Configuring Skype for Business Online
Piloting Skype for Business Online
Deploying the Skype for Business Client
Deploying Skype for Business Online
Administering Skype for Business Online
Integration with on-premises Skype
In this chapter, you learn how to deploy Skype for Business Online (SBO) as well as how to administer it. If you jumped ahead to this chapter, please review Chapter 15, “Skype for Business Online Concepts and Implementation,” first, because many of the concepts you need to understand in this chapter are reviewed in that one. SBO, set up and configured, does not require nearly as much administration as Exchange Online or SharePoint Online, but that doesn’t mean you just want to deploy it and see what happens. Ensuring that you have set up your service and configured your clients properly is the best way to ensure that you get the most out of SBO.
Start with what you need to administer SBO. There is no role-based access control (RBAC) or delegated administration in SBO. If you are a global administrator in the tenant, or if you have been configured in customized administration as a Skype for Business administrator, then you can administer SBO.
To grant someone the specific workload administrator capabilities for SBO, use the Office 365 Admin Center portal as follows.
You can also use Windows PowerShell to view the membership of these administrator groups and add members to them. When you are connected to your tenant, run the Get-MsolRole command to view all the available administrative roles in your tenant (Figure 16-2). Note the highlighted line.
Remember that Skype for Business evolved from Lync, and the internal naming still reflects that. You can view everyone who is a Lync service administrator by running the Get-MsolRoleMember -RoleObjectID 75941009-915a-4869-abe7-691bff18279e | fl command. The ObjectID in your tenant should be the same as any other, but verify it with the Get-MsolRole cmdlet to be sure. As shown in Figure 16-3, there are two members in the SBO Admins group, Allison Brown and Don Funk.
Remember that members of the tenant Global Admins group have SBO administrative rights, even though they won’t show up as members of the Lync Service Administrator group.
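An added example, not from the book: a PowerShell audit that lists every account holding SBO administrative rights, including the global administrators who do not appear in the Lync Service Administrator group. It assumes Connect-MsolService has already been run and that the MSOnline module lists the global administrator role as Company Administrator.

```powershell
# Added example: who can administer SBO in this tenant?
# Assumes Connect-MsolService has already been run against the tenant.

# "Company Administrator" is the MSOnline module's name for the
# tenant global administrator role.
$roleNames = 'Lync Service Administrator', 'Company Administrator'

$members = foreach ($name in $roleNames) {
    # Resolve the role by name rather than hard-coding its ObjectId.
    $role = Get-MsolRole -RoleName $name
    if (-not $role) {
        Write-Warning "Role '$name' was not found in this tenant."
        continue
    }

    Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
        Select-Object @{ Name = 'Role'; Expression = { $role.Name } },
                      ObjectId, DisplayName, EmailAddress, RoleMemberType
}

# One row per account, listing every role that gives it SBO rights.
# Grouping on ObjectId keeps members without an e-mail address apart.
$members |
    Group-Object ObjectId |
    ForEach-Object {
        [pscustomobject]@{
            DisplayName  = $_.Group[0].DisplayName
            EmailAddress = $_.Group[0].EmailAddress
            MemberType   = $_.Group[0].RoleMemberType
            Roles        = ($_.Group.Role | Sort-Object -Unique) -join ', '
        }
    } |
    Sort-Object DisplayName
```

Run it on a schedule and compare the output with the list of people you expect to hold these rights; an unexpected row is worth investigating.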
When you have the appropriate rights, you’re ready to start configuring SBO for your users. Most of what you do you do only once as a part of your initial configuration. Needs might change and require you to make adjustments, or you might want to start rolling out features slowly, but barring changes, the settings you make generally apply to all users in the tenant and are the settings you use going forward. You can use the Skype Admin portal or Windows PowerShell to administer SBO.
To open the Skype Admin Center, log on to the Office 365 Admin Center portal and navigate to the Skype Admin center. Here’s how to get there.
From here, you can see an overview of your tenant and navigate to the various areas for configuring SBO. The dashboard shows you how many users you have licensed for SBO and enabled for dial-in conferencing and how many are cloud users or synced from your on-premises Active Directory. You can also see your organization name, organization ID, creation date, whether sync is enabled from on-premises, and your organization domains, which are configured for Session Initiation Protocol (SIP). From here, the chapter examines each of the areas to configure in the portal.
The Users section lists all the users in your tenant who have been licensed for Skype for Business Online. Remember, that is done in the tenant admin center by a Global Admin or a User Account administrator. To appear in this section, a user must be licensed, and they must have no settings that might prevent them from syncing to SBO.
You probably won’t spend a lot of time administering users in the Users section. If you find that you need to do this, consider what you are doing and why. In the Users section, you can edit the individual details for one or more users, but you should probably either be making those settings globally for your organization or assigning policies to users through Windows PowerShell. If you do need to manage settings for one or more users, and want to use the GUI, select them in the portal and then click the Edit button. Here is what you can do in the Users section.
Under the General settings for a user, you can control audio and video settings, disable their ability to record conversations and meetings, and disable data transfers. Figure 16-5 shows the settings for a user whose default values have not been changed.
The first setting is Audio And Video, as shown in Figure 16-6. You can select the following options from the drop-down menu.
Audio And HD Video is the default setting, which enables users to use both audio for voice and video for conferencing up to the full bandwidth their hardware and network connection can support. That can use up to 200 Kbps for audio and up to 50,000 Kbps for video. HD video shouldn’t consume more than 4096 Kbps per feed, but a conference with several users, all of whom have HD cameras, can use a lot more. Audio And Video still permits both but limits the video bandwidth consumed to a maximum of 1000 Kbps. Audio Only enables audio but disables video, whereas None disables both.
Record Conversations And Meetings is enabled by default. Clear that check box if you don’t want to permit a user to record conversations or meetings.
For Compliance, Turn Off Non-Archived Features is off by default. That means that users can use SBO to transfer files over instant messaging (IM) and share OneNote pages and annotations to Microsoft PowerPoint decks. Because these methods of file transfer are not logged or archived, you might need to disable them if your organization must track all data transfers.
External communications enables users to communicate with others outside of your organization, assuming you have configured your SBO tenant to allow this. At the tenant level, this is off by default, so you don’t have to do anything here if you are not going to configure connectivity to external systems, but if you do want to permit your organization to communicate with other SIP systems, including consumer Skype, yet prevent a user from doing so, this is where you configure those exceptions. By default, all users can communicate with external Skype for Business users and external Skype users after you configure the tenant to permit this. Figure 16-7 shows the options set to permit external federation with both other Skype for Business organizations and the consumer Skype service.
Again, you need to clear those check boxes only if you have permitted external connectivity at the tenant level but want to block a specific user from being able to use that. If it’s permitted here (which is the default) but you have not explicitly enabled external connectivity for the tenant, they cannot communicate with other organizations or consumers.
If you have E5 licenses or subscribe to the SBO Dial-in Conferencing Service separately, you can configure the dial-in conferencing provider and toll and toll-free numbers, reset a user’s PIN, and allow or block anonymous callers in meetings. Figure 16-8 shows these settings.
You have a choice of conferencing providers. If you choose one other than Microsoft, you need to have established service with that provider because that is separate from Skype for Business Online. With Microsoft as your provider, several toll numbers are available across various countries. You can establish a toll-free number for people to dial into, but that incurs additional cost.
Note that the default is not to allow unauthenticated callers to enter a meeting. Unless you select that box, anyone who does not authenticate to SBO, either by using the client or dialing in and using their own PIN, will wait in a lobby until the first authenticated user joins. At that point, all dial-in users are admitted to the call.
You will probably spend the most time here for any user, because this is where you can reset their PIN and generate an email to send them their conference information. This is the same information, minus their PIN, that is appended to any meeting invite they create for an SBO meeting.
The Organization section includes settings that affect your entire organization. Although specific user settings might prevail, if you haven’t made any specific user settings, these apply to all users.
The General tab includes settings for Presence and for push notification to mobile phones. By default, all SBO users’ presence displays to anyone. The other option is to show presence only for a user’s contacts. A user can override this setting with specific settings in the SBO client, but this controls the default behaviors for your tenant if your user does nothing. Figure 16-9 shows the default settings. Remember that users can override what presence information is displayed in their client.
Mobile phone notifications controls whether to use push notifications to mobile clients for incoming IMs, voice mail messages, and missed calls and chats. There are two options, both of which are on by default. The first is to use the Microsoft Push Notification Service, and the second is to use the Apple Push Notification Service. If you leave these on, users can enable or disable notifications on their mobile device, but if you turn them off, they are not available for users at all. Figure 16-10 shows both notification types enabled, which is the default.
External communications includes important settings for you to consider. These options should be set before the first user is enabled for SBO. By default, SBO is a closed system. Users within the tenant can communicate with one another, but no external parties are accessible. However, if you want your users to be able to communicate over IM, voice, and/or video, and to see presence for users in another organization, you can set up Skype federation. You can also set up federation with the Skype consumer service so your users can communicate with users of that public system. This can be very useful for customer service, human resources (HR) functions, and enabling your users to stay in touch with friends and family.
Some organizations might be very open to federation, whereas others might want to control it more tightly or even prevent it completely. Settings here affect the entire organization, but you can permit federation and then restrict specific users from using it. What you cannot do is say that a user can communicate with others in SIP domain X but not SIP domain Y, whereas another user is blocked from SIP domain X and can communicate with SIP domain Y. It can take up to 24 hours for changes in this section to propagate fully throughout the system, so you don’t want to deploy one setting and then change your mind.
In external access, the default is for it to be Off Completely. With this setting, your SBO tenant is a self-contained island. Your users can communicate using SBO with one another, but with no one outside your organization. If set to On Except For Blocked Domains, your user can communicate with other users in any Skype for Business or Lync system that permits external communications, except for those SIP domains you explicitly block. If set to On Only For Allowed Domains, you explicitly add those domains with which you want to have Skype federation. Figure 16-11 shows the external access settings when set to permit federation.
Federation between two SIP organizations, such as two Office 365 tenants or an Office 365 tenant and an on-premises deployment of Skype for Business, is fairly easy to set up, but it does require both SIP organizations to configure the federation. If both organizations use On Except For Blocked Domains, they can communicate, but if one or both of the organizations is using On Only For Allowed Domains, it will have to add the other SIP domain into its allowed list.
You can configure telephone numbers and other settings in the Voice section if your organization has purchased PSTN services as part of its Office 365 subscription. Customers in the United States can purchase Skype for Business PSTN Domestic Calling or Skype for Business PSTN Domestic and International Calling. Different countries regulate their telephony industries differently, so different options might be available or, in some cases, none at all. If your organization is U.S.-based but has users in different countries, you might not be able to assign some or any of the features for Voice and Call Routing because laws vary from one jurisdiction to another, and it’s where the user is based, rather than where the tenant is provisioned, that governs this. Assuming that your tenant is a North American tenant and your company is U.S.-based, and you purchased one of the calling plans, you will see three sections under Voice.
In the Phone Numbers section, if you have a PSTN Calling license, you can assign specific Direct Inward Dialing (DID) telephone numbers to your users and for services. Users, conference room phones, and individual devices can have their own DIDs, called user numbers, and you can get service numbers for conference bridges.
Cloud PBX capabilities enable you to configure voice users for outbound and inbound calling with PSTN connectivity. You might have more users than you have DIDs or users who only need to make outbound calls, or you might want to limit the users who can make calls outside of your organization.
If you have an on-premises connection to the telephone network through a Public Branch Exchange (PBX), you would configure those settings here. This requires you to have configured Skype for Business hybrid connectivity between your Office 365 and your on-premises Skype environments so that cloud users can connect to the telephony network through on-premises hardware (a discussion that is outside the scope of this book).
Call Routing, relevant only if you have a dialing plan, enables you to set up both auto-attendants and call queues.
The Auto-Attendant feature is an automated system that answers the phone, plays a recorded greeting, and then offers callers a menu of choices they can navigate to reach a particular person, department, or other options. You probably have encountered one when calling a company and then promptly held down the zero button on your phone to connect to a person. If you have one or more DIDs, you can create an auto-attendant by clicking the Add New button. Here’s how you can set this up.
In Business Hours Call Handling (which means during the time you selected in the previous menu, including 24/7), you can build out a menu. You have the option of using text to speech or of uploading an audio file for the company greeting, and you can add up to nine menu choices for where to route a call. These can be to individual users, to call queues, or to other auto-attendants if you need another level of menu options. You can set this as shown in Figure 16-15.
Figure 16-16 shows how to upload a prerecorded message in MP3, wave (WAV), or Windows Media Audio (WMA) and then how to disconnect the call.
By default, this includes all users enabled for telephony, as shown in Figure 16-17.
Call queues enable multiple callers to dial in to a single number to reach any one of a group of people. You might use a queue for your help desk, customer service, or any other department with a high volume of incoming calls, when the next available person should be able to address the caller’s needs. To create a call queue, select the Call Queues tab and fill out the appropriate options. Note that in a call queue, there is no text to speech, so you must upload an audio file for the greeting. You can also upload a file for Music On Hold and set values for the maximum number of callers in the queue, the maximum amount of time callers can wait before being forwarded or disconnected, and what to do if the maximums are reached, such as forwarding to a voicemail. Figure 16-18 shows these options.
The next section of the SBO admin portal is Dial-In Conferencing. If you did not purchase E5 licenses or the optional Skype for Business Dial-in Conferencing add-on licenses, you won’t use anything in this section, but if you did, this is the section where you can determine information for your organization and set specific values.
The Microsoft Bridge section displays the telephone numbers activated for your service in each country that is available. It also shows you the primary language and enables you to set a default. In Figure 16-19, Chicago is selected, and you can click the Set As Default link on the right if that is the number you want to use for your default. Just above that, Los Angeles is currently the default.
At the bottom of this page, a link to configure third-party audio conferencing providers appears, as shown in Figure 16-20.
If you already have a conferencing provider, you can use the Click Here link to import and export your user settings from another provider. Remember that this requires you to have conferencing services from that provider, which will include additional charges.
Use the Microsoft Bridge Settings tab to configure the meeting join experience as well as the minimum PIN length for users to log on to their conference bridge. By default, notifications are turned off in all meetings. Meeting owners can turn that on for their meeting and, if they do, this setting determines whether an announcement or a tone is played when someone enters or exits a meeting. With Names Or Phone Numbers selected, you can prompt users to record their name before joining. As an alternative, you can choose a simple tone to be played, although this feature is in preview and might not be available yet in your tenant. Figure 16-21 shows the options to enable notifications and to prompt users to record their name and then to press the pound key.
Each dial-in conferencing user has a PIN that identifies them to the system when they dial in from a landline or mobile phone rather than using the SBO client. In the Security section, you set the PIN length. The default is 5 characters, shown in Figure 16-22.
The last section for Dial-In Conferencing is the Dial-In Users section. This shows your users, the default toll and (optionally) toll-free numbers assigned to them, and their conference ID. If you select a user and then click the Edit button, you see the same interface as you would if you went through Users and then selected the Dial-In Conferencing settings for that user, as shown previously in Figure 16-19.
You can use the Online Meetings page to set up options for online meetings and include your company-specific branding, disclaimers, and links. You also configure Skype Meeting Broadcast settings here.
Meeting invitations can be branded to make them more identifiable and to customize other details. You can include the company logo by providing a link to a graphic file hosted on one of your servers. You can also include custom links to Help and Legal Disclaimer pages you host on a web server. Figure 16-23 shows these options.
Completing the information shown in Figure 16-23 creates a meeting invite that looks like the one in Figure 16-24.
Remember that SBO meetings have a maximum of 250 attendees, but Skype for Business Meeting Broadcast can support up to 10,000 attendees. You can use broadcast meetings to support town hall–type meetings, public webinars, investor briefings, and so on. To use Skype for Business Meeting Broadcast, you have to enable it and configure a few settings. Figure 16-25 shows this setup.
The Tools page includes links to several online tools to help SBO administrators manage or troubleshoot potential issues with SBO.
The Troubleshooting tool is a shortcut to https://support.microsoft.com/en-us/help/2541980/how-to-troubleshoot-sign-in-issues-in-skype-for-business-online, providing tips for troubleshooting sign-in issues, including verifying credentials and network connectivity.
The Connectivity Analyzer tool links to an older Lync Connectivity Analyzer tool for Lync Server 2013 that has been deprecated. Expect to see this link removed soon.
You can use the Remote Connectivity Analyzer tool to diagnose logon and Autodiscover issues.
This tool simply links to the page that shows you how to enable external federation to other SBO organizations as well as to consumer Skype.
The Call Quality dashboard (CQD) provides great information to help you diagnose call quality issues. You can diagnose trouble users might be having that are associated with latency, packet loss, the use of TCP, poor Wi-Fi connectivity, using older clients, poor hardware, and more. See Figure 16-26.
Use Call Analytics, currently in preview mode, to search for specific users and view the quality details of their calls and meetings over the past seven days. You can use this to correlate reports of quality issues against actual metrics and troubleshoot issues. This feature is extremely helpful when someone complains about a specific call. Where the CQD gives you aggregate details, Call Analytics focuses on a specific user’s exact call to determine what was wrong.
The Reports section contains three reports specific to SBO.
If you have a dial plan, this is the call details record for your tenant. It reports the user location, user ID, phone number, caller ID, call type, whether it was a domestic or international call, the destination number dialed, the number type, the start time, the duration, the charge, the currency, and the capability of each call. You can use this to check user activity or reconcile your bill. It can also be exported to Microsoft Excel for further analysis, internal chargebacks, and so on.
The Users Blocked report shows you which numbers users have blocked, including the time and any supplied reason for the block.
The Session Details report enables you to examine specific time frames for specific users. You can see whether it was an audio or a video call, the start and end times, and the client versions for each participant as well as the Conference URL if it was a meeting rather than a direct call. A sample is shown in Figure 16-27.
The Skype for Business Online Admin Center is where most of your administrative work takes place, assuming you will use the default settings provided in SBO. If you want to customize certain policies or restrict your users from certain capabilities, Windows PowerShell is how to do it. You can download and install the Skype for Business Online PowerShell module on your computer; it uses the same setup as you have already performed for managing Exchange and Azure Active Directory through Windows PowerShell. To manage SBO by using Windows PowerShell, follow these steps.
$credential=Get-Credential
A credential dialog box appears; type your UPN and password.
$session=New-CsOnlineSession -credential $credential -verbose
Text confirming the domain, which is derived from your UPN, and the endpoint for your SBO tenant appears.
Import-PSSession $session
There is a significant amount of documentation online for managing SBO by using Windows PowerShell. You can find detailed information in “Using Windows PowerShell to manage Skype for Business Online” at https://technet.microsoft.com/library/dn362831.aspx. The following sections in this chapter focus on what you might actually need to do when getting SBO set up for your users if the default settings are not to your liking. You can apply these policies to some or all of your users, modify settings in them, or create your own. It’s safer if you create your own rather than modifying an existing policy, because you might want to fall back to the manufacturer’s settings, so consider that if none of the included policies meets your needs. As an alternative, export the settings to a text file before you make changes so you can set things back if you need to.
There are two challenges in modifying and applying policies with Windows PowerShell. The first is that many settings are exposed through Windows PowerShell that are not exposed through the GUI. If different groups of admins are provisioning users, make sure that policies are applied to SBO users consistently. Make sure your workflow includes steps for someone to apply any settings or policies that require Windows PowerShell, or script the provisioning so that even those admins who are only comfortable using the GUI can easily apply policies that require Windows PowerShell. The second challenge is that in many cases, policies you wish to apply are not the default. So again, ensure that your workflow includes steps to ensure that the appropriate policies are applied for each of your SBO users before they log on to the service for the first time.
Client policies control a number of settings related to how the SBO client works and what functionality is available or restricted for a user, including such things that, if left to default, might go against your organization’s security or retention policies. Although many client policies are included with SBO, and many settings are contained within them, this chapter focuses on the things customers who want to be a little more circumspect than the default client policy allows most commonly request.
The ClientPolicyDefault client policy is what users get initially. You can view the settings for this policy by using the cmdlet
Get-CsClientPolicy -identity ClientPolicyDefault | fl
From that command, the defaults are as follows.
Identity : Tag:ClientPolicyDefault
PolicyEntry : {Name=OnlineFeedbackUrl;Value=http://aka.ms/skypefeedback, Name=SendFeedbackUrl;Value= , Name=EnableTraceRouteReporting;Value=TRUE, Name=PrefetchConfInfo;Value=TRUE...}
Description :
AddressBookAvailability : WebSearchOnly
AttendantSafeTransfer :
AutoDiscoveryRetryInterval :
BlockConversationFromFederatedContacts :
CalendarStatePublicationInterval :
ConferenceIMIdleTimeout :
CustomizedHelpUrl : http://go.microsoft.com/fwlink/?LinkId=389737
CustomLinkInErrorMessages :
CustomStateUrl :
DGRefreshInterval :
DisableCalendarPresence :
DisableContactCardOrganizationTab :
DisableEmailComparisonCheck :
DisableEmoticons :
DisableFeedsTab :
DisableFederatedPromptDisplayName :
DisableFreeBusyInfo :
DisableHandsetOnLockedMachine :
DisableMeetingSubjectAndLocation :
DisableHtmlIm :
DisableInkIM :
DisableOneNote12Integration :
DisableOnlineContextualSearch :
DisablePhonePresence :
DisablePICPromptDisplayName :
DisablePoorDeviceWarnings :
DisablePoorNetworkWarnings :
DisablePresenceNote :
DisableRTFIM :
DisableSavingIM :
DisplayPhoto : AllPhotos
EnableAppearOffline :
EnableCallLogAutoArchiving :
EnableClientAutoPopulateWithTeam : True
EnableClientMusicOnHold : False
EnableConversationWindowTabs :
EnableEnterpriseCustomizedHelp : True
EnableEventLogging :
EnableExchangeContactSync : True
EnableExchangeDelegateSync : True
EnableExchangeContactsFolder : True
EnableFullScreenVideo :
EnableHighPerformanceConferencingAppSharing : False
EnableHotdesking :
EnableIMAutoArchiving :
EnableMediaRedirection :
EnableMeetingEngagement : False
EnableNotificationForNewSubscribers :
EnableServerConversationHistory : True
EnableSkypeUI :
EnableSQMData :
EnableTracing :
EnableURL :
EnableUnencryptedFileTransfer :
EnableVOIPCallDefault : False
ExcludedContactFolders :
HotdeskingTimeout : 00:05:00
IMWarning :
MAPIPollInterval :
MaximumDGsAllowedInContactList : 10
MaximumNumberOfContacts :
MaxPhotoSizeKB : 30
MusicOnHoldAudioFile :
P2PAppSharingEncryption : Supported
EnableHighPerformanceP2PAppSharing : False
PlayAbbreviatedDialTone :
RequireContentPin : RequiredOutsideScheduledMeeting
SearchPrefixFlags :
ShowRecentContacts : True
ShowManagePrivacyRelationships : False
ShowSharepointPhotoEditLink : False
SPSearchInternalURL :
SPSearchExternalURL :
SPSearchCenterInternalURL :
SPSearchCenterExternalURL :
TabURL :
TracingLevel : Light
TelemetryTier : Tier3
PublicationBatchDelay : 0
EnableViewBasedSubscriptionMode : False
WebServicePollInterval :
HelpEnvironment : Office365
RateMyCallDisplayPercentage : 10
RateMyCallAllowCustomUserFeedback : False
IMLatencySpinnerDelay : 1500
IMLatencyErrorThreshold : 1500
SupportModernFilePicker : False
EnableOnlineFeedback : False
EnableOnlineFeedbackScreenshots :
Sometimes, customers want to restrict certain settings in SBO to reduce what they see as risk or to limit the sort of information that can be exposed through eDiscovery. Several organizations believe that instant messaging conversations, being less formal than email, might contain certain wording or information that a company would not like to be exposed outside, so conversation history is a feature these companies choose to disable. Some information security departments might want to prevent users from sending links through instant messages, especially if they must allow external federation and public connectivity to consumer Skype. In some situations, companies want to disable emoticons because they are considered unprofessional.
You can use one of the included policies, such as ClientPolicyNoSaveIMNoArchivingNoIMURL, or create your own policy and apply it to your users. An example policy that restricts all of the features mentioned in the preceding paragraph could be created in Windows PowerShell as follows.
New-CsClientPolicy -Identity "Restrictive" -DisableEmoticons:$true -DisablePresenceNote:$true -DisableSavingIM:$true -EnableServerConversationHistory:$false -EnableURL:$false
Then, to apply that policy to all users, you would type the following command.
Get-CSOnlineUser -ResultSize Unlimited | Grant-CsClientPolicy -PolicyName Restrictive
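An added example, not from the book, that combines three points made in this section: export the existing settings before you change anything, create the custom policy, and make sure every user actually has it. It assumes the SBO remote session is already imported, that the ClientPolicy property of a user renders as the policy name, and a hypothetical backup file name.

```powershell
# Added example. Assumes the SBO remote PowerShell session is imported.
$policyName = 'Restrictive'
$backupPath = '.\ClientPolicyDefault-before.xml'   # hypothetical file name

# Keep a copy of the default policy's settings before changing anything,
# so the original values can be looked up later.
Get-CsClientPolicy -Identity ClientPolicyDefault |
    Export-Clixml -Path $backupPath

# Create the custom policy once; rerunning the script must not fail.
if (-not (Get-CsClientPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-CsClientPolicy -Identity $policyName -DisableEmoticons:$true `
        -DisablePresenceNote:$true -DisableSavingIM:$true `
        -EnableServerConversationHistory:$false -EnableURL:$false
}

# Users whose assigned client policy is anything else, including none.
# Assumption: the ClientPolicy property renders as the policy name.
$unassigned = Get-CsOnlineUser -ResultSize Unlimited |
    Where-Object { "$($_.ClientPolicy)" -ne $policyName }

# Grant the policy only where it is missing.
$unassigned | Grant-CsClientPolicy -PolicyName $policyName

# Report what was changed so it can be kept with the provisioning record.
$unassigned |
    Select-Object DisplayName, UserPrincipalName,
        @{ Name = 'PreviousClientPolicy'; Expression = { "$($_.ClientPolicy)" } }
```

Running the same script after each batch of new users is provisioned catches accounts that were created through the GUI and never received the policy.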
For the best user experience, determine what, if any, restrictions you need to apply to your users before you deploy SBO to them. It’s much better to deploy something with limits than to take features away after users experience them. If you are not sure, or if your legal, HR, or security teams have not decided on any restrictions, include them in the pilot and make sure all pilot users understand that some features might not be available after SBO is deployed to production.
The conferencing policies in SBO are intended to control what can and cannot be done in SBO meetings. With multiple people attending an SBO meeting, you want to ensure that any restrictions to meet compliance requirements or to prevent anonymous users from joining meetings are in place. SBO meetings often are used to present confidential information, either through screen sharing or by presenting PowerPoint decks. This might mean you want to restrict who can download files from a meeting or even record meetings. SBO meetings might also use significant bandwidth because they can include 1080p video content, so you might want to place upper limits on the bandwidth available.
The default SBO conferencing policy is called BposSAllModality. To view what this policy includes, run the following Windows PowerShell command.
Get-CsConferencingPolicy -Identity BPOSSAllModality | fl
Identity : Tag:BposSAllModality
AllowIPAudio : True
AllowIPVideo : True
AllowMultiView : True
Description :
AllowParticipantControl : True
AllowAnnotations : True
DisablePowerPointAnnotations : False
AllowUserToScheduleMeetingsWithAppSharing : True
ApplicationSharingMode : VideoWithFallback
AllowNonEnterpriseVoiceUsersToDialOut : False
AllowAnonymousUsersToDialOut : False
AllowAnonymousParticipantsInMeetings : True
AllowFederatedParticipantJoinAsSameEnterprise : False
AllowExternalUsersToSaveContent : True
AllowExternalUserControl : True
AllowExternalUsersToRecordMeeting : False
AllowPolls : True
AllowSharedNotes : True
AllowQandA : True
AllowOfficeContent : True
EnableDialInConferencing : False
EnableAppDesktopSharing : Desktop
AllowConferenceRecording : True
EnableP2PRecording : True
EnableFileTransfer : True
EnableP2PFileTransfer : True
EnableP2PVideo : True
AllowLargeMeetings : False
EnableOnlineMeetingPromptForLyncResources : False
EnableDataCollaboration : True
MaxVideoConferenceResolution : VGA
MaxMeetingSize : 250
AudioBitRateKb : 200
VideoBitRateKb : 50000
AppSharingBitRateKb : 50000
FileTransferBitRateKb : 50000
TotalReceiveVideoBitRateKb : 50000
EnableMultiViewJoin : True
EnableReliableConferenceDeletion : True
All the features are enabled, and clients can use the maximum bandwidth their hardware can handle when using video. Several conferencing policies are built in to SBO. At the time of this writing, 35 are available to customers with North American tenants and over 200 in total, and you can create your own. As an SBO administrator, review the policies available to you to see whether the default policy is appropriate for your organization, or you need to apply one of the more restrictive policies, or you need to create your own. They all start with the BPOS name, followed by some text that should give you an idea of their purpose. Review the settings and pick the policy that is right for your organization or create your own.
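One way to review a policy against the concerns raised above (anonymous participants, external users saving or recording content, bandwidth ceilings) is to compare it with a baseline. The following is an added example, not code from the book; the function name Test-ConferencingPolicy, the baseline values, and the bitrate limits are assumptions, and the sample object is constructed from the output shown above so the script runs offline.

```powershell
# Added example: flag conferencing-policy settings that differ from a
# restrictive baseline. The baseline values below are assumptions for
# illustration; replace them with your own compliance requirements.
function Test-ConferencingPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy,

        # Boolean settings and the value the assumed baseline expects.
        [System.Collections.IDictionary]$ExpectedFlags = [ordered]@{
            AllowAnonymousParticipantsInMeetings = $false
            AllowAnonymousUsersToDialOut         = $false
            AllowExternalUsersToSaveContent      = $false
            AllowExternalUsersToRecordMeeting    = $false
            AllowExternalUserControl             = $false
            AllowConferenceRecording             = $false
            EnableP2PRecording                   = $false
            EnableFileTransfer                   = $false
        },

        # Assumed upper limits, in Kb, for the bandwidth settings.
        [System.Collections.IDictionary]$MaxBitRateKb = [ordered]@{
            VideoBitRateKb             = 2000
            AppSharingBitRateKb        = 2000
            TotalReceiveVideoBitRateKb = 8000
        }
    )
    process {
        foreach ($name in $ExpectedFlags.Keys) {
            $prop = $Policy.PSObject.Properties[$name]
            if ($null -eq $prop) { continue }      # setting absent on this policy
            if ([bool]$prop.Value -ne $ExpectedFlags[$name]) {
                [pscustomobject]@{
                    Policy = $Policy.Identity; Setting = $name
                    Actual = $prop.Value;      Expected = $ExpectedFlags[$name]
                }
            }
        }
        foreach ($name in $MaxBitRateKb.Keys) {
            $prop = $Policy.PSObject.Properties[$name]
            if ($null -eq $prop) { continue }
            if ([int]$prop.Value -gt $MaxBitRateKb[$name]) {
                [pscustomobject]@{
                    Policy = $Policy.Identity; Setting = $name
                    Actual = $prop.Value;      Expected = "<= $($MaxBitRateKb[$name])"
                }
            }
        }
    }
}

# Constructed sample: the relevant values from the BposSAllModality output above.
$sample = [pscustomobject]@{
    Identity                             = 'Tag:BposSAllModality'
    AllowAnonymousParticipantsInMeetings = $true
    AllowAnonymousUsersToDialOut         = $false
    AllowExternalUsersToSaveContent      = $true
    AllowExternalUsersToRecordMeeting    = $false
    AllowExternalUserControl             = $true
    AllowConferenceRecording             = $true
    EnableP2PRecording                   = $true
    EnableFileTransfer                   = $true
    VideoBitRateKb                       = 50000
    AppSharingBitRateKb                  = 50000
    TotalReceiveVideoBitRateKb           = 50000
}
$sample | Test-ConferencingPolicy | Format-Table -AutoSize

# In a session connected to the tenant, audit every available policy with:
#   Get-CsConferencingPolicy | Test-ConferencingPolicy
```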
The mobility policy you apply to users controls whether they can use the SBO Mobile client and which features are enabled or requirements are in place. The default policy, called the Global policy, permits users to connect to SBO by using their mobile client, to use cellular bandwidth for all functions, to save IM history, and so on. There are four other policies for Mobility. Each is named for the type of policy, Mobility, and their names imply the limitations they put into play.
The main reason to use mobility policies is to reduce the bandwidth the Skype for Business client can use by requiring Wi-Fi connectivity for IP video and file sharing. Users can also configure those settings themselves, and with the popularity of unlimited bandwidth plans, this might not be something you need to worry about.
You might only want to disable audio and video for users. This is a setting you control directly within the user settings by using the Set-CsUser command. If you simply want to disable audio and video for all your users, you can run the following command.
Get-CsOnlineUser -ResultSize Unlimited | Set-CsUser -AudioVideoDisabled:$true
It’s very important to set Usage Location for users in your tenant correctly. SBO offers VoIP features that might conflict with certain countries’ regulations regarding telephony. It is your responsibility to set the correct country for your users to ensure that your company remains in compliance with the laws and regulations in your area. Do not simply set all users’ locations as US because you are a company based in the United States. Set the location for where a user is based. Usage Location uses the standard two-letter country code for a country. If you wish to use Windows PowerShell, you can set this for users. If all your users are in the same usage location, this is as simple as the following.
Get-MsolUser -All | Set-MsolUser -UsageLocation US
It will take a few moments for that command to sync from Azure Active Directory to Skype for Business Online, so if you do make a change, give it time to forward sync. If you have users in multiple locations, create a CSV file with UserPrincipalName and UsageLocation columns and use the Import-Csv cmdlet to read the file and feed the Set-MsolUser command like this.
Import-Csv file.csv | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $_.UsageLocation }
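Because a wrong Usage Location has regulatory consequences, it is worth checking the CSV before any row reaches Set-MsolUser. The following is an added example, not code from the book; the function name Split-UsageLocationRow, the allowed-country list, the $Apply switch, and the sample rows are assumptions constructed for illustration.

```powershell
# Added example: validate usage-location rows before applying them.
# $AllowedLocations is an assumed list of countries where the organization
# has staff; replace it with your own.
function Split-UsageLocationRow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Row,
        [string[]]$AllowedLocations = @('US', 'CA', 'GB', 'DE')
    )
    begin { $seen = @{} }   # UPNs already encountered in this file
    process {
        $upn = "$($Row.UserPrincipalName)".Trim()
        $loc = "$($Row.UsageLocation)".Trim().ToUpperInvariant()
        $key = $upn.ToLowerInvariant()

        $reason = $null
        if     ($upn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { $reason = 'UPN missing or malformed' }
        elseif ($seen.ContainsKey($key))                     { $reason = 'Duplicate UPN in file' }
        elseif ($loc -notmatch '^[A-Z]{2}$')                 { $reason = 'UsageLocation is not a two-letter code' }
        elseif ($AllowedLocations -notcontains $loc)         { $reason = 'UsageLocation not in allowed list' }
        $seen[$key] = $true

        [pscustomobject]@{
            UserPrincipalName = $upn
            UsageLocation     = $loc
            Valid             = ($null -eq $reason)
            Reason            = $reason
        }
    }
}

# Constructed sample input; in practice use: Import-Csv file.csv
$rows = @'
UserPrincipalName,UsageLocation
allison@contoso.com,US
don@contoso.com,usa
don@contoso.com,CA
pat@contoso.com,
lee@contoso.com,ZZ
'@ | ConvertFrom-Csv

$checked = $rows | Split-UsageLocationRow

# Rows that need manual review before anything is changed in the tenant.
$checked | Where-Object { -not $_.Valid } | Format-Table -AutoSize

# Set to $true only in a connected MSOnline session, with a real CSV.
$Apply = $false
if ($Apply) {
    $checked | Where-Object { $_.Valid } | ForEach-Object {
        Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $_.UsageLocation
    }
}
```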
It’s important for you to pilot SBO. This helps you test any policies or tenant settings you have applied to ensure that you have the required functionality and desired configuration, and to assess your network with real users to ensure that you have the necessary connectivity. For an organization that has no existing SIP solution, such as Lync or Skype on-premises, this is easy. For an organization that has an existing on-premises solution, this can be challenging.
When you have no existing SIP solution in place, you can deploy SBO at your own pace and test it easily. Ensure that your DNS records are in place (internally and externally if your SIP domain is using split-DNS), configure your tenant to meet your corporate needs, apply any policies, assign the users in the pilot group a license for SBO, and deploy the client to their workstations. You can adjust policies and settings as your user testing identifies the need, with no impact on any production system.
When you have an existing solution in place, piloting can be more of a challenge. A SIP namespace can only exist in one infrastructure, so unless you choose to deploy Skype hybrid, you cannot really pilot with your production namespace while it is still in use in your existing solution. There are three ways to solve this problem.
The first option is the easiest and recommended approach. Microsoft already hosts the DNS records you need for the <tenant>.onmicrosoft.com namespace, and that namespace is already in your tenant and enabled for SBO. You just need to set your pilot users’ SIP URI in the proxyAddresses attribute to use that domain and sync that to your tenant.
The second option really doesn’t offer any advantages over the first and requires you to use another DNS namespace, which might mean you need to purchase a new domain name. It also requires you to set up the DNS records to support SBO and still assign the SIP URI in the proxyAddresses attribute. There’s no advantage to this as far as piloting SBO is concerned.
The third option is the most complex but does enable you to test your production namespace, which might be useful to confirm that a cutover will work successfully. That is the only real advantage to this approach. You need to set up a DNS server that not only hosts an authoritative zone for your DNS namespace but can also resolve any Active Directory or other DNS records for your DNS namespace and any other external records your users need to resolve. Set up the DNS server, add the zone and the necessary records, configure forwarding for Internet name resolution, and then configure the clients you will use in the pilot to use this DNS server instead of your normal production servers. Your pilot users will be able to use your production namespace from the on-premises system but will be cut off from the rest of your users.
You need to determine which Skype for Business client software you want your users to use as well as how to deploy it to their workstations. The decision on which client to use comes down to a combination of licensing and features. Office 365 plans that include Skype for Business Online might or might not also include the client software. E3 and higher plans include Office ProPlus, which comes with the Skype for Business 2016 client. E1 plans, as well as stand-alone SBO plans, do not include client software. If you are licensing Office Perpetual, then the version of Office you choose might come with Skype for Business client software, or you might need to download and install the basic client, which is free but does have fewer features.
In short, if you intend to deploy Office ProPlus, you will get the Skype for Business client as part of that install. If you mean to deploy Office Professional 2016, use the Skype for Business 2016 client. If you want to deploy Office Professional 2013, use the Skype for Business 2015 client. If you mean to install Office for Mac, use the Skype for Business on Mac client. If you do not have a license entitlement to the full Skype for Business client, you can use the Skype for Business basic client that is free to use and covers most of the SBO functionality. However, if you want to use the telephone features in SBO, you want to use a full client because the following features do not work with the Skype for Business basic client.
Refer to https://technet.microsoft.com/en-us/library/16b14d59-7737-4f9d-aa4d-83765a18ea07 for the complete list.
During testing and even piloting, manually installing the Skype for Business client software on your test users’ workstations should have been manageable. Smaller organizations might choose to continue with a manual approach because Skype for Business client software is part of the Office ProPlus suite. Users licensed for Office ProPlus, and who have administrative rights on their devices, can log on to the Office 365 portal and install Office ProPlus themselves. Here is how.
The Office ProPlus install provides them with the instructions they need to follow. You still should provide instructions telling them that, in this case, it’s okay for them to click the Run button at the bottom of the page, as shown in Figure 16-29.
They can follow along from there; the application completes automatically. However, if you just want them to install the Skype for Business client, give them these instructions.
This opens the page to install the client. It’s recommended that you install the Skype for Business client that matches your Office install. Usually, that is the 32-bit Skype for Business 2016 client.
Skype for Business has mobile clients for iOS and Android, so you can use SBO from any mobile phone or tablet. Users can visit the application store appropriate for the platform, search for Skype for Business, and install the mobile client. In the iOS App Store, the Skype for Business client looks like the screenshot in Figure 16-32.
If you use a Mobile Device Management (MDM) solution to manage mobile devices and deploy software to mobile clients, you must permit users to install this application themselves. Due to licensing agreements and restrictions in the app stores, Microsoft does not make the Skype for Business client available to deploy as a package through MDM. Users have to install it from the application store. Do not use one of the packaged installers available online. Microsoft does not support them, and in some cases they have been found to contain malware.
You want to manage your users’ SBO experience by using the tenant settings and the various policies in the service. This is the most efficient way to do so and ensures that your users’ experience is consistent whether they are using a managed Windows machine, a Mac, a mobile client, a tablet, or a personal computer. There are settings for the SBO client that can be managed through Group Policy, but those only apply to domain-joined Windows systems.
You can download the Office 2016 Administrative Template files (ADMX/ADML) from https://www.microsoft.com/en-us/download/details.aspx?id=49030, import them into Active Directory, and use them to manage some client settings. Thirteen machine settings and 14 user settings are available for you to configure, but don’t think that you need to. Most of these settings apply only when you are using an on-premises instance of Skype for Business.
The first time a user launches the Skype for Business client, it asks them for their sign-in address, which is their SIP address. That will look like Figure 16-33.
If a user’s sign-in address (also known as their SIP address) is the same as their User Principal Name (UPN) and primary SMTP address, you need only tell them to enter their email address when prompted and click Sign In. The Skype for Business client uses Modern Authentication, so your users will be automatically signed in to the service.
However, if you have decided to use a different value for UPN than the SIP address, users must go through an additional step before they can authenticate to the service. Their initial attempt to connect to the service will fail because their SIP address does not match their UPN, and they will be prompted a second time to authenticate, with an additional prompt for their password, as shown in Figure 16-34.
When they enter their password and click Sign In, this authentication attempt will also fail, and they will finally be presented with options in the user interface to submit one value for Sign-In address, which is their SIP address, and another for User Name, which is their UPN, and then Password, as shown in Figure 16-35.
Although users only have to do this the first time on their workstation, they have to do it each time they log on to a new workstation. The client behavior this mismatch causes might elicit a significant number of help desk calls, so consider carefully whether any perceived security benefit from using a different value for UPN than for SIP and primary SMTP addresses outweighs the user experience.
With the clients’ software deployed, the service configured, and testing complete, it’s now time to deploy Skype for Business Online. Many companies elect to deploy SBO as the first major workload after they have identity and authentication set up. Whether you have an existing SIP solution in place or not, the amount of work needed to deploy SBO is much less than is required for Exchange Online or SharePoint Online, and it’s a quick and easy way to start using the cloud and show management some return on its investment to move the company to the cloud.
The two most common ways to do this can be referred to as a rollout and a cutover. Companies that do not have an existing SIP solution can do either, whereas companies that want to switch from an existing but older on-premises SIP solution, such as Lync Server or Skype for Business, to Skype for Business Online, perform a cutover.
A rollout deployment can be done on whatever schedule you wish. After you have configured the service to meet your organization’s needs, you can enable users to use SBO in small groups or all at once. All you need to do is license them and they can begin to use the service. If you have not fully assessed or prepared your network for the additional bandwidth SBO uses, you might want to enable users in small groups, or one site at a time, until you get a feel for things. Otherwise, you can license everyone all at once and let them all start using the service together.
A cutover becomes necessary when you have an existing SIP-based solution you intend to stop using and replace with Skype for Business Online. A SIP namespace cannot exist in two SIP infrastructures at the same time, so you need to stop using it in the one so you can start using it in the other. This sort of cutover is usually done over a weekend. When users stop using the existing system at the end of the day on Friday, IT makes the required changes and tests them to confirm all is well, and users come in on Monday and start using the new system.
Cutovers are fairly easy to perform, with minimal risk involved. However, they are cutovers; you stop using one system and start using another. For users, this means they start with an empty contact list. For many users, this is a minor inconvenience, but for some, it is a major issue. Whereas there are third-party solutions that can export a contact list to a file and then reimport contacts from that file after the cutover, there is no way to move contacts from an older system to SBO or to export contacts centrally.
To perform a cutover, perform the following steps.
Lync 2010: %UserProfile%\AppData\Local\Microsoft\Communicator
Lync 2013: %UserProfile%\AppData\Local\Microsoft\Office\15.0\Lync
Skype for Business: %UserProfile%\AppData\Local\Microsoft\Office\16.0\Lync
It’s safe to delete these completely. Any data the client needs is pulled from the service, and the client will re-create the profile for any data it needs to cache. You can also deploy a script to remove the cached data, such as https://gallery.technet.microsoft.com/Delete-Skype-and-Lync-9d8cf887.
How much time you spend testing will vary from one organization to the next, and each company will have its own criteria for testing. At a minimum, test the primary functions of SBO. A high-level testing plan is available at https://support.office.com/en-us/article/Test-your-Skype-for-Business-Online-installation-ae98aef4-5448-43c3-bab0-ba35ff541ca6. It includes the steps a user needs to follow to test each function.
A much more detailed User Acceptance Testing (UAT) plan, with about 200 specific use cases, is included in a UAT spreadsheet published by Shane Hoey to the TechNet Gallery. You can find it at https://gallery.technet.microsoft.com/lync/Skype-for-Business-User-fb20ff12. It is very detailed and well thought out, and it provides tracking of all tests so you can generate a report at the end.
After your Skype for Business Online tenant is set up, tested, and deployed to your clients, the amount of administrative effort it takes to maintain SBO is relatively small. That’s one of the reasons the only two administrative roles for SBO are the Global Admin role and the Skype for Business Administrator role, and there is no delegation or role-based access control (RBAC) in SBO.
If you use the default policies in SBO, there is nothing else you need to do when a user is licensed for SBO. However, if you are applying specific policies to users, then an SBO administrator will need to use Windows PowerShell to assign the appropriate policies, or you might choose to provide your help desk or provisioning team with scripts to do the same.
You might need to tune your policies as business needs evolve, but the primary administrative work includes the following.
If your organization does not deploy PSTN capabilities, you might go weeks at a time without needing to do anything in the SBO portal.
Up until now you have read about Skype for Business Online as a service wholly provided by Office 365. You can deploy a net new service to your users with a rollout, or you can cut over your users from an existing but older solution to SBO. For organizations with an existing Lync or Skype for Business on-premises deployment, there is a third option.
Skype hybrid connects an existing on-premises Skype for Business Server or Lync Server to an Office 365 tenant and permits them to share a SIP namespace. Administrators can move users from the on-premises infrastructure to online in a staged fashion, enabling you to move to SBO at a more controlled pace. Moving users enables them to maintain their contact list, which might make it very appealing to both users and management because that avoids the most disruptive part of moving to SBO. However, Skype hybrid is not the best choice for many organizations. The amount of work required to set it up is considerable and might not be worth the effort if the goal is to move everyone to SBO and shut down the older on-premises system. The disparity in features between on-premises and online might become a problem for some users if they lose functionality that others keep.
The following on-premises topologies are supported when configuring Skype hybrid.
Your on-premises infrastructure must be deployed in a way that supports external connectivity. You must have at least an Access Edge and an A/V Edge server in the perimeter network and permit connectivity to those servers from Office 365, and from those servers to Office 365.
Your on-premises environment and SBO must be able to communicate with each other. Table 16-1 lists the required connectivity that must be permitted.
Protocol | TCP or UDP | Source IP | Destination IP | Source Port | Destination Port | Notes
SIP (MTLS) | TCP | Access Edge | Office 365 | Any | 5061 | Signaling
SIP (MTLS) | TCP | Office 365 | Access Edge | Any | 5061 | Signaling
STUN | TCP | A/V Edge | Office 365 | 50000–59999 | 443, 50000–59999 | Open for audio, video, application-sharing sessions
STUN | TCP | Office 365 | A/V Edge | 443 | 50000–59999 | Open for audio, video, application-sharing sessions
STUN | UDP | A/V Edge | Office 365 | 3478–3481 | 3478–3481 | Open for audio, video sessions
STUN | UDP | Office 365 | A/V Edge | 3478–3481 | 3478–3481 | Open for audio, video sessions
This is in addition to the connectivity required for SBO clients, as detailed at http://aka.ms/ipaddrs.
The Office 365 administrative portal only shows you DNS settings for using Skype for Business Online. In a Skype hybrid deployment, the DNS records must resolve to the on-premises infrastructure. Refer to https://technet.microsoft.com/en-us/library/dn951397.aspx for more information on the on-premises DNS requirements.
Both the on-premises and the online services must be configured with the same settings for federation, and the same entries in the domain allow or deny lists. Even if you will not federate with any other domains, you must permit federation within the online tenant because Skype hybrid is a form of federation between your on-premises and your online organizations.
There are differences between what you can provide users in your on-premises Skype for Business or Lync Server infrastructure and what you can provide them in Skype for Business Online. If you will deploy Skype hybrid, you need to consider this, because the following features available on-premises are not available to users you move online.
In addition, although a user’s contact list will migrate, their existing meetings must be updated or rescheduled when moving the user from on-premises to online.
If your on-premises infrastructure meets the requirements and your online tenant is ready, you can set up Skype hybrid. Follow these steps.
Set-CSAccessEdgeConfiguration -AllowOutsideUsers 1 -AllowFederatedUsers 1 -UseDnsSrvRouting
Get-CsHostingProvider
Remove-CSHostingProvider -Identity "Skype for Business Online"
New-CSHostingProvider -Identity SkypeforBusinessOnline -ProxyFqdn "sipfed.online.lync.com" -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root
The wizard confirms prerequisites and then configures hybrid.
Set-CSTenantFederationConfiguration -SharedSipAddressSpace:$true
When you have confirmed that all features are working as expected, you can move users from on-premises to SBO as you need to or back again.
In this chapter, you learned how to deploy and administer Skype for Business Online as well as the Skype for Business clients. You learned how to configure the service by using both the Skype for Business Admin Center GUI and Windows PowerShell, how policies can be used to enforce settings or restrict features to meet your organization’s needs, and how to deploy Skype for Business Online to your users. With this knowledge, you’re ready to go! SBO is a great choice to deploy first to your users and enables them to start using Office 365 services while you are getting Exchange Online and SharePoint Online ready to go.