Merging Multiple SfB On-Prem Orgs to One Tenant

Mergers, acquisitions, and other optimization activity can lead to a scenario where you want to merge multiple on-premises Skype for Business organizations into a single O365 Tenant, be that for Skype for Business Online or Teams.

Usually, the organization starts this process by synchronizing the on-prem AD contents from all organizations with Azure AD. This is followed by Exchange hybrid configuration. Both AD/AAD and Exchange support simultaneous hybrid configurations with multiple on-prem organizations.

Skype for Business, however, only permits one on-prem organization to be in a hybrid configuration with the tenant at a time. The first organization is configured for hybrid, and the first SfBO or Teams users appear. Shortly after that, a report will come in to the helpdesk that the online users cannot reach the non-hybrid on-prem SfB organizations. Investigation shows that the on-prem users in the hybrid organization can, however, reach these other organizations.

What’s going on can be a maddening process to unravel. For once, it’s not DNS or the network! When the AD/AAD sync is configured, the SIP domain of the non-hybrid on-prem SfB organization gets added as a verified domain in the tenant (for AD sync, Exchange, or any number of other reasons). This causes O365 to assume that it now owns this domain for all O365 services, including SIP. SIP traffic from online users to a user in that domain is therefore routed inside the tenant instead of leaving via federation, and the result is a “user not found” scenario.

The solution is a simple one: run the Disable-CsOnlineSipDomain cmdlet against the non-hybrid on-prem SfB domain from Skype for Business Online PowerShell. This tells O365 to ignore that domain for SIP purposes (but leaves AD, Exchange, and the other services alone). Now the traffic will leave the organization and reach the intended user via federation. Problem solved! Two caveats: confirm first that nobody in that SIP domain is supposed to be homed online, and remember that when that organization is later moved to hybrid the domain has to be enabled again with Enable-CsOnlineSipDomain before its users can be moved.
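The steps above, as an added PowerShell example (not code from the original post). It assumes the Microsoft Teams PowerShell module is installed, that you hold a role allowed to change tenant SIP settings, and that contoso.com is a placeholder for the SIP domain of the organization that is not in hybrid.

```powershell
# Added example, not from the original post.
# Assumes: Teams PowerShell module installed; "contoso.com" is a placeholder for
# the SIP domain of the on-prem org that is NOT in hybrid.
Connect-MicrosoftTeams   # older tenants: New-CsOnlineSession + Import-PSSession

# 1. Check: which SIP domains does the tenant currently claim, and in what state?
Get-CsOnlineSipDomain | Format-Table Name, Status

# 2. Check: nobody in that domain should be homed online before you disable it.
Get-CsOnlineUser -Filter { SipAddress -like "*@contoso.com" } |
    Select-Object UserPrincipalName, SipAddress, Enabled

# 3. Stop the tenant claiming contoso.com for SIP. AD sync and Exchange are untouched;
#    SIP traffic for this domain now leaves the tenant through federation.
Disable-CsOnlineSipDomain -Domain "contoso.com"

# 4. Verify the change took effect.
Get-CsOnlineSipDomain -Domain "contoso.com"

# Later, when contoso.com's organization is moved to hybrid, re-enable it:
# Enable-CsOnlineSipDomain -Domain "contoso.com"
```

The cmdlet prompts for confirmation; answering it is deliberate here because disabling the wrong domain silently breaks SIP routing for every online user in it.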

Port Exhaustion

When you have devices on an internal network that access the Internet via NAT, your firewall will perform what’s called “Port Address Translation”, or PAT.

When a device sends IP packets, each packet has both a source and a destination port. The destination port is whatever service you’re accessing (like 443 for HTTPS), and the OS is typically in charge of selecting a source port, though an application (like Teams) may specify a range of source ports to use.

Since you’ll have a number of systems behind your firewall, there’s the possibility that some of them will select the same source port for a conversation. This is especially likely with an application like Teams that lets you configure a source port range to facilitate QoS. PAT translates these source ports (whether or not they conflict) to an unused port on the firewall’s outside IP, and tracks each mapping so that return traffic gets back to the right internal host.

Problems can arise, however, if there is sufficient traffic on your LAN to use up all of the ports on the outside of your firewall. Each outside IP address has at most 65,535 ports, and in practice fewer, since firewalls reserve part of the range. The cause can be a specific application using numerous ports, numerous applications running on a system, the overall number of systems on the LAN, or usually some combination of all three. This is called port exhaustion, as the supply of available ports is exhausted. Any modern enterprise or business class firewall will let you monitor the number of ports being used, and the good ones will generate an alarm. If you’re encountering port exhaustion, the most practical solution is to add IP addresses to the pool that the firewall can use for translation.

If this isn’t possible, a much less favourable option is to shorten the session timeout values on the firewall so that idle mappings are released sooner. Be aware that this can lead to poor application performance, as connections need to be re-established for the application to run rather than being left open.

Finally, you can use this article for guidance on planning the number of users/applications/devices per IP address. Note that these figures are only guidance, and different applications use ports differently. Monitoring is key!

Securing Access to Your Voicemail

Skype for Business offered a few different ways to access your voicemail messages. As they were stored in your Exchange inbox, you could use Outlook to read speech-to-text transcriptions, assuming the message wasn’t too long and the audio quality was good enough. You could also play the message in Outlook or a media player. Voicemail buttons in the Skype for Business client and on deskphones dialed your voicemail. Lastly, you could dial in to the Exchange server using a Subscriber Access number. As part of this dial-in, you may have had to enter a PIN to authenticate yourself.

With Teams, Exchange UM is no longer used and has been replaced by Cloud Voicemail. One of the features that’s not present in Cloud Voicemail is the concept of subscriber access. Honestly, I can’t say I miss it; with so many clients available that offer easier access to voicemail messages than mashing buttons to enter extensions and PINs, even if it were available I doubt I would ever use it.

Along with Subscriber Access not being present in Cloud Voicemail, PIN authentication is also not implemented. This is because every remaining means of accessing your voicemail already requires you to be signed in. This can cause some concern about voicemail being accessed from deskphones, but really there’s no change in what you need to do from a security perspective: the voicemail is only as protected as the signed-in device it is played on. If you leave your desk, lock your PC and lock your phone. Yes, that’s two things that need to be locked and unlocked. Hopefully we’ll see a “better together” experience that provides for automatic phone locking and unlocking when the Windows/Mac/Linux system you’re on is locked or unlocked.

If you have a stand-alone phone that needs voicemail, then you’ll need to use the lock function on the phone.

And finally, note that emergency calls are permitted from locked devices.

Conference Entry Tones/Announcements

I was working with a customer who wanted help setting up conference entry tones and announcements. There isn’t actually a lot to set up:

Bridge Settings

These are found under Meetings > Conference Bridges > Bridge Settings.

The most important thing to understand is that these settings apply to dial-in users, and not those users who join conferences through a Teams client.

The first setting is to turn on or off entry/exit announcements. Typically, this is useful when a large number of people dial in to meetings, or when you want an audio indicator that someone has joined a meeting.

The second setting allows you to select Tones or name announcement. If you select the option for a name, callers are asked to record their name before they join the conference.

The PIN length setting establishes how long a user’s dial-in PIN needs to be. It’s important to note that this isn’t the phone lock/unlock PIN, nor is it a voicemail PIN (Cloud Voicemail, at present, does not have PINs).

The last setting is straight forward – send an email to users if any of their dial-in settings change.

An important thing to note is that the tone/name announcement is played when dial-in users join a conference. If someone joins a conference via a Teams client, no tone or name announcement is played. When a tone/name is played, all participants hear it. This means that if you are the conference organizer and have dialed in, you will only hear tones and announcements for other people who dial in. This can be less than ideal; however, there is excellent roster functionality available in all Teams clients, including mobile.

And finally, note that these settings are not configurable on a per-meeting basis. They’re an all-or-none setting.

Update: It was announced in March 2020 that these settings will become configurable on a per-meeting basis!
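The same Bridge Settings can be read and set from PowerShell, which is handy when you want the change scripted or want a record of what the tenant-wide values were before you touched them. This is an added example, not code from the original post; it assumes the Microsoft Teams PowerShell module and a role permitted to change meeting settings. The parameter names are those documented for Set-CsOnlineDialInConferencingTenantSettings when this was written, so confirm them with Get-Help before running.

```powershell
# Added example, not from the original post.
# Assumes: Teams PowerShell module installed and an admin role that can change
# meeting settings. Parameter names per the cmdlet's documentation; verify with
#   Get-Help Set-CsOnlineDialInConferencingTenantSettings -Full
Connect-MicrosoftTeams

# Record the current tenant-wide dial-in settings before changing anything.
# Remember: everything here applies to every meeting in the tenant.
$before = Get-CsOnlineDialInConferencingTenantSettings
$before | Format-List EnableEntryExitNotifications, EntryExitAnnouncementsType,
                      EnableNameRecording, PinLength, AutomaticallySendEmailsToUsers

# Entry/exit announcements for dial-in callers, using recorded names, a 6-digit
# dial-in PIN (this is the conferencing PIN only, not a phone-lock or voicemail PIN),
# and an email to users whenever their dial-in settings change.
Set-CsOnlineDialInConferencingTenantSettings `
    -EnableEntryExitNotifications $true `
    -EntryExitAnnouncementsType UseNames `
    -EnableNameRecording $true `
    -PinLength 6 `
    -AutomaticallySendEmailsToUsers $true

# If the recorded-name prompt annoys callers, fall back to a tone only:
# Set-CsOnlineDialInConferencingTenantSettings -EntryExitAnnouncementsType ToneOnly -EnableNameRecording $false

# Confirm what is now in effect.
Get-CsOnlineDialInConferencingTenantSettings |
    Format-List EnableEntryExitNotifications, EntryExitAnnouncementsType, EnableNameRecording, PinLength
```

Keeping the "before" object around means you can put the previous values back with a second Set call if the customer changes their mind.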

Basic Calls with the MTR

Microsoft Teams Rooms (MTRs) are excellent devices for joining Teams meetings. However, you’re not always going to be in a meeting when you need to make or receive a call on an MTR, and it doesn’t always make sense to put a regular desk phone in the room or a speakerphone on the table. So what does the experience look like?

Receiving a call

Receiving a call is straightforward. First, you need to have a phone number assigned to the MTR, either through a Calling Plan or Direct Routing. Note that you don’t need to assign a phone number to your MTR if you’ll only use it in meetings. When the number is called, the device rings; you hit the answer button and the call uses the MTR’s speakers and microphone. This probably isn’t desirable if the room is already in a meeting, so have a look at turning on busy-on-busy.

Placing a call

Placing a call on an MTR is different than on a regular Teams phone. The major difference is that the call is placed via the audio conference bridge. This has two implications. First, an outbound call will consume minutes from your outbound conference minute pool. Second, the call will appear to be from the conference bridge number and not any DID that you’ve assigned to the MTR, so someone returning the call from their call history reaches the bridge, not the room.
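Turning on busy-on-busy for a room account, as an added PowerShell example (not from the original post). It assumes the Microsoft Teams PowerShell module, and the policy name and the room account boardroom@contoso.com are placeholders.

```powershell
# Added example, not from the original post.
# Assumes: Teams PowerShell module; "MTR-BusyOnBusy" and boardroom@contoso.com
# are placeholders for your policy name and room resource account.
Connect-MicrosoftTeams

# A dedicated calling policy for rooms: reject a second inbound call while the
# room is already on a call or in a meeting, instead of ringing the room speakers.
New-CsTeamsCallingPolicy -Identity "MTR-BusyOnBusy" -BusyOnBusyEnabledType Enabled

# Assign it to the room's resource account rather than changing the Global policy,
# so ordinary users keep their existing calling behaviour.
Grant-CsTeamsCallingPolicy -Identity "boardroom@contoso.com" -PolicyName "MTR-BusyOnBusy"

# Verify the assignment on the account.
Get-CsOnlineUser -Identity "boardroom@contoso.com" |
    Select-Object UserPrincipalName, LineUri, TeamsCallingPolicy
```

Policy assignment can take a while to propagate, so don't be surprised if the room still rings for a short time after the Grant.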

Teams Admin Roles

Teams, like SfB, has a concept of administrative roles. These roles control what you as an administrator can see and do. This helps secure the environment, and also simplifies things for the administrator. If you’re not in charge of Direct Routing, why even see that in the Teams admin center?

I didn’t understand the first docs.microsoft.com post that tried to explain these roles, and while they’ve improved the explanations and role descriptions, I thought a more thorough explanation might help others out. Here’s what my investigation found.

The four roles and a brief outline of what they do are:

  • Teams Service Administrator (since renamed Teams Administrator). This role manages the Teams service, and also allows the creation and management of O365 Groups, which are a core foundation for Teams
  • Teams Communications Administrator. This role can manage call and meeting functionality within Teams.
  • Teams Communications Support Engineer. This role can manage communication issues within Teams by using advanced tools.
  • Teams Communications Support Specialist. This role can manage communication issues within Teams by using basic tools.

If you’re more of a visual learner, here is what the four roles would see in the Teams Admin Center:

Teams Service Admin…

TACServiceAdmin

Teams Communications Administrator

TACCommsAdmin

The Teams Communications Support Specialist and Teams Communications Support Engineer see the same thing in the menu:

TACSpecEng

However they see different things when they drill down into things. Here’s what the Teams Communications Support Specialist sees:

TACSpecWide

and here’s what the Teams Communication Support Engineer sees:

TACEng

Note the highlighted part, showing that the Engineer role sees more advanced details suitable for their role.

PowerShell tells us a similar story. Here, the Teams Communications Support Specialist has no access to PSTN or voice commands:

PowerShell Spec

While the Teams Service Admin does:

PowerShellServiceAdmin

While these four roles don’t provide the same degree of flexibility and granularity (and complexity!) that was available in Skype for Business Server, you should ensure that you follow the principle of least privilege when assigning permissions to your support team. These are Azure AD directory roles, so they are assigned (and should be periodically reviewed) in the Microsoft 365 admin center or Azure AD, not inside Teams itself.
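A periodic review of who actually holds these roles is the practical side of least privilege. The following is an added PowerShell example, not from the original post; it assumes the AzureAD module and rights to read directory roles. The role display names listed are the ones in use when this was written (plus the newer "Teams Administrator" name), so adjust the list if Microsoft renames them again.

```powershell
# Added example, not from the original post.
# Assumes: AzureAD module installed and an account that can read directory roles.
# Role names are as displayed when this was written; adjust if they are renamed.
Connect-AzureAD

$teamsRoles = @(
    "Teams Service Administrator",
    "Teams Administrator",            # newer name for Teams Service Administrator
    "Teams Communications Administrator",
    "Teams Communications Support Engineer",
    "Teams Communications Support Specialist"
)

# Get-AzureADDirectoryRole only returns roles that have been activated in the
# tenant, so a Teams role that has never had a member will simply not appear.
$report = Get-AzureADDirectoryRole |
    Where-Object { $teamsRoles -contains $_.DisplayName } |
    ForEach-Object {
        $role = $_
        Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
            Select-Object @{ n = 'Role';   e = { $role.DisplayName } },
                          @{ n = 'Member'; e = { $_.DisplayName } },
                          UserPrincipalName,
                          ObjectType        # User, ServicePrincipal, Group...
    }

$report | Sort-Object Role, Member | Format-Table -AutoSize

# Quick check: anyone holding the broadest Teams role who is not a named admin?
$report | Where-Object { $_.Role -like "Teams*Administrator" -and $_.ObjectType -ne "User" }
```

Service principals or groups holding the Teams Administrator role are worth a second look, since membership of a group is often not reviewed as carefully as a direct role assignment.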

Cool Tool – What is My Tenant ID

In an organization running O365, every once in a while you’ll need to jump through hoops inside O365 or PowerShell to find your tenant ID. While it’s not that terrible, it’s certainly not speedy. If you’re a Microsoft Partner, you often need the Tenant ID for various Microsoft paperwork. It can be a hassle to collect this from your customer, or to get credentials set up early enough in the engagement process with them. For you, this is a lifesaver!

The brilliant folks at ShareGate came up with http://www.whatismytenantid.com. Enter any domain name associated with your tenant – including the .onmicrosoft.com:

Whatismytenantid

and a few nanoseconds later:

Whatismytenantid2

Note that if your browser window is smallish, you may get an ad that covers the ID and Copy to clipboard button, so hit maximize. And since this works with nothing more than a domain name, treat the tenant ID as public information, not as a secret or an authentication factor.
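You can do the same lookup yourself from PowerShell, which is useful when the site is unavailable or when you need the ID inside a script. This is an added example, not from the original post and not ShareGate’s code; it uses Azure AD’s public OpenID Connect discovery document, which returns the tenant GUID in its issuer value and needs no credentials. contoso.com is a placeholder.

```powershell
# Added example, not from the original post.
# Assumes: outbound HTTPS to login.microsoftonline.com; "contoso.com" is a placeholder.
function Get-TenantIdFromDomain {
    param([Parameter(Mandatory)][string]$Domain)

    # Any verified domain of the tenant works here, including the .onmicrosoft.com one.
    $uri = "https://login.microsoftonline.com/$Domain/.well-known/openid-configuration"
    try {
        $config = Invoke-RestMethod -Uri $uri -Method Get
    } catch {
        # A domain that is not verified in any tenant yields an HTTP 400 with an AADSTS error.
        throw "No Azure AD tenant found for '$Domain': $($_.Exception.Message)"
    }

    # issuer looks like https://sts.windows.net/<tenant-guid>/
    $guidPattern = '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
    if ($config.issuer -match $guidPattern) {
        return $Matches[0]
    }
    throw "Unexpected issuer value '$($config.issuer)' for '$Domain'"
}

# Usage:
Get-TenantIdFromDomain -Domain "contoso.com"
```

Because this endpoint answers anyone, it also illustrates why a tenant ID must never be relied on as a secret.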