Category Archives: Microsoft Teams

Script to move bulk users to Teams Only mode from On Premise Skype for Business Servers

When we enable Teams for Skype for Business hybrid users, the final stage is to move the on-premises Skype for Business account to Office 365 and put the user in Teams Only mode. As more organizations adopt Microsoft Teams on a fast-track approach, the last stage of migration is to move all the local accounts to Teams Only mode.

This script moves users in batches to Teams Only mode from an input CSV file. It also displays the time taken to complete the batch on screen once the migration is completed.

Example below:



Measure-Command {
[CmdletBinding()]
param( [string] $UsersList = $(Read-Host -Prompt "Input the CSV File with Location"))
$Users = Import-Csv $UsersList -Delimiter ";"

#To Connect to Teams, Skype Online Session and Import them. Make sure you have the new Teams Module installed.

$mycred= Get-Credential
Connect-MicrosoftTeams -Credential $mycred
Import-Module MicrosoftTeams
$sfbsession = New-CsOnlineSession
Import-PSSession $sfbsession


#Initialize parameters and variables.

$sip= $users.SipAddress
$count = $users.count

write-host "We have found" $count "Users to Migrate" -foregroundcolor Yellow -backgroundcolor Black
$pauseSeconds = 10
$Sleep = 20

Write-Host "Pausing for " $pauseSeconds " seconds to verify your count..." -ForegroundColor Yellow
Start-Sleep -s $pauseSeconds

#To Enable Logging and store them for failed migration and any errors.

$transcriptname = "MoveCSUserStatus" + (Get-Date -Format s).Replace(":","-") + ".txt"
Start-Transcript $transcriptname

#Take export of SFB enabled users before move.

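#Export-Csv writes real CSV rows; Out-File would write a formatted text table into the .csv file.
$Users | % {get-csuser -Identity $_.SipAddress} | Where-object {$_.Enabled -eq $True} | Select-object SamAccountName,sipaddress,Enabled,EnterpriseVoiceEnabled | Export-Csv SFBUsersBeforeMove.csv -NoTypeInformation -Append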

$URL= "https://adminof.online.lync.com/HostedMigration/hostedmigrationService.svc"

#Initiate Move-CsUser Operation.

$NewSession=0
$x=0
foreach ($user in $users) {

$x++
Move-CsUser -Identity $user.SipAddress -Target sipfed.online.lync.com  -HostedMigrationOverrideUrl $URL  -UseOAuth -MoveToTeams -BypassAudioConferencingCheck  -BypassEnterpriseVoiceCheck -Verbose -Confirm:$False
$NewSession=$x/250
if($NewSession -eq 1) {
get-pssession | remove-pssession
Disconnect-MicrosoftTeams
Connect-MicrosoftTeams -Credential $mycred
Import-Module MicrosoftTeams
$sfbsession = New-CsOnlineSession
Import-PSSession $sfbsession
$NewSession=0
$x=0
Write-Host "Refreshing the Skype online Session" -ForegroundColor Green
}
}


#Pause for 20 seconds 

Start-Sleep -s $sleep 

#Validate the Move and complete Successfully Moved and Failed Users.

$loop = foreach ($user in $users) {
Get-CsOnlineUser -Identity $user.sipaddress | Select-object sipaddress,hostingprovider,TeamsUpgradeEffectiveMode,RegistrarPool}
#Export-Csv keeps one row per user with full column values.
$loop | Export-Csv TeamsOnlyMigrationStatus.csv -NoTypeInformation -Append

#Validate the meeting Migration status
$loop = foreach ($user in $users) {
Get-CsMeetingMigrationStatus -Identity $user.sipaddress | Select-Object UserPrincipalName,State,MigrationType,LastMessage,FailedMeetings}
$loop | Export-Csv MeetingMigrationStatus.csv -NoTypeInformation -Append

Stop-Transcript
Write-Host "Migration Script Completed Please Refer Transcript File for any Errors" -ForegroundColor Green

#Close the sessions.
          
get-pssession | remove-pssession  

#Send Email report to notify that the migration has completed - Mention your SMTP server
#Send-MailMessage -from "username@domain.com" -to "admin@domain.com" -subject "TeamsOnlyMigrationTaskCompleted: No File" -body "Teams Only Migration Batch has been completed. Please refer to the log file location for further information" -SmtpServer "Mention your SMTP Server"
}

Notes:

  1. Make sure that traffic to Office 365 services is whitelisted so that the connection to the SFBO session can be established successfully.
  2. If there is a large number of users, it is recommended to split them into batches and execute them from 2 servers.
  3. Ensure that this traffic is excluded from SSL traffic inspection and IP connection limits on the firewall/proxy on the network side.
  4. Running the move over shared bandwidth might be a bit slower, and running it from a temporary dedicated IP address might provide better performance.
  5. This script uses the -UseOAuth switch. Make sure the on-premises SFB servers are patched to the required version; otherwise use the legacy option by removing this switch. It is recommended to run the script first with a short list of users, verify the result in your environment, and then run it for bulk users.
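
The script writes the post-move status to two files but leaves the comparison to the reader. The following PowerShell is an added example, not part of the original script: it classifies each user from rows shaped like the script's `Get-CsOnlineUser` and `Get-CsMeetingMigrationStatus` selections. The function name `Get-TeamsOnlyMoveResult` and the sample rows are constructed, and it assumes each user's SIP address equals the UserPrincipalName.

```powershell
# Added example (not from the original script). Function name and sample rows are constructed.
function Get-TeamsOnlyMoveResult {
    param(
        # Rows with SipAddress, HostingProvider, TeamsUpgradeEffectiveMode (as selected in the script)
        [Parameter(Mandatory)] [object[]] $UserStatus,
        # Rows with UserPrincipalName, State, LastMessage (as selected in the script)
        [object[]] $MeetingStatus = @()
    )

    foreach ($u in $UserStatus) {
        # Assumption: SIP address (without the sip: prefix) equals the UserPrincipalName
        $sip = ([string]$u.SipAddress) -replace '^sip:', ''
        $problems = @()

        # A moved account is homed online behind the target used in Move-CsUser
        if ($u.HostingProvider -ne 'sipfed.online.lync.com') { $problems += 'NotHomedOnline' }

        # -MoveToTeams should leave the user in TeamsOnly mode
        if ($u.TeamsUpgradeEffectiveMode -ne 'TeamsOnly') { $problems += 'NotTeamsOnly' }

        # Any failed meeting migration row for this user needs a follow-up
        $failed = @($MeetingStatus | Where-Object {
            $_.UserPrincipalName -eq $sip -and $_.State -eq 'Failed'
        })
        if ($failed.Count -gt 0) { $problems += 'MeetingMigrationFailed' }

        [PSCustomObject]@{
            SipAddress  = $sip
            Result      = if ($problems.Count -gt 0) { 'Review' } else { 'Moved' }
            Problems    = $problems -join ','
            LastMessage = ($failed | Select-Object -First 1).LastMessage
        }
    }
}

# Constructed sample rows standing in for the script's two exports
$sampleUsers = @(
    [PSCustomObject]@{ SipAddress = 'sip:user1@contoso.example'; HostingProvider = 'sipfed.online.lync.com'; TeamsUpgradeEffectiveMode = 'TeamsOnly' }
    [PSCustomObject]@{ SipAddress = 'sip:user2@contoso.example'; HostingProvider = 'SRV:';                   TeamsUpgradeEffectiveMode = 'Islands' }
    [PSCustomObject]@{ SipAddress = 'sip:user3@contoso.example'; HostingProvider = 'sipfed.online.lync.com'; TeamsUpgradeEffectiveMode = 'TeamsOnly' }
)
$sampleMeetings = @(
    [PSCustomObject]@{ UserPrincipalName = 'user1@contoso.example'; State = 'Succeeded'; LastMessage = '' }
    [PSCustomObject]@{ UserPrincipalName = 'user3@contoso.example'; State = 'Failed';    LastMessage = 'constructed failure text' }
)

# List only the users that need attention after the batch
Get-TeamsOnlyMoveResult -UserStatus $sampleUsers -MeetingStatus $sampleMeetings |
    Where-Object { $_.Result -eq 'Review' } |
    Format-Table -AutoSize
```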

Regards

Sathish Veerapandian

Part 2 – Configure AudioCodes SBC for Microsoft Teams Direct Routing

Continuing from the previous article, there are a few more steps to complete the Direct Routing configuration with the Office 365 tenant, and in this article we will run through those steps.

The SBC is now up and running, configured with the certificates and the required SBC DNS records, so the next step is to enable Direct Routing. There are two options to enable Direct Routing: via a Skype Online PowerShell session or via the Microsoft Teams admin center. In our example we will enable it via the Teams admin center.

Before doing this, make sure to meet the network prerequisites for Direct Routing; I wrote an article about them almost a year ago.

Login to the admin portal with the appropriate credentials.

Enter the DNS name of the SBC that was configured; in our case it is sbc.nl.exchangequery.com.

Next we must add all the required information here. One important point to note is that the SIP signaling port present by default is port 5067. The Direct Routing SIP trunk can be configured only over a TLS connection. We can choose any SIP port of our choice. If we try to configure port 5060 it will not work, since TCP connectivity is not supported for security reasons.

The SIP options setting defines whether an SBC will or won't send SIP OPTIONS messages and be included in the monitoring. The rest of the information has to be enabled as per the requirement. Also look into location-based routing and media optimization based on the requirement. Once done, click on save and the configuration is complete.

But we could see that the SBC status shows an error message and the configuration seems to be unsuccessful. Even after the configuration is completed, and even after loading the named certificate, intermediate and root on the AudioCodes SBC, the TLS connectivity status still shows as inactive. In addition, the SIP options status shows a warning message as well.

Drilling further into the logs gives us additional information about why it is failing. We do have the correct certificates uploaded, but the connection still does not complete.

So the initial thought was an issue with the firewall; however, the firewall connectivity was already completed and I could ping the SBC on port 5061.

Looking into the AudioCodes documentation, I came to know that in addition to the normal named certificate for the DNS name, it is mandatory to upload the Baltimore trusted root certificate. This is required for establishing a mutual TLS connection with the Microsoft Teams network.

The Microsoft Teams DNS name pstnhub.microsoft.com uses a certificate issued under the Baltimore root, and hence this import is required for establishing the mutual TLS connection.

We can download the certificate from https://cacert.omniroot.com/bc2025.pem and follow the same procedure stated in the previous article, Part 1, to import it on the AudioCodes SBC, making sure it is present in the Trusted Root Certificates.

The first thing we need to complete before the certificate validation is to ensure that the NTP server is set up correctly. This is a mandatory requirement, because the two remote parties validate each other's certificates when setting up the mutual TLS connection between them.

You can go to setup – Administration – Time & Date and configure your NTP server.
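
The certificate and clock requirements above can be checked from an admin workstation before pairing. The following PowerShell function is an added example, not part of the original article and not AudioCodes or Microsoft tooling; the name `Test-SipTlsCertificate` and its output fields are hypothetical, and it assumes the listener accepts TLS 1.2 on the port you pass.

```powershell
# Added example: report the certificate chain a SIP TLS listener presents,
# its validity window against the local clock, and the top of the chain.
function Test-SipTlsCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostName,  # FQDN the certificate must cover
        [Parameter(Mandatory)] [int]    $Port       # SIP TLS port configured for that listener
    )

    # Filled by the validation callback, so the chain is captured even when the
    # handshake later fails because the listener requires a client certificate (mutual TLS).
    $state = @{ Chain = @(); PolicyErrors = 'NotEvaluated' }
    $inspect = {
        param($source, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = "$sslPolicyErrors"
        $state.Chain = @(foreach ($element in $chain.ChainElements) {
            # Copy each certificate: the originals are disposed with the stream
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($element.Certificate)
        })
        $true   # inspection only: nothing is sent over this connection
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] $inspect

    $handshake = 'NotAttempted'
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            $handshake = 'Completed'
        } catch {
            $handshake = "Failed: $($_.Exception.GetBaseException().Message)"
        } finally {
            $ssl.Dispose()
        }
    } catch {
        $handshake = "ConnectFailed: $($_.Exception.GetBaseException().Message)"
    } finally {
        $client.Dispose()
    }

    if ($state.Chain.Count -eq 0) {
        # No certificate was received (port closed, filtered, or not a TLS listener)
        return [PSCustomObject]@{ HostName = $HostName; Port = $Port; Handshake = $handshake }
    }

    $leaf = $state.Chain[0]     # certificate presented by the listener
    $top  = $state.Chain[-1]    # highest certificate the local machine could chain to
    $now  = Get-Date
    $san  = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    [PSCustomObject]@{
        HostName           = $HostName
        Port               = $Port
        Handshake          = $handshake
        Subject            = $leaf.Subject
        SubjectAltNames    = if ($san) { $san.Format($false) } else { '' }
        NotBefore          = $leaf.NotBefore
        NotAfter           = $leaf.NotAfter
        # False here with a valid certificate points at a wrong local clock (the NTP requirement)
        ValidForLocalClock = ($now -ge $leaf.NotBefore -and $now -le $leaf.NotAfter)
        DaysUntilExpiry    = [math]::Floor(($leaf.NotAfter - $now).TotalDays)
        ChainLength        = $state.Chain.Count
        TopOfChainSubject  = $top.Subject
        TopOfChainIsRoot   = ($top.Subject -eq $top.Issuer)
        LocalPolicyErrors  = $state.PolicyErrors
    }
}

# Usage (the article's SBC FQDN and the port it tested; replace with your own):
# Test-SipTlsCertificate -HostName sbc.nl.exchangequery.com -Port 5061 | Format-List
```

`TopOfChainSubject` shows which root the presented chain ends at, which is the root the other side must have in its trusted store for mutual TLS to succeed.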

In addition to the NTP server there are a few more configurations that need to be performed on the AudioCodes SBC, which we will see below.

Configure the Proxy Sets: Add Microsoft SIP PSTN FQDNs

We have 3 Microsoft FQDNs as of now; all of them need to be added here, and make sure the transport type is set to TLS.

Navigate to SetUp – Signaling & Media – Proxy Sets and add the 3 FQDNs here.

SIP Interfaces:

We need to configure SIP interfaces for Teams Direct Routing as well. Configure as below. Keep the Enable TCP Keepalive option. SetUp – Signaling & Media – Core Entities – SIP Interfaces

Media Realms:

We need to configure Media Realms for Teams Direct Routing. Configure the settings as below. Select the default media realm as No. SetUp – Signaling & Media – Core Entities – Media Realms

Configure IP Groups:

Configure IP Groups as below – Make sure the Topology location is set as Up

In the Advanced section make sure to mention the SBC published external FQDN. Keep Classify by Proxy Set as Disable and keep the Client Forking Mode as Sequential.

Configure Coder Groups:
We need to add the supported coder groups for the SBC leg and the Direct Routing configuration.
Teams supports OPUS and SILK coders.

In order to configure the coder groups, navigate to SetUp – Signaling & Media – Coders & Profiles – Coder Groups and mention the below values for the Teams Direct Routing leg. Later you might need to configure one for the SIP trunk based on the coders it supports.

It is mandatory to enable SIP options for the SBC to be monitored, and for that we need to enable some configuration on the session border controller. To do that, go to Setup – Signaling & Media – SBC – Routing – IP-to-IP Routing and configure all the required routing as per your requirement.

We need to make sure the other options are configured as per the AudioCodes documentation. Finally, after all the steps are done, we can see the Teams Direct Routing configuration showing as successful in the Teams admin center.

In our example we have 1 SBC, 1 Voice Route and 0 SBCs with issues, which is a good sign. Since we didn't initiate any real traffic, we see the message "no data".

We have a very good option to validate the pairing between the AudioCodes SBC and our tenant's Direct Routing. We can see that the connectivity is successfully established and that the status is showing online without any issues.

Now that we have completed the Direct Routing setup and established the connectivity between the SBC and the Teams tenant, there are many more configurations that need to be performed on the SBC to complete the entire enterprise voice configuration. We will look into those in the upcoming articles.

Regards

Sathish Veerapandian

Part 1 – Configure AudioCodes SBC for Microsoft Teams Direct Routing

Microsoft has been providing the option to bring your own SIP trunk for enabling enterprise voice functionality. With Microsoft Teams Direct Routing we can provide the phone system to Teams users, connect the SIP trunks and use the local telecommunications provider. This option gives most customers an easy transition to Microsoft Teams, utilizing the existing infrastructure in parallel while moving the users to the new system.

In order to leverage this functionality we need to set up certified session border controllers. There is a previously written article which can be referred to for checking the readiness and the steps required to configure Direct Routing in Microsoft Teams.

In this article series we will look at setting up an AudioCodes session border controller that will help in configuring Direct Routing.

There are multiple ways to achieve this, and one option is to configure it from the Azure Marketplace. We will look at configuring it from the Azure Marketplace.

The first prerequisite is a valid Azure subscription. Log in to Azure and search the Azure Marketplace for AudioCodes.

Below are the results that we receive, and there are a few options for us to select from. For instance, there is a SaaS offering that is fully managed in Azure. For a full setup we have the Mediant Virtual Edition Session Border Controller and the Cloud Edition Session Border Controller. The Mediant CE edition is more robust, utilizes the full cloud elasticity and can scale up and down based on demand. The VE is a virtual edition that can be built easily on orchestration solutions and is available in the Azure Marketplace for easier deployments. More information on the description can be found here

In this example we choose to use the Virtual Edition Session Border Controller. There are a few key takeaways to note here. While creating it, we are not allowed to add it to an existing resource group that contains resources; it mandates that we create a new resource group or use an existing resource group that is empty. One more important thing is that the virtual machine name must be all lower case, because the network settings do not allow creating the DNS name with upper-case characters.

Next, in the virtual machine settings we have the option to choose the computing size, and we have options to choose the OS version. Here I have chosen the latest OS version. The cloud-init file is an optional file that can be chosen for automatic provisioning.

Next are the network settings, which provide the option to set up the NIC interfaces based on our requirement. Since this case is a demo, we are going with the network interfaces option 1. One more important thing here is that the public IP address has to be static. The template picks up the static setting; however, it is better to verify it from the NIC settings once the VM has been deployed.

Finally it comes to the validation screen where we can check all the required settings and click on create.

Once it has been created we see all the required resources have been populated.

You can also see the DNS name that has been created with the static IP

Now when we log in to the SBC DNS name we get the AudioCodes console, ready for configuration.

Now that this is running, the next important thing is to create an A record in the public DNS and point it to this public IP address. One more important tip here is that the domain of the selected name has to be registered in the Office 365 portal.

The next important thing is the certificate configuration on the Mediant SBC. Create a certificate from the public CA and upload it from IP Network – Security and TLS Contexts.

In my case I'm using a certificate provided by DigiCert for the domain that we are testing. Make sure the file is password protected and in PFX format.

Click on change certificate. There are multiple options to upload the certificate. Here we are choosing the last option: upload the certificate from your computer in PFX format with a password, and select load file.

After a successful load we see the message stating that the upload is successful, and we see the red save alert that forces us to save the modified configuration.

We can also see that the associated DigiCert root and intermediate certificates have been populated in the trusted root certificates section.

Finally we have to upload the same certificate in PEM format for the SBC.

We get the below message after a successful upload of the PEM file.

Now we have completed half of the initial readiness for the Direct Routing configuration, and in the next blog we will go through the next steps of the configuration.

Thanks & Regards

Sathish Veerapandian

Move users to Teams only mode from on premise Skype for business environment

This article outlines the technical steps required to move an on-premises Skype for Business account to Teams Only mode. There are a lot of other factors that need to be considered before making this change, and this step can only be a final stage in almost any environment.

If there is any PSTN integration with the Skype for Business on-premises environment, then these factors need to be planned and executed in stages before phasing out Skype for Business on-premises and moving users to Teams Only mode. These features and functionalities need to be transferred completely to Microsoft Teams.

If you are moving from a Skype for Business 2015 environment, ensure that the admin tools are at the supported CU version, which is Skype for Business Server 2015 with CU8.

In this example I have built a lab in my environment which has my local directory identities, the below test accounts, synced to Azure AD.

And I have a standard Skype for Business 2015 environment running in the local active directory environment.

The next step is to configure Skype for Business hybrid with the Office 365 tenant where we are going to perform the move operation.

There are three simple steps involved in this procedure. The first part is to configure federation with the below command from the Skype for Business Server Management Shell.

Set-CSAccessEdgeConfiguration -AllowOutsideUsers $True -AllowFederatedUsers $True -EnablePartnerDiscovery $True -UseDnsSrvRouting

The next step is to configure a shared SIP address space with the Office 365 tenant. To do that, first check whether a hosting provider is already enabled, and if one is present, remove it with the below command.

Get-CsHostingProvider | ?{ $_.ProxyFqdn -eq "sipfed.online.lync.com" } | Remove-CsHostingProvider

The next step is to enable the hosting provider with the below command.

New-CsHostingProvider -Identity Office365 -ProxyFqdn "sipfed.online.lync.com" -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root

As we can see executing both the commands were successful in my case.

Now that we've made the required change in the on-premises Skype for Business environment, we need to make the same change on the Office 365 tenant by enabling the shared SIP address space with the below command.

Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true

In the below example I have connected to Teams powershell session and have performed this task.

Once we have performed the server and tenant configuration, it is very important to allow the required URLs that will be resolved from the management server where we are performing the operation.

The tenant URL for your subscription needs to be identified as per this article, and this URL needs to be whitelisted for outbound connections.

Get-CsTenant|ft identity

So in my tenant, as per the article, the HostedMigrationOverrideUrl is adminof.online.lync.com.

Permission:

Now we need the required permissions to perform this operation. The Skype on-premises admin account requires a minimum of the CsServerAdministrator role. For online permissions we must have the Skype for Business Admin and User Administrator roles. In my case I attempted it with Global Admin credentials, so I am not exactly sure about the behavior when we move directly to Teams Only mode with granular permissions. It works with split-permission accounts (on-prem\cloud) with sessions established to the SFB on-prem and SFBO modules from the same PowerShell.

One more important thing to note here is that the user on whom we are performing the move operation must have the appropriate license in Office 365 so that the account gets enrolled in the Teams service.

Establishing the session:

Launch PowerShell on the management server where you have the SFB admin tools installed and have connectivity to the SFB on-prem FE and the required tenant, to establish the PowerShell session with the new Teams module. Make sure you install the Teams module on the management server as per this information.

Online:

OnPrem

Import the SFB PowerShell module in the same session. Since I opened this session from a local SFB admin account, I did not store the on-prem credentials in this session.

Performing the move

We can perform the move with the below command. One important point to note here is that post CU8 the move operation will succeed only with modern authentication, by using the switch -UseOAuth.

$url="https://adminof.online.lync.com/HostedMigration/hostedmigrationService.svc"

Move-CsUser -Identity Lionel.Augnel@nl.exchangequery.com -MoveToTeams -Target sipfed.online.lync.com -Credential $cred -HostedMigrationOverrideUrl $url -UseOAuth -BypassAudioConferencingCheck

In the below case we can see that the move operation is successful.

The move results log also gives us some useful information, such as the time taken for move user preparation, the start time and a few more details that might be helpful.

On validation we can see that the moved users are showing as homed in Office 365 and are no longer present in the SFB on-premises environment.

And in Teams we can see that the user has been migrated successfully to Teams mode directly.

Now that the initial setup is completed, a script can be created to move the accounts in batches.

Schedule Microsoft Teams Live Events from an external app OBS Studio

With Microsoft Teams Live Events, we have the alternative of streaming from outside encoding sources. There are a few advantages to running this activity from an external application. We can customize the presentation deck by including various sources, and there is an option to include multiple cameras and combine them on the same deck.

This subject caught my eye, so I investigated this alternative using the free open source tool OBS Studio. The installer can be downloaded and installed on the PC from which we are going to stream the live event. OBS Studio is present in the list of supported encoders provided by Microsoft.

Before we set up OBS Studio, the mandatory part is to schedule a live event to generate the URL used to build the connection between them.

So I created a live event with the org-wide option.

In the next screen choose the option external app or device.

The moment the live event is created we can see that the server ingest URL has been generated. Now that the URL required to establish the connection from OBS has been generated, we need to populate this value in the OBS Studio app.

From the OBS Studio app navigate to settings.

Navigate to stream; in the service select Custom and populate the server URL that was copied from the generated live event. It is mandatory to paste a stream key here. You can paste some random numbers and that will become your stream key. This part is now complete and you can click on apply.

Customization of the presentation Deck

Now we need to go to scene and create a new scene.

Once that is done we have the option to add a source. We can see that there are ample options available here to modify our presentation deck.

Furthermore, when the video capture device is selected, we have the opportunity to add multiple cameras with our own customization.

Drilling further into the configure video option, we can see more options. I was able to change zoom, focus and exposure; the options might differ based on the camera that is connected.

We have options to add images, media and browsers, which might be beneficial during the live event from the same deck. For instance, below is an example of adding a media video. The tool really seems to be powerful in providing additional options for customizing the deck.

Once the customization is done we are good to go to start the setup.

After that we click on start streaming in OBS Studio. Once the session is started we can see the frames per second ratio, and the stream is ready for Teams Live Events.

Then from the Teams live event you can click on start event.

Finally we can see the live event streaming from the external encoder app. Below is a sample where we can see the state says encoder preview, along with the customized deck with images and a browser page.

Regards

Sathish Veerapandian

Microsoft Teams – script to generate teams owners ,visibility type, owners count, members count and archive status

Microsoft Teams utilization has increased phenomenally with the current COVID situation, where almost every one of us is working from home. Microsoft Teams, being one of the top collaboration tools, is helping all of us to stay better connected during this time.

Most organizations don't restrict team creation in Microsoft Teams, because this factor heavily influences the adoption rate of the Teams communication platform. The below script can be run in Task Scheduler or in an Azure Function on a monthly basis for reviewing the Teams created in the last 30 days, especially to see the Teams that have been archived and to see whether teams are being created as private or public by the users.

Below is the sample output of the script, which provides the below details.

############################################################################################################################################
# Description   :- Powershell Script To extract Teams Name,Owner,backup owner,owner count,member count,Group Type and Archive Status.
# Created Date  :- 10-Oct-2020
# Created By    :- Sathish Veerapandian
# Version       :- 0.2
# Imp Notes     :- Please ensure you have folder C:\Scripts and clear the output files generated every time when you run the script again.
# Info          :- If you want to send reports as email please uncomment the Send-MailMessage line at the end and use the from/to address with SMTP Server
############################################################################################################################################
Connect-MicrosoftTeams

$Path="C:\scripts\TeamsReport.csv"

$Header = @"
<style>
TABLE {border-width: 1px; border-style: solid; border-color: black; border-collapse: collapse;}
TH {border-width: 1px; padding: 3px; border-style: solid; border-color: black; background-color: #48D1CC;}
TD {border-width: 1px; padding: 3px; border-style: solid; border-color: black;background-color: #F0FFFF}
</style>
"@

$Count = 0
Get-Team | foreach {
$TeamName = $null ; $TeamName = $_.DisplayName
$GroupId = $null ; $GroupId = $_.GroupId
$Visibility = $null ; $Visibility = $_.Visibility
$EmailAlias = $null; $EmailAlias = $_.MailNickName
$Archived = $null; $Archived = $_.Archived

$Count++
Write-Progress -Activity "Processed Teams count: $Count" -Status "Currently Processing: $TeamName"

# Wrap results in @() so .Count and indexing behave the same for zero, one or many users
$TeamMembersCount = $null ; $TeamMembersCount = @(Get-TeamUser -GroupId $GroupId).Count
$TeamOwners = $null ; $TeamOwners = @(Get-TeamUser -GroupId $GroupId -Role Owner)
$TeamOwnersCount = $null ; $TeamOwnersCount = $TeamOwners.Count
$Owner1 = ""
$Owner2 = ""

If ($TeamOwnersCount -eq 1) { $Owner1 = $TeamOwners[0].User}
Elseif ($TeamOwnersCount -ge 2) { $Owner1 = $TeamOwners[0].User; $Owner2 = $TeamOwners[1].User}

$Output = [PSCustomObject]@{
    TeamName = $Teamname
    Owner1 = $Owner1
    Owner2 = $Owner2
    TeamOwnersCount = $TeamOwnersCount
    TeamMembersCount = $TeamMembersCount
    TeamEmailAlias = $EmailAlias
    TeamVisibility = $Visibility
    TeamArchiveStatus = $Archived
}
$Output | select * | Export-Csv $Path -NoTypeInformation -Append
}

# Build the HTML report once, after all Teams have been written to the CSV
$Data = Import-Csv $Path
$Data | ConvertTo-Html -Head $Header | Out-File -FilePath C:\Scripts\TeamsReport.html
# Send the exported html as email for evaluation
#Send-MailMessage -From senderemailID -To recipientemailid -Attachments "C:\Scripts\TeamsReport.html" -BodyAsHtml -SmtpServer mentionsmtpserver -Subject TeamsGroupReport

Thanks & Regards

Sathish Veerapandian

Microsoft Teams – Utilize the Azure Sentinel to facilitate SOC and Monitor Teams critical events

A few days ago Microsoft announced a new release which provides the opportunity to integrate MS Teams activities that are recorded in the audit logs with Azure Sentinel. Enabling this feature benefits organizations where a separate SOC team monitors and analyzes the security posture as an ongoing operational procedure.

We still have the native Microsoft Cloud App Security, which helps in creating an alerting mechanism for MS Teams related activities. But with Log Analytics and Azure Sentinel we can do a lot more than can be done from Cloud App Security. We can further fine-tune the alerting and create workbooks and dashboards for Microsoft Teams related activities, which will be useful for Teams monitoring.

To start with this new feature, we need to enable the new option to ingest Teams data into Azure Sentinel workspaces. This article can be followed to start connecting Office 365 with Azure Sentinel, the Microsoft cloud-native SIEM.

Navigate to Azure Sentinel Work Spaces – Select Data Connectors – Choose Office 365

Here we can see the new option for sending Teams audit logs to the Azure Sentinel workspace.

Once it is done, after a while we can see that the workspace has received the data type Office Activity (Teams).

Live Query Teams Monitoring :

When we navigate into the workspace we have the opportunity to fine-tune and see the events that are written to the audit logs for Teams in a more refined way.

For instance, the workspace can be queried to filter only Team creation events. This can even be used to filter for a specific person and create an alert for them.

This helps the SOC team with live reactive analysis when any security incidents are reported for Teams related activities.

OfficeActivity
| where OfficeWorkload == "MicrosoftTeams"
| sort by TimeGenerated
| where Operation has "TeamCreated"
| where UserId has "sathish@exchangequery.com"
| project UserId,AddonName,TimeGenerated,RecordType,Operation,UserType,OfficeWorkload

Create Alerting Mechanism : Azure Monitor or Azure Sentinel

In a real example we can create alerts and notify the SOC Team when a bot has been added to the Team.

OfficeActivity
| where OfficeWorkload == "MicrosoftTeams"
| sort by TimeGenerated
| where Operation has "BotAddedToTeam"
| project UserId,AddonName,TimeGenerated,RecordType,Operation,UserType,OfficeWorkload

To create the alert after writing the query, we use new alert rule, where there is the opportunity to create the alerting mechanism in two ways: create an Azure Monitor alert or create an Azure Sentinel alert.

To experience the behavior I selected the option Create Azure Monitor alert and used the same query. The alert logic and the time period are set for the demo and can be defined based on the period and frequency that suit the monitoring best.

The action group can be selected to send this notification alert to email addresses.

The notification type can be set to other options; for example, ITSM can be chosen to trigger an incident for the same events.

In our case email was selected; after a few minutes I tested by adding a bot and got the alert notification on the email address.

Further information about the bots that have been added can also be seen.

Create WorkBooks and Dashboards:

Here we have the possibility to create workbooks and dashboards for MS Teams related activities. There is one template present by default for Office 365, and it contains an item Teams Workload which will help in creating a workbook for Teams.

The default workbook provides decent information for monitoring Teams related activity.

This is a good start for creating one dedicated workbook for Microsoft Teams and pinning it as a separate dashboard for Microsoft Teams related activities. I have also written a post on creating Azure Monitor workbooks which can be referred to for creating dashboards for Teams activities.

Microsoft Teams logs in Azure Sentinel is really a welcome native cloud integration feature from which a lot of organizations can definitely benefit in terms of actively monitoring Teams activities, with no additional cost of investing in 3rd party SIEM integrations.

Regards

Sathish Veerapandian

Overview of Microsoft Teams Graph API and its benefits

The Microsoft Teams Graph API has been around for quite a long time, and it can be used in various ways to perform Teams related tasks as API operations. In this article we will go through an overview of the Teams Graph API and the API calls available as of now.

Using the Graph API, developers have a unified REST API to access the components that underpin Teams. For instance, using the Graph API we can post a survey notification to a channel with an option to vote on the survey. We can also create a Team, add members and owners, configure team settings and even archive a Team.

The overview of Graph API can be explored by navigating to the below URL.

https://developer.microsoft.com/en-us/graph/graph-explorer

Before consuming the Graph API we need the required permissions to run the query, so we need to consent to the permissions that match the action that will be performed. In the example below we have granted the permissions shown to execute the Graph API operations for Teams.

Once logged in, we can first check the basic me option, which returns the user information as below.

At the time of writing this blog post, Teams has the Graph options below: 9 general and 4 beta versions. If any issues are identified on beta while calling from applications, Power Apps, Logic Apps or other APIs, they will be fixed sooner.

Moving to the Teams part, the query below shows the teams that I am a member of:

https://graph.microsoft.com/v1.0/me/joinedTeams

Next we try a POST request to create a channel in a Team called Test Team. The prerequisite for creating a channel is to specify the Team ID under which the channel needs to be created.

Upon a successful POST we can see that the new channel called architecture discussion has been created.

Interestingly, we also have an option to send a channel message. An example message is below.

The test message we posted has been received in the Team channel.

When we attempt a GET on the messages in a channel, we get the actual messages present in it.

Now that we have tested the API operations from Graph Explorer, there are multiple ways to access them from different programs. In our example we will access them from PowerShell and create a Team. The first prerequisite for creating a Team from the Graph API is that it must exist as an Office 365 Group. The Office 365 group is created with a POST operation.

Once the Office 365 group is created we can use the PUT operation to enable Teams on it. While there are lots of samples available on the internet to create Teams, I found this video which is a very helpful start for Graph API operations for Microsoft Teams via PowerShell.

As an initial prerequisite we need to install the SharePointPnPPowerShellOnline module and connect with it.

Below is a sample script that can be used to create a Team from the Graph API via Powershell.

#connect to graph API
Install-Module SharePointPnPPowerShellOnline
Connect-PnPOnline -Scopes "Group.ReadWrite.All"
$accessToken = Get-PnPGraphAccessToken

#Prepare generic OAuth Bearer token header
$headers = @{
    "Content-Type" = "application/json"
    Authorization  = "Bearer $accessToken"
}

#Create the Office 365 Group - Post Request
$NewGroup = @{
    Description     = "Team Fun Friday"
    DisplayName     = "Fun Friday"
    groupTypes      = @("Unified")
    mailEnabled     = $true
    mailNickname    = "teamfunfriday"
    securityenabled = $false
}
$creategroupbody = ConvertTo-Json -InputObject $NewGroup

$response = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/groups" -Body $creategroupbody -Method Post -Headers $headers -UseBasicParsing
$groupid = $response.id

#Create the Team - Put Request
$NewTeamRequest = @{
    membersettings = @{
        allowcreateupdatechannels = $true
    }
    messagingsettings = @{
        allowusereditmessages   = $true
        allowuserdeletemessages = $true
    }
    funsettings = @{
        allowgiphy         = $true
        giphycontentrating = "strict"
    }
}
$createTeamBody = ConvertTo-Json -InputObject $NewTeamRequest
$response = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/groups/$groupid/team" -Body $createTeamBody -Method Put -Headers $headers -UseBasicParsing
Write-Host $response

Upon successful execution of the above script we get the message below in the PowerShell session.

On verification we could see that the associated Office 365 group and the Team have been created.

The team is also created automatically and is visible from the Teams client.

The Microsoft Graph APIs give a unified REST API experience and help us perform multiple Teams operations and automate the Team management life cycle.
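The script above asks for the Group.ReadWrite.All scope, and the consent step earlier decides what a token may do. The following added example (not part of the original post) decodes a token's payload to list which permissions it carries beyond what the script needs. The helper names and the sample token are constructed for illustration, and because no signature is verified this is a diagnostic check only.

```powershell
# Added example, not from the original post. Helper names are hypothetical.
function ConvertFrom-Base64Url {
    param([string]$Text)
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {          # restore the padding that base64url strips
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw "Invalid base64url length" }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function ConvertTo-Base64Url {
    param([string]$Text)
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Test-GraphTokenScope {
    param([Parameter(Mandatory)][string]$Token, [string[]]$Needed)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWT (expected header.payload.signature)" }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    $granted = @()
    if ($claims.scp)   { $granted += $claims.scp -split ' ' }   # delegated permissions
    if ($claims.roles) { $granted += $claims.roles }            # application permissions

    [pscustomobject]@{
        Audience   = $claims.aud
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
        Missing    = @($Needed  | Where-Object { $granted -notcontains $_ })
        Excess     = @($granted | Where-Object { $Needed  -notcontains $_ })
    }
}

# Constructed, unsigned sample token with made-up claim values.
$payload = @{
    aud = 'https://graph.microsoft.com'
    exp = 1893456000
    scp = 'Group.ReadWrite.All Directory.ReadWrite.All User.Read'
} | ConvertTo-Json -Compress
$sample = (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}') + '.' + (ConvertTo-Base64Url $payload) + '.sig'

$check = Test-GraphTokenScope -Token $sample -Needed 'Group.ReadWrite.All'
if ($check.Excess) {
    Write-Warning "Token carries more than the script needs: $($check.Excess -join ', ')"
}
$check
```

To inspect the token the script above obtained, pass `$accessToken` as `-Token` before the first `Invoke-RestMethod` call.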

Microsoft Teams – Change the Supported Meeting Mode on existing Skype Room Systems to Teams Mode by leveraging Intune Scripts

Microsoft Teams has become a highly adopted collaboration platform within a few months. It has been helping a ton worldwide, and the new features that are released every now and then keep us connected and expand efficiency in every organization that uses it.

By default, Microsoft certified room systems are forward compatible with the new Skype for Business or Teams services while maintaining the same client user experience. Usually, when an organization has only Skype, these meeting rooms will have only the Skype option enabled on them.

In this article we will look at how to enable existing Skype room systems to host Teams meetings.

Below is an example screen of a Skype room system panel, showing the options available for the supported meeting mode when configuring it at the initial stage.

These devices basically run in KIOSK mode on recommended versions of Windows 10, the currently supported one being 1909 at the time of writing this blog.

Ideally, when a Skype room system account has been migrated to Teams with all the prerequisites, this mode on the meeting room device needs to be changed to support Skype for Business and Microsoft Teams.

This can be done by using the local admin credentials of the Skype room system, logging into the system context and changing the mode to support both Teams and Skype. In a real scenario, for a small scale deployment of fewer than 10 rooms, having local IT support change them manually is possible. But in a huge deployment where 100 plus systems are deployed across the globe, changing them manually will be an uncomfortable experience.

The supported meeting mode on the Skype room systems is controlled via an XML file present in the location below. This location is standard for all the meeting rooms running in KIOSK mode, and the file is named skypesettings.xml

C:\Users\Skype\AppData\Local\Packages\Microsoft.SkypeRoomSystem_8wekyb3d8bbwe\LocalState

At startup these devices look for the XML file named SkypeSettings.xml in the above location. If the device finds it, it applies the configuration settings indicated by the XML file and then deletes the XML file. The best thing is that we can mention only the changes that we require in the XML file; the device will apply the delta changes and keep the other settings the same.

In order to enable Teams and Skype and have Teams as the default client we can use the XML below.

<SkypeSettings>
    <IsTeamsDefaultClient>true</IsTeamsDefaultClient>
    <SkypeMeetingsEnabled>true</SkypeMeetingsEnabled>
    <TeamsMeetingsEnabled>true</TeamsMeetingsEnabled>
</SkypeSettings>

Now this XML can be easily pushed to all the Skype Room Systems via Intune Scripting Profile.

Below are the prerequisites before performing this action:

  1. The Skype Room Systems accounts must have the Teams license assigned to them. This offers an easy migration path from Skype for Business to Teams by just enabling Teams on the device.
  2. The Skype Room Systems must have been registered in Microsoft Intune so that this Intune scripting profile can be targeted to them.

Log in to Microsoft Intune, navigate to Device Configuration and create the script as below. Ensure the script settings are all left at their defaults. Target the script to the meeting room devices which require this change.

Copy the script below, save it as a ps1 file and use it on the script settings page.

$target = "C:\Users\Skype\AppData\Local\Packages\Microsoft.SkypeRoomSystem_8wekyb3d8bbwe\LocalState\SkypeSettings.xml"
$xml = "<SkypeSettings>
    <IsTeamsDefaultClient>True</IsTeamsDefaultClient>
    <SkypeMeetingsEnabled>false</SkypeMeetingsEnabled>
    <TeamsMeetingsEnabled>true</TeamsMeetingsEnabled>
</SkypeSettings>"
$xml | Out-File -FilePath $target -Force

After the next Azure AD sync is completed on the targeted devices we can see that the XML file has been successfully deployed to the location below.

We can also see the overview of assigned and failed devices on the Intune script profile. In our case it was successful, since it deployed to the targeted system without any issue.

These systems usually reboot every night as a maintenance window to check for system updates and install them. Once a Skype room system has received this XML, the setting is applied during that reboot. Once the change has been applied to all the systems, the Intune script profile can be removed, since it is a one time configuration change on the systems after the user accounts have Teams enabled.

Option 2:

Create a storage container in Azure, store the XML file there and make Intune pull the XML file from it. This option is beneficial in case we need to modify the XML file frequently for device settings.

In the Azure portal, navigate to Storage accounts and select File shares.

Create a new file share for pushing the Teams XML.

Once it is shared we can use the appropriate URL in the script.

The script below can be used for this.

$source = "storage file source url"
$target = "C:\Users\Skype\AppData\Local\Packages\Microsoft.SkypeRoomSystem_8wekyb3d8bbwe\LocalState\SkypeSettings.xml"
# Download the XML from the file share to the location the room system reads at startup
Invoke-WebRequest $source -OutFile $target
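With Option 2, whatever sits at the storage URL becomes device configuration at the next reboot. The following added example (not part of the original post) downloads to a temporary file and writes SkypeSettings.xml only if the content matches a pinned SHA-256 hash and contains nothing but the three meeting-mode settings shown on this page. The function name, the pinned-hash placeholder and the demo XML are assumptions for illustration.

```powershell
# Added example, not from the original post. Placeholders and hypothetical names are marked.
$source  = "storage file source url"                      # placeholder, as on the page
$pinned  = "<SHA-256 of the approved SkypeSettings.xml>"  # placeholder
$target  = "C:\Users\Skype\AppData\Local\Packages\Microsoft.SkypeRoomSystem_8wekyb3d8bbwe\LocalState\SkypeSettings.xml"
$allowed = 'IsTeamsDefaultClient', 'SkypeMeetingsEnabled', 'TeamsMeetingsEnabled'

function Test-RoomSettingsFile {   # hypothetical helper name
    param([string]$Path, [string]$Sha256, [string[]]$AllowedElements)
    # 1. Integrity: the file must be byte-identical to the approved one.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $Sha256) { throw "Hash mismatch, got $actual" }

    # 2. Parse with DTDs prohibited and no resolver, so entities are never expanded.
    $rs = New-Object System.Xml.XmlReaderSettings
    $rs.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
    $rs.XmlResolver   = $null
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load([System.Xml.XmlReader]::Create($stream, $rs))
    } finally { $stream.Dispose() }

    # 3. Content: only the three meeting-mode settings, each a boolean.
    if ($doc.DocumentElement.Name -ne 'SkypeSettings') { throw "Unexpected root element" }
    foreach ($node in $doc.DocumentElement.ChildNodes) {
        if ($node.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }
        if ($AllowedElements -notcontains $node.Name) { throw "Unexpected setting <$($node.Name)>" }
        if ($node.InnerText -notmatch '^(true|false)$') { throw "Non-boolean value in <$($node.Name)>" }
    }
    $true
}

# Constructed demo, runs offline: an approved file passes, an altered copy is rejected.
$tmp = [System.IO.Path]::GetTempFileName()
try {
    '<SkypeSettings><IsTeamsDefaultClient>true</IsTeamsDefaultClient><TeamsMeetingsEnabled>true</TeamsMeetingsEnabled></SkypeSettings>' |
        Set-Content -Path $tmp -Encoding UTF8
    $demoHash = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash   # stands in for $pinned
    Test-RoomSettingsFile -Path $tmp -Sha256 $demoHash -AllowedElements $allowed
    Add-Content -Path $tmp -Value '<!-- altered -->'
    try { Test-RoomSettingsFile -Path $tmp -Sha256 $demoHash -AllowedElements $allowed }
    catch { "Rejected: $($_.Exception.Message)" }
} finally { Remove-Item $tmp -ErrorAction SilentlyContinue }

# Deployment path: download to a temp file, verify, and only then write $target.
if ($source -match '^https://') {
    $dl = [System.IO.Path]::GetTempFileName()
    try {
        Invoke-WebRequest -Uri $source -OutFile $dl -UseBasicParsing
        Test-RoomSettingsFile -Path $dl -Sha256 $pinned -AllowedElements $allowed | Out-Null
        Copy-Item -Path $dl -Destination $target -Force
    } finally { Remove-Item $dl -ErrorAction SilentlyContinue }
}
```

Pinning the hash means the Intune script has to change with each approved XML. If that defeats the purpose of Option 2, the element allow-list on its own still limits what a changed file can set.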

Regards

Sathish Veerapandian

Microsoft Teams – Utilize Power BI to get more details on the Call Quality Dashboards

With Microsoft Power BI we can gather more details from the call quality dashboards. As of now Microsoft has released 7 Power BI Desktop templates to accumulate more details on the Microsoft Teams call quality dashboard.

Power BI is a very capable platform for data gathering and analysis, and these new templates for Microsoft Teams are outstanding for analyzing Microsoft Teams data.

We will go through the overview of the reports and the configuration in this post.

Firstly, the Power BI query templates for Microsoft Teams need to be downloaded.

We have the 7 template reports below:

  1. CQD Helpdesk Report.pbit
  2. CQD Location Enhanced Report.pbit
  3. CQD Mobile Device Report.pbit
  4. CQD PSTN Direct Routing Report.pbit
  5. CQD Summary Report.pbit
  6. CQD Teams Utilization Report.pbit
  7. CQD User Feedback (Rate My Call) Report.pbit

These are customizable templates which can be used to analyze data. The files above are in PBIT format, which can be used from Power BI Desktop with the data source configured. If we need to open them directly from the Power BI portal they need to be renamed to pbix. If we are importing them from Power BI Desktop, the file MicrosoftCallQuality.pqx needs to be copied to the [Documents]\Power BI Desktop\Custom Connectors folder.

From Desktop:

The initial requirement is that Power BI Desktop is installed and the data gateway is already configured. The steps from Microsoft can be followed from here

Place the pqx file in the location below. This location is created automatically once the desktop version is installed.

Set the data source:

Option 1: Use the Microsoft Call Quality (Beta)

In order to set the data source, open Power BI Desktop, select Get data and choose Microsoft Call Quality (Beta).

Once it has been connected we see the message below as a disclaimer, since the connector is on beta roll-out at the time of writing this blog.

Next we get the option below, which has all the details to build the query.

When we click on Load we are presented with the screen below. Here we need to select the option DirectQuery, since we are getting the data directly from the Microsoft call quality dashboards.

Once connected we have all the options to build our own custom reports by selecting the required fields from the right, along with visualizations and filters. This option is very beneficial when we have our office network details uploaded to the call quality dashboard for detailed analysis and for building our own custom dashboards. Here we have selected a few fields as an example and can see they are populated on the dashboard.

Option 2: Import the Teams PowerBI Templates report and publish them from the desktop.

The second option is to import the Power BI templates and publish them from the desktop. In order to import them, navigate to File, then Import, select Power BI template and import all the pbit format files. These templates have to be imported one by one.

Once imported we get all the details as per the imported template. We also have an option to customize the reports further. Click on Publish to publish the reports directly to the workspace.

Choose the destination workspace to publish to. In our case we have selected Microsoft Teams – CQD, which is the workspace created in Power BI for Teams CQD.

Once published, the dashboards are available in the workspace and ready to share.

When we click on Share we get the options below for sharing the report. Users will need a Power BI Pro license and a CQD access role to access this report.

Importing from the PowerBI Web Portal:

Importing them from the web portal is much easier. We need to click on Datasets, then Files, and select the Get option, since we need to import the downloaded files here to create the new content.

Select Files, click on Local File and choose the Power BI templates. Here we need to rename all the files to pbix, since the portal will not recognize the pbit format.

Once uploaded we can see the dashboards. The template dashboards have a lot of information, especially the user details breakdown, which is very nice. The example below is from the CQD Helpdesk Report. Here we have an option to search by user, conference or date, which is very convenient.

Further, the user activities tab gives us more reports, as in the example below. The good thing is that we can see the device information for the endpoint.

The example below comes from the CQD Teams Utilization Report. This gives more information on how Teams is utilized by users in our organization. Below are a few samples from the templates. The call count summary gives all the information in one view.

We get the location details as well in the overall call quality, and it gives the data for the past 180 days.

User details are very impressive: we can see the app version and drivers, and we have filters on the right to customize the view.

The example below shows the day details breakdown with further customization filters and fields to get data based on our requirement. The default report itself has a lot of the required data, which is great.

The mobile devices call quality report also has a lot of useful information with an overall summary.

We get the mobile devices call quality with rendered devices, call quality trend and number of conferences attended from mobile.

The desktop version is very convenient for creating customized dashboards. There are more handy reports available from these default templates which will definitely be useful, and in the above examples we have gone through a few of them. These reports can be customized easily and shared with little effort, and they give a very good view with a rich data experience.

Thanks & Regards

Sathish Veerapandian
