and must be installed through two separate manual processes.

            • Skype for Business Online PowerShell – This module contains all of the *-Cs* cmdlets originally added for managing Lync Online, now Skype for Business Online, and also includes UC-related Microsoft Teams management cmdlets.
            • Exchange Online PowerShell – This newer module with Modern Authentication support contains all of the cmdlets used for managing Exchange Online but these cmdlet names do not share a common naming convention for easy identification.

            Installation

The following steps walk through importing or installing each individual PowerShell module and are required only once per workstation.  An up-to-date Windows 10 workstation was used which contains all of the prerequisite Windows components to successfully complete the process.  If any errors occur when using older versions of Windows then it may be necessary to update components like PowerShell or Windows Management Framework.

            MSOnline

            Installation of the first module will assume that no other PowerShell modules have ever been installed on the specific workstation and will prompt for the one-time installation of the NuGet Package Provider as well as ask to temporarily trust the PSGallery repository.

• Launch Windows PowerShell as an administrator.

• Enter the following cmdlet to install the MSOnline module on the local workstation directly from the PowerShell gallery.

Install-Module -Name MSOnline

• When prompted to install the prerequisite NuGet provider enter "Y" to allow the installation.

• When prompted to install from the untrusted repository enter "A" to allow the installation.

• To verify successful installation of both the requisite NuGet and PSGallery components as well as the desired MSOnline module run the following cmdlets to list the installed PowerShell Package Providers, Repositories, and Modules.

Get-PackageProvider

Get-PSRepository

Get-InstalledModule

Note that the PSGallery repository listed above is currently set as Untrusted.  While this is acceptable it will continue to trigger the ‘untrusted repository’ prompt seen earlier when attempting to install any other modules from the PowerShell Gallery.  At this point it may be preferred to configure this as a trusted repository on the specific workstation to further streamline additional module installation.  This is a completely optional step, but one that is typically recommended given that the PowerShell gallery is a trusted Microsoft source.

• Use the following PSRepository cmdlets to set the PowerShell gallery to trusted and then confirm that modification.

Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

Get-PSRepository

            Azure AD

• In the same administrative PowerShell window issue the following cmdlet to install the AzureAD module.

Install-Module -Name AzureAD

If the PSGallery repository was not manually trusted using the optional step above then this step will again prompt for access to the still untrusted repository in order to download the AzureAD module.  If this prompt appears enter "A" to allow it.

• Use the Get-InstalledModule cmdlet again to verify that the AzureAD module has been installed.

Get-InstalledModule

            Skype for Business

• If the installation fails with an error reporting an insufficient or missing version of the Visual C++ 2017 x64 runtime then download and install the latest version of the x64 redistributable package (e.g. vc_redist.x64.exe).
• To verify successful installation open Apps & Features under the Windows System Settings and then search for ‘Skype’ to filter the list of installed programs and display the module.

            Exchange Online

• Using Microsoft Edge (other browsers may not be compatible) sign in to the Microsoft 365 Admin Center using an administrator account and then navigate to Admin Centers > Exchange to open the Exchange Admin Center in a new browser window.
• Select Hybrid from the navigation pane and then click Configure under "The Exchange Online PowerShell Module supports multi-factor authentication. Download the module to manage Exchange Online more securely."

• Open the Microsoft.Online.CSE.PSModule.Client.application and then select Install when prompted.

• Once the module installation completes then simply close the Windows PowerShell window which was automatically opened.

            At this point all four PowerShell modules have been installed on the workstation and the one-time setup is complete.


            Usage

            The following cmdlets can be issued individually to establish connections into each desired online service via PowerShell.  Due to the way that the Exchange module functions though it is critical to use the Exchange PowerShell module to start with as that module cannot be utilized in a standard PowerShell window.

            This approach leverages support for Modern Authentication throughout all four modules which does not utilize a single stored set of credentials.  Each connection will prompt for authentication in a separate window.

            Connecting to Online Services

• Launch the Microsoft Exchange Online PowerShell Module which was just installed on the workstation in the previous step.

Connect-EXOPSSession

• Sign in using an administrative account for the tenant.

Once the session has been imported a warning may appear related to potentially unapproved verbs which can be ignored.

              • Connect to Azure AD using the Connect-MsolService cmdlet and enter the same administrator credentials when prompted.

              Connect-MsolService

              • Connect to Azure AD using the Connect-AzureAD cmdlet, again entering the same credentials if prompted.

              Connect-AzureAD

              • Connect to Skype for Business Online using the following cmdlets, providing the account username when prompted in-line and the account’s password when prompted by a separate window.

              Import-Module SkypeOnlineConnector

              $skype = New-CsOnlineSession

              Import-PSSession $skype

If all commands were successful then the resulting PowerShell window should show each of the four connections established without errors.

              Testing Connectivity

              Issue the following four example cmdlets to test that each of the four modules are functioning properly with access to the online services.

              Get-Mailbox

              Get-MsolAccountSku

              Get-AzureADUser

              Get-CsOnlineUser

              Quick Reference

The following can be inserted into a .ps1 file to create a basic batch process for connecting to all four services in succession.  Because Modern Authentication does not allow token sharing between the various modules, the authentication prompts will still appear between each connection attempt.  Some of the Connect cmdlets support providing the User Principal Name in-line while others do not.  To attempt to incorporate these newer modules into custom scripts to further automate the process take a look at these other blog articles.

              Connect-MsolService
              Connect-AzureAD

              Connect-EXOPSSession -UserPrincipalName "jeff@jdskype.net"
              Import-Module SkypeOnlineConnector
              $skype = New-CsOnlineSession -UserName "jeff@jdskype.net"
              Import-PSSession $skype

              Make sure to execute the script after launching the Microsoft Exchange Online PowerShell Module, as that is the only PowerShell instance which is capable of using the Connect-EXOPSSession cmdlet.
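An added example (not the article's own script) that wraps the Quick Reference connection sequence in a function, refuses to run outside the Exchange module window where Connect-EXOPSSession does not exist, and then runs the four test cmdlets from the Testing Connectivity section to report which services are actually reachable. The UPN is a constructed sample.

```powershell
function Connect-UcOnlineServices {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Connect-EXOPSSession is only present in the Exchange module's own window
    if (-not (Get-Command -Name Connect-EXOPSSession -ErrorAction SilentlyContinue)) {
        throw 'Launch the Microsoft Exchange Online PowerShell Module and run this there.'
    }
    Connect-EXOPSSession -UserPrincipalName $UserPrincipalName
    Connect-MsolService
    Connect-AzureAD -AccountId $UserPrincipalName | Out-Null
    Import-Module SkypeOnlineConnector
    $skype = New-CsOnlineSession -UserName $UserPrincipalName
    Import-PSSession $skype -AllowClobber | Out-Null
}

function Test-UcOnlineServices {
    # One read-only cmdlet per service, taken from the Testing Connectivity section
    $checks = [ordered]@{
        'Exchange Online'           = { Get-Mailbox -ResultSize 1 }
        'Azure AD (MSOnline)'       = { Get-MsolAccountSku }
        'Azure AD (AzureAD)'        = { Get-AzureADUser -Top 1 }
        'Skype for Business Online' = { Get-CsOnlineUser -ResultSize 1 }
    }
    foreach ($name in $checks.Keys) {
        try {
            $ErrorActionPreference = 'Stop'   # make 'not connected' errors catchable
            $null = & $checks[$name]
            $status = 'OK'
        } catch {
            $status = "FAILED: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Service = $name; Status = $status }
    }
}

# Constructed sample UPN; each Connect cmdlet still shows its own sign-in prompt
Connect-UcOnlineServices -UserPrincipalName 'jeff@jdskype.net'
Test-UcOnlineServices | Format-Table -AutoSize
```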

              Displaying Teams in the Exchange Online Address Book

              July 3, 2018 by · 1 Comment 

              Microsoft has recently implemented a change in how Office 365 Groups are handled by default in Exchange Online.  Since the release of Microsoft Teams, which uses Office 365 Groups as the core membership list for individual Teams, when a user created a new team then the associated Office 365 Group was automatically Exchange-enabled with distribution group capabilities.  This meant that every single Team created in an organization would appear in the Exchange Online Address Book, thus offering the potential to rapidly clutter up the Global Address List.  This default behavior was hotly contested by the overall community and in response Microsoft has reacted by essentially reversing this, but not retroactively.

              Now when a new Office 365 Group or Team is created it will no longer appear in the Exchange Address Book, nor will it be displayed in the Outlook Groups section in the navigation pane.  This only applies to new groups though as no changes have been applied to any of the existing groups in Office 365 tenants today.

              So, this means that administrators need to understand how to address two potential issues: hiding all the existing groups if desired and unhiding individual new groups if desired.

              In order to programmatically hide all the existing groups from the address book and/or Outlook client navigation pane then the guidance in this article can be followed.  Yet when creating new teams and/or groups an additional configuration step will be required if it is desired to have them appear in Outlook. 

              Configuration

              This is a simple configuration change that is currently only available through a PowerShell cmdlet leveraging two different parameters.

              The preferred method for managing Exchange Online using PowerShell cmdlets now is to leverage Modern Authentication using the newer Microsoft Exchange Online PowerShell Module which can be initially installed from the Exchange Admin Center.

              Connect to Exchange Online PowerShell

• Using a web browser sign in to the Office Admin Center using an administrator account and then navigate to Admin Centers > Exchange to open the Exchange Admin Center in a new browser window.
• Select Hybrid from the navigation pane and then click Configure under "The Exchange Online PowerShell Module supports multi-factor authentication. Download the module to manage Exchange Online more securely."

• Open the Microsoft.Online.CSE.PSModule.Client.application and then select Install when prompted.

The initial steps above are a one-time installation process per workstation.  For future sessions from the same workstation this PowerShell module is now installed locally and can be launched from the Microsoft Exchange Online PowerShell Module desktop app.

• Once the installation is complete and the Windows PowerShell window appears use the Connect-EXOPSSession cmdlet to open a connection to the desired Exchange Online tenant.

Connect-EXOPSSession -UserPrincipalName jeff@msteams.net

The -UserPrincipalName parameter used above is optional and if omitted then the following authentication prompt will ask for both the username and password.

• Enter the password for the administrator account provided in the cmdlet above.

              Edit Office 365 Group

              Use the following Exchange Online PowerShell cmdlets to independently control the behavior of the address book and Outlook navigation bar behavior for the desired group.

• Use the Get-UnifiedGroup cmdlet to view the current display settings for all existing groups.

Get-UnifiedGroup | ft DisplayName,HiddenFrom*

In this example a new Team named 'Marketing Team' was recently created while the other two groups were originally created before Microsoft changed the behavior.  As seen in the output the new Office 365 Group for that Team has automatically been hidden from both the address book and Outlook clients.

              To reverse this for either or both behaviors issue the following Set-UnifiedGroup cmdlets as shown below.

              • To include the new group in the Exchange Online Outlook Address Book disable the -HiddenFromAddressListsEnabled parameter.

              Set-UnifiedGroup -Identity "Marketing Team" -HiddenFromAddressListsEnabled $false

              Note that this change will take time to propagate throughout the tenant.  While the Online Address Book will be updated almost immediately the Offline Address Book in Exchange Online can take 24-48 hours to reflect this change.

• To include the new group in the Outlook client’s Groups navigation pane disable the -HiddenFromExchangeClientsEnabled parameter.

Set-UnifiedGroup -Identity "Marketing Team" -HiddenFromExchangeClientsEnabled:$false

Notice that the cmdlet above is using a colon (:) as a separator between the parameter name and the defined value.  For some reason this parameter (and not the others in this cmdlet) is defined in PowerShell as a switch and not a Boolean value and thus will not work with a space as a delimiter.  For the sake of simplicity a colon can alternatively be used in place of a space for the Boolean parameters as well.
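An added example (not from the original article) that builds on the two cmdlets above: one function reports every group with both HiddenFrom* flags and a summary column, and a second sets both flags together so a group is never left half-hidden. It assumes an open Connect-EXOPSSession session; the group name is the article's sample.

```powershell
function Get-GroupVisibilityReport {
    # Every Office 365 Group with its two visibility flags plus a summary,
    # so groups hidden by the new default are easy to spot
    Get-UnifiedGroup -ResultSize Unlimited |
        Select-Object DisplayName, PrimarySmtpAddress,
            HiddenFromAddressListsEnabled, HiddenFromExchangeClientsEnabled,
            @{ n = 'Visibility'; e = {
                if ($_.HiddenFromAddressListsEnabled -and $_.HiddenFromExchangeClientsEnabled) { 'Hidden' }
                elseif (-not $_.HiddenFromAddressListsEnabled -and
                        -not $_.HiddenFromExchangeClientsEnabled) { 'Visible' }
                else { 'Partial' } } }
}

function Set-GroupVisibility {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Identity,
        [Parameter(Mandatory)][bool]$Hidden
    )
    foreach ($id in $Identity) {
        if ($PSCmdlet.ShouldProcess($id, "Set hidden = $Hidden")) {
            # -HiddenFromExchangeClientsEnabled is a switch, hence the colon syntax
            Set-UnifiedGroup -Identity $id `
                -HiddenFromAddressListsEnabled $Hidden `
                -HiddenFromExchangeClientsEnabled:$Hidden
        }
    }
}

# Constructed sample usage: unhide the new team in both places, then preview
# hiding every pre-existing group that is still fully visible (-WhatIf only)
Set-GroupVisibility -Identity 'Marketing Team' -Hidden $false -WhatIf
$visible = Get-GroupVisibilityReport | Where-Object Visibility -eq 'Visible'
if ($visible) {
    Set-GroupVisibility -Identity $visible.PrimarySmtpAddress -Hidden $true -WhatIf
}
```

Remove -WhatIf to apply the changes; as noted above, the Offline Address Book can take 24-48 hours to reflect them.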

              Locating IDs in Azure AD

              June 21, 2018 by · 2 Comments 

This article covers various methods for identifying the Directory ID and Object ID values for tenants and user accounts in Microsoft’s Office 365 environment.  These Universally Unique Identifiers (UUID) are assigned to the overall directory and to each individual user account that exists in Azure Active Directory (AAD), whether the account was created in the cloud or was initially created in an Active Directory (AD) on-premises instance and was then synchronized to the cloud.

The tenant identifier is referenced with different names depending on where the value is being retrieved from and it uses the same 32-character, dash-separated, hexadecimal format as the individual Object IDs use.  Also, with user accounts the term "Object ID" can refer to either the AzureAD account’s actual numeric identifier or the account’s UserPrincipalName (UPN) value.  So, for example, valid Object ID values for a user account could be 'jeff@jdskype.net' and 'e0d3ad3d-0000-1111-2222-3c5f5c52ab9b'.  In essence a query using the Object ID (UPN) can be issued to return the Object ID (Numeric).

In the event that a numeric identifier is needed this article can be used as a quick reference for querying for the different values in multiple ways.  Additionally the latter half of this article shows how to install either or both of the prerequisite PowerShell modules for managing Azure AD.

              Using the Admin Center

              The easiest option is to simply use the GUI-based admin centers available to Office 365 tenant administrators, but for repeated or bulk tasks PowerShell is usually the preferred route.  The Office 365 Admin Center includes an Azure AD specific administration console which can be used to browse for a specific user account and locate the Object ID value.

              Tenant (Directory ID)

• Open the Office 365 Admin Portal and sign in with an account in the desired tenant which has been delegated the appropriate administrative rights.
• In the main menu on the left expand the Admin Centers section at the bottom and then click on the Azure Active Directory option to launch the console in a new browser window.

• In the Azure Active Directory admin center menu select Azure Active Directory and then navigate to Manage > Properties.

• The Directory ID field will be displayed on the Properties page.

              User (Object ID)

• Open the Office 365 Admin Portal and sign in with an account in the desired tenant which has been delegated the appropriate administrative rights.
• In the main menu on the left expand the Admin Centers section at the bottom and then click on the Azure Active Directory option to launch the console in a new browser window.

• In the Azure Active Directory admin center menu select Users.

• Browse to or search for the desired user and then click on the account name to view the user account’s Profile information.

• The Object ID field will be displayed in the Identity section of the profile.

              Using PowerShell Modules

For quick reference purposes this portion is written out-of-order.  If the proper PowerShell modules have already been configured on a workstation or server then the following cmdlets should work as shown.  But if the required first-time setup for using PowerShell with Office 365 has not yet been completed then skip down to the Installing PowerShell Modules section and then once complete return to the cmdlets shown here.

              AzureAD

The newer Get-AzureADUser cmdlet can be used to locate the Object ID value, and the AzureAD module is the cmdlet set Microsoft recommends using.

• Launch Windows PowerShell and issue the Connect-AzureAD cmdlet.  A separate authentication window will appear.

Connect-AzureAD

• Enter the credentials of an administrative account for the desired Office 365 tenant.  If authentication is successful then the Tenant ID will automatically be displayed.

• Enter the following Get-AzureADUser cmdlet to locate the Object ID for a specific user account by searching against the account name.

Get-AzureADUser -SearchString 'jeff'

              MSOnline

              If preferred the Get-MsolUser cmdlet can also be used to locate the Object ID value.

              • Launch Windows PowerShell and issue the Connect-MsolService cmdlet.  A separate authentication window will appear.

              Connect-MsolService

              • Enter the credentials of an administrative account for the desired Office 365 tenant.  If authentication is successful then some account and tenant information will be displayed.
• Enter the following Get-MsolUser cmdlet to locate the Object ID for a specific user account by searching against the account name.

Get-MsolUser -SearchString 'jeff' | ft UserP*,ObjectID
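An added example (not from the original article) that turns the UPN-to-numeric lookup described above into one function: it returns the user's Object ID and the tenant's Directory ID from either module, and validates that both values have the expected 8-4-4-4-12 hexadecimal shape before returning them. It assumes Connect-AzureAD or Connect-MsolService has already been run; the UPN is the article's sample.

```powershell
function Get-AadIdentifier {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [ValidateSet('AzureAD', 'MSOnline')][string]$Module = 'AzureAD'
    )
    if ($Module -eq 'AzureAD') {
        # -ObjectId accepts either the UPN or the numeric Object ID
        $user   = Get-AzureADUser -ObjectId $UserPrincipalName
        $tenant = (Get-AzureADTenantDetail).ObjectId
    } else {
        $user   = Get-MsolUser -UserPrincipalName $UserPrincipalName
        $tenant = (Get-MsolCompanyInformation).ObjectId
    }
    $objectId = [string]$user.ObjectId

    # Both IDs must be 32 hex digits in 8-4-4-4-12 form; anything else means
    # the lookup returned something unexpected (e.g. an error object)
    $guidPattern = '^(?i)[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
    foreach ($value in [string]$tenant, $objectId) {
        if ($value -notmatch $guidPattern) { throw "Unexpected ID format: '$value'" }
    }

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        ObjectId          = $objectId
        DirectoryId       = [string]$tenant
        Source            = $Module
    }
}

# Sample call using the article's example UPN
Get-AadIdentifier -UserPrincipalName 'jeff@jdskype.net'
```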


              Installing PowerShell Modules

In order to run the commands shown above the proper PowerShell module(s) must first be installed or imported.  This section covers the one-time setup for both the older and newer management modules.  These two options are provided via two different PowerShell modules available today for managing Azure AD objects: MSOnline and AzureAD.  These separate PowerShell modules must be installed or imported on a Windows workstation but the processes for doing so have changed over time.  The newer AzureAD module is the preferred method for managing Azure objects.

              Older guidance related to using the MSOnline PowerShell cmdlets outlined having to separately install the Microsoft Online Services Sign-In Assistant and Azure AD PowerShell modules but these steps are no longer required in most cases.  Firstly, all Office 365 tenants can now leverage Modern Authentication so the older sign-in assistant is not required.  Secondly, the needed PowerShell modules are available in the online PowerShell Gallery and can simply be imported when PowerShell 5.0 or newer is used.

• To validate the version of PowerShell on the desired Windows system display the $PSVersionTable automatic variable in PowerShell.

$PSVersionTable

              For the purposes of the remainder of this article it is assumed that Windows 10 or Windows Server 2016 is being utilized, which both include PS 5.0 or newer depending on the applied Windows Updates.  Using an older version of PowerShell may require downloading and installing some modules manually.

              Azure Active Directory PowerShell 2.0

              As stated earlier Microsoft encourages customers to leverage the newer Azure Active Directory PowerShell module, so for any new workstation or server configuration then this is the preferred process.  Just as outlined above PowerShell 5.0 or newer is required to install the needed modules as shown below.  (If a PowerShell version older than 5.0 is being used then the latest version of the module can be installed manually by downloading the package from the PowerShell Gallery online.)

• Launch Windows PowerShell as an administrator and then run the following cmdlet to install the latest version of the AzureAD module directly from the PowerShell Gallery (a working connection to the Internet is obviously required for this step to successfully complete).

Install-Module AzureAD

If this is the first time installing PowerShell modules from the PowerShell Gallery on the specific workstation or server then two additional confirmation prompts may appear.  By default Windows PowerShell does not trust NuGet galleries, nor the specific PSGallery.  To configure this trust manually the steps on this Microsoft article may be followed beforehand, but are not necessary as the trust can be overridden by responding to the following prompts during the package installation.

• If the message "NuGet provider is required to continue" appears then enter "Y" to allow PowerShell to install the NuGet provider package.
• If the message "untrusted repository" appears then enter "Y" to also trust the PSGallery package.

              To validate that the installation was successful and to check on the version number of the installed module run the following two cmdlets in the same PowerShell window.  (Note that running the Get-Module cmdlet will not return any information without first running the Import-Module cmdlet.)

              Import-Module AzureAD

              Get-Module AzureAD


              At this point a connection can be established to Office 365 via the AzureAD module to retrieve the Object ID as shown in the previous section.

              MSOnline PowerShell 1.0

              This approach leverages the older, but still available, MSOnline PowerShell module for Azure Active Directory management.  In order to utilize this command set the module must first be installed on a Windows workstation if it has not already been. While this module does include some options which are not currently available in the newer AzureAD module the Object ID can be queried in either as shown above.

              But if none of this has been setup then it’s recommended to simply leverage the newer AzureAD module shown in the previous section.

• Launch Windows PowerShell as an administrator and then run the following cmdlet to install the latest version of the MSOnline module directly from the PowerShell Gallery (a working connection to the Internet is obviously required for this step to successfully complete).

Install-Module MSOnline

If this is the first time installing PowerShell modules from the PowerShell Gallery on the specific workstation or server then two additional confirmation prompts may appear.  By default Windows PowerShell does not trust NuGet galleries, nor the specific PSGallery.  To configure this trust manually the steps on this Microsoft article may be followed beforehand, but are not necessary as the trust can be overridden by responding to the following prompts during the package installation.

• If the message "NuGet provider is required to continue" appears then enter "Y" to allow PowerShell to install the NuGet provider package.
• If the message "untrusted repository" appears then enter "Y" to also trust the PSGallery package.

              To validate that the installation was successful and to check on the version number of the installed module run the following two cmdlets in the same PowerShell window.  (Note that running the Get-Module cmdlet will not return any information without first running the Import-Module cmdlet.)

              Import-Module MSOnline

              Get-Module MSOnline


              At this point a connection can be established to Office 365 via the MSOnline module to retrieve the Object ID as shown in the previous section.
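An added example (not from any of the articles above) that scripts the one-time module setup described both in this Installing PowerShell Modules section and in the earlier Installation section of the Managing Office 365 with PowerShell article: it checks the PowerShell version, installs the NuGet provider and trusts PSGallery so the interactive prompts no longer appear, installs whichever of the MSOnline and AzureAD modules are missing, and reports the loaded version of each. It assumes an elevated Windows PowerShell 5.0+ window with Internet access.

```powershell
function Install-AadManagementModule {
    [CmdletBinding()]
    param([string[]]$Name = @('MSOnline', 'AzureAD'))

    # The PowerShell Gallery cmdlets used below need PowerShell 5.0 or newer
    if ($PSVersionTable.PSVersion.Major -lt 5) {
        throw "PowerShell 5.0 or newer is required; found $($PSVersionTable.PSVersion)"
    }

    # Make the NuGet provider available without the interactive 'Y' prompt
    if (-not (Get-PackageProvider -Name NuGet -ErrorAction SilentlyContinue)) {
        Install-PackageProvider -Name NuGet -Force | Out-Null
    }

    # Optional step from the articles: trust PSGallery once so the
    # 'untrusted repository' prompt stops appearing for later installs
    if ((Get-PSRepository -Name PSGallery).InstallationPolicy -ne 'Trusted') {
        Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
    }

    foreach ($module in $Name) {
        $installed = Get-InstalledModule -Name $module -ErrorAction SilentlyContinue
        if (-not $installed) {
            Install-Module -Name $module -Repository PSGallery
        }
        # Get-Module only reports a module after it has been imported
        Import-Module -Name $module
        $loaded = Get-Module -Name $module
        [pscustomobject]@{
            Module         = $module
            Version        = $loaded.Version
            NewlyInstalled = (-not $installed)
        }
    }
}

# Installs or verifies both modules and prints a one-line summary per module
Install-AadManagementModule | Format-Table -AutoSize
```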

              Hot-Desking and Common Area Phones in Skype for Business

              May 10, 2018 by · 24 Comments 

              This article is intended to explain the differences in new capabilities brought to both Skype for Business Online and the latest firmware releases for Polycom UCS-based IP phones.  While both Hot-desking and Common Area Phone (CAP) features were first provided in Lync Server these concepts are both handled quite differently in Office 365.

              Essentially the Hot-Desking topic discussed in this article is referring to existing functionality in Lync and Skype for Business Server that VVX phones now support, while the Common Area Phone topic is brand new functionality brought only to Skype for Business Online which VVX phones can leverage immediately.  These capabilities are available in the Polycom UCS family of devices starting with VVX phones in the recent 5.7.0 firmware release.

              It is important to understand that these Hot-desking and Common Area Phone (CAP) concepts are complementary capabilities which are often confused with each other or incorrectly treated as one and the same.

              • Hot-desking provides a method for a ‘guest’ user to sign into a phone that is already registered with a ‘host’ user, without permanently signing out the original ‘host’ user.  Without this feature, switching user accounts on a phone would require completely signing out the current user, and returning that phone to its original state would require someone to manually sign back in with the original user’s credentials.  Hot-desking allows the original credentials to stay cached in the phone to be used again to automatically re-register to Skype for Business.  This capability is nothing new to Skype for Business Server as hot-desking has been around since Lync Server 2010 and was added originally for Lync Phone Edition (LPE) devices.  
                    
              • Common Area Phone (CAP) support refers to a new provisioning and licensing model specific to Skype for Business Online.  So this feature comes from both updates to the VVX firmware and new capabilities brought by Microsoft into Office 365.  Microsoft has added a new provisioning portal to be used in conjunction with accounts which have been assigned a new Office 365 license.  This new functionality is entirely different than the CAP implementation already in Lync/SfB Server platform.

              These are two distinctly different feature sets which can, but are not required to, be used in conjunction. Any user account type (standard or CAP) can be used in hot-desking scenarios, although there are some limitations today based on where the accounts are homed.  Some of this works only for Skype for Business Server users homed on-premises and other parts are only applicable to Skype for Business Online users.  These caveats are outlined in the following sections.

              Also, it is still a recommended practice to disable device updates when registering phones to Skype for Business Online as Microsoft continues to publish older firmware versions.  At the time of posting this article UCS 5.7.1 is the most recent version available from Polycom, yet 5.6.0 is what is still being provided via the Device Update Service in Skype for Business Online.  So, after upgrading a phone to 5.7.x and configuring the features shown in this article the phone will automatically ‘update’ to the published, older version, thus removing the new capabilities.

              Hot-Desking Support

              True hot-desking functionality has been added to the VVX platform to not just mimic what has been available in the Lync Phone Edition platform but to provide even more flexibility than what those older devices can do.  This capability is enabled by default in UCS starting in the 5.7.0 release (feature.HotDesking.enabled="1"), yet it is not usable unless hot-desking is also enabled on the Skype for Business platform that the phone is registered to.

              This added functionality now allows two different sets of credentials to be registered on the same phone, but not at the same time.  A ‘host’ user account is signed in first, typically by an administrator, and then a ‘guest’ user account can be signed in later on, typically by an end-user.  When the guest user is signed out, either manually by someone or automatically due to the configured hot-desking timeout, the host user is automatically signed back into the phone using the saved credentials.

              For Lync Server and Skype for Business Server deployments hot-desking behavior can be controlled as described in this older article, including enabling/disabling it at a global or custom level as well as controlling the timeout value.

              However, hot-desking is not currently available for Skype for Business Online, which can be confirmed by running the following Skype for Business Online PowerShell cmdlet.

              Update: It is now possible to manage custom user policies in Skype for Business Online, meaning that Hotdesking can be enabled by defining a new custom policy: https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Custom-Policies-for-Skype-for-Business-Online/ba-p/53824

              Get-CsClientPolicy | ft Identity,*hotdesk*


              Notice that the EnableHotdesking parameter is not set to ‘True’ in any of the available online client policies.
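Following the update above, a custom client policy is how hot-desking gets enabled and how its idle timeout gets bounded. This is an added example, not code from the original article: it repeats the check above filtered to policies that actually enable the feature, creates a custom policy, grants it to the host account and confirms the assignment. It assumes an existing Skype for Business Online (or Server) PowerShell session; the policy name is an assumption, and the host account is the one used elsewhere on this page.

```powershell
# Added example (not from the original article). Enables hot-desking through
# a custom client policy and assigns it to the phone's host account.

# 1. Same check as in the article, reduced to the policies that enable it.
Get-CsClientPolicy |
    Where-Object { $_.EnableHotdesking -eq $true } |
    Select-Object Identity, EnableHotdesking, HotdeskingTimeout

# 2. Custom policy: hot-desking on, guest signed out after 5 minutes idle.
#    5 minutes is the default mentioned in the article; a shorter value limits
#    how long a guest's registration stays live on a shared phone after they
#    walk away from it.
$policyName = 'HotDeskingPhones'   # assumed policy name
if (-not (Get-CsClientPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-CsClientPolicy -Identity $policyName `
        -EnableHotdesking $true `
        -HotdeskingTimeout (New-TimeSpan -Minutes 5)
}

# 3. Grant it to the host account, i.e. the account signed into the phone
#    first.  In hybrid deployments this must be an on-premises user for the
#    Guest soft key to appear (see the paragraph that follows).
$hostAccount = 'kitchen@jdskype.net'
Grant-CsClientPolicy -Identity $hostAccount -PolicyName $policyName

# 4. Confirm the effective assignment (use Get-CsUser on Server).
Get-CsOnlineUser -Identity $hostAccount |
    Select-Object UserPrincipalName, ClientPolicy
```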

              In Skype for Business Hybrid environments it is possible for online users to sign in as the ‘guest’ as long as the ‘host’ account which is first registered on the phone is an on-premises user.  If an online user signs in first as the ‘host’ then hot-desking is not available for that account and thus no Guest soft key will appear on the phone.

              Usage

              Enabling Hot-desking for Lync or Skype for Business Server deployments is unchanged and either a CAP account or a regular user account can be used.

              When a Skype for Business Server-homed user account with an assigned policy that has Hot-desking enabled is registered to a phone then a Guest soft key will appear on the home screen.


              Selecting the Guest button prompts to sign the Host user out from the phone.


              After (temporarily) signing out the host user the phone automatically returns to the Sign In window so a user can then select the available method they want to use for signing in with their own credentials.  If no options are selected after about 30 seconds then the phone drops to the home screen where both the Guest and Host soft keys are displayed.  If still no sign-in actions are performed and the phone is left idle for about 3 minutes then it will automatically sign the Host user back into the phone and return to the previously registered state.

              But if a user signs in with a different account as a Guest then that account will stay registered on the phone until the HotdeskingTimeout value in their assigned Skype for Business client policy is reached, which is a default of 5 minutes.  At that threshold of inactivity the phone will automatically sign out the Guest account and sign the Host account back in.

              Common Area Phones in Skype for Business Online

              A mixture of new capabilities in the VVX firmware and new functionality in the Skype for Business Online platform now provides a new way to license and register online accounts for common area use-cases.

              The term Common Area Phone means two entirely different things when talking about Lync and Skype for Business Server deployments versus Skype for Business Online.

              • In server-based environments a Common Area Phone (CAP) account is a special type of user account which in essence is simply an Active Directory Contact Object that is enabled in Lync/SfB Server differently than standard AD User objects.  This model was first introduced in Lync Server 2010 with the advent of the Aries model family of the Lync Phone Edition platform and leverages only Certificate-based Authentication (TLS-DSK) via PIN Authentication and DHCP Options 43/120.  These accounts are not Exchange mailbox-enabled and thus address a simple goal: the ability to register a phone using generic credentials, provisioned and managed by an administrator, which is intended solely to provide basic ‘dial-tone’ features to a handset or conference phone.  These CAP accounts then also provide the hot-desking capability to the registered device so that a fully-featured user can temporarily sign-in with their own account.
              • With Skype for Business Online though the CAP terminology is completely different as this is currently related only to licensing and device provisioning.  A new, dedicated Office 365 license has been added to reduce the overall cost for common-use IP phones, and a new Web Sign-in method specific to these common-area use cases has also been added.  There is no special account type like with the server platform as any standard online user account can be used with the new license, meaning that Exchange calendaring is available for phones registered using a CAP-enabled account.  Registering a phone to Skype for Business Online is also completely different than the server-only PIN Authentication method.

              Also note that one major difference between the LPE and VVX device models is that in the LPE Aries family there existed the concept of a specific Common Area Phone model.  These were special models (e.g. Polycom CX500) which were designed only for use with CAP accounts (due to the lack of a USB-B port) but could still be used with any account which was enabled for PIN Authentication.  These devices cannot be registered with Skype for Business Online because PIN Authentication was never provided in Office 365.  (More importantly all LPE devices will cease to function with Office 365 on October 31st, 2018 when TLS 1.2 is enforced by Microsoft.)

              Comparatively the VVX phones which leverage the UCS platform software do not have these limitations.  Firstly, full user credentials can be entered directly into the phone or remotely without the need for USB, unlike LPE devices which can only use the standard authentication mode via USB-pairing to a PC.  Secondly, all VVX devices support the new Web Sign-in method that Skype for Business Online provided as a replacement for the older server-only PIN Authentication method.  Essentially any VVX phone model can ‘be’ a Common Area Phone in either server or online platforms.

              Licensing

              The new Common Area Phone license is simply a new subscription plan available in Office 365.  It is not a Skype for Business Add-on subscription like calling plans are, as it does not go with an existing subscription plan; it replaces the need for other subscription plans.  As covered in this past article devices typically require the Skype for Business Online Plan 2 subscription at a minimum to perform most Skype for Business meeting-related functions.  As phones typically require PBX features and PSTN connectivity, the additional cost of potential add-on licenses like Phone System (formerly Cloud PBX) can add up.  Alternatively Enterprise plans have been used in the past which include licenses for so many other unrelated Office 365 services.

              Thus the creation of a dedicated license provides the needed Skype for Business core licensing, Skype for Business Online (Plan 2), as well as a Phone System license.  No differently than the other Enterprise subscriptions this new license also does not include a Phone Calling plan; those must always be added at an additional cost.


              As the Common Area Phone license includes a Skype for Business Online license then a separate Business or Enterprise license should not also be assigned to the same user as that would literally be a waste of money.

              It is important to understand that this subscription plan is simply a license, and accounts provided this license will function in Skype for Business Online no differently than an account assigned to another plan that includes Skype for Business Online Plan 2 (e.g. Enterprise E3) or if a standalone Skype for Business Online license itself is assigned directly to the user.  In essence the only difference here is the monthly cost for that user account.

              Provisioning Portal

              Microsoft has added a new portal to the existing Web Sign-in methodology which was added previously to address the lack of PIN Authentication support in Skype for Business Online.  The new provisioning process for Common Area Phones is almost identical to the previous Web Sign-in process used for regular users, but with a few distinct differences.

              • Instead of a user authenticating using their own account credentials an administrator will sign into the new provisioning site.  This allows that administrator to provision any phone using only the code provided by the phone; the password of the desired account is not required.  When the desired account is selected its password will automatically be reset to a unique, unknown value.
              • While this process was created for Common Area ‘accounts’ it is not limited to only accounts with the Common Area Phone license.  As mentioned before the new license functions no differently as the underlying Skype for Business Online Plan 2 is what drives the actual functionality.  Thus any user licensed for Skype for Business, be it through a standalone license, a Business plan, or Enterprise plan, can technically be provisioned on a phone by an administrator using this new portal.  Be aware that doing this on any user account will reset the password and effectively lock that user out of their own systems, thus this process should really not be used with accounts that are assigned to regular users.

              Acquire Common Area Phone Subscription

              The new licensing subscription can be purchased or trialed in the Office 365 Admin Center.

              • Sign-in to the Office 365 portal using an administrative account for the desired tenant and then open the Admin Center.
              • Browse to Billing > Subscriptions > Add Subscriptions and then expand the Other Plans section.

              • Locate and select the Common Area Phone option and select either Buy Now or Start Free Trial.


              • Once the new plan has been purchased or selected for a 30-day trial then navigate to Billing > Subscriptions to validate that the new plan has been added to the tenant.


              The screenshot above indicates that the tenant used in this article is currently in an existing trial period which includes 25 licenses for 30 days. (One license has already been assigned and the trial is nearing expiration in this example tenant.)

              Assign Common Area Phone License

              At this point either a new account can be created for the device or an existing account can be enabled with the license.  For the purposes of this article a new account will be created and enabled.

              • Create a new user account (e.g. kitchen@jdskype.net) in the Office 365 Admin Center and assign a Common Area Phone license, and if applicable, a Calling Plan.
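The same account creation done from PowerShell, together with a check that belongs before the admin provisioning portal is used: because the portal resets the selected account's password, an administrator should confirm the target is a CAP-licensed device account and not a regular user, and that no second plan is stacked on it. This is an added example, not the article's own code. It assumes an active Connect-MsolService session, usage location 'US', and that the Common Area Phone plan's SKU part number is MCOCAP (confirm with Get-MsolAccountSku in your tenant); the function names are assumptions.

```powershell
# Added example (not from the original article). Creates a Common Area Phone
# account and verifies it is a safe target for the admin provisioning portal.

# Assumed SKU part number for the Common Area Phone plan; verify in the tenant.
$capSku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:MCOCAP' }
if (-not $capSku) { throw 'No Common Area Phone subscription found in this tenant.' }

function New-CapAccount {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$DisplayName
    )
    # No -Password: MSOnline generates a random one, which is discarded here.
    # The provisioning portal resets it anyway and nobody should sign in
    # interactively as a CAP account.  UsageLocation is required for licensing.
    New-MsolUser -UserPrincipalName $UserPrincipalName -DisplayName $DisplayName `
        -UsageLocation 'US' -LicenseAssignment $capSku.AccountSkuId `
        -ForceChangePassword $false | Out-Null
    Get-MsolUser -UserPrincipalName $UserPrincipalName
}

function Test-CapProvisioningTarget {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $skus      = @($user.Licenses | ForEach-Object { $_.AccountSkuId })
    $hasCap    = @($skus -like '*:MCOCAP')
    $otherSkus = @($skus -notlike '*:MCOCAP')
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        HasCapLicense     = ($hasCap.Count -gt 0)
        OtherLicenses     = ($otherSkus -join ', ')
        # Only a CAP-licensed account with no other plan should be provisioned:
        # another plan is either wasted spend (see Licensing above) or a sign
        # that this is a real user's account whose password would be reset.
        SafeToProvision   = ($hasCap.Count -gt 0) -and ($otherSkus.Count -eq 0)
    }
}

New-CapAccount -UserPrincipalName 'kitchen@jdskype.net' -DisplayName 'Kitchen Phone' | Out-Null
Test-CapProvisioningTarget -UserPrincipalName 'kitchen@jdskype.net'
```

Run Test-CapProvisioningTarget against any existing account before entering its pairing code in the portal; a result with SafeToProvision set to False means stop and review the account first.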


              Configure Phone

              In order to provision a device using the Common Area Phone model a Polycom VVX running at least 5.7.0 UCS firmware is required.  The following steps were performed on a VVX 601 running version 5.7.1.2205.

              • Press the Home button on the phone and navigate the following menus: Settings > Advanced > Enter Admin Password (default is ‘456’) > Administration Settings > Common Area Phone Settings.
              • Set the CAP and CAP Admin Mode settings both to Enabled.


              • Press the back arrow and then select Save Config.

              The two settings above perform two different tasks.  The CAP setting simply enables the Common Area Phone feature on the device but does not provide a way to sign in directly on the phone.  This is by design, to prevent end-users from attempting to provision a phone using their own standard accounts.  Yet, to register the phone to Skype for Business directly from the handset it must also have the CAP Admin Mode enabled.  Without this setting turned on, no Sign In button will appear on the phone and it can only be registered remotely or via a provisioning platform.

              The CAP (but not the CAP Admin Mode) setting can also be changed remotely using the Web Configuration Utility (Settings > Skype for Business Settings > Common Area Phone Settings).


              Once back at the main screen the Sign In button will appear if the CAP Admin Mode setting was enabled directly on the phone.  At this point the unregistered phone will display a "CAP is enabled" message on the main screen.  (If the phone was already registered to Skype for Business then it may report that device lock is disabled or alter other options previously available.)


              If the phone is left alone in this mode too long then the following message will appear, indicating that it is not currently registered.


              Register Phone

              • To register the phone using the new process select the Sign In soft key to show the available sign-in options.


              • Select the Web Sign-in (CAP) option and the resulting screen will display.


              Note that while this screen looks identical to the previous Web Sign-in process the provided URL is actually different.  The standard Web Sign-in process for regular users to self-provision a phone is http://aka.ms/sphone where the new admin provisioning portal is http://aka.ms/skypecap.

              • Using a web browser on any Internet-connected PC or mobile device go to http://aka.ms/skypecap as instructed above to complete the provisioning process.      
                     
              • Sign in using a tenant administrator account for the Office 365 tenant to access the Tenant Admin Common Area Phone Provisioning Portal. Do not sign in with the credentials of the user account which is to be assigned to the specific phone.
                    
              • Enter the partial (e.g. ‘k’) or complete (e.g. ‘kitchen’) account name or SIP URI (e.g. kitchen@jdskype.net) to search for the desired CAP account.  The example below shows a less-specific search that returns all matches (wildcard characters are not valid).
                       
              • Deselect the Search for Common Area Phones only setting as this option is not currently functional and will return no results, regardless of the user type. (This article will be updated when the behavior of this setting is fixed.)

              • Enter the alphanumeric code provided by the phone into the Pairing Code field adjacent to the desired account name and then click Provision.


              At this point the phone will automatically proceed to sign in and the provisioning is complete.  As noted earlier the account’s password will have been automatically changed to a unique, unknown value during the process, so to use this same account again with anything other than a Common Area Phone the password would need to be reset by an administrator.

              Note that this new Common Area Phone feature set in Skype for Business Online is not yet fully featured and still has some additional capabilities not yet delivered.  Given the focus on Microsoft Teams it is hard to say if and when this feature set will become complete, as it is currently only applicable to Skype for Business Online.

              Q2 2018 Skype and Teams UG Meetings

              May 9, 2018 by · 1 Comment 

              The next round of quarterly Skype and Teams Users Group meetings has been announced and scheduled starting this month.


              Latest News

              This quarter we welcome Boston to the Skype and Teams User Group family. This brings the national total up to 22 regional events per quarter approaching nearly 100 meetings a year!

              Event Details

              This quarter’s events will be conducted in our typical multi-session format:

              Session 1: Enterprise Connect Recap – In this session, we will get you up to speed on all the important announcements that occurred at Enterprise Connect 2018.   This will include announcements from all our sponsors and Microsoft.  If you missed anything, this is your chance to catch up!

              Session 2: Microsoft Teams Roadmap Update – In this session, we take a look at several of the updates to the Roadmap, as well as other changes that may not be clearly called out on the Roadmap. At the rate that Teams is ramping up, this session is definitely a great way to get caught up!

              Session 3: Open Discussion – In feedback from previous sessions, the Open Discussions are always really popular sessions. Given the large amount of news and changes over this last quarter, we felt that taking a bit of time in the Q2 Meeting to openly discuss would be very beneficial to all. Bring your thoughts and questions!

              Industry Experts will be on-site to deliver these presentations and help answer any questions related to Skype for Business.  Food, beverages and additional door prizes will be provided courtesy of the Skype for Business Users Group and its official sponsors.

              Western U.S.

              Central U.S.

              Southern U.S.

              Eastern U.S.

              For a full schedule of regional events the Skype and Teams Users Group Meetups page lists all planned event locations with links to the associated registration page for each regional group.  For anyone who is not yet a member and would like to participate, simply visit the site listed above and register for your local group; this will automatically create a new user account for you to use again for all future event registrations.


              Chicago Event

              Continuing the recent schedule of alternating locations each quarter places our Q1 event back downtown in the Aon Building. 

              Food will be ready at 5:30pm so come early if you can to spend time socializing with the group before the presentations begin at 6:00pm.

              Date: Tuesday, May 29th (5:30 PM – Food and Networking; 6:00 PM – Presentation Kickoff)
              Location: Chicago Suburban Event, Microsoft Midwest District Office
              Address: 3025 Highland Pkwy., Suite 300, Downers Grove, IL 6051
