Overview
Set-up and use of the service requires specific changes to be made to the Customer’s Microsoft 365 tenant.
There are two ways these changes are performed:
- Use of the ‘Sync Now’ function from the portal
- By direct PowerShell instructions to manually make configuration of the customer tenant.
The choice of manual or automated configuration is at the discretion of the customer. The customer can either grant the portal access to make the changes automatically or a competent system administrator can perform the required changes manually using the guidance documentation available in the portal.
TABLE OF CONTENTS
- Overview
- Office 365 Admin Rights
- Scope of the automatic Sync Now function
- Office 365 Admin Rights
- Scope of the automatic Sync Now function
- Acquiring Microsoft Access Token
- Need Admin Approval Message
- Teams Sync Application Consent
- Scope of the automatic Sync Now function
- Office 365 Admin Rights
- Scope of the automatic Sync Now function
- Diagnostic/Debug Sync
Office 365 Admin Rights
Both Manual and Automated methods require Global Admin rights to the Customer’s Office 365 tenant for the initial setup and any changes to regions, and Skype for Business admin rights for subsequent user provisioning.
Scope of the automatic Sync Now function
Set-up and use of the service requires specific changes to be made to the Customer’s Office 365 tenant.
There are two ways these changes are performed:
- Use of the ‘Sync Now’ function from the portal
- By direct PowerShell instructions to manually make configuration of the customer tenant.
The choice of manual or automated configuration is at the discretion of the customer. The customer can either grant the portal access to make the changes automatically or a competent system administrator can perform the required changes manually using the guidance documentation available in the portal.
Office 365 Admin Rights
Both Manual and Automated methods require Global Admin rights to the Customer’s Office 365 tenant for the initial setup and any changes to regions, and Skype for Business admin rights for subsequent user provisioning.
Find out how to set Skype for Business Administrator rights for a user on this link
Scope of the automatic Sync Now function
The Sync Now function uses the Microsoft Graph API and Remote PowerShell to make the changes on the customer tenant.
To achieve the access level required by the automated functions, a user with the required admin rights on the target Office 365 account will invoke the process. When the user clicks the Sync Now function two requests are made of the user to grant permission to make changes to the Office 365 account using Skype for Business Remote PowerShell functions. By accepting these requests, an access token is taken from the user’s session by the portal and is used by the automatic configuration process. The access token is time limited and currently Microsoft have set a 1-hour life to this token.
No administrator access credentials are stored by the portal.
The automation makes several changes to the customer tenant. These are mainly to configure Direct Routing in Carrier Mode and manage users. Full details of the initial setup part of the process can be found in Microsoft’s deployment guidance here: https://docs.microsoft.com/en-us/microsoftteams/direct-routing-sbc-multiple-tenants
The initial configuration changes include:
- Adding custom domains to the Office 365 account
- Using a spare licence create a user to activate the domains for voice services and removing these temporary users after the process is complete.
- Creating dial-plans
- Creating SBC Voice Routing Policies.
The Sync Now automation also reads data from the customer tenant to discover Users that are licenced for Phone System and voice services.
Additional functions such as setting user’s voice routing policy, phone numbers and voicemail/forwarding policy are performed by the Sync now function.
Only changes pertinent to the configuration of the Microsoft Phone System functions and the Direct Routing set-up are made to the customer tenant.
A log of all activities performed by the automatic configuration process is provided for the customer to review.
Acquiring Microsoft Access Token
If during the Sync Now process the popup window becomes stuck on this message..
..the most likely cause is browser incompatibility.
Please note Internet Explorer is not supported by the portal
Please try the process again using an in-private browser session with one of these browser types:
- Microsoft Edge
- Firefox
- Google Chrome
Other things to try:
- Ensure any pop-up blockers are disabled.
- Try the process on a different computer, preferably using a different network access (e.g. tethered to a mobile hotspot)
If the problem persists and you need to log a ticket, please also provide the full URL from the popup window so the team can look at the logs on the servers:
Need Admin Approval Message
If you receive a message when login in saying Need admin approval then your Microsoft tenant active directory (AD) has restrictions on your ability to use your Microsoft account for Single Sign On (SSO) to other services.
The Portal uses SSO exclusively for portal access so your administrator will need to lift this restriction.
Refer to this MS article for more information on AD consent for SSO:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent
User access to the portal does not required admin rights on the Office 365 AD account unless you need to make changes to your account with the Sync Now function.
Teams Sync Application Consent
Microsoft has changed the way that Teams services are configured and have updated the original Skype for Business configuration system to a new Teams configuration system.
The connector Sync Now service has also been updated to work with the new Teams PowerShell and Graph APIs to maintain full compatibility.
Since the 28th of February 2021 the consent box for the Teams sync process has changed. Even if you have previously granted consent for the sync process, due to the change in application ID and permission you will need to accept consent again.
The new popup will look similar to the below image:
Consent is required to:
- Access the directory as you
- Access Microsoft Teams and Skype for Business data as a the signed in user
Both of these allow the platform to create and manage the relevant voice routing domains and configuration for the service to operate.
Go ahead and accept permission to continue to have the configuration managed by the Sync Now function.
Scope of the automatic Sync Now function
Set-up and use of the service requires specific changes to be made to the Customer’s Office 365 tenant.
There are two ways these changes are preformed:
- Use of the ‘Sync Now’ function from the portal
- By direct PowerShell instructions to manually make configuration of the customer tenant.
The choice of manual or automated configuration is at the discretion of the customer. The customer can either grant the portal access to make the changes automatically or a competent system administrator can perform the required changes manually using the guidance documentation available in the portal.
Office 365 Admin Rights
Both Manual and Automated methods require Global Admin rights to the Customer’s Office 365 tenant for the initial setup and any changes to regions, and Skype for Business admin rights for subsequent user provisioning.
Find out how to set Skype for Business Administrator rights for a user on this link
Scope of the automatic Sync Now function
The Sync Now function uses the Microsoft Graph API and Remote PowerShell to make the changes on the customer tenant.
To achieve the access level required by the automated functions, a user with the required admin rights on the target Office 365 account will invoke the process. When the user clicks the Sync Now function two requests are made of the user to grant permission to make changes to the Office 365 account using Skype for Business Remote PowerShell functions. By accepting these requests, an access token is taken from the user’s session by the portal and is used by the automatic configuration process. The access token is time limited and currently Microsoft have set a 1-hour life to this token.
No administrator access credentials are stored by the portal.
The automation makes several changes to the customer tenant. These are mainly to configure Direct Routing in Carrier Mode and manage users. Full details of the initial setup part of the process can be found in Microsoft’s deployment guidance here: https://docs.microsoft.com/en-us/microsoftteams/direct-routing-sbc-multiple-tenants
The initial configuration changes include:
- Adding custom domains to the Office 365 account
- Using a spare licence create a user to activate the domains for voice services and removing these temporary users after the process is complete.
- Creating dial-plans
- Creating SBC Voice Routing Policies.
The Sync Now automation also reads data from the customer tenant to discover Users that are licenced for Phone System and voice services.
Additional functions such as setting user’s voice routing policy, phone numbers and voicemail/forwarding policy are performed by the Sync now function.
Only changes pertinent to the configuration of the Microsoft Phone System functions and the Direct Routing set-up are made to the customer tenant.
A log of all activities performed by the automatic configuration process is provided for the customer to review.
Diagnostic/Debug Sync
The customer may be asked to perform a ‘Diagnostic Sync’ if there is a problem that requires more information to be made available for technical support.
Do this by holding Alt-Shift when clicking the Sync Now button
A debug (bug) symbol will show to confirm a debug sync is taking place
The diagnostic sync collects more data about the customer tenant, users and licencing for this purpose; it does not make any changes to the tenant. The enhanced diagnostic sync data will be automatically removed after 14 days.