When you create a Resource Account in Teams Admin Center (or via PowerShell), you need to specify whether the Resource Account will be for a Call Queue or an Auto Attendant. Under the hood of Teams, that makes a difference.

Every so often, a customer I’m working with needs to change a Resource Account from an Call Queue to an Auto Attendant, usually to take advantage of schedule that’s present in Auto Attendants. If you need to do this, you can use the Set-CsOnlineApplicationInstance.

First, use Get-CsOnlineApplicationInstance to see what you have

You can tell by the DisplayName field that my first two items are Call Queues, the other three happen to be Auto Attendants.

If I want to change “TestQueue” to be for an Auto Attendant instead, I can do this

Boring, right?

Note that 11cd3e2e-fccb-42ad-ad00-878b93575e07 is the ApplicationID for a Call Queue object, and ce933385-9390-45d1-9512-c8d228074e07 is for Auto Attendants.

Restricting where a user can call internal to your organization is complex. If you must do this for compliance reasons, you need to take a look at Information Barriers.

One of the complexities is that in a Teams client the user can find another user by name and click to call them. They can do this same type of lookup on phones too.

Common Area Phones are more restricted than users, and it’s a simple policy change to allow or prohibit the lookup of users on a phone. We’ll typically see this restriction in place on phones in public areas, like a lobby courtesy phone. If you want to further restrict that public area phone can call by dialing numbers, you have just one option.

In a previous post, we talked about a Dial Plan normalization rule that would translate one phone number into a different, invalid phone number to prevent the original number from being called. If you want to restrict a CAP from calling anything other than one internal number, you can use the same procedure, but instead of the invalid number, translate all numbers to the number you want the phone to be able to call.

This sample rule allows the CAP to only call +14255551212, the security desk in my example:

And if I want the CAP to be able to call HR at 6789 and then have all other calls go to security, I could do something like this with two rules, since they’re processing in top-down sequence:

And you could add as many rules as you wanted, just make sure they’re above the ^(.*)$, which is the catch-all that should be at the bottom of the list.

If you’re on Direct Routing, blocking calls is as “simple” as ensuring that there is no route to the destination in the Voice Routing Policy assigned to the user placing the call.

For example, if we have a voice usage for national calls that looks like this ^\+(1\d{10})$ then any call that matches +1xxxxxxxxxx (that’s ten x if you’re wondering) will be allowed through. Carrying on with our example from previous posts of blocking calls to the 425 area code, we could change the route pattern to

^(\+1((?!425)|(\d{3}))\d{7})$

And calls to the 425 area code would no longer match this entry. That regex looks a bit gnarly. The +1 will always need to be at the start. (?!425) means “not 425”. The | is an OR, and (\d{3}) is any 3 digits. This says “We need +1 then (Not 425 but any other 3 digits) then 7 more digits.

If you have multiple voice usages – perhaps for service numbers, national, and international – you should be able to modify only the voice route associated with the national usage to block calls to the 425 area code.

This will work because a call to +1425xxxxxxx wouldn’t match with other typical usages, like service numbers (2xx-8xx) or international (country codes other than +1). However, if you have a more complex setup of usages and routes, you will need to ensure that a route further down the ordered list of usages does not allow the call. That is because while usages are evaluated top-to-bottom, evaluation continues until a route match is successful AND the call completes OR until the list is exhausted.

If you have ^(\+1((?!425)|(\d{3})\d{7})$ route in a usage above ^(\+1(\d{10})$ then a call to the 425 area code would be blocked by the first usage but would match the second usage.

This will definitely catch people using (.*) as a catchall for international calls at the bottom of their usage list. This also means that you cannot simply create a usage and route that blocks a call and insert it into the list of usages above a rule that would allow it. Your exception/block must take place in the same route regex that would match and permit the call.

If you need a “best effort” method to block external calls to specific numbers, but aren’t hugely concerned over whether the solution is perfect, there is an option that will work with Calling Plans, Direct Routing, and Operator Connect.

Teams Dial Plans normalize the number a user enters on the keypad (or clicks on), usually into E.164 format. This allows users to dial based on their habits versus adherence to the E164 format. For example, they might dial 425 555 1212 and Teams will normalize this into +14255551212 to actually place the call. We can take advantage of this for call blocking by creating dial plan normalization rules that translate the dialed number into something other than the proper E164 format.

For example, 425xxxxxxx might get translated into +11001234567. That number doesn’t exist under the number plan for the +1 country code, so the call will fail. (It’s technically invalid, there are no area codes beginning with “1” in the North American Numbering Plan. Yet anyway!).

If you build something like this out, note that the “test” field here won’t allow you to put a + in front. You’ll have to test without the + here, and then test with the + at the client level.

Notice that the rule has \+?1? in front of the condition. That will match a + or 1 if they’re present, but doesn’t require them to be there. This means that even if a user knows how to dial an E164 number, this method can still catch and block the call.

You could get trickier here and translate to an E164 number that belongs to one of your Teams endpoints, and users would wind up connecting to that Teams endpoint. You could use Teams Routing Rules to build a rule that would play a message to the caller if these numbers were dialed.

I did say above that this solution may not be bulletproof. It’s possible that a client may implement number normalization in such a manner that it won’t match on a number in E164 format, on the assumption that it’s already in E164 format so it does not need to be normalized.

This is also where I put on my consultant hat and talk about non-technical aspects. If you have a user who is routinely abusing your phone system, and there is not technical solution to the issue, you may need to implement non-technical measures – a trip to HR, a visit with the school principal, etc..

It’s common for an organization to want to restrict where a user or phone can call outside an organization, especially long distance tolled calls. There are a number of different ways to do this, with a variety of different administrative impacts.

If a user has calling plans, the first way would be to only license the account for domestic calling, versus domestic and international. If you do this, note that adding a Communications Credit license to the user will allow them to make international calls on a pay-as-you-go basis. You might want communications credits assigned to a Calling Plan user to allow them to continue to make outgoing calls once the “per user per month” pooled minutes expire. If that’s the case, you’ll need to implement an additional method discussed below.

Regardless of whether a user’s PSTN service is via Calling Plans, Operator Connect, or Direct Routing, you can restrict where they can call in Teams Admin Center:

Here, I can block outbound calling entirely with “Don’t allow”, permit international calling with “Any destination” or only to Karl’s own country/region with the middle option “In the same country or region as the organizer”.

The text here – specifically the word “organizer” – would lead you to believe that this is for dialout from meetings. However, it does also apply to PSTN calls Get-CsOnlineDialOutPolicy (SkypeForBusiness) | Microsoft Learn

Note that this restriction will apply regarding of Operator Connect, Direct Routing, or Calling Plans being the PSTN connectivity option for the user.

This isn’t a terribly granular capability. If you’re on Operator Connect, your operator may be able to do some extra screening for you. There are some other solutions that may work well, or at least well enough, for your scenario, in my next post.