Category Archives: Microsoft Teams

Part 3 – Set up the PSTN Trunk for the Direct Routing Configuration for Microsoft Teams

Continuing from the previous article, we will now go through the next steps required to complete the enterprise voice configuration. We have set up the AudioCodes SBC and configured the SIP trunk from Office 365 to the SBC; the next step is to set up the PSTN trunk from the SBC to the telephony provider.

If there is an existing setup, this part is not required because the configuration will already be present. In this article we will look at how to configure the PSTN trunk for a new telephony provider.

There are multiple PSTN SIP providers that we can use to complete this configuration. In our case we have chosen Telnyx as the PSTN SIP provider for this demo. They give us the flexibility to purchase numbers for as low as 10 USD, which is why we chose them for our testing.

We are not going to deep dive into the Telnyx configuration, since our task is to create a PSTN trunk between them and our SBC. We will go through only the steps required to complete the Direct Routing configuration.

When we subscribe with Telnyx they provide an advance credit of 10 USD and a portal like the one below. As per the Telnyx documentation, we need to create a new SIP connection to our SBC in the section below, where we can see they have a SIP connection with their backend system as a default setup.

Here we have created a new SIP connection to the SBC as below. To proceed, click on Add SIP connection. Added a name Teams SIP Connection Type – FQDN – Provide the SBC published FQDN – Keep the rest default – Finally use the authentication type credentials, use the login details that were received at registration and click save.

Now we have to complete the inbound/outbound configuration and choose the number format, SIP transport protocol and SIP region based on our requirement.

When we expand the expert settings we can see the audio/video codec types, which we need to choose based on our requirement.

For the outbound, we have to choose the correct country where the number has been purchased.

Finally we need to create the outbound voice profile and whitelist the country where the calls will be made. The outbound connection type can be selected as FQDN, since we have the SBC FQDN for Direct Routing, which will be published on the internet.

Whitelisting the country is done by searching for the appropriate country in the Available Regions and Countries section on the left and adding it to the selected regions and countries on the right. FQDN connections need to be chosen from the connection's outbound settings in the SIP Connections section of the portal, which is shown in the outbound tab of the SIP connection section.

Finally we need to purchase the numbers from them and set up a DID to a SIP connection. This is mandatory to receive inbound calls from the PSTN provider. We can navigate to numbers and choose the number that needs to be set up as DID. Navigate to connection or app and choose the SIP connection that was created between Telnyx and the SBC. There is an option to assign multiple DIDs to a single SIP connection; however, since this is our testing, we have used only one in our example.

Having completed the configuration on the SIP provider portal, we need to set up a few more configurations on the SBC.

There are 3 configurations that need to be completed on the SBC.

  1. SIP Proxy
  2. IP Group
  3. Define Coders

Now we need to setup proxy sets to establish outbound and inbound connections from the SBC.

The appropriate IP address has to be chosen based on the location as per this information. In the Proxy addresses, add the appropriate IP addresses in the new proxy set type. The Transport type must be UDP. In our example we have selected TCP and UDP for testing purposes.

Now we need to define the IP Group to denote the source and destination of the calls and associate them with the proxy sets created for the PSTN Trunk.

Having completed this, the final step is to define the coders that are supported by Telnyx. This can be completed by navigating to Coders & Profiles and selecting the coder groups.

Once this is completed we are ready to assign the number to the Teams client. On a successful number assignment as per this article, we get the assigned number.

And we receive the dial pad as below with the number.

Having reached this state, there are a few scenarios that are not succeeding, and it might require additional tweaking in my test environment, which I haven't visited for quite a long time. An inbound call is not succeeding. The SBC is not responding to the inbound INVITE from Telnyx even though it is listening on the port.

I will test the configuration further and probably update the results in the upcoming posts. Similarly, depending on your requirements, you may need to set more configurations such as IP profiles, routing, additional codecs and proxy sets.

Regards

Sathish Veerapandian

Upgrade the Surface Hub 2s from Windows 10 Team OS version RS2 (build 1703) to Windows 10 Team OS version 20H (build 2020) and Enable them for Microsoft Teams

Microsoft Teams Room devices are a great way to hold virtual meetings and give us an amazing meeting experience. They especially help in sharing content and collaborating easily, and increase work efficiency by making effective use of Microsoft Teams meetings. The Surface Hub 2S is a fully integrated Windows device capable of organizing remote meetings, with enhanced collaboration through the whiteboard and great video quality from its 4K camera.

As per this article, the Surface Hubs that are running Windows 10 Team OS version RS2 (build 1703) might reach end of support by March 16th 2021. Here we will go through the steps to update the Surface Hub 2s devices that are currently running Windows 10 Team OS version RS2 to Windows 10 Team OS 20H.

As per this article, there are 3 options to achieve this: Windows Update, Windows Update for Business and Bare Metal Recovery.

The first 2 options were not successful for us, so we decided to move to the last option, Bare Metal Recovery. At this point the devices were on Exchange Online with Skype accounts. Our next plan is to move them to Teams once the upgrade is completed.

Summing up below was the scenario in our deployment:
1) Exchange Online Accounts to fetch the calendar and show the availability.
2) Skype accounts to host the meetings.
3) Local AD joined.

Once it is downloaded, all we need to do is unzip the downloaded package – Copy the files to a USB drive formatted as FAT32 with the default allocation unit size – Plug it into the USB port of the Surface Hub – Press the Power button and the Volume Down key at the same time.

Performing the upgrade (Bare Metal Recovery)

To start the Bare Metal Recovery, navigate to the URL below and choose Windows 10 Team Update – Enter the serial number of the Surface Hub – Choose the version Windows 10 Team version – Download: https://support.microsoft.com/en-us/surfacerecoveryimage

After a few minutes we will see the language selection menu. Tap on the preferred language setting to make a choice.

On the next screen we will get the keyboard selection menu. Tap on the preferred keyboard setting to make a choice.

Now we have to choose the Bare Metal Recovery method. Tap on ‘Recover from a drive’.

Choose the option ‘Fully clean the drive’.

And start the recovery by selecting the ‘Recovery’ button.

The Surface Hub will restart 3 times. The first restart will show the progress of the recovery process.

The second restart will show the progress of device driver setup.

The 3rd restart will show us the ‘Out-of-the-Box’ setup screen for a Surface-Hub.

Setup the Surface-Hub

Now that we have successfully upgraded the Surface Hub to Windows 10 Team OS 20H, we can proceed with the initial setup of the Surface Hub. In the language select menu, select the language of choice and press ‘Yes’.

Now we have to wait until Cortana has ended the introduction before we can continue with the Region Select menu.

Select the region of choice and select ‘Yes’.

Select the keyboard of choice.

And skip (for now) a second keyboard layout.

Now we have to wait for the EULA message.

Accept the EULA to continue the setup.

Now we have to set up the device account. Since we are behind a proxy, we have to authenticate to the local AD. For this we use the following naming convention: <FQDN Domain Name\SamAccountName> Example: x.y.z\samaccountname

An important point to note here is that, in the past, Surface Hubs on the old version required a Mobile Device Mailbox Policy.

The good news is if the mailbox is hosted on Exchange Online it does work with EWS.

On the next screen we can accept the settings and continue.

When there are no issues during this part of the setup, we will be notified of a successful setup.

Next we have to give the device a name. In the first field we enter user-friendly information. The second field is used for the device name, which will be used to join the Surface Hub to the local Active Directory.

Next we choose ADDS.

Here we have to use a username with Domain Admin access.

Before the device can be managed, we have to add the security group in which the users who administer the Surface Hubs are placed.

In the upcoming 8 steps you will see options to send diagnostic data, enable device location, improve typing, etc. It is entirely our choice whether to select them. Personally I feel it is not that beneficial for any meeting room device to send this type of data. Customers from Europe especially have to decide on their own based on the GDPR regulations.

Meanwhile we have to wait for the setup to be finished.

Configuring the Surface Hub for first use

Before we can use the Surface Hub for Teams Meetings we have to configure the Surface Hub using the Settings Menu. To open the Surface Hub Settings menu we have to press the Windows button, select ‘All apps’, and in the list we have to scroll down and select the ‘Settings’ option.

Enter your credentials. This username has to be in the security group we set up earlier in this blog.

Choose the Surface Hub menu.

And notice that the sync-state of the account is showing ‘Account is up to date’.

In the sidebar menu select the option ‘Device Management’. Add the device account using the UPN and select ‘Continue’.

Again we have to use the SamAccountName information using the naming convention x.y.x\samaccountname

And when everything goes well, we have a successful setup.

In the sidebar menu we then choose Calling & Audio.

In this field we have to set the online domain suffix information.

Before we can continue we have to restart the Surface Hub. In the bottom right corner we now touch the UP arrow. Choose Restart and Restart now to

When the Surface Hub is back again, we have to update all applications using the MS Store. So we again enter Settings > Surface Hub > Apps & features and select ‘Open Store’.

In the upper right corner select the hamburger menu (3 dots) and choose the option ‘Downloads and updates’.

Now in the second screen select the option ‘Get Updates’. When all the updates are installed restart the Surface Hub again.

Now we create a Teams meeting to see if the calendar update will show the upcoming meetings.

Finally, Teams meetings are successful on the Surface Hub running Windows 10 Team OS version 20H.

We could see the gallery view, large gallery view and the Together mode.

We attempted the same approach a couple of months back. However, the upgrade was not successful. With the new version build available now, the Bare Metal Recovery process is successful.

Just feel free to share your thoughts on this topic.

Regards,

Ewald Hollestelle

Script to move bulk users to Teams Only mode from On Premise Skype for Business Servers

When we enable Teams for Skype for Business hybrid users, the final stage is to move the actual on-premises Skype for Business account to Office 365 to put it in Teams Only mode. As more organizations adopt Microsoft Teams in a full fast-track approach, the last stage of migration is to move all the local accounts to Teams Only mode.

This script helps in moving the users in batches to Teams Only mode from an input CSV file. It also shows on screen the time taken to complete the batch once the migration is completed.

Example below:



Measure-Command {
[CmdletBinding()]
param( [string] $UsersList = $(Read-Host -prompt `
    "Input the CSV File with Location"))
$Users = Import-Csv $UsersList -Delimiter ";"

#To Connect to Teams, Skype Online Session and Import them. Make sure you have the new Teams Module installed.

$mycred= Get-Credential
Connect-MicrosoftTeams -Credential $mycred
Import-Module MicrosoftTeams
$sfbsession = New-CsOnlineSession
Import-PSSession $sfbsession


#Initialize parameters and variables.

$sip= $users.SipAddress
$count = $users.count

write-host "We have found" $count "Users to Migrate" -foregroundcolor Yellow -backgroundcolor Black
$pauseSeconds = 10
$Sleep = 20

Write-Host "Pausing for " $pauseSeconds " seconds to verify your count..." -ForegroundColor Yellow
Start-Sleep -s $pauseSeconds

#To Enable Logging and store them for failed migration and any errors.

$transcriptname = "MoveCSUserStatus" + `
    (Get-Date -format s).Replace(":","-") + ".txt"
Start-Transcript $transcriptname

#Take export of SFB enabled users before move.

$Users | % {get-csuser -Identity $_.SipAddress} | Where-object {$_.Enabled -eq $True} | Select-object  SamAccountName,sipaddress,Enabled,EnterpriseVoiceEnabled | Out-File SFBUsersBeforeMove.csv -append            

$URL= "https://adminof.online.lync.com/HostedMigration/hostedmigrationService.svc"

#Initiate Move-CsUser Operation.

$NewSession=0
$x=0
foreach ($user in $users) {

$x++
Move-CsUser -Identity $user.SipAddress -Target sipfed.online.lync.com  -HostedMigrationOverrideUrl $URL  -UseOAuth -MoveToTeams -BypassAudioConferencingCheck  -BypassEnterpriseVoiceCheck -Verbose -Confirm:$False
$NewSession=$x/250
if($NewSession -eq 1) {
get-pssession | remove-pssession
Disconnect-MicrosoftTeams
Connect-MicrosoftTeams -Credential $mycred
Import-Module MicrosoftTeams
$sfbsession = New-CsOnlineSession
Import-PSSession $sfbsession
$NewSession=0
$x=0
Write-Host "Refreshing the Skype online Session" -ForegroundColor Green
}
}


#Pause for 20 seconds 

Start-Sleep -s $sleep 

#Validate the Move and complete Successfully Moved and Failed Users.

$loop = foreach ($user in $users) {
Get-CsOnlineUser -Identity $user.sipaddress | Select-object  sipaddress,hostingprovider,TeamsUpgradeEffectiveMode,RegistrarPool} 
$loop| Out-File TeamsOnlyMigrationStatus.csv -append

#Validate the meeting Migration status
$loop = foreach ($user in $users) {
Get-CsMeetingMigrationStatus -Identity $user.sipaddress | Select-Object UserPrincipalName,State,MigrationType,LastMessage,FailedMeetings}
$loop| Out-File MeetingMigrationStatus.csv -append

Stop-Transcript
Write-Host "Migration Script Completed Please Refer Transcript File for any Errors" -ForegroundColor Green

#Close the sessions.
          
get-pssession | remove-pssession  

#Send an email report to notify that the migration has completed - mention your SMTP server
#Send-MailMessage -from "username@domain.com" -to "admin@domain.com" -subject "TeamsOnlyMigrationTaskCompleted: No File" -body "Teams Only Migration Batch have been completed.Please refer log file Location for further information" -SmtpServer "Mention your SMTP Server" 
}

Notes:

  1. Make sure that you whitelist the traffic to Office 365 services to establish a successful connection to the SFBO session.
  2. If there is a large number of users, it is recommended to split them into batches and execute them from 2 servers.
  3. Ensure that this traffic is excluded from SSL traffic inspection and IP connection limits on the firewall/proxy on the network side.
  4. Moving users over a shared bandwidth might be a bit slower, and moving them from a temporary dedicated IP address might provide better performance.
  5. This script uses the -UseOauth switch. Make sure the on-premises SFB servers are patched to the required version. Otherwise use the legacy option by removing this switch. It is recommended to run this first with a list of a few users, verify the result in your environment, and then run it for bulk users.

Regards

Sathish Veerapandian

Part 2 – Configure AudioCodes SBC for Microsoft Teams Direct Routing

Continuing from the previous article, there are a few more steps to complete the configuration of Direct Routing with the Office 365 tenant, and in this article we will run through those steps.

The SBC is now up and running, configured with the certificates and the required SBC DNS records, so the next step is to enable Direct Routing. There are two options to enable Direct Routing: via a Skype Online PowerShell session or via the Microsoft Teams admin center. In our example we will enable it via the Teams admin center.

Before doing this, make sure to meet the network prerequisites that are required for Direct Routing; we wrote an article about this almost a year ago.

Login to the admin portal with the appropriate credentials.

Enter the DNS name of the SBC that was configured; in our case it is sbc.nl.exchangequery.com

Subsequently we must add all the required information here. One important point to note is that the SIP signaling port that is present by default is port 5067. The Direct Routing SIP trunk can be configured only by using a TLS connection. We can choose any port of our choice as the SIP port. If we try to configure port 5060 it will not work, since TCP connectivity is not supported for security reasons.

Enabling SIP options defines whether an SBC will or won't send SIP OPTIONS messages and be included in the monitoring. The rest of the information has to be enabled as per the requirement. Also look into location-based routing and media optimization based on the requirement. Once done, click on save and the configuration is complete.

But we could see that the SBC status shows an error message and the configuration seems to be unsuccessful. Even after the configuration is completed, and even after loading the named certificate, the intermediate and the root on the AudioCodes, we could see that the TLS connectivity status still shows as inactive. In addition, the SIP options status shows a warning message as well.

Drilling further down into the logs gives us additional information on why it is failing. We do have the correct certificates uploaded, but the connection does not complete.

The initial thought was an issue with the firewall; however, the firewall connectivity was already completed and we could ping the SBC on port 5061.

Looking into the AudioCodes documentation, we came to know that in addition to the normal named certificate for the DNS name, it is mandatory to upload the Baltimore Trusted Root certificate. This is required for establishing a mutual TLS connection with the Microsoft Teams network.

The DNS name of Microsoft Teams, pstnhub.microsoft.com, uses a certificate issued under this Baltimore root, and hence this import is required for establishing the mutual TLS connection.

We can download the certificate from https://cacert.omniroot.com/bc2025.pem, follow the same procedure stated in the previous article (part 1) to import it on the AudioCodes SBC, and make sure it is present in the Trusted Root Certificates.

The first part that we need to complete before the certificate validation is to ensure that the NTP server is set up correctly. This is a mandatory requirement for the two remote parties validating each other's certificates when setting up the mutual TLS connection between them.

You can go to Setup – Administration – Time & Date and configure your NTP server.
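The two preconditions described above (the peer's root CA present in the trusted roots, and a correct clock) can be reproduced offline. This is an added example, not code from the original article or from AudioCodes or Microsoft; it assumes PowerShell 7 (.NET 5 or later), and the certificates, the name `sbc.example.test` and the helpers `New-DemoCertificate` and `Test-PeerChain` are constructed for illustration, with the demo root standing in for the Baltimore root.

```powershell
#Requires -Version 7.0
# Added example: constructed certificates only, no network access.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function New-DemoCertificate {
    # Hypothetical helper: issues a throwaway certificate for this demo.
    param(
        [Parameter(Mandatory)][string]$Subject,
        [X509Certificate2]$Issuer,   # omit to create a self-signed root CA
        [Parameter(Mandatory)][DateTimeOffset]$NotBefore,
        [Parameter(Mandatory)][DateTimeOffset]$NotAfter
    )
    $key = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $key,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $isCa = -not $Issuer
    $req.CertificateExtensions.Add(
        [X509BasicConstraintsExtension]::new($isCa, $false, 0, $true))
    if ($isCa) { return $req.CreateSelfSigned($NotBefore, $NotAfter) }
    [byte[]]$serial = 1..8           # constructed serial number
    return $req.Create($Issuer, $NotBefore, $NotAfter, $serial)
}

function Test-PeerChain {
    # Validates $Leaf against ONLY the supplied roots, as seen at $Clock.
    # This mirrors a device that trusts just the roots loaded into it.
    param(
        [Parameter(Mandatory)][X509Certificate2]$Leaf,
        [X509Certificate2[]]$TrustedRoots = @(),
        [datetime]$Clock = (Get-Date)
    )
    $chain = [X509Chain]::new()
    try {
        $policy = $chain.ChainPolicy
        $policy.RevocationMode   = [X509RevocationMode]::NoCheck  # demo certs have no CRL
        $policy.TrustMode        = [X509ChainTrustMode]::CustomRootTrust
        $policy.VerificationTime = $Clock
        foreach ($root in $TrustedRoots) { [void]$policy.CustomTrustStore.Add($root) }
        $trusted = $chain.Build($Leaf)
        $flags   = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        [pscustomobject]@{ Trusted = $trusted; Status = ($flags -join ', ') }
    }
    finally { $chain.Dispose() }
}

# Constructed PKI: one root and one leaf issued by it.
$now  = [DateTimeOffset]::UtcNow
$root = New-DemoCertificate -Subject 'CN=Constructed Demo Root' `
            -NotBefore $now.AddDays(-30) -NotAfter $now.AddYears(10)
$leaf = New-DemoCertificate -Subject 'CN=sbc.example.test' -Issuer $root `
            -NotBefore $now.AddDays(-1) -NotAfter $now.AddYears(1)

# Same leaf, three validator states: healthy, root not imported, clock wrong.
$cases = [ordered]@{
    'root trusted, clock correct'        = @{ TrustedRoots = @($root) }
    'root missing from trust store'      = @{ TrustedRoots = @() }
    'root trusted, clock 5 years behind' = @{ TrustedRoots = @($root)
                                              Clock = (Get-Date).AddYears(-5) }
}
foreach ($name in $cases.Keys) {
    $params = $cases[$name]
    $result = Test-PeerChain -Leaf $leaf @params
    '{0,-36} Trusted={1} Status={2}' -f $name, $result.Trusted, $result.Status
}
```

Only the first case builds a trusted chain; the other two fail for the same reasons the TLS status stays inactive when the root is not imported or the time source is wrong.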

In addition to the NTP server, there are a few more configurations that need to be performed on the AudioCodes SBC, which we will see below.

Configure the Proxy Sets: Add Microsoft SIP PSTN FQDNs

We have 3 Microsoft FQDNs as of now; all of them need to be added here, and make sure the transport type is set to TLS.

Navigate to SetUp – Signaling & Media – Proxy Sets and add the 3 FQDNs over here.

SIP Interfaces:

We need to configure SIP interfaces for Teams Direct Routing as well. Configure as below. Keep the Enable TCP Keepalive option. SetUp- Signaling & Media – Core Entities – SIP Interfaces

Media Realms:

We need to configure Media Realms for Teams Direct Routing. Configure the settings as below. Select the default media realm as No. SetUp – Signaling & Media – Core Entities – Media Realms

Configure IP Groups:

Configure IP Groups as below – Make sure the Topology location is set as Up

In the Advanced make sure to mention the SBC published external FQDN. Keep the classify by proxy set Disable and keep the Client Forking Mode as Sequential.

Configure Coder Groups:
We need to add the supported coder groups for the leg SBC and the Direct Routing Configuration.
Teams supports OPUS and SILK Coders.

In order to configure the coder groups, navigate to SetUp – Signaling & Media – Coders & Profiles – Coder Groups and enter the below values for the Teams Direct Routing leg. Later you might need to configure one for the SIP trunk based on the coders it supports.

It is mandatory to enable SIP options for the SBC to be monitored, and for that we need to enable some configurations on the session border controller. In order to do that, go to Setup – Signaling & Media – SBC – Routing – IP-to-IP Routing and configure all the required routing as per your requirement.

We need to make sure the other options are configured as per the AudioCodes documentation. Finally, after all the steps are done, we can see that the Teams Direct Routing configuration shows as successful in the Teams admin center.

In our example we have 1 SBC, 1 Voice Routes and 0 SBCs with Issues which is a good sign. Since we didn’t initiate any real traffic we could see the message no data.

We do have a very good option to validate the pairing between the Audiocodes SBC and our Tenant Direct Routing. We can see the connectivity is successfully established over here and we can see that the status is showing online without any issues.

Now that we have completed the Direct Routing configuration and established the connectivity between the SBC and the Teams tenant, there are a lot more configurations that need to be performed on the SBC to complete the entire enterprise voice configuration. We will look into those in the upcoming articles.

Regards

Sathish Veerapandian

Part 1 – Configure AudioCodes SBC for Microsoft Teams Direct Routing

Microsoft provides the option to bring your own SIP trunk for enabling the enterprise voice functionality. With Microsoft Teams Direct Routing we can provide the phone system to Teams users, connect the SIP trunks and use the local telecommunications provider. This option gives most customers an easy transition to Microsoft Teams, utilizing the existing infrastructure in parallel while moving the users to the new system.

In order to leverage this functionality we need to set up certified session border controllers. A previously written article can be referred to for checking the readiness and the steps required to configure Direct Routing in Microsoft Teams.

In this article series we will look at setting up an AudioCodes session border controller that will help in configuring Direct Routing.

There are multiple ways to achieve this, and one option is to configure it from the Azure Marketplace. We will look at configuring it from the Azure Marketplace.

First prerequisite is we need a valid azure subscription. Login to Azure and search in the Azure Market Place for Audio Codes.

Below are the results that we receive, and there are a few options for us to select here. For instance, there is a SaaS offering that is fully managed in Azure. For a full setup we have the Mediant Virtual Edition Session Border Controller and the Cloud Edition Session Border Controller. The Mediant CE edition is more robust, utilizes the full cloud elasticity and can scale up and down based on demand. The VE is a virtual edition that can be built easily on orchestration solutions and is available in the Azure Marketplace for easier deployments. More information on the description can be found here

In this example we choose the Virtual Edition Session Border Controller. There are a few important key takeaways to note here. While creating it, we are not allowed to add it to an existing resource group; it requires us to create a new resource group or use an existing resource group that is empty. One more important thing is that the virtual machine name must be all lower case, because the network settings do not allow creating the DNS name with upper case characters.

Next, in the virtual machine settings we have the option to choose the computing size. We also have options to choose the OS version. Here we have chosen the latest OS version. The cloud-init file is an optional file that can be chosen for automatic provisioning.

Next are the network settings, which give us the option to set up the NIC interfaces based on our requirement. Since this is a demo, we are going with the network interfaces option 1. One more important thing here is that the public IP address has to be static. It picks up the static setting from this template; however, it is better to verify it from the NIC settings once the VM has been deployed.

Finally it comes to the validation screen where we can check all the required settings and click on create.

Once it has been created we see all the required resources have been populated.

You can also see the DNS name that has been created with the static IP

Now when we login to the SBC DNS name we get the Audiocodes console that is ready for configuration.

Now that this is running, the next important thing is to create an A record in the public DNS and point it to this public IP address. One more important tip here is that the domain of the name that has been selected has to be registered in the Office 365 portal.

The next important thing is the certificate configuration on the Mediant SBC. Create a certificate from the public CA and upload it from here: IP Network – Security and TLS Contexts.

In my case I'm using a certificate that has been provided by DigiCert for the domain that we are testing. Make sure the file is password protected and in PFX format.

Click on change certificate. There are multiple options to upload the certificate. Here we are choosing the last option: upload the certificate from your computer in PFX format with a password, and select load file.

After a successful load file we see the message that states the upload is successful and here we see the red save alert that forces us to update the modified configuration.

We can also see that the associated root and intermediate certificates of DigiCert have been populated here in the trusted root certificates section.

Finally we have to upload the same certificate in PEM format for the SBC.

We get the below message after a successful upload of the pem file.

Now we have completed half of the initial readiness of the direct routing configuration and in the next blog we will go through the next steps of the further configuration.

Thanks & Regards

Sathish Veerapandian

Move users to Teams only mode from on premise Skype for business environment

This article outlines the technical steps required to move an on-premises Skype for Business account to Teams Only mode. There are a lot of other factors that need to be considered before making this change, and this step can only be a final stage in almost any environment.

If there is any PSTN integration with the Skype for Business on-premises environment, then these factors need to be planned and executed in stages before phasing out Skype for Business on-premises and moving users to Teams Only mode. These features and functionalities need to be transferred completely to Microsoft Teams.

If you are moving from a Skype for Business 2015 environment, ensure that the admin tools are at the supported CU version, which is Skype for Business Server 2015 with CU8.

In this example I have built a lab in my environment which has the below test accounts from my local directory synced to Azure AD.

And I have a standard Skype for Business 2015 environment running in the local active directory environment.

The next step is to configure Skype for Business hybrid with the Office 365 tenant where we are going to perform the move operation.

There are three simple steps involved in this procedure. The first part is to configure federation with the below command from the Skype for Business Server Management Shell.

Set-CSAccessEdgeConfiguration -AllowOutsideUsers $True -AllowFederatedUsers $True -EnablePartnerDiscovery $True -UseDnsSrvRouting

The next step is to configure the shared SIP address space with the Office 365 tenant. In order to do that, first check whether there is already a hosting provider enabled; if one is present, we must remove it with the below command.

Get-CsHostingProvider | ?{ $_.ProxyFqdn -eq "sipfed.online.lync.com" } | Remove-CsHostingProvider

And the next step is to enable the hosting provider with the below command.

New-CsHostingProvider -Identity Office365 -ProxyFqdn "sipfed.online.lync.com" -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root

As we can see, executing both commands was successful in my case.

Now that we've made the required change on the on-premises Skype for Business environment, we need to make the same change on the Office 365 tenant by enabling the shared SIP address space with the below command.

Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true

In the below example I have connected to a Teams PowerShell session and performed this task.

Once we have performed the server and tenant configuration, it is very important to allow the required URLs that will be resolved from the management server where we are performing the operation.

The tenant URL for your subscription needs to be identified as per this article, and this URL needs to be whitelisted for outbound connections.

Get-CsTenant|ft identity

So in my tenant, as per the article, the HostedMigrationOverrideUrl is adminof.online.lync.com

Permission:

Now we need the required permissions to perform this operation. The Skype on-premises admin account requires a minimum of the CsServerAdministrator role. For online permissions we must have the Skype for Business Admin and User Administrator roles. In my case I attempted this with Global Admin credentials, so I am not exactly sure about the behavior when we move directly to Teams Only mode with granular permissions. It works with split permission accounts (on-prem/cloud) with sessions established to the SFB on-prem and SFBO modules from the same PowerShell.

One more important thing to note here is that the user we are moving must have the appropriate license in Office 365 so that the account gets enrolled in the Teams service.

Establishing the session:

Launch PowerShell on the management server where you have the SFB admin tools installed and have connectivity to the SFB on-prem FE and the required tenant, to establish the PowerShell session to the new Teams module. Make sure you install the Teams module on the management server as per this information.

Online:

OnPrem

Import the SFB powershell module on the same session. Since I have opened this session from a local SFB admin account I did not store the on prem credentials in this session.

Performing the move

We can perform the move with the command below. One important point to note here is that post CU8 the move operation will succeed only with modern authentication, by using the switch -UseOAuth.

# $cred holds the Office 365 admin credential used for the online side of the move
$url = "https://adminof.online.lync.com/HostedMigration/hostedmigrationService.svc"

Move-CsUser -Identity Lionel.Augnel@nl.exchangequery.com -MoveToTeams -Target sipfed.online.lync.com -Credential $cred -HostedMigrationOverrideUrl $url -UseOAuth -BypassAudioConferencingCheck

In the below case we can see that the move operation is successful.

The move results log also gives us some useful information, such as the time taken for move user preparation, the start time and a few more details that might be helpful.

On validation we can see that the moved users are showing as homed in office365 and no longer present in SFB on premise environment.

And in the Teams we can see that the user has been migrated successfully to Teams mode directly.

Now that the initial setup is completed, a script can be created to move the accounts in batches.

Schedule Microsoft Teams Live Events from an external app OBS Studio

With Microsoft Teams Live Events, we have the alternative of streaming from external encoding sources. There are a few advantages to running the event from an external application. We can customize the presentation deck by including various sources, and there is an option to include multiple cameras and combine them on the same deck.

So this subject caught my eye, and I investigated this alternative using the free open-source tool OBS Studio. The installer can be downloaded and installed on the PC from which we are going to stream the live event. OBS Studio is present in the list of supported encoders provided by Microsoft.

Before we set up OBS Studio, the mandatory part is to schedule a live event to generate the URL that builds the connection between them.

So I created a live event with the org-wide option.

In the next screen choose the option external app or device.

The moment the live event is created we can see that the server ingest URL has been generated. This is the URL required to establish the connection from OBS, and we need to populate this value in the OBS Studio app.

From the OBS Studio app navigate to settings

Navigate to Stream, select Custom in the Service list and populate the server URL that was copied from the generated live event. It's mandatory to paste the stream key over here. You can paste some random numbers and that will become your stream key. This part is completed and you can click on Apply.

Customization of the presentation Deck

Now we need to go to scene and create a new scene.

Once that is done we have the option to add a source. We can see that there are ample options available here to modify our presentation deck.

Furthermore, when the video capture device is selected, we have the opportunity to add multiple cameras with our own customization.

When I drilled down further into the configure video option, more settings were available. I was able to change zoom, focus and exposure, and these might change based on the camera that is connected.

We have options to add images, media and browsers which might be beneficial during the live event from the same deck. For instance below is an example to add the media video. The tool really seems to be powerful in providing additional options on customization of the deck.

Once the customization is done we are good to go to start the setup.

After that we click on start streaming from the OBS Studio. Once the session is started we can see the frames per second ratio which is ready to stream on Teams Live events.

Then from Teams live event you can click on start event.

Finally we can see the live events streaming from external encoder app. Below is a sample where we can see the state it says encoder preview and the customized deck with images and browser page.

Regards

Sathish Veerapandian

Microsoft Teams – script to generate teams owners ,visibility type, owners count, members count and archive status

Microsoft Teams utilization has increased phenomenally with the current COVID situation, where almost every one of us is working from home. Microsoft Teams, being one of the top collaboration tools, is helping all of us stay better connected during this time.

Most organizations don't restrict Team creation in Microsoft Teams, because this heavily influences the adoption rate of the Teams communication platform. The script below can be run from Task Scheduler or an Azure Function on a monthly basis to review the Teams created in the last 30 days, especially to see the Teams that have been archived and whether users are creating teams as private or public.

Below is the sample output of the script which will provide us the below details.

############################################################################################################################################
# Description   :- PowerShell script to extract Teams name, owner, backup owner, owner count, member count, group type and archive status.
# Created Date  :- 10-Oct-2020
# Created By    :- Sathish Veerapandian
# Version       :- 0.2
# Imp Notes     :- Please ensure you have folder C:\Scripts and clear the output files generated every time when you run the script again.
# Info          :- If you want to send reports as email please uncomment the last line and use the from/to address with SMTP Server
############################################################################################################################################
Connect-MicrosoftTeams

$Path = "C:\scripts\TeamsReport.csv"

# CSS for the HTML report; ConvertTo-Html places this inside the page <head>
$Header = @"
<style>
TABLE {border-width: 1px; border-style: solid; border-color: black; border-collapse: collapse;}
TH {border-width: 1px; padding: 3px; border-style: solid; border-color: black; background-color: #48D1CC;}
TD {border-width: 1px; padding: 3px; border-style: solid; border-color: black;background-color: #F0FFFF}
</style>
"@

$Count = 0
Get-Team | ForEach-Object {
    $TeamName = $null ; $TeamName = $_.DisplayName
    $GroupId = $null ; $GroupId = $_.GroupId
    $Visibility = $null ; $Visibility = $_.Visibility
    $EmailAlias = $null ; $EmailAlias = $_.MailNickName
    $Archived = $null ; $Archived = $_.Archived

    $Count++
    Write-Progress -Activity "Processed Teams count: $Count" -Status "Currently Processing: $TeamName"

    # @() forces an array so .Count and [0] behave the same for zero, one or many results
    $TeamMembersCount = $null ; $TeamMembersCount = @(Get-TeamUser -GroupId $GroupId).Count
    $TeamOwners = $null ; $TeamOwners = @(Get-TeamUser -GroupId $GroupId -Role Owner)
    $TeamOwnersCount = $null ; $TeamOwnersCount = $TeamOwners.Count
    $Owner1 = ""
    $Owner2 = ""

    If ($TeamOwnersCount -eq 1) { $Owner1 = $TeamOwners[0].User }
    ElseIf ($TeamOwnersCount -ge 2) { $Owner1 = $TeamOwners[0].User; $Owner2 = $TeamOwners[1].User }

    $Output = [PSCustomObject]@{
        TeamName = $TeamName
        Owner1 = $Owner1
        Owner2 = $Owner2
        TeamOwnersCount = $TeamOwnersCount
        TeamMembersCount = $TeamMembersCount
        TeamEmailAlias = $EmailAlias
        TeamVisibility = $Visibility
        TeamArchiveStatus = $Archived
    }
    $Output | Select-Object * | Export-Csv $Path -NoTypeInformation -Append
}

# Build the HTML report once, after every team has been written to the CSV
$Data = Import-Csv $Path
$Data | ConvertTo-Html -Head $Header | Out-File -FilePath C:\Scripts\TeamsReport.html
# Send the exported html as email for evaluation
#Send-MailMessage -From senderemailID -To recipientemailid -Attachments "C:\Scripts\TeamsReport.html" -BodyAsHtml -SmtpServer mentionsmtpserver -Subject TeamsGroupReport

Thanks & Regards

Sathish Veerapandian
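One way to review the CSV that the report script above produces, as an added example that is not part of the original post: it flags teams with no owner, teams below an owner minimum, and public teams that are still active. The sample rows are constructed, and the function name Get-TeamsReportFinding and the two-owner minimum are assumptions.

```powershell
# Constructed sample rows, using the column names the report script writes to TeamsReport.csv.
$sampleCsv = @'
"TeamName","Owner1","Owner2","TeamOwnersCount","TeamMembersCount","TeamEmailAlias","TeamVisibility","TeamArchiveStatus"
"Fun Friday","alice@contoso.example","bob@contoso.example","2","14","teamfunfriday","Private","False"
"Project Apollo","carol@contoso.example","","1","40","projectapollo","Public","False"
"Old Migration","","","0","6","oldmigration","Private","False"
"Finance Archive","dave@contoso.example","","1","9","financearchive","Public","True"
'@

# Hypothetical helper (not from the original script): emits one object per team that needs review.
function Get-TeamsReportFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Row,
        [int] $MinOwners = 2   # assumption: policy wants at least two owners per team
    )
    process {
        $owners   = [int]$Row.TeamOwnersCount
        $archived = $Row.TeamArchiveStatus -eq 'True'
        $reasons  = @()

        if ($owners -eq 0) {
            $reasons += 'No owner'
        } elseif ($owners -lt $MinOwners) {
            $reasons += "Only $owners owner(s), policy minimum is $MinOwners"
        }

        # Anyone in the organization can join a public team without owner approval.
        if ($Row.TeamVisibility -eq 'Public' -and -not $archived) {
            $reasons += 'Public and not archived'
        }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                TeamName   = $Row.TeamName
                Owners     = $owners
                Members    = [int]$Row.TeamMembersCount
                Visibility = $Row.TeamVisibility
                Archived   = $archived
                Findings   = $reasons -join '; '
            }
        }
    }
}

# To review a real report, replace the sample with: Import-Csv C:\scripts\TeamsReport.csv
$findings = $sampleCsv | ConvertFrom-Csv | Get-TeamsReportFinding
$findings | Sort-Object Owners, TeamName | Format-Table -AutoSize
```

With the constructed rows, "Fun Friday" passes and the other three teams are listed with their reasons.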

Microsoft Teams – Utilize the Azure Sentinel to facilitate SOC and Monitor Teams critical events

A few days ago Microsoft announced a new release that gives us the opportunity to integrate the MS Teams activities recorded in the audit logs with Azure Sentinel. Enabling this feature benefits organizations where a separate SOC team monitors and analyzes the security posture as an ongoing operational procedure.

We still have the native Microsoft Cloud App Security, which helps in creating an alerting mechanism for MS Teams related activities. But with Log Analytics and Azure Sentinel we can do a lot more than can be done from Cloud App Security. We can further fine-tune the alerting and create workbooks and dashboards for Microsoft Teams related activities, which will be useful for Teams monitoring.

To start with this new feature, we need to enable the new option to ingest Teams data into Azure Sentinel workspaces. This article can be followed to start connecting Office 365 with the Microsoft cloud-native SIEM, Azure Sentinel.

Navigate to Azure Sentinel Work Spaces – Select Data Connectors – Choose Office 365

Here we can see the new option for sending Teams Audit Logs to Azure Sentinel WorkSpace.

Once this is done, after a while we can see that the workspace has received the data type Office Activity (Teams).

Live Query Teams Monitoring:

When we navigate into the workspace we have the opportunity to fine tune and see the events that are written on the Audit Logs for Teams in a more refined way.

For instance, the workspace can be queried to show only Team creation events. The query can also be narrowed to a specific person, and an alert can be created for them.

This helps the SOC Team for a live reactive analysis when any security incidents are reported for Teams related activities.

// Teams created by one specific user, newest first
OfficeActivity
| where OfficeWorkload == "MicrosoftTeams"
| where Operation has "TeamCreated"
| where UserId has "sathish@exchangequery.com"
| project UserId,AddonName,TimeGenerated,RecordType,Operation,UserType,OfficeWorkload
| sort by TimeGenerated

Create Alerting Mechanism : Azure Monitor or Azure Sentinel

In a real example we can create alerts and notify the SOC Team when a bot has been added to the Team.

// Every bot added to a Team, newest first; AddonName carries the name of the bot
OfficeActivity
| where OfficeWorkload == "MicrosoftTeams"
| where Operation has "BotAddedToTeam"
| project UserId,AddonName,TimeGenerated,RecordType,Operation,UserType,OfficeWorkload
| sort by TimeGenerated

To create the alert after writing the query, we use the new alert rule option, which offers two methods: Create Azure Monitor alert or Create Azure Sentinel alert.

To experience the behavior I selected the option Create Azure Monitor alert and used the same query. The alert logic and the time period are set for the demo and can be defined based on the period and frequency that suit the monitoring best.

The action group can be selected to send this notification alert to email addresses.

Other notification types can also be selected; for example, ITSM can be chosen to trigger an incident for the same events.

In our case email was selected. A few minutes later I tested by adding a bot and received the alert notification at the email address.

Further information about the bots that have been added can also be seen.

Create WorkBooks and Dashboards:

Here we have the possibility to create workbooks and dashboards for MS Teams related activities. There is one template present by default for Office 365, and it contains an item, Teams Workload, which helps in creating a workbook for Teams.

The default workbook provides decent information on monitoring the Teams related activity.

This is a good start for creating one dedicated workbook for Microsoft Teams and pinning it as a separate dashboard for Microsoft Teams related activities. I have also written a post on creating Azure Monitor workbooks, which can be referred to for creating dashboards for Teams activities.

Microsoft Teams logs in Azure Sentinel are a really welcome native cloud integration feature, from which a lot of organizations can definitely benefit by actively monitoring Teams activities with no additional cost of investing in 3rd party SIEM integrations.

Regards

Sathish Veerapandian

Overview of Microsoft Teams Graph API and its benefits

The Microsoft Teams Graph API has been around for quite a long time, and it can be beneficial in various ways for performing Teams related tasks through API operations. In this article we will go through an overview of the Teams Graph API and the API calls available as of now.

Using the Graph API, developers have a unified REST API to access the components underpinning Teams. For instance, using the Graph API we can post a survey notification to a channel with an option to vote in the survey. With this we can create a Team, add members and owners, configure team settings and even archive a Team.

The overview of Graph API can be explored by navigating to the below URL.

https://developer.microsoft.com/en-us/graph/graph-explorer

Before consuming the Graph API we need the required permissions on the Graph API to run the query. So we need to consent to the required permissions based on the action that will be performed from the Graph API. In the example below I have granted the following permissions to execute the Graph API operations for Teams.

Once logged in, we can first check the basic me option, which returns the user information as below.

As of now, while writing this blog post, Teams has the below Graph options: 9 general and 4 beta versions. So if any issues are identified on beta while pulling from applications, Power Apps, Logic Apps or other APIs, they will be fixed sooner.

Now moving to the Teams part, the query below shows the teams I'm a member of.

https://graph.microsoft.com/v1.0/me/joinedTeams

So now we try a POST request to create a channel in a Team called Test Team. The prerequisite for creating a channel is to mention the Teams ID under which the channel needs to be created.

Upon a successful POST we can see that the new channel called architecture discussion has been created.

Interestingly, we have an option to send a channel message. An example message is below.

The test message we posted has been received in the Team channel.

When we attempt a GET of the messages present in a channel, we get the actual messages present in it.

Now that we have tested the API operations from Graph Explorer, there are multiple ways to access them from different programs. In our example we will access them from PowerShell and create a Team. The first prerequisite for creating a Team from the Graph API is that it needs to exist as an Office365 Group. The Office365 group is created with a POST operation.

Once the Office365 Team is created we can use the PUT operation to enable Teams on it. While there are lots of samples available on the internet to create teams, I found this video, which is a very helpful start to Graph API operations for Microsoft Teams via PowerShell.

As an initial prerequisite we need to install the SharepointPNPPowershell online module and connect to it.

Below is a sample script that can be used to create a Team from the Graph API via Powershell.

# Connect to Graph API
Install-Module SharepointPNPPowershellOnline
Connect-PnPOnline -Scopes "Group.ReadWrite.All"
$accessToken = Get-PnPGraphAccessToken

# Prepare generic OAuth Bearer token header
$headers = @{
    "Content-Type" = "application/json"
    Authorization  = "Bearer $accessToken"
}

# Create the Office 365 Group - POST request
$NewGroup = @{
    description     = "Team Fun Friday"
    displayName     = "Fun Friday"
    groupTypes      = @("Unified")
    mailEnabled     = $true
    mailNickname    = "teamfunfriday"
    securityEnabled = $false
}
$createGroupBody = ConvertTo-Json -InputObject $NewGroup

$response = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/groups" -Body $createGroupBody -Method Post -Headers $headers -UseBasicParsing
# The id of the new group is needed to address the team endpoint below
$groupId = $response.id

# Create the Team on top of the group - PUT request
$NewTeamRequest = @{
    memberSettings = @{
        allowCreateUpdateChannels = $true
    }
    messagingSettings = @{
        allowUserEditMessages   = $true
        allowUserDeleteMessages = $true
    }
    funSettings = @{
        allowGiphy         = $true
        giphyContentRating = "strict"
    }
}
$createTeamBody = ConvertTo-Json -InputObject $NewTeamRequest
$response = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/groups/$groupId/team" -Body $createTeamBody -Method Put -Headers $headers -UseBasicParsing
Write-Host $response

Upon successful execution of the above script we get the below message in the PowerShell session.

On verification we can see that the associated Office 365 group and the Team have been created.

The team is also automatically created and visible from the Teams client.

The Microsoft Graph APIs give us a unified REST API experience that helps us perform multiple Teams operations and automate the Team management life cycle.
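The consent step described earlier decides what the bearer token used by the script can do, so it is worth checking which permissions a token actually carries before sending it. The following is an added example, not code from the original post: it decodes the token payload without verifying the signature (inspection only) and compares the granted permissions with the ones the script needs. The function names and the sample token are constructed for illustration.

```powershell
# Hypothetical helper: decode one base64url-encoded JWT segment to text.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string] $Value)
    $b64 = $Value.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64))
}

# Hypothetical helper: report granted vs. expected permissions of a Graph access token.
function Get-GraphTokenScopeReport {
    param(
        [Parameter(Mandatory)][string]   $AccessToken,
        [Parameter(Mandatory)][string[]] $ExpectedScopes
    )
    $parts = $AccessToken.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }

    # The signature is NOT validated here; this is for inspection, not for trust decisions.
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # Delegated tokens list permissions in "scp" (space separated); app-only tokens use "roles".
    $granted = @()
    if ($claims.scp)   { $granted += $claims.scp -split ' ' }
    if ($claims.roles) { $granted += $claims.roles }

    [PSCustomObject]@{
        Granted    = $granted
        Missing    = @($ExpectedScopes | Where-Object { $_ -notin $granted })
        Unexpected = @($granted | Where-Object { $_ -notin $ExpectedScopes })
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    }
}

# Constructed, unsigned sample token so the example runs offline.
function ConvertTo-Base64Url([string] $Text) {
    $b64 = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$header  = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
$payload = ConvertTo-Base64Url '{"scp":"Group.ReadWrite.All User.Read Directory.ReadWrite.All","exp":1900000000}'
$sampleToken = ($header, $payload, 'constructed-signature') -join '.'

$report = Get-GraphTokenScopeReport -AccessToken $sampleToken -ExpectedScopes 'Group.ReadWrite.All', 'User.Read'
$report | Format-List
```

For the constructed token, Missing is empty and Unexpected lists Directory.ReadWrite.All, a permission the create-team script does not need. In a live session, pass the `$accessToken` value from the script above in place of the sample token.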
