Call2Teams - Customers
Set-up and use of the Call2Teams service requires specific changes to be made to the Customer’s Microsoft 365 tenant.
There are two ways these changes are performed:
- Use of the Call2Teams ‘Sync Now’ function from the portal
- Direct PowerShell instructions to configure the customer tenant manually.
The choice of manual or automated configuration is at the discretion of the customer. The customer can either grant the Call2Teams portal access to make the changes automatically or a competent system administrator can perform the required changes manually using the guidance documentation available in the Call2Teams portal.
TABLE OF CONTENTS
- Applies To
- Office 365 Admin Rights
- Acquiring Microsoft Access Token
- Need Admin Approval Message
- Teams Sync Application Consent
- Scope of the automatic Sync Now function
- Diagnostic/Debug Sync
Office 365 Admin Rights
Both Manual and Automated methods require Global Admin rights to the Customer’s Office 365 tenant for the initial setup and any changes to regions, and Skype for Business admin rights for subsequent user provisioning.
Acquiring Microsoft Access Token
Need Admin Approval Message
If you receive a message when logging in saying ‘Need admin approval’, then your Microsoft tenant Active Directory (AD) has restrictions on your ability to use your Microsoft account for Single Sign On (SSO) to other services.
Call2Teams uses SSO exclusively for portal access so your administrator will need to lift this restriction.
Refer to this MS article for more information on AD consent for SSO:
User access to the Call2Teams portal does not require admin rights on the Office 365 AD account unless you need to make changes to your account with the Sync Now function.
Teams Sync Application Consent
Scope of the automatic Sync Now function
The Sync Now function uses the Microsoft Graph API and Remote PowerShell to make the changes on the customer tenant.
To achieve the access level required by the automated functions, a user with the required admin rights on the target Office 365 account will invoke the process. When the user clicks the Sync Now function two requests are made of the user to grant permission to make changes to the Office 365 account using Skype for Business Remote PowerShell functions. By accepting these requests, an access token is taken from the user’s session by the portal and is used by the automatic configuration process. The access token is time limited and currently Microsoft have set a 1-hour life to this token.
No administrator access credentials are stored by the portal.
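An administrator who wants to confirm what a delegated token of this kind carries can decode its claims and check the lifetime against the 1-hour figure above. The following is an added example, not Call2Teams or Microsoft code; it assumes the token is a readable JWT with the standard iat, exp, aud and scp claims, and the sample token, audience and scope names are constructed placeholders.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_token(token: str, now: float, max_lifetime_s: int = 3600) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    claims = json.loads(b64url_decode(parts[1]))
    lifetime = claims["exp"] - claims["iat"]
    return {
        "audience": claims.get("aud"),
        # Delegated permissions are a space-separated string in 'scp'.
        "scopes": sorted(claims.get("scp", "").split()),
        "lifetime_s": lifetime,
        "within_expected_lifetime": lifetime <= max_lifetime_s,
        "expired": now >= claims["exp"],
        "seconds_left": max(0, int(claims["exp"] - now)),
    }


def make_sample_token(iat: int, lifetime_s: int) -> str:
    # Constructed, unsigned sample; audience and scope values are placeholders.
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://resource.example", "scp": "scope.b scope.a",
               "iat": iat, "exp": iat + lifetime_s}
    enc = lambda obj: b64url_encode(json.dumps(obj).encode())
    return f"{enc(header)}.{enc(payload)}.sig"


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed issue time (Unix seconds)
    report = inspect_token(make_sample_token(issued, 3600), now=issued + 600)
    print(json.dumps(report, indent=2))
```

The decode step does not validate the signature, so it is suitable for reviewing what was granted, not for making trust decisions.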
The automation makes several changes to the customer tenant. These are mainly to configure Direct Routing in Carrier Mode and manage users. Full details of the initial setup part of the process can be found in Microsoft’s deployment guidance here: https://docs.microsoft.com/en-us/microsoftteams/direct-routing-sbc-multiple-tenants
The initial configuration changes include:
- Adding custom domains to the Office 365 account
- Using a spare licence to create a user to activate the domains for voice services, and removing these temporary users after the process is complete.
- Creating dial-plans
- Creating SBC Voice Routing Policies.
The Sync Now automation also reads data from the customer tenant to discover Users that are licenced for Phone System and voice services.
Additional functions such as setting users’ voice routing policy, phone numbers and voicemail/forwarding policy are performed by the Sync Now function.
Only changes pertinent to the configuration of the Microsoft Phone System functions and the Direct Routing set-up are made to the customer tenant.
A log of all activities performed by the automatic configuration process is provided for the customer to review.
The customer may be asked to perform a ‘Diagnostic Sync’ if there is a problem that requires more information to be made available for technical support.
Do this by holding Alt-Shift when clicking the Sync Now button.
A debug (bug) symbol will show to confirm a debug sync is taking place.
The diagnostic sync collects more data about the customer tenant, users and licencing for this purpose; it does not make any changes to the tenant. The enhanced diagnostic sync data will be automatically removed after 14 days.