Author: Adam Fowler

Migrating Phone System from Skype for Business to Microsoft Teams

I thought I’d document a few lessons learned in this migration. The migration was from Skype for Business Server 2015 and Skype for Business 2016 clients with Enterprise Voice, moving users across to Microsoft Teams.


The steps to migrate a user for me were:

  1. Add user to AD Group “Azure AD Licensing Telstra Calling for Office 365” as this allocates a Telstra Calling for Office 365 license. These licenses are bought from https://marketplace.telstra.com/ and feed into Microsoft 365. I believe this is unique to Australia.
  2. From Skype for Business Server Management Shell:
    $cred=Get-Credential
    $url="https://adminau1.online.lync.com/HostedMigration/hostedmigrationService.svc" (different links here for different countries)
    Move-CsUser -Identity userupn@contoso.com –Target sipfed.online.lync.com -MoveToTeams -Credential $cred -HostedMigrationOverrideUrl $url

    set-csuser -identity userupn@contoso.com -LineURI $null
  3. Form a machine with the Teams PowerShell Module installed:
    $Session = New-CSOnlineSession -OverrideAdminDomain yourdomain.onmicrosoft.com
    Import-PSSession $session –AllowClobber
    Set-CsOnlineVoiceUser -Identity userupn@contoso.com -TelephoneNumber 61812341234
    Grant-CsTeamsUpgradePolicy -PolicyName UpgradeToTeams -Identity userupn@contoso.com
  4. Configure call forwarding in Gateway (Pilot Users only that were being given a new number out of our normal number range)

EHR Error on Teams Portal

We can’t get details of EHR usage. Please try again. If you continue to have problems, contact Microsoft customer support.

Seeing this error everywhere on the Teams Admin portal, unsure what the cause/fix is yet. It ended up disappearing by itself after a few weeks *shrug* – you’ll see this theme is common around portal errors.


Dial Plans error


We can’t get the effective dial plan so the dial plan can’t be tested.

Going into any Dial Plan brings up this admin portal error, as well as trying to run a Test Dial plan test:

Something went wrong while testing this phone number. If you continue to have problems, contact Microsoft customer support.

This problem was another portal issue – logged a case which Microsoft confirmed was at their end, and a few weeks later they’d resolved it.


Create Resource Account error

We can’t save changes to ___

When creating a Resource Account used for Auto Attendant or Call queues, I was getting a very unhelpful error. I believe this is because I’m running in hybrid mode, so Teams can’t create an account on my primary domain – changing the domain to @contoso.onmicrosoft.com then let me create the Resource Account.

This problem also disappeared later and now I can create accounts on my primary domain – put it down to another portal issue.


Desk Phones requiring PIN

Phones would be registered in Intune, because they’re running Android – and that means any ‘all user’ Android policy would apply.

I’ve since created Dynamic Device Groups and filtered by DeviceModel and DeviceOSType – only testing the Poly CCX500 at this stage, but will add more models as we get them. Also filtering by OStype which is not really necessary, but does make sure it’s only Android devices affected.

(device.deviceModel -eq "CCX500") and (device.deviceOSType -eq "Android")

If you use a test account 20 times, that account will hit its device limit in azure and get locked out.


Skype for Business users unable to call Teams users

Early in migration, we tested interoperability between the two platforms, as it wasn’t going to be an overnight company wide migration. A Skype for Business user trying to call a migrated to Teams user would instead get diverted elsewhere. This was because we had Unassigned Number range rules in place, that were designed to send calls somewhere if it wasn’t allocated to anyone. Removing these rules immediately fixed this issue.


Home Screen on Desk Phones Laggy

The default experience if the phone supports it, is to show a home screen. More details on what the Home Screen is here. This is in CsTeamsIPPhonePolicy with the default value ‘AllowHomeScreen’ set to ‘EnabledUserOverride’. Changing this to Disabled via the PowerShell command:

set-CsTeamsIPPhonePolicy -allowhomescreen Disabled

removed this. I like the idea of the Home Screen, but not at the cost of a fast functioning phone vs a slow one.

I later found out this is due to the 1GB RAM on some devices, and Teams now (at the time of writing) uses > 1GB RAM, and then the Home Screen uses even more RAM. Trying a phone model with 2GB RAM this all worked perfectly.

I believe this is also fixed now, but it took Microsoft about 5 months to resolve.


New Desk Phones not signing in

Testing the Poly CCX500 model, some wouldn’t sign in to Teams out of the box. As soon as I tried to sign in, they’d say:

‘Error Could not sign in. You will need to sign in again. If you see this message again, please contact your company support. OK’

I spent so long on this, unsuccessfully trying to update the firmware via USB etc. In the end, turning off the ‘DHCP Time’ setting under ‘Device Settings’ made it work – I assume it had some problems contacting a NTP server (settings appeared correct in the DHCP scope of the phone). Someone else found the same issue here, but this was due to the phone running a very old v1 firmware. This shouldn’t affect most people, but worth noting.


Microsoft News and interests Taskbar Icon in Windows 10

Microsoft is now rolling out their News and interests taskbar icon, which was announced back in April on TechCommunity.

I’ve seen this turn up in the last day on both my home PC and work PC – the work PC being configured to get updates immediately from Windows Updates for Business.

If you don’t want this at all, you can disable via Group Policy or Intune.

Group Policy

If you want to disable this with a Group Policy setting, you’ll need to get the latest ADMX files updated 7th May 2021 from Microsoft. These will contain a new ‘feeds.admx’ policy definition file, but it’s just a single enable/disable setting:

You can do either of the registry settings recommended by Ben below – the first being a user config setting and the second being a machine policy that users couldn’t change in any way. The second registry setting is the same as what Group Policy is setting above.

For more granular control on disabling or enabling options in it, the registry entries live in:

Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Feeds

From here, if you wanted to disabled ‘Open on Hover’ you’d use this value:

ShellFeedsTaskbarOpenOnHover : 0 (off) or 1 (on)

Intune

Intune is covered on the TechCommunity article and is just setting ‘Enable News and interests’ to ‘Allowed’ or ‘Not Allowed’

Microsoft also has an end user support article on News and Interests, which covers end user configuration, how they can turn it off, personalisation options and other user advice.

Update UPN from AD to Azure AD

When there was a name change in Active Directory (AD), we used to update the Universal Principal Name (UPN) in AD, then separately run the Set-MsolUserPrincipalName command to update Azure AD to the same UPN. Except, it no longer worked – I was now getting an ‘Access Denied’ message.

When trying to update the UPN via the Microsoft 365 admin center, it would correctly advise that the object was homed in AD, so changes needed to be made there. Except, they were, and Azure AD Connect was even reporting that it had seen the update and sent it off to Azure AD, no errors.

After some investigation, I found that there is now an option to allow ‘Synchronize userPrincipalName updates‘ which is off in older tenants. To check and update this:

In PowerShell, first install and connect to MSOLService. Then to check the status if UPN updates will sync and update:

Get-MsolDirSyncFeatures -Feature SynchronizeUpnForManagedUsers

If it’s $true, you’re already set. If it’s $false, update the value to $true with this command:

Set-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers -Enable $true

In my testing, running another Azure AD Sync (both delta and full) did not resolve any already updated UPNs. I had to change the UPNs to a temporary value, sync, then change them back to the original value I wanted, and sync again. The update was instant in Azure AD once the sync had run each time.

Poly Studio P15 Review

Poly kindly sent me a new piece of hardware to review – the Poly Studio P15. It’s on of the devices in their ‘Poly Studio P Series‘ which only came out early in 2021. These devices are personal video devices, but aimed at the higher end of the market. It includes the Poly Studio P5 Webcam (or kits that include the webcam and a headset or speaker), the Poly Studio P21 Personal Meeting Display, and this Poly Studio P15.

Although you could call the Poly Studio P15 a webcam, Poly calls it a Video Bar. Which I think is fair enough – it’s 42.5cm long (17 inches). On a standard 24″ monitor it extends above a lot of the screen, but luckily on my 43″ it is quite a good fit. The mechanism that balances the device on top of the monitor is quite adaptable – with both an adjustable kicker, as well as being able to slide the base forward or backward means that I could get it quite stable, without getting in the way of my actual display area.

Out of the box, beyond the video bar and kickstand, is a USB-C cable, and a power pack. The lens itself can be rotated to open/close the lens cap. Once plugged in to power and the compuer via USB-C, that’s all that’s needed for the camera to show up in Windows 10; no extra software is required to make it function, but if you want to change settings or run updates, you’ll need the Poly Lens app.

The Poly Studio P15 specifications are below.

CAMERA
• Ultra HD (4K 16:9, 2160p), Full HD (1080p), HD (720p)
• 90° DFOV
• Personal conference view with auto-framing
• True color and low light compensation
• Electronic zoom up to 4x
• Manual pan, tilt and zoom control through Poly Lens Desktop App

AUDIO
• Poly Acoustic Clarity technology provides full-duplex conversations, acoustic echo cancellation and background noise suppression
• Poly NoiseBlockAI technology
• Poly Acoustic Fence technology
• Microphones: 3-element beamforming microphone array
• 50 Hz to 14 kHz frequency response

SPEAKER
• 100 Hz to 20 KhZ frequency response
• Output: 80 dBA @ 1000 Hz @ 1 meter at maximum volume

INTERFACES
• 1x USB 3.0 Type-C port (with USB 2.0 compatibility)
• 2x USB 2.0 Type-A ports
• Power connector
• Kensington security lock

POWER REQUIREMENTS
• External DC power supply: 12V/3A

SYSTEM REQUIREMENTS
• Windows 8.1, 10
• Mac OS 10.10 or higher
• USB 3.0 required for 4K video

DEVICE DRIVER SUPPORT
• USB 2.0/3.0/3.1
• UVC/UAC Plug and Play Compatible

COMPATIBILITY
• Certified for Microsoft Teams and Zoom applications
• Compatible with any application that supports standard USB/UVC standards

MANAGEABILITY
• Cloud: Poly Lens service
• Local (Windows/Mac): Poly Lens
• Desktop App

OTHER FEATURES
• Integrated privacy shutter
• Adjustable monitor clamp
• Tripod ready
• USB-A ports built-in for wireless headset adapter or other peripherals as USB hub
• Status LED indicates calling and mute state

DIMENSIONS
With monitor clamp:
• 17 W x 3 H x 3 D (Inches)
• 425 W x 70 H x 78 D (MM))
Without monitor clamp:
• 17 W x 2.5 H x 3 D (Inches)
• 425 W x 65 H x 78 D (MM)

OPERATING CONDITIONS
• Temperature: 0° C to +40° C
• Relative humidity: 5% to 95% relative humidity, non-condensing
• Altitude: Up to 10,000 ft

PACKAGE CONTENTS
• Poly Studio P15 USB video bar
• Removable monitor clamp
• Power supply
• Power cord
• USB-C cable (separate adapter required to connect to USB-A port on PC/Mac, not included)
• Setup sheet

WARRANTY
• 2-year limited warranty included
• Poly+ enhanced support available

Due to the camera’s 4K resolution, it can use digital zoom to still produce a high quality 1080p result. Below I’ve taken a screenshot of the auto-framing to my face, vs turning the tracking mode off to show the full field of view the camera can pick up. Again, this works out of the box without the app which is nice.

To be able to change these settings however, you’ll need the Poly Lens app, which is a free download. It doesn’t need you to sign in, but will provide firmware updates to your Poly devices, along with configuration options around back light compensation, zoom, camera movement, tracking speed and frame size. These settings let you fine tune how the video bar acts with it’s automatic controls.

Other settings worth noting are the Poly Acoustic Fence which creates a virtual bubble around the device, and sounds outside the bubble aren’t heard. I’ve liked a Poly video below around this. There’s also the NoiseBlockAI option which block sounds like typing – which I can confirm nobody could hear me typing on my mechanical keyboard while on an audio call, which was nice rather than wearing a headset for once.

The audio quality that comes out of the video bar I thought was really clear – you can also adjust the bass and treble levels to your liking.

One little bonus I saw in the Poly Lens app was the Soundscaping option – if you want the background noises of the gentle ocean, a babbling brook or a mountain ranch (which sadly isn’t cowboys and cowgirls saying ‘howdy partner!’ with horses neighing, just more water running):

Anyway, the Poly Studio P15 is really a high end device for the home professional that doesn’t want to muck around with trying to get the right angles, or worrying about being out of shot. The videobar sorts all this out for you, while being configurable enough to give some controls around those smarts. It also doubles up as just a really good speaker, and for an environment particularly at home where you might have outside noises or unwanted visitors, turning on the Poly Acoustic Fence can save the people you’re talking to from interruptions and distractions. There’s also two USB 2.0 ports on the back, in case you have other devices to plug in like headset USB dongles.

A really cool solution with some extra bells and whistles to justify upgrading from an average webcam.

SMTP to Exchange Online

SMTP is still needed by certain applications and devices, such as printers, which don’t support Modern Authentication and instead require legacy authentication to talk to a SMTP server.

You are able to use Exchange Online as an SMTP server, but this can be tricky to set up if you’ve hardened your environment by requiring Multi-factor authentication through Security Defaults or Conditional Access.

Microsoft have good documentation on “How to set up a multifunction device or application to send email using Microsoft 365 or Office 365” with the recommended approach to use SMTP, but you may need to poke some security holes through your environment.

Assuming you can get out through your firewalls on port 587 or 25 for SMTP, you’ll need to turn off Azure AD Security Defaults if you have them on. If you do this, understand what you’re turning off and rebuild those same settings in Conditional Access. If you have them off, then you should have Conditional Access policies already.

Personally, I have a ‘Block Legacy Authentication’ conditional access policy which as it says, blocks legacy authentication. For an account I want to send emails from via SMTP, I add it as an exception to this policy.

I then have a second policy ‘Allow Legacy Authentication Internal Only’ which I then target this user at, which still blocks legacy auth unless it’s coming from a trusted IP address. These two rules together then block all users from legacy auth, except the ones on the second policy, and then only if they’re coming from inside my network. The goal of this is to prevent anyone externally using spray attacks against accounts to gain a username and password – although they couldn’t log in anywhere beyond SMTP due to MFA policies, they could still start sending emails that would be from a legitimate email address.

If you have IPs restricted on Exchange Online connectors, that does not appear to affect SMTP auth and you shouldn’t need to add your internal IPs there.

The account you want to use for SMTP sending must have a mailbox license, I use ‘Exchange Online Plan 1’ for one of the cheaper options that is pure mailbox. The SMTP settings are listed here.

You also need to allow SMTP auth across your organisation (not ideal), or on a per account basis (much better security wise, plus it overrides the org default – so you can disable at org level and allow at account level). Microsoft Docs covers this in detail but the command (which requires connecting to Exchange Online via PowerShell first) to allow on a single mailbox is:

Set-CASMailbox -Identity sean@contoso.com -SmtpClientAuthenticationDisabled $false

Once these policies and licenses is in place, you can test. The easiest way I found was a 1 liner PowerShell command. You must use the source mailbox’s account as the from address:

Send-MailMessage –From account@contoso.com –To test@contoso.com –Subject "Test Email" –Body "Test SMTP Service from Powershell on Port 587" -SmtpServer smtp.office365.com -UseSsl -Port 587 -credential $madeupvariable

When testing, I found that after changing the Conditional Access rules to let a specific account go through as legacy auth took several minutes. Azure AD logs also take several minutes to show auth attempts, so don’t rush and change too many things at once trying to do this.

Ideally, nobody would be using SMTP – but in the real world we still have to, so the above will at least keep login records in Azure AD, and limit it to trusted IPs, certain accounts, or any other Conditional Access rules you can come up with to reduce the risk of allowing this.