Set-up and use of the service requires specific changes to be made to the Customer’s Office 365 tenant.
There are two ways these changes are performed:
- Use of the ‘Sync Now’ function from the portal
- Direct PowerShell instructions to configure the customer tenant manually.
The choice of manual or automated configuration is at the discretion of the customer. The customer can either grant the portal access to make the changes automatically or a competent system administrator can perform the required changes manually using the guidance documentation available in the portal.
Office 365 Admin Rights
Both Manual and Automated methods require Global Admin rights to the Customer’s Office 365 tenant for the initial setup and any changes to regions, and Skype for Business admin rights for subsequent user provisioning.
Scope of the automatic Sync Now function
The Sync Now function uses the Microsoft Graph API and Remote PowerShell to make the changes on the customer tenant.
To achieve the access level required by the automated functions, a user with the required admin rights on the target Office 365 account invokes the process. When the user clicks the Sync Now function, the user is asked twice to grant permission to make changes to the Office 365 account using Skype for Business Remote PowerShell functions. Once these requests are accepted, the portal takes an access token from the user’s session, and the automatic configuration process uses that token. The access token is time limited; Microsoft currently sets a 1-hour life on this token.
No administrator access credentials are stored by the portal.
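An added example, not the portal's or Microsoft's code: a Python check an administrator could run over a delegated access token's claims to confirm it is short-lived and user-delegated, as described above. It assumes the token is a JWT carrying the standard `iat`/`exp` claims and the Azure AD `scp` claim; the sample tokens, the scope value and the `review_token` helper are constructed for illustration.

```python
import base64
import json

MAX_LIFETIME_S = 3600  # the 1-hour token life stated on this page
NOW = 1_700_000_000    # constructed "current time" so the example is repeatable


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (not a real Microsoft token)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url(b'constructed-signature')}"


def decode_claims(token: str) -> dict:
    """Return the payload claims; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))


def review_token(token: str, now: int = NOW) -> list:
    """Return reviewer findings; an empty list means nothing to flag."""
    claims = decode_claims(token)
    iat, exp = claims.get("iat"), claims.get("exp")
    if iat is None or exp is None:
        return ["missing iat/exp: lifetime cannot be established"]
    findings = []
    if exp - iat > MAX_LIFETIME_S:
        findings.append(f"lifetime {exp - iat}s exceeds {MAX_LIFETIME_S}s")
    if now >= exp:
        findings.append("token already expired")
    if "scp" not in claims:
        findings.append("no scp claim: not a user-delegated token")
    return findings


# Constructed samples: one within the stated limits, one that should be flagged.
GOOD = make_token({"iat": NOW - 600, "exp": NOW + 3000, "scp": "user_impersonation"})
LONG = make_token({"iat": NOW, "exp": NOW + 86400})

if __name__ == "__main__":
    print(review_token(GOOD))
    print(review_token(LONG))
```

Decoding the claims this way only inspects what the token asserts; it does not validate the signature, which remains the job of the service that accepts the token.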
The automation makes several changes to the customer tenant. These are mainly to configure Direct Routing in Carrier Mode and manage users. Full details of the initial setup part of the process can be found in Microsoft’s deployment guidance here: https://docs.microsoft.com/en-us/microsoftteams/direct-routing-sbc-multiple-tenants
The initial configuration changes include:
- Adding custom domains to the Office 365 account
- Using a spare licence to create a temporary user that activates the domains for voice services, and removing these temporary users after the process is complete.
- Creating dial-plans
- Creating SBC Voice Routing Policies.
The Sync Now automation also reads data from the customer tenant to discover Users that are licenced for Phone System and voice services.
Additional functions, such as setting users’ voice routing policy, phone numbers and voicemail/forwarding policy, are performed by the Sync Now function.
Only changes pertinent to the configuration of the Microsoft Phone System functions and the Direct Routing set-up are made to the customer tenant.
A log of all activities performed by the automatic configuration process is provided for the customer to review.
The customer may be asked to perform a ‘Diagnostic Sync’ if there is a problem that requires more information to be made available for technical support.
The diagnostic sync collects more data about the customer tenant, users and licencing for this purpose; it does not make any changes to the tenant. The enhanced diagnostic sync data will be automatically removed after 14 days.