Part 2 – Configure AudioCodes SBC for Microsoft Teams Direct Routing

Continuing the previous article there are few more steps to complete the configuration of the Direct Routing with the office 365 tenant and in this article we will run through those steps.

Currently the SBC is up and running configured with the certificates and required SBC DNS records now the next step is to enable the direct routing. Well there are two options to enable the Direct Routing via skype online powershell session or via the Microsoft Teams Admin center. In our example we will try to enable them via the Teams admin center.

Before doing this make sure to meet the network prerequisite that is required for Direct Routing and have written an article about the same almost a year ago.

Login to the admin portal with the appropriate credentials.

Enter the DNS name of the SBC that was configured in our case its sbc.nl.exchangequery.com

Subsequently we must add all the required information over here. One important point to note over here is that the SIP signaling port that is present by default is port 5067. The Direct Routing SIP Trunk can be configured only by using a TLS connection. We can choose the SIP port any port of our choice. If we try to configure the port 5060 it will not work since the TCP connectivity is not supported due to security reasons.

Enabling SIP option defines if an SBC will or won’t send SIP options messages and will be included in the monitoring. Rest of all the information have to be enabled as per the requirement. Also look into Location based routing and media optimization based on the requirement. Once done click on save and the configuration is complete.

But we could see that the SBC status shows error message and the configuration seems to be unsuccessful. Even after the configuration is completed even after loading the named certificate, intermediate and the root on the audiocodes we could see that the TLS connectivity status still shows as inactive. In addition to that we also see the SIP option status shows us the warning message as well.

Now further drill down into the logs gives us more additional information of the reason why it is failing. Still we we do have the correct certificates uploaded but the connection seems not completed.

So the initial thought was the issue with the firewall however the firewall connectivity was already completed and could ping the SBC on port 5061.

When looking into the audiocodes documentation came to know that in addition to the normal named certificate for the DNS Name its mandatory to upload the Baltimore Trusted Root Certificates. This is mandatorily required for establishing a Mutual TLS Connection with the Microsoft Teams Network.

So the DNS name of Microsoft Teams pstnhub.microsoft.com is using this certificate provided from baltimore and hence this import is required for establishing the mutual TLS connection.

We can Download the certificate from https://cacert.omniroot.com/bc2025.pem and follow the same procedure stated on previous article part 1 to import them on the Audiocodes SBC and make sure they are present on the Trusted Root Certificates.

The first part that we need to complete before the certificate validation is to ensure that the NTP server is setup correctly. This is a mandatory requirement for these two remote parties validating the certificates for setting up the mutual TLS connection between them.

You can go to setup – Administration – Time & Date and configure your NTP server.

Further to the NTP server there are few more configurations that need to be performed on the AudioCodes SBC which we will see below.

Configure the Proxy Sets: Add Microsoft SIP PSTN FQDNs

We have 3 Microsoft FQDNs as of now and all of them needs to be added over here and make sure the transport type is set to TLS.

Navigate to SetUp – Signaling & Media – Proxy Sets and add the 3 FQDNs over here.

SIP Interfaces:

We need to configure SIP interfaces for Teams Direct Routing as well. Configure as below. Keep the Enable TCP Keepalive option. SetUp- Signaling & Media – Core Entities – SIP Interfaces

Media Realms:

We need to configure Media Realms for Teams Direct Routing. Configure the settings as below. Select the default media realm as No. SetUp – Signaling & Media – Core Entities – Media Realms

Configure IP Groups:

Configure IP Groups as below – Make sure the Topology location is set as Up

In the Advanced make sure to mention the SBC published external FQDN. Keep the classify by proxy set Disable and keep the Client Forking Mode as Sequential.

Configure Coder Groups:
We need to add the supported coder groups for the leg SBC and the Direct Routing Configuration.
Teams supports OPUS and SILK Coders.

Inorder to configure the coder groups navigate to SetUp- Signaling & Media – Coders & Profiles – Coder Groups and mention the below values for Teams Direct Routing Leg. Later you might need to configure one for the SIP Trunk based on the coders they support.

Its mandatory to enable the SIP options for the SBC to monitor and for that we need to enable some configurations on the session border controller. In order to do that go to Setup- Signaling & Media – SBC – Routing – IP-to-IP Routing and configure all the required routing as per your requirement.

So we need to make sure other options are configured as per the documentation of the Audiocodes. Finally after the all the steps are done we can see the Teams Direct Routing Configuration is showing successful in the Teams Admin Center.

In our example we have 1 SBC, 1 Voice Routes and 0 SBCs with Issues which is a good sign. Since we didn’t initiate any real traffic we could see the message no data.

We do have a very good option to validate the pairing between the Audiocodes SBC and our Tenant Direct Routing. We can see the connectivity is successfully established over here and we can see that the status is showing online without any issues.

Now we have completed the Direct Routing And established the connectivity between SBC and the Teams Tenant there are lot more other configurations that needs to be performed on the SBC to complete the entire enterprise voice configuration. We will look into those on the upcoming articles.

Regards

Sathish Veerapandian

Part 1 – Configure AudioCodes SBC for Microsoft Teams Direct Routing

Microsoft have been providing us the option bring your own sip trunk for enabling the enterprise voice functionality. With Microsoft Teams Direct Routing we can provide the phone system to Teams users ,connect the SIP Trunks and use the local telecommunications provider. This option provides most of the customers for an easy transition to Microsoft Teams in parallel by utilizing the existing infrastructure and moving the users to the new system.

In order to leverage this functionality we need to setup certified session border controllers. Previously there is an article written which can be referred to check the readiness and steps that is required to configure Direct Routing in Microsoft Teams.

In this article series we will see on setting up audiocodes session border controller that will help in configuring the Direct Routing.

There are multiple ways to achieve this and we have an option to configure this from the Azure Market place. We will see on configuring this from the Azure Market Place.

First prerequisite is we need a valid azure subscription. Login to Azure and search in the Azure Market Place for Audio Codes.

Below are the results that we receive and there are few options for us to select over here. For instance we do have an SAAS offering that is fully managed in Azure. For a full setup we have Mediant Virtual Edition Session Border Controller and Cloud Edition Session Border Controller. The Mediant CE edition is more robust ,utilizes the full cloud elasticity and can scale up and down based on the demand. The VE is more of a Virtual edition that can be built easily on Orchestration Solutions and available in the Azure Market place for easier deployments. More information on the description can be found here

Here in this example we choose to use the Virtual Edition Session Border Controller. There are few important key take aways to note down here. While creating it is not allowing us to add them on an existing resource Group and it mandates us to create a new resource group or any existing resource group that is empty. And one more important thing is that the virtual machine name must be all lower case because in the network settings it doesn’t allow to create the dns name with the upper characters.

Next in the virtual machine settings we have the option to choose the computing size. And we have options to choose the OS versions. Here have chosen the latest os version. The cloud-init file is an optional file that can be chosen for automatic provisioning.

Next is the network settings where it provides us the option to set up the NIC interfaces based upon our requirement. Since in this case its a demo we are going with the network interfaces option 1. One more important thing here is that the public ip address has to be static . It picks up the setting static from this template however its better to verify them from the NIC settings once the VM has been deployed.

Finally it comes to the validation screen where we can check all the required settings and click on create.

Once it has been created we see all the required resources have been populated.

You can also see the DNS name that has been created with the static IP

Now when we login to the SBC DNS name we get the Audiocodes console that is ready for configuration.

Now this is running the next important thing is create an A record in the Public DNS and point that to this public ip address. One more important tip here is that this name that has been selected the domain has to be registered in the Office 365 portal.

The next important thing is the certificates configuration on the Mediant SBC. Create a certificate from the public CA and upload them from here Ip Network – Security and TLS Contexts.

In my case im using a certificate that has been provided by digicert for this domain that we are testing. Make sure the file is in password protected and pfx format.

Click on change certificate. There are multiple options to upload the certificate. Here we are choosing the last option upload the certificates from your computer in PFX format and with a password and select load file.

After a successful load file we see the message that states the upload is successful and here we see the red save alert that forces us to update the modified configuration.

We can also see the associated root and intermediate certificates of digicert have been populated over here in the trusted root certificates section.

Finally we have to upload the same certificate in pem format for the SBC

We get the below message after a successful upload of the pem file.

Now we have completed half of the initial readiness of the direct routing configuration and in the next blog we will go through the next steps of the further configuration.

Thanks & Regards

Sathish Veerapandian

Move users to Teams only mode from on premise Skype for business environment

This article outlines the technical steps that is required to move an on premise skype for business account to Teams only mode. There are lot of other factors that needs to be considered before making this change and this step can only be a final stage almost in any environment.

If there is any PSTN integration with Skype for Business on-premise environment then these factors needs to be planned and executed in stages before phasing out Skype for Business On-premise and moving users to Teams Only Mode. These features and functionalities needs to be transferred completely to Microsoft Teams.

If you are moving from a Skype for Business 2015 environment, ensure that the supported CU version admin tools is Skype for Business Server 2015 with CU8.

In this example I have built a lab on my environment which has my local Directory identities below test accounts synched to the Azure AD.

And I have a standard Skype for Business 2015 environment running in the local active directory environment.

The next step is to configure the skype for business hybrid to the office 365 tenant where we are going to perform the move operation.

There are three simple steps involved in this procedure first part is to configure federation with the below command from the Skype for business server management shell.

Set-CSAccessEdgeConfiguration -AllowOutsideUsers $True -AllowFederatedUsers $True -EnablePartnerDiscovery $True -UseDnsSrvRouting

Next step is to configure shared sip address space with Office 365 tenant. In order to do that the first step is to check if there is already hosting provider enabled and just in case if its present can we must remove them with the below command.

Get-CsHostingProvider | ?{ $_.ProxyFqdn -eq “sipfed.online.lync.com” } | Remove-CsHostingProvider

And the next step is to enable the hosting provider with the below command.

New-CsHostingProvider -Identity Office365 -ProxyFqdn “sipfed.online.lync.com” -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root

As we can see executing both the commands were successful in my case.

Now we’ve made the required change on the on-premise Skype for Business environment we need to make the same change on the Office 365 tenant by enabling the shared sip address space with the below command.

Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true

In the below example I have connected to Teams powershell session and have performed this task.

Once we have performed the server and tenant configuration now its very important that we need to allow requested URLs that will be resolved from the Management server where we are performing the operation.

The tenant URL for your subscription needs to be identified as per this Article . And this URL needs to be whitelisted on the outbound connection.

Get-CsTenant|ft identity

So in my tenant as per the article the hostedmigrationoverrideurl is adminof.online.lync.com

Permission:

Now need the required permissions to make this operation. The Skype On premise admin account will require a minimum of csserver administrator role. For Online permission we must have Skype for business Admin and user administrator role. In my case i attempted with Global Admin Credentials so not exactly sure about the behavior when we move directly to Teams only mode with granular permissions. It works with the split permission accounts OnPrem\Cloud with sessions established to SFBOnPrem and SFBO modules from the same PowerShell.

One more important thing to notify here is that the user that we are performing the move operation must have the appropriate license on the Office 365 so that the account gets enrolled on the Teams service.

Establishing the session:

Launch the PowerShell on the management server where you have the SFB admin tools installed and have connectivity to SFB on prem FE and required tenant to establish the PowerShell session to the new Teams Module. Make sure you install the Teams Module on the management server this as per this information.

Online:

OnPrem

Import the SFB powershell module on the same session. Since I have opened this session from a local SFB admin account I did not store the on prem credentials in this session.

Performing the move

We can perform the move with the below command. One important point to note here is that post CU8 the move operation will succeed only with the modern authentication by using the switch -UseOauth

$url=https://adminof.online.lync.com/HostedMigration/hostedmigrationService.svc

Move-CsUser -Identity Lionel.Augnel@nl.exchangequery.com -MovetoTeams -Target sipfed.online.lync.com -Credential $cred -HostedMigrationOverrideUrl $url -UseOAuthBypassAudioConferencingCheck

In the below case we can see that the move operation is successful.

In the move results log as well we get few useful information which provides us the time taken for move user preparation, start time and few more information that might be helpful.

On validation we can see that the moved users are showing as homed in office365 and no longer present in SFB on premise environment.

And in the Teams we can see that the user has been migrated successfully to Teams mode directly.

Now the initial setup is completed script can be created to move the accounts in batches.

Schedule Microsoft Teams Live Events from an external app OBS Studio

With Microsoft Teams Live Events ,we have an alternative to stream them from outside encoding sources. There are few advantages of playing out this activity from an external application. We can customize the presentation deck by including various sources and there is an option to include multiple cameras and cumulate them on the same deck.

So here I caught some eye over this subject to investigate this alternative from an open source free tool OBS Studio . The installer can be downloaded and installed on the PC from where we are going to stream the live event from this app OBS Studio. And they are present in the list of Supported Encoders provided by Microsoft.

Well before we setup the OBS studio the mandatory part is we need to schedule a live event to generate the URL to build up the connection between them.

So created live event with org wide option.

In the next screen choose the option external app or device.

The moment when the live event is created we could see the server ingest url is been generated. So now the required url to establish the connection from OBS has been generated here we need to populate this value on the OBS studio app.

From the OBS Studio app navigate to settings

Navigate to stream – in the service select Custom and populate the server URL that was copied from the generated live event. Its mandatory to paste the stream key over here. You can paste some random numbers and that will become your stream key. This part is completed and you can click on apply.

Customization of the presentation Deck

Now we need to go to scene and create a new scene.

Once that is done we have option to add the source. We could see over here that there are ample of options available over here to modify our presentation deck.

Furthermore when selected the video capture device , we do have the opportunity to add multiple cameras over here with our own customization.

When further drilled down into the configure video option we can see options. I was able to change zoom, focus and exposure and might change here based on the camera that is connected.

We have options to add images, media and browsers which might be beneficial during the live event from the same deck. For instance below is an example to add the media video. The tool really seems to be powerful in providing additional options on customization of the deck.

Once the customization is done we are good to go to start the setup.

After that we click on start streaming from the OBS Studio. Once the session is started we can see the frames per second ratio which is ready to stream on Teams Live events.

Then from Teams live event you can click on start event.

Finally we can see the live events streaming from external encoder app. Below is a sample where we can see the state it says encoder preview and the customized deck with images and browser page.

Regards

Sathish Veerapandian

PowerBI – Microsoft Intune Data WareHouse Beta connector

Now we can use PowerBI and use the Microsoft intune data warehouse to build reports for the entire organization to foresee the intune analytics and the status. PowerBI being a very potential platform for data gathering and analysis this intune data warehouse can help in terms of analyzing the Microsoft intune statistics and provide us the overall metrics.

When we look into the get data from the PowerBI desktop version, we do see the option Intune Data WareHouse Beta Preview connector. Once authenticated with the account we can select this connector

At this point of writing this blog , we could see that this connector is integrated with a 3rd party service as of now and it in the progress of full mature version and can expect more improvements in the future.

On further progress we have an option to pull data up to 60 days as of now.

Once connected we can see there are 48 datasets that can be helpful in building the required reports and the dashboard for Microsoft Intune.

Here just for an example have loaded few datasets that might be helpful for us in creating a reporting for the intune statistics.

For instance we could measure how many users have intune licensed , jailbroken devices , azure ad registered devices , trends of OS versions getting enrolled in intune and even see the amount if MAM getting enforced on devices.

Once the data is segregated and creating the report we can go ahead and publish them to the Workspace.

On a successful operation we get this below message. There is an option to create a portrait view of the report which is compatible for mobile phones.

We could publish this report to dashboard and share them to users which can provide insights to enterprise mobile environment. 

Finally below is an sample overview of the shared dashboard view.

There are lot of benefits in using the Data Warehouse when compared to the Azure Portal. The Data WareHouse is like accessing the raw data from the backend where the delta is refreshed in the daily fashion and we have option to pull the historical intune data.

One important point to note here is that the Intune Data Warehouse only contains Intune data. Just in case if co-management is utilized then additional steps to retrieve the data from configuration manager is required.

Power Bi desktop is used to create the reports and this can be done with the free version of the PowerBI. PowerBI Pro license is required for publishing the reports and share them for collaboration.

Regards

Sathish Veerapandian

Microsoft Teams – script to generate teams owners ,visibility type, owners count, members count and archive status

Microsoft Teams utilization have phenomenally increased with the current COVID situation where almost everyone of us are working from the home. Microsoft Teams being one of the top collaboration software helping all of us to stay better connected during this time.

Most of the organizations doesn’t restrict the Team creation from Microsoft Teams because this factor is heavily influenced on better adoption rate of the Teams communication platform. The below script can be used to run in task scheduler or in Azure Function on a monthly basis for reviewing the Teams Created in last 30 days especially to see the Teams that have been archived and to see the fashion of teams created private or public by the users.

Below is the sample output of the script which will provide us the below details.

############################################################################################################################################
# Description   :- Powershell Script To extract Teams Name,Owner,backup owner,owner count,member count,Group Type and Archive Status.
# Created Date  :- 10-Oct-2020
# Created By    :- Sathish Veerapandian
# Version       :- 0.2
# Imp Notes     :- Please ensure you have folder C:\Scripts and clear the output files generated every time when you run the script again.
# Info          :- If you want to send reports as email please uncommentlast line and use the from/to address with SMTP Server
############################################################################################################################################
Connect-MicrosoftTeams

$Path="C:\scripts\TeamsReport.csv"

$Header = @"


TABLE {border-width: 1px; border-style: solid; border-color: black; border-collapse: collapse;}<br />
TH {border-width: 1px; padding: 3px; border-style: solid; border-color: black; background-color: #48D1CC;}<br />
TD {border-width: 1px; padding: 3px; border-style: solid; border-color: black;background-color: #F0FFFF}<br />
"@

$Count = 0
Get-Team | foreach {
$TeamName = $null ; $TeamName = $_.DisplayName
$GroupId = $null ; $GroupId = $_.GroupId
$Visibility = $null ; $Visibility = $_.Visibility
$EmailAlias = $null; $EmailAlias = $_.MailNickName
$Archived = $null; $Archived = $_.Archived

$Count++
Write-Progress -Activity "`n Processed Teams count: $Count "`n"  Currently Processing: $TeamName"

$TeamMembersCount = $null ; $TeamMembersCount = (Get-TeamUser -GroupId $GroupId).count
$TeamOwners = $null ; $TeamOwners = Get-TeamUser -GroupId $GroupId -role Owner
$TeamOwnersCount = $null ; $TeamOwnersCount = ($TeamOwners).count
$Owner1 = ""
$Owner2 = ""

If ($TeamOwnersCount -eq 1) { $Owner1 = $TeamOwners[0].User}
Elseif ($TeamOwnersCount -ge 2) { $Owner1 = $TeamOwners[0].User; $Owner2 = $TeamOwners[1].User}

$Output = [PSCustomObject]@{
    TeamName = $Teamname
    Owner1 = $Owner1
    Owner2 = $Owner2
    TeamOwnersCount = $TeamOwnersCount
    TeamMembersCount = $TeamMembersCount
    TeamEmailAlias = $EmailAlias
    TeamVisibility = $Visibility
    TeamArchiveStatus = $Archived
}
$Output | select * | Export-Csv $Path -NoTypeInformation -Append
$Data = Import-CSV "C:\scripts\TeamsReport.csv"
$data | ConvertTo-Html -Head $Header | Out-File -FilePath C:\Scripts\TeamsReport.html
# Send the exported html as email for evaluation
#Send-MailMessage -From senderemailID -To recipientemailid -Attachments "C:\Scripts\TeamsReport.html" -BodyAsHtml -SmtpServer mentionsmtpserver -Subject TeamsGroupReport
}

Thanks & Regards

Sathish Veerapandian

Microsoft Teams – Utilize the Azure Sentinel to facilitate SOC and Monitor Teams critical events

Few days ago Microsoft has announced the new release which provides us the opportunity to integrate MS Teams related activities that are recorded in the audit logs to Azure Sentinel. Enabling this feature benefits organization where there is a separate SOC team monitoring and analyzing the security posture as an ongoing operational procedure.

We still have the Microsoft native cloud app security which benefits in creating the alerting mechanism for MS-Teams related activities.But with the Log Analytics and Azure Sentinel we can do a lot more than it can be done from the Cloud App Security. We can further fine tune the alerting, create workbooks and dashboards for Microsoft Teams related activities which will be useful for Teams Monitoring.

To start with this new feature ,we need to enable this new option to ingest Teams Data into Azure Sentinel Work Spaces. This article can be followed to start with connecting office 365 with the Microsoft Cloud native SIEM Azure Sentinel.

Navigate to Azure Sentinel Work Spaces – Select Data Connectors – Choose Office 365

Here we can see the new option for sending Teams Audit Logs to Azure Sentinel WorkSpace.

Once it is done after a while, we could see that the workspace have received the data types Office Activity (Teams)

Live Query Teams Monitoring :

When we navigate into the workspace we have the opportunity to fine tune and see the events that are written on the Audit Logs for Teams in a more refined way.

For instance to filter only Team creation can be checked from the workspace. This can be used for filtering even specific person and creating alert for them.

This helps the SOC Team for a live reactive analysis when any security incidents are reported for Teams related activities.

OfficeActivity
| where OfficeWorkload == "MicrosoftTeams"
| sort by TimeGenerated
| where Operation has "TeamCreated"
| where UserId has "sathish@exchangequery.com"
| project UserId,AddonName,TimeGenerated,RecordType,Operation,UserType,OfficeWorkload

Create Alerting Mechanism : Azure Monitor or Azure Sentinel

In a real example we can create alerts and notify the SOC Team when a bot has been added to the Team.

OfficeActivity
| where OfficeWorkload == "MicrosoftTeams"
| sort by TimeGenerated
| where Operation has "BotAddedToTeam"
| project UserId,AddonName,TimeGenerated,RecordType,Operation,UserType,OfficeWorkload

To create the alert once after writing the query we have the new alert rule where there is an opportunity to create alerting mechanism in two methods. Create Azure Monitor Alert or Create Azure Sentinel Alert.

To experience the behavior selected the option Create Azure Monitor alert. Used the same Query. Alert logic and the time period is set for demo and can be defined based on the period and frequency that suits best for the monitoring.

The action group can be selected to send this notification alert to a email addresses.

The notification type can be selected for other options like where ITSM can be chosen to trigger an incident for the same events.

In our case email was selected and after few minutes tested by adding a bot and got the alert notified on email address.

Further information about the bots that have been added can also been seen.

Create WorkBooks and Dashboards:

Here we do have the possibility to create workbooks and dashboards for Ms Teams related activities. There is one template present by default for Office 365 and there is a item Teams Workload present over here which will help in creating a workbook for Teams.

The default workbook provides decent information on monitoring the Teams related activity.

This will be a good start to create one dedicated work book for Microsoft Teams and pin them as a separate dashboards for Microsoft Teams related activities. I have also written post on creating Azure Monitoring Workbooks which can be referred for creating dashboards for Teams Activities.

Microsoft Teams logs in Azure Sentinel is really a welcoming native cloud integration feature set where lot of organizations can be definitely beneficial in terms of actively monitoring the Teams Activities with no additional cost of investing on 3rd party SIEM integrations.

Regards

Sathish Veerapandian

Synology DiskStation Active Backup for Office365

Recently i was requested to review the synology diskstation ActiveBackup for Office 365 . Though Microsoft 365 provides unlimited retention period and litigation hold for office 365 applications i always had one topic in my hit list to read on why there might be a reason to have a local backup instance for Office 365 applications.This made me to do some little bit research on this topic and could see there might be few business cases ,compliance/legal requirements which demands to maintain backup copies of electronic data.

Moreover the litigation hold and retention period is not applicable for all office 365 plans. I have seen organizations consuming wide variety of Office 365 plans based on their business models.

On the other hand i see most of the office 365 backup solutions provides faster efficiency of users able to restore the content on their own mostly from the user management portal. In an ideal scenario office 365 user data recovery can be executed from a native tool set where we use the native content search or an e-discovery case from the admin portal. In a real case scenario if we don’t have an SLA for restore of data that comes in everyday for a resigned employee or an existing employee there might be some delay where only few admins are responsible in handling the operations tasks. With these third party packages we can optimize the processes for data restore.

In this article we will have a look at Active Backup for Office365 from Synology. A little while back i setup DS920 + Diskstation with Sea Gate Iron Wolf HDD . SeaGate IronWolf is always BUILT FOR NAS Designed for 24×7 NAS workloads with better performance, spacious capacity, blazing-fast speeds and provides 2 applications sea tools and disk wizard for monitoring the drives.

In order to setup Active Backup for Office 365 we have to login to the Disk Station Manger.Keep this in mind the Active Backup for Office 365 supports only in 64 bit NAS and they must be running DSM 6.1 or later with atleast 2GB of ram.

After logged in to disk station manager in the package center , we can see the Active Backup for Office365 is present as an addon. Once its installed we can open them.

In the setup screen it provides us an option to choose in which office 365 data center our tenant resides.

Subsequent log in with the admin credentials we can see it requests for oauth permissions so that it can get the read and write access on all users data to perform the backup and restore operations.

Then it takes to the redirect page that we must confirm that we are ok with sending the office 365 data to the local DS domain.

Once it is completed Active Backup for Office 365 is opened. Navigate to Task Creation Wizard.

Here we have 2 highlighting features :

Account Discovery – When this option is turned on every new account in Office 365 gets the backup enabled automatically which is really a good features.

Enable the Active Backup Portal for end users – User logins with his own credentials and can see his own data and perform restore.

Here we have options to select the users where we need to take a backup for them. On a business standpoint we can think of 2 cases first one being the users not having the appropriate license for Litigation hold and retention policies and the latter one being VIP users or critical Financial Mailbox data that might require a local copy as per the business model concerning the audit and compliance requirements.

Selected few users for our testing and we also have the option to choose what service that needs to be backed up.

We have the site list where there is an option to choose the sites.

We have the backup and retention policy here to choose based on our requirement. We do have the file version retention policy as well.

Finally we choose the destination folder location in the NAS drive and the backup task creation is successful.

We can see the overall status and the backup summary in the Active Backup for Office 365 Dashboard once after few backup schedules have been successful.

Restore Operation:

There is an option to choose which service that we need to restore for the user. Here it can be one drive, Mail , Site , Calendar or Contacts. At the moment of writing this blog I do not see a separate option to restore for Teams Data.

Option 1 : Admin Restore

When admin logins he has the full privilege to navigate to all employees ,their data and restore them.

Option 2 : User Restore

User logins with his own credentials in the Office 365 Active Backup Portal and can see his own data.

Email Restore:

From the Admin console logged in – have the option to choose the users.

Here we can see the option to select our restore point date and choose the required emails individually. In the restore we have two options first one to restore them directly to users mailbox and the second one where we can export them as individual email messages.

We have the option to search for the individual files with keywords, subject ,date and including with attachments which looks like a promising feature.The ability to perform a granular brick level backup will minimize most of the native recovery operations task.

In the final screen we have the option to change the user destination. In a real case scenario this can be useful where a current employee might require a data from a resigned employee after getting prior approval for a valid business reason.

Once the restore operation is successful we can see in the user mailbox it has been stored them on a separate destination folder and only the selected emails are restored.

On a export operation we the selected files are exported individually as emails.

File Restore:

File restore is also very promising. It makes an easy task to restore the file directly to the destination or take an export which downloads the requested file in the same format.

On doing a direct restore we can see that there is an option to restore the file sharing permission which looks great.

Below were the highlights identified from the evaluation:

1) License-free for unlimited Office 365 backups.
2) Option Monitor and manage your backup even from multiple tenants from same single dashboard.
3) There is account discovery – when this option is turned on every new account in Office 365 gets the backup enabled automatically.
4) There is an advanced search engine which allows to find any files containing the keyword including mail attachments
5) Option to preview the content of each file before we could restore them

Of course Microsoft does provide enough ways to protect data against corruption, deletion , ransomware and disaster scenarios with security, retention policies and litigation hold. If that convinces then we are ok with the native backup mechanism.As an alternative we can choose these packages that can hold data locally mostly for compliance/legal purposes , Volume of users not covering the licensing requirements to retain their data and enhanced recovery mechanism based on the business requirements.

I find this software to be beneficial for organizations that might require to backup Office 365 data as a part of their legal and compliance regulatory requirements.

Thanks & Regards

Sathish Veerapandian

Overview of Microsoft Teams Graph API and its benefits

Microsoft Teams Graph API have been there for a quite a long time and it can be beneficial in various ways to perform Teams related tasks in API operations. In this article we will go through the Teams Graph API overview and API calls available as of now.

Using Graph API developers have a unified Rest API to access Teams underpinned components. For instance, using Graph API we can post a survey notification to a channel with option to vote for the survey. With this we can create a Team, add members and owners ,configure team settings and even archive a Team.

The overview of Graph API can be explored by navigating to the below URL.

https://developer.microsoft.com/en-us/graph/graph-explorer

Before consuming the Graph API we need the required permissions on the Graph API to run the query. So we need to consent the required permission based on the action that will be performed from the Graph API. In below example have granted the below permissions to execute the Graph API operations for Teams.

Once logged in initially we can check for the basic me option which returns the user information as below.

As of now while writing the blog post the Teams has below graph options 9 general and 4 beta versions. So if any issues identified on beta while pulling from the applications, powerapps , logic apps or other APIs it will be fixed sooner.

Now moving to the Teams part below query shows the teams where im member of

https://graph.microsoft.com/v1.0/me/joinedTeams

So now trying with the post request to create a channel on a Team called Test Team.The prerequisite of creating a channel is to mention the Teams ID under which the channel needs to be created.

Upon a successful post we can see that the new channel called architecture discussion have been created.

Interestingly we have an option to send a channel message. Example below message.

The test post message we set have been received in Team Channel.

When attempted the get message present in a channel we get the actual messages present in them.

Now we have tested the API operations from the Graph explorer there are multiple ways to access them from different programs. In our example we will try to access them from the powershell and create a Team. The first prerequisite for Creating the Teams from Graph API is they need to be as an Office365 Group. The Office365 group is created as a Post Operation

Once the Office365 Team is created we can use the Put operation to enable Teams in them. While there are lots of samples available on the internet to create the teams i found this video which is very helpful start the graph API operations for Microsoft Teams via Powershell.

As a initial prerequisite we need o install the SharepointPNPPowershell online and connect to them.

Below is a sample script that can be used to create a Team from the Graph API via Powershell.

#connect to graph API
Install-Module SharepointPNPPowershellOnline
connect-pnponline -scopes "Group.ReadWrite.All"
$accesstoken = Get-PnPGraphAccessToken

#Prepare generic OAuth Bearer token header
$headers = @{
"Content-Type" = "application/json"
Authorization = "Bearer $accessToken"
}

#Create the Office 365 Group - Post Request
$NewGroup = @{
Description = "Team Fun Friday"
DisplayName = "Fun Friday"
groupTypes = @("Unified")
mailEnabled = $true
mailNickname = "teamfunfriday"
securityenabled = $false
}
$creategroupbody = ConvertTO-Json -InputObject $NewGroup

$response = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/groups" -Body $creategroupbody -Method Post -Headers $headers -UseBasicParsing
$groupid = $response.id

#Create the Team - Put Request
$NewTeamRequest = @{
membersettings = @{
allowcreateupdatechannels = $true
}
messagingsettings = @{
allowusereditmessages = $true
allowuserdeletemessages = $true
}
funsettings = @{
allowgiphy = $true
giphycontentrating = "strict"
}
}
$createTeamBody = ConvertTo-Json -InputObject $NewTeamRequest
$response = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/groups/$groupid/team" -Body $createTeamBody -Method Put -Headers $headers -UseBasicParsing
Write-Host $response

Upon a successful execution of the above script we will get the below message on the powershell session.

On verification could see the associated office 365 group and the Team have been created.

Also the team is automatically created and visible from the Teams client

With the Microsoft Graph APIs it becomes a unified REST API experience and it helps us to perform multiple Teams operations and automate the Team management life cycle.

Microsoft Teams – Change the Supported Meeting Mode on existing Skype Room Systems to Teams Mode by leveraging Intune Scripts

Microsoft Teams have been the highly adopted collaborative platform in few months time.It has been helping a ton worldwide and the new features that is been released every now and then makes us stay connected and expands the efficiency in every organization who have been using them.

By default Microsoft Certified Room systems are forward compatible with the new Skype for Business or Teams services while maintaining the same client user experience.Usually when any organization has only Skype then these meeting rooms will have the options only Skype enabled on them.

In this article we will be looking at how to enable the existing Skype room systems to have the capacity to host Teams Meetings in them.

Example screen of a Skype room system panel where we have the below options on the supported meeting mode while configuring them at the initial stage .

These devices are basically on KIOSK mode running on recommended versions of Windows 10 currently supported one being 1909 at the time of writing this blog.

Ideally when a Skype room system account have been migrated to Teams with all the prerequisites this mode on the meeting room devices needs to be changed to support Skype for Business and Microsoft Teams.

This can be done by using the local admin credentials of this Skype room system , logging into the system context and change the mode to support both Teams and Skype. In a real scenario for a small scale deployment for lesser than 10 rooms changing them manually from the local IT support is possible. But in a huge deployments where there are 100 plus systems deployed across the globe and making them change manually will be a uncomfortable experience.

This supported meeting mode on the Skype room systems is controlled via an XML file present on below location. This location is standard for all the meeting rooms running on KIOSK mode and have a file named skypesettings.xml

C:\Users\Skype\AppData\Local\Packages\Microsoft.SkypeRoomSystem_8wekyb3d8bbwe\LocalState

At startup these devices looks up for this XML file named SkypeSettings.xml on the above location. If it finds them it applies the configuration settings indicated by the XML file then deletes the XML file. The best thing is that we can mention only the changes that we require on the system on the XML file and it will update the delta changes and keep the other settings as same.

In order to enable Teams, Skype and have Teams as default client we can use the below XML

<SkypeSettings>
    <IsTeamsDefaultClient>true</IsTeamsDefaultClient>
    <SkypeMeetingsEnabled>true</SkypeMeetingsEnabled>
    <TeamsMeetingsEnabled>true</TeamsMeetingsEnabled>
</SkypeSettings>

Now this XML can be easily pushed to all the Skype Room Systems via Intune Scripting Profile.

Below are the prerequisites before performing this action:

  1. The Skype Room Systems accounts must have thee Teams license assigned to them. This offers an easy migration path from Skype for Business to Teams by just enabling Teams on the device.
  2. The Skype Room Systems must have been registered on Microsoft Intune to target this intune scripting profile to them.

Login to Microsoft Intune- Navigate to Device Configuration – Create the Scripts as below. Ensure the script settings have all the default settings. Target them to the meeting room devices which requires this change.

Copy save them as ps1 and Use the below script on the script settings page.

$target = "C:\Users\Skype\AppData\Local\Packages\Microsoft.SkypeRoomSystem_8wekyb3d8bbwe\LocalState\SkypeSettings.xml"
$xml = "<SkypeSettings>
    <IsTeamsDefaultClient>True</IsTeamsDefaultClient>
    <SkypeMeetingsEnabled>false</SkypeMeetingsEnable
    <TeamsMeetingsEnabled>true</TeamsMeetingsEnabled>
</SkypeSettings>"
$xml | Out-File -FilePath $target -Force

After the next azure AD sync is completed on the targeted devices we can see the XML file to be successfully deployed on the below location.

Also we can see the overview of assigned and failed devices on the intune script profile. In our case it was successful since it deployed to targeted system without any issue.

Once the Skype room systems gets this XML and usually these systems reboots every night to check for the system updates install them as a maintenance window. During that time this XML will be updated since the device will be rebooted. Once this change has been applied to all the systems the Intune Script profile can be removed since it is a one time configuration change on the systems after the user accounts have the teams enabled.

Option2:

Create storage container in Azure , store the XML file and make intune to pull the xml file from there. Keeping this option is beneficial just in case if we need to modify the XML file frequently for device settings.

Navigate to azure portal – Storage accounts – Select File shares

Create a new file share for the pushing the Teamsxml

Once it is shared we can use the appropriate url in the script.

Below script can be used for the same

$source = "storage file source url"
$target = "C:\Users\Skype\AppData\Local\Packages\Microsoft.SkypeRoomSystem_8wekyb3d8bbwe\LocalState\SkypeSettings.xml"
Invoke-Webrequest $source -Outfile $target
$xml | Out-File -FilePath $target -Force

Regards

Sathish Veerapandian

%d bloggers like this: