Applies To

Call2Teams - Customers


Latest Note

Microsoft are changing the name of the Phone System Licence to Teams Phone Licence. Please be aware that references to both may continue to co-exist for a time. 


Overview

Set-up and use of the Call2Teams service requires specific changes to be made to the Customer’s Microsoft 365 tenant.

There are two ways these changes are performed:

  • Use of the Call2Teams ‘Sync Now’ function from the portal
  • By direct PowerShell instructions to manually make configuration of the customer tenant

The choice of manual or automated configuration is at the discretion of the customer. The customer can either grant the Call2Teams portal access to make the changes automatically or a competent system administrator can perform the required changes manually using the guidance documentation available in the Call2Teams portal.


TABLE OF CONTENTS


Microsoft 365 Admin Rights

Both Manual and Automated methods require Global Admin rights to the Customer’s Microsoft 365 tenant for the initial setup and any changes to other tenant configurations required on the MS tenant. Skype for Business admin rights are sufficient for subsequent user provisioning.


Scope of the automatic Sync Now function

Set-up and use of the service requires specific changes to be made to the Customer’s Microsoft 365 tenant.

There are two ways these changes are performed:

  • Use of the  ‘Sync Now’ function from the portal
  • By direct PowerShell instructions to manually make configuration of the customer tenant.

The choice of manual or automated configuration is at the discretion of the customer. The customer can either grant the portal access to make the changes automatically or a competent system administrator can perform the required changes manually using the guidance documentation available in the portal.

Microsoft 365 Admin Rights

For the initial setup of the tenant and subsequent tenancy amendments:

The administrator performing the Enable Sync function needs to have Global Admin rights on the Microsoft 365 account.


Subsequent user-level updates: 

Adding or removing users needs a much lower level of access called "Skype for Business admin" rights. 


This is a legacy term as Microsoft have removed the Skype for Business service, but the security role still remains. 

Note: The Teams Administrator role is not the same level of access and cannot be used in place of the Skype for Business admin role.


Find out how to set Skype for Business Administrator rights for a user here: 

link

The automatic Sync Now function

The Sync Now function uses the Microsoft Graph API and Remote PowerShell to make the changes on the customer tenant.


To achieve the access level required by the automated functions, a user with the required admin rights on the target Microsoft 365 account will invoke the process. 

When the user clicks the Sync Now function two requests are made of the user to grant permission to make changes to the Microsoft 365 account using Skype for Business Remote PowerShell functions. By accepting these requests, an access token is taken from the user’s session by the portal and is used by the automatic configuration process. The access token is time limited and currently Microsoft have set a 1-hour life to this token.


No administrator access credentials are stored by the portal.


The automation makes several changes to the customer tenant. These are mainly to configure Direct Routing in Carrier Mode and manage users. Full details of the initial setup part of the process can be found in Microsoft’s deployment guidance here: https://docs.microsoft.com/en-us/microsoftteams/direct-routing-sbc-multiple-tenants


The initial configuration changes include:

  • Adding custom domains to the Microsoft 365 account
  • Using a spare licence create a user to activate the domains for voice services and removing these temporary users after the process is complete.
  • Creating dial-plans
  • Creating SBC Voice Routing Policies.

 

The Sync Now automation also reads data from the customer tenant to discover Users that are licenced for Phone System and voice services.

Additional functions such as setting user’s voice routing policy, phone numbers and voicemail/forwarding policy are performed by the Sync now function.

Only changes pertinent to the configuration of the Microsoft Phone System functions and the Direct Routing set-up are made to the customer tenant.

A log of all activities performed by the automatic configuration process is provided for the customer to review.


Acquiring Microsoft Access Token

If during the Sync Now process the popup window becomes stuck on this message:


then the most likely cause is browser incompatibility.


Please note Internet Explorer is not supported by the Call2Teams portal

Please try the process again using an in-private browser session with one of these browser types:

  • Microsoft Edge
  • Firefox
  • Google Chrome


Other things to try:

  • Ensure any pop-up blockers are disabled.
  • Try the process on a different computer, preferably using a different network access (e.g. tethered to a mobile hotspot).


If the problem persists and the customer needs to log a ticket, please also provide the full URL from the popup window so the team can look at the logs on the Call2Teams servers:



Need Admin Approval Message

If the customer receives a message on login saying "Need admin approval" then their Microsoft tenant Active Directory (AD) has restrictions on the customer's ability to use their Microsoft account for Single Sign On (SSO) to other services.



Call2Teams uses SSO exclusively for portal access so the customer's administrator will need to lift this restriction. 


Refer to this MS article for more information on AD consent for SSO:

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent


User access to the Call2Teams portal does not required admin rights on the Microsoft 365 AD account unless they need to make changes to their account with the Sync Now function.


Approval Required Message

This message is most often seen where two-stage or Multi-Factor Authentication has been applied on the Microsoft account. It will require MFA approval from the Microsoft Admin on the hosting domain where challenged:


Microsoft has changed the way that Teams services are configured and have updated the original Skype for Business configuration system to a new Teams configuration system.


The connector Sync Now service has also been updated to work with the new Teams PowerShell and Graph APIs to maintain full compatibility.


Since the 28th of February 2021 the consent box for the Teams sync process has changed. Even if the customer has previously granted consent for the sync process, due to the change in application ID and permission they will need to accept consent again.


The new popup will look similar to the below image:



Consent is required to:

- Access the directory as the customer

- Access Microsoft Teams and Skype for Business data as a the signed in user


Both of these allow the platform to create and manage the relevant voice routing domains and configuration for the service to operate.


Accept permission to continue to have the configuration managed by the Sync Now function.


Diagnostic/Debug Sync

The customer may be asked to perform a ‘Diagnostic Sync’ if there is a problem that requires more information to be made available for technical support.


Do this by holding Alt-Shift when clicking the Sync Now button.


A debug (bug) symbol will show to confirm a debug sync is taking place

The diagnostic sync collects more data about the customer tenant, users and licencing for this purpose; it does not make any changes to the tenant. The enhanced diagnostic sync data will be automatically removed after 14 days.