Teams – Outbound Calling policies for Audio conferencing and user PSTN calls

This one took me a while to understand what is happening and how to resolve it. The Teams audio and calling functions are not something I deal with on a daily basis but it was a good learning experience.

One of the Teams tenants I manage kept running out of pooled minutes really quickly. I wasn’t actively monitoring the usage but I did notice the emails from Microsoft that were warning us that the minutes are almost used up and users won’t be able to use the PSTN conferencing services for the rest of the calendar month unless more communication credits were added.

What is the deal here exactly?

Each user assigned an ‘Audio Conferencing’ license, which provides a dial-in phone number when they schedule a meeting, is given 60 minutes per month of pooled minutes that can be used for inbound or outbound PSTN dialing for meetings. This ‘Audio Conferencing’ license is only needed for users scheduling the meetings. Meeting attendees who dial in don’t need this license. Depending on how you have deployed Teams in your organization, whether as a full-blown phone system or used specifically for meetings, these pooled minutes are only for meetings and are separate from other dial plans (domestic or international) that you may have.

Users with ‘Audio Conferencing’ license are given a default invite number in the same country as what their O365 account’s usage location is set to.

In an example scenario where an organization has 100 users with the ‘Audio Conferencing’ license, 100 x 60 minutes gives 6000 pooled minutes for your tenant to PSTN dial in to and dial out of meetings. Once the 6000 minutes are consumed, users will no longer be able to dial in or dial out of the meetings using the number provided in the meetings.

Note: Users can still participate using the Teams meeting clients(Desktop or phone app).

Latest Update: Microsoft is extending the audio conferencing capabilities by removing the cost involved to the SKU.

Why users use the PSTN dial-in numbers for Teams online meetings

Personally I love the Teams app, both on the desktop and the phone. And I can tell Microsoft is adding new functionalities over time. I also like it how I can use the phone app for voice and also launch Teams on my desktop and I get an option to ‘add the device’ to the ongoing call on the phone. This way, I can present using the desktop.

Using these VOIP features via the Teams app (phone or desktop) doesn’t incur additional cost to the organization, but there are some scenarios where including a dial-in number in meetings makes sense:

  • Poor or limited internet connectivity
  • Users moving in and out of limited data coverage where voice quality may be better
  • Users having issues with VOIP on their PC and phone app
  • Users are used to the old ways
    • Users lack training in Teams clients(Desktop or phone app)

Determine pooled minutes and usage

To check your PSTN pooled minutes, you can run usage reports in the Teams admin center,

Teams Admin Center –> Analytics & reports –> Usage reports

  • PSTN minute and SMS(preview) pools
  • PSTN and SMS(preview) usage

What is burning precious PSTN minutes

Based on the reports and further reading, I realized the ‘Call me’ feature in Teams is apparently a well-known, heavily used and user-loved feature, which seems to be a behavior that followed users from other conferencing tools.

Users can join a meeting and have the meeting call and join them or dial in manually to the meeting.

Screen shot of the Phone audio option.
Screen shot of the Call me option on the Use phone for audio screen.

As I mentioned earlier, the users using this feature didn’t realize they can use their computer audio or the Teams app on their phone. There were others who thought this was a handy feature and more convenient. Well, what they didn’t know or didn’t care is, the outbound calls were eating those pooled PSTN minutes and affecting the entire organization for users who would really need it.

What is the fix?

This can be fixed by educating the users about the VOIP options, using the computer or phone Teams app. And yes, obviously by putting policies in the tenant.

In the Teams admin center, the dial-out from meeting can be controlled on a per-user basis

  1. In the left navigation, select Users, and then select the display name of the user from the list of available users
  2. Under Audio Conferencing, select Edit
  3. Under Dial-out from meetings, select the dial-out restriction option you desire
  4. Select Save

This may resolve the issue by assigning ‘Don’t allow’ policy for the users who are the heavy hitters of the ‘Call me’ feature but more users might start using this feature and you’ll have to constantly monitor the usage.

To prevent this, you can set a tenant level policy based on your requirements and organizational needs. Once the global policy is in place, you can assign a policy on a per-user level.

The following table provides an overview of each policy.

PowerShell cmdlet | Description
DialoutCPCandPSTNInternational | User in the conference can dial out to international and domestic numbers, and this user can also make outbound calls to international and domestic numbers.
DialoutCPCDomesticPSTNInternational | User in the conference can only dial out to domestic numbers, and this user can make outbound calls to international and domestic numbers.
DialoutCPCDisabledPSTNInternational | User in the conference can’t dial out. This user can make outbound calls to international and domestic numbers.
DialoutCPCInternationalPSTNDomestic | User in the conference can dial out to international and domestic numbers, and this user can only make outbound calls to domestic PSTN number.
DialoutCPCInternationalPSTNDisabled | User in the conference can dial out to international and domestic numbers, and this user cannot make any outbound calls to PSTN number besides emergency numbers.
DialoutCPCandPSTNDomestic | User in the conference can only dial out to domestic numbers, and this user can only make outbound call to domestic PSTN numbers.
DialoutCPCDomesticPSTNDisabled | User in the conference can only dial out to domestic numbers, and this user cannot make any outbound calls to PSTN number besides emergency numbers.
DialoutCPCDisabledPSTNDomestic | User in the conference can’t dial out, and this user can only make outbound call to domestic PSTN numbers.
DialoutCPCandPSTNDisabled | User in the conference can’t dial out, and this user can’t make any outbound calls to PSTN number besides emergency numbers.
DialoutCPCZoneAPSTNInternational | User in the conference can only dial out to Zone A countries and regions, and this user can make outbound calls to international and domestic numbers.
DialoutCPCZoneAPSTNDomestic | User in the conference can only dial out to Zone A countries and regions, and this user can only make outbound calls to domestic PSTN number.
DialoutCPCZoneAPSTNDisabled | User in the conference can only dial out to Zone A countries and regions, and this user can’t make any outbound calls to PSTN number besides emergency numbers.

To set the policy on the tenant level, use the following cmdlet. Use a pre-defined policy name from the table above for the ‘policy name’.

Grant-CsDialoutPolicy -PolicyName <policy name> -Global

To check the current policy at the tenant level,

Get-CSOnlineDialOutPolicy -Identity Global

In my scenario, my plan is to set the global dial-out from meetings policy to DialoutCPCandPSTNDisabled. And assign per-user policy based on their needs.

Tenant-level policy

Note: All users of the tenant who don’t have any dial-out policy assigned will get the global policy.

To set the policy on a per-user level,

Grant-CsDialoutPolicy -Identity <username> -PolicyName <policy name>

You can set what is allowed per-user using the Teams admin center as covered earlier, or you can use PowerShell to assign a policy to a list of users using the script below.

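# Connect-MicrosoftTeams   # run first if the session is not already connected
# user.csv needs a 'UserId' column holding the value passed to -Identity
$list = Import-Csv "c:\tmp\user.csv"

foreach ($user in $list) {
    # Assign the 'DialoutCPCandPSTNDomestic' policy to each user in the list
    Grant-CsDialoutPolicy -Identity $user.UserId -PolicyName "DialoutCPCandPSTNDomestic"
}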

You can also export a report of users and their Dial-Out policy assigned to them,

Get-CsOnlineUser | Select-Object UserPrincipalName,OnlineDialOutPolicy | Export-CSV "C:\tmp\userCallingPolicyReport.csv" -NoTypeInformation
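
The policy names in the table encode two separate controls: the part after CPC governs dial-out from meetings (what ‘Call me’ uses), and the part after PSTN governs the user's own outbound calls. The following is an added example, not part of the original post, that splits each name and lists the users whose effective policy still allows meeting dial-out. The report rows, the contoso.example addresses and the optional "Tag:" prefix handling are assumptions made for the illustration.

```powershell
function Resolve-DialOutPolicy {
    param([string]$Name)
    # Assumption: some module versions show the name with a "Tag:" prefix; strip it if present
    $clean = $Name -replace '^Tag:', ''
    $pattern = '^DialoutCPC(?:and|(?<cpc>International|Domestic|Disabled|ZoneA))PSTN(?<pstn>International|Domestic|Disabled)$'
    if ($clean -notmatch $pattern) { return $null }
    $pstn = $Matches['pstn']
    # "CPCandPSTN<X>" means both controls share the same value X
    $cpc = if ($Matches.ContainsKey('cpc')) { $Matches['cpc'] } else { $pstn }
    [pscustomobject]@{ Policy = $clean; ConferenceDialOut = $cpc; UserPstnCalls = $pstn }
}

# Tenant-level policy from the plan described above; users with no policy inherit it
$globalPolicy = 'DialoutCPCandPSTNDisabled'

# Constructed sample rows, shaped like the CSV report exported above
$report = @'
UserPrincipalName,OnlineDialOutPolicy
alice@contoso.example,
bob@contoso.example,DialoutCPCandPSTNDomestic
carol@contoso.example,DialoutCPCDisabledPSTNInternational
dave@contoso.example,DialoutCPCZoneAPSTNDisabled
erin@contoso.example,SomeUnknownPolicy
'@ | ConvertFrom-Csv

$effective = foreach ($row in $report) {
    $inherited = [string]::IsNullOrWhiteSpace($row.OnlineDialOutPolicy)
    $name = if ($inherited) { $globalPolicy } else { $row.OnlineDialOutPolicy }
    $parsed = Resolve-DialOutPolicy -Name $name
    [pscustomobject]@{
        User              = $row.UserPrincipalName
        Policy            = $name
        Inherited         = $inherited
        # Unrecognized names are reported as 'Unknown' so they get reviewed, not skipped
        ConferenceDialOut = if ($parsed) { $parsed.ConferenceDialOut } else { 'Unknown' }
    }
}

# Anyone whose meeting dial-out is not 'Disabled' can still consume pooled minutes
$effective | Where-Object ConferenceDialOut -ne 'Disabled' | Format-Table -AutoSize
```

With the sample rows, alice (inherits the global policy) and carol are filtered out; bob, dave and erin are listed for review.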

Teams and its audio services are a much more detailed topic and I covered what applied to the issue I faced. Hope you’d be able to as well if you encounter this.

Thank you for stopping by.✌

M365 – Manage Group Creation Permission

All users can create M365 groups; this is the option enabled by default. Microsoft probably took this approach so as to make sure users can collaborate without any IT assistance.

This is good, but when it comes to managing Teams and the related resources that get created, it can easily become an IT data governance nightmare. If your organization is in its initial phases of Teams rollout, IMO it is better to disable group creation ability for the masses and preferably do a phased approach.

When we disable M365 group creation, it affects all services that rely on groups for access, including:

  • Outlook
  • SharePoint
  • Microsoft Teams
  • Microsoft Stream
  • Yammer
  • Planner
  • Power BI (classic)
  • Project for the web

To have a solution that is sort of a best of both worlds scenario, we can designate an Azure AD group with specific users who have the permissions to create M365 groups.

Create an Azure AD Group

To create a new Azure AD group, the New-AzureADGroup cmdlet can be used or can also be created from the Azure AD admin portal. I’m naming the group ‘M365 – Group Creators’

New-AzureADGroup -DisplayName "M365 - Group Creators" -Description "Group that allows users to create M365 groups" -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"

Keep in mind this doesn’t prevent users with Azure AD admin roles that have group creation capabilities from creating new groups.

Set Group Creators

The following needs to be run from PowerShell. Make sure AzureADPreview is installed and connected.

Install-module AzureADPreview
Import-Module AzureADPreview
Connect-AzureAD

Run the following commands,

$Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
$Setting = $Template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $Setting

If you get an ‘..already exists’ error, that means your tenant already has this setting defined. Proceed with the next steps below,

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableGroupCreation"] = $False
$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "<Name of your security group>").objectid

Use the Set-AzureADDirectorySetting below to set the value in the $Setting variable which has the object ID of the Azure AD group.

Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

To determine if the group is allowed to create groups,

(Get-AzureADDirectorySetting).Values

Only one group can be used to control the ability to create Microsoft 365 Groups. But, other groups can be nested as members of this group.
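
The steps above combined into one guarded script, as an added example that is not part of the original post. It uses only the cmdlets shown on this page and assumes an already connected AzureADPreview session and the group name used earlier. Because -SearchString can return zero or several groups, the script insists on exactly one exact-name match before writing the setting, and it reads the value back afterwards.

```powershell
$groupName = 'M365 - Group Creators'   # group created earlier in this post

# -SearchString may match several groups; keep only the exact display name
$candidates = @(Get-AzureADGroup -SearchString $groupName |
    Where-Object DisplayName -eq $groupName)
if ($candidates.Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $($candidates.Count). Nothing was changed."
}
$group = $candidates[0]

# Reuse the Group.Unified setting if the tenant has one, otherwise create it from the template
$existing = Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
if (-not $existing) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object DisplayName -eq 'Group.Unified'
    New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
    $existing = Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
}

# Restrict group creation to members of the one allowed group
$setting = Get-AzureADDirectorySetting -Id $existing.Id
$setting["EnableGroupCreation"] = $false
$setting["GroupCreationAllowedGroupId"] = $group.ObjectId
Set-AzureADDirectorySetting -Id $existing.Id -DirectorySetting $setting

# Read the setting back and confirm it holds the intended object ID
$after = (Get-AzureADDirectorySetting -Id $existing.Id).Values
$allowed = ($after | Where-Object Name -eq 'GroupCreationAllowedGroupId').Value
if ($allowed -ne $group.ObjectId) {
    throw "GroupCreationAllowedGroupId is '$allowed', expected '$($group.ObjectId)'."
}
$after | Where-Object Name -in 'EnableGroupCreation', 'GroupCreationAllowedGroupId' |
    Format-Table Name, Value -AutoSize
```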

In case your organization wants to revert this setting in the future, you can do so by setting EnableGroupCreation to $true and the GroupCreationAllowedGroupId value to “”:

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableGroupCreation"] = $true
$Setting["GroupCreationAllowedGroupId"] = ""
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting
(Get-AzureADDirectorySetting).Values

Usually the setting takes 30ish minutes to take effect. You can verify this by trying to create a group with a user who is a non-member of the allowed Azure AD group.

If a user who is part of the group creators can’t create a M365 group, it’s worth checking the OWA policy. The Get-OwaMailboxPolicy can be used to check this,

Get-OwaMailboxPolicy | Select GroupCreationEnabled

If the above output shows ‘False’, you can enable this by using the Set-OwaMailboxPolicy cmdlet,

Set-OwaMailboxPolicy -Identity "Name of your OWA Policy" -GroupCreationEnabled $true

Hope this helped you in setting up the policies to disable M365 group creation.

Thank you for stopping by.✌

O365 – Determine Mailbox Folder Size from Exchange Online using PowerShell

I’m sure all Exchange Online environments have users who are data hoarders in their email environment. Most tenants have policies to limit how big the mailbox can be for various reasons. Users may come back with increasing mailbox sizes so they can hoard more of those outdated data. It is good practice to maintain the folder items. Get-MailboxFolderStatistics helps retrieve information about folders in mailboxes, including number and size of items in the folder and other information.

Before proceeding, make sure you are connected to Exchange Online module,

$credential = Get-Credential
Connect-ExchangeOnline -credential $credential

To list the folders in a user’s mailbox with each folder’s size and number of items,

$EmailId = Read-Host "Enter user's email address"
Get-MailboxFolderStatistics -Identity $EmailId | Select Name,FolderSize,ItemsinFolder

To determine individual folders and subfolder sizes of a specific user:

$EmailId = Read-Host "Enter user's email address"
Get-MailboxFolderStatistics -Identity $EmailId | Select Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders

To determine inbox folders statistics of a specific user:

$EmailId = Read-Host "Enter user's email address"
Get-MailboxFolderStatistics -Identity $EmailId -FolderScope Inbox | Format-Table Identity,ItemsInFolderAndSubfolders,FolderAndSubfolderSize -AutoSize

To determine and display inbox folder sizes for all mailboxes in the organization

$All = Get-Mailbox -ResultSize Unlimited
$All | foreach {Get-MailboxFolderStatistics -Identity $_.Identity -FolderScope Inbox} | Select Identity,ItemsInFolderAndSubfolders,FolderAndSubfolderSize | ft -AutoSize

and export to CSV file:

$Allmbx = Get-Mailbox -ResultSize Unlimited
$Allmbx | foreach {Get-MailboxFolderStatistics -Identity $_.Identity -FolderScope Inbox | Select Identity,ItemsInFolderAndSubfolders,FolderAndSubfolderSize | Export-Csv "C:\tmp\Inbox_data.csv" -NoTypeInformation -Append}

Get-MailboxFolderStatistics returns IPM subtree folders. This folder structure consists of messages between recipients (Inbox, Sent Items). In Exchange Online, the Non-IPM subtree is considerably larger, as different O365 applications use mailboxes to store and process data. Teams, Delve, MyAnalytics, all have their own folders or folder trees inside the Non-IPM root.

To determine Non-IPM subtree folders and their sizes:

$EmailId = Read-Host "Enter user's email address"
Get-MailboxFolderStatistics -Identity $EmailId -FolderScope NonIpmRoot | Format-Table Identity,ItemsInFolderAndSubfolders,FolderAndSubfolderSize -AutoSize
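
To rank folders by size, the size values have to be turned into numbers first. The following added example, which is not part of the original post, assumes the sizes arrive in a remote session as text of the form "1.2 GB (1,288,490,188 bytes)", where sorting the text directly gives the wrong order. The sample rows and the contoso.example address are constructed.

```powershell
function Convert-SizeToBytes {
    param([string]$Size)
    # Assumed format: "<value> <unit> (<n> bytes)"; use the exact byte count in parentheses
    if ($Size -match '\(([\d,.\s]+)\s*bytes\)') {
        return [long]($Matches[1] -replace '\D', '')
    }
    return $null   # unexpected format: leave blank rather than report a wrong number
}

# Constructed sample rows; in a live session use:
#   $folders = Get-MailboxFolderStatistics -Identity $EmailId
$folders = @(
    [pscustomobject]@{ Identity = 'user@contoso.example\Inbox'
        FolderAndSubfolderSize = '1.2 GB (1,288,490,189 bytes)'; ItemsInFolderAndSubfolders = 15234 }
    [pscustomobject]@{ Identity = 'user@contoso.example\Sent Items'
        FolderAndSubfolderSize = '850.4 MB (891,709,030 bytes)'; ItemsInFolderAndSubfolders = 9120 }
    [pscustomobject]@{ Identity = 'user@contoso.example\Drafts'
        FolderAndSubfolderSize = '96 KB (98,304 bytes)'; ItemsInFolderAndSubfolders = 4 }
    [pscustomobject]@{ Identity = 'user@contoso.example\Archive'
        FolderAndSubfolderSize = '3.05 GB (3,274,912,563 bytes)'; ItemsInFolderAndSubfolders = 40211 }
)

# Sorting the text puts '96 KB' first, because it compares characters, not sizes
$folders | Sort-Object FolderAndSubfolderSize -Descending |
    Select-Object -First 1 -Property Identity, FolderAndSubfolderSize

# Sorting the parsed byte count gives the real ranking
$ranked = $folders |
    Select-Object Identity, ItemsInFolderAndSubfolders,
        @{ Name = 'Bytes'; Expression = { Convert-SizeToBytes $_.FolderAndSubfolderSize } } |
    Sort-Object Bytes -Descending

$ranked | Select-Object -First 3 -Property Identity, ItemsInFolderAndSubfolders,
    @{ Name = 'SizeMB'; Expression = { [math]::Round($_.Bytes / 1MB, 1) } } |
    Format-Table -AutoSize
```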

Thank you for stopping by. ✌

Office 365 – Convert User Mailbox to Shared Mailbox

Scenarios are plenty when O365 admins are requested to convert a user mailbox to a shared mailbox.

Here is one that comes up often,

  • User/Employee leaves the organization and others in the team need access to the user’s mailbox to keep track of the project they were working on

When we convert a user mailbox to a shared mailbox, the mailbox must have a license assigned and after the conversion is complete, we can remove the license.

One little caveat to the licensing part: without a license assigned, the shared mailbox’s size is limited to 50GB. So, before converting, make sure to check the mailbox’s size, and to increase the shared mailbox’s size to 100GB, assign an Exchange Online Plan 2 license.

Note: If you are in an Exchange hybrid environment, you’ll have to manage your mailboxes using on-premises Exchange management tools.

To convert a user mailbox to Shared mailbox using PowerShell

Before proceeding further make sure you are connected to Exchange Online,

$o365cred = Get-Credential
Connect-ExchangeOnline -credential $o365cred

To convert to shared mailbox:

$Mbx = Read-Host "Enter user's email address for Shared Mailbox conversion"
Set-Mailbox -Identity $Mbx -Type Shared

The -Type parameter also supports the below values:

  • Equipment
  • Regular
  • Room
  • Workspace (cloud-only)

Determine if it worked

To make sure the mailbox has been successfully converted:

$sMbx = Read-Host "Enter email address"
Get-Mailbox -Identity $sMbx | fl DisplayName,RecipientTypeDetails

To convert a user mailbox to Shared mailbox using EAC

Exchange admin center also allows converting a user’s mailbox to shared mailbox.

  1. Log in to Exchange admin center, in the left navigation menu, click recipients
  2. Click Mailboxes
  3. Search for the mailbox and select it
  4. In the right side details window, Click Convert under Convert to Shared Mailbox
  5. Click Yes in the warning window
Convert to Shared Mailbox
successfully converted to shared mailbox

Determine if it worked

  1. Log in to Exchange admin center, in the left navigation menu, click recipients
  2. Click shared
  3. Search for the mailbox
Shared tab in recipients

Hope this post helped you out.

Thank you for stopping by.✌

Office 365 – Update Primary Email Address in Bulk using PowerShell

In this post, I’ll go over steps on how to update users’ primary email address in bulk.

I had to update the custom domain name address for one of the tenants I manage. When the O365 tenant was set up, I didn’t have my domain name ready for various reasons and the users were set up with @{tenantname}.onmicrosoft.com addresses. Once I added the necessary DNS records for O365 and made sure my new domain name is listed as default in the domain tab (Microsoft 365 admin center -> Settings -> Domains) in the list of , I was ready to update the user accounts with the new domain name.

Before proceeding further make sure you are connected to Exchange Online,

$o365cred = Get-Credential
Connect-ExchangeOnline -credential $o365cred

To bulk update accounts from a csv file:

Note: The csv file has User,Emailaddress as column headers. Enter the users’ email address with the new domain in the csv file. It is strongly recommended to leave the onmicrosoft.com address in the users’ proxy addresses and specify the new address as PrimarySmtpAddress with SMTP.

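$users = Import-Csv C:\tmp\Update-Email\emails.csv
foreach ($user in $users) {
    $Mailbox = Get-Mailbox -Identity $user.User
    # Current primary address; kept below as a secondary (proxy) address
    $PrimaryEmail = $Mailbox.PrimarySmtpAddress
    # Upper-case "SMTP:" marks the new address as the primary
    $SMTP = "SMTP:" + $user.Emailaddress
    # -EmailAddresses replaces the whole list, so only these two addresses remain on the mailbox
    Set-Mailbox -Identity $user.User -EmailAddresses $SMTP,$PrimaryEmail -WindowsEmailAddress $user.Emailaddress -MicrosoftOnlineServicesID $user.Emailaddress
}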

To bulk update all accounts in the O365 tenant:

Note: The script below will change all accounts in the tenant from whatever you enter for $oldDomain to $newDomain. So, proceed with caution and comply with your change management process and steps.

$oldDomain = Read-Host "Enter existing domain name in '@domainname.com' format"
$newDomain = Read-Host "Enter new domain name in '@domainname.com' format"

# Only user mailboxes whose primary address ends with the old domain
$mailboxes = (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox).where{$_.PrimarySmtpAddress -like "*$oldDomain"}
foreach ($mbx in $mailboxes) {
    $PrimaryEmail = $mbx.PrimarySmtpAddress
    # Keep the local part and append the new domain
    $newSMTPAddress = $mbx.PrimarySmtpAddress -split '@'
    $newSMTPAddress = $newSMTPAddress[0] + $newDomain
    $SMTP = "SMTP:" + $newSMTPAddress
    # $() is needed so the Name property, not the whole object, is expanded in the string
    Write-Host "Processing: $($mbx.Name) --> $newSMTPAddress"
    # -EmailAddresses replaces the whole list, so only these two addresses remain on the mailbox
    Set-Mailbox -Identity $mbx.Identity -EmailAddresses $SMTP,$PrimaryEmail -WindowsEmailAddress $newSMTPAddress -MicrosoftOnlineServicesID $newSMTPAddress
}
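
Both scripts pass exactly two addresses to -EmailAddresses, and that parameter replaces the mailbox's whole address list, so any other alias or non-SMTP entry on the mailbox is dropped. The following added example, not part of the original post, builds a list that promotes the new address and keeps everything else. The function name and the sample addresses are hypothetical and constructed for the illustration.

```powershell
function Get-UpdatedProxyAddresses {
    param(
        [string[]]$Current,     # existing EmailAddresses values from the mailbox
        [string]$NewPrimary     # new primary address, without a prefix
    )
    $result = [System.Collections.Generic.List[string]]::new()
    $result.Add("SMTP:$NewPrimary")              # upper-case prefix marks the primary
    foreach ($addr in $Current) {
        $prefix, $value = $addr -split ':', 2
        if ($prefix -eq 'smtp') {                # -eq is case-insensitive: matches SMTP and smtp
            if ($value -eq $NewPrimary) { continue }   # already added as the primary
            $result.Add("smtp:$value")           # old primary and aliases become secondary
        } else {
            $result.Add($addr)                   # SIP:, X500: and similar entries stay as they are
        }
    }
    , $result.ToArray()
}

# Constructed sample: one primary, one alias, one SIP entry
$current = @(
    'SMTP:jdoe@contoso.onmicrosoft.com'
    'smtp:john.doe@contoso.onmicrosoft.com'
    'SIP:jdoe@contoso.onmicrosoft.com'
)
$new = Get-UpdatedProxyAddresses -Current $current -NewPrimary 'jdoe@contoso.example'
$new
# Result: SMTP:jdoe@contoso.example, smtp:jdoe@contoso.onmicrosoft.com,
#         smtp:john.doe@contoso.onmicrosoft.com, SIP:jdoe@contoso.onmicrosoft.com

# In a live session the list would be applied with the cmdlet used above:
#   Set-Mailbox -Identity $mbx.Identity -EmailAddresses $new
```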

You can also make this change in bulk in the portal as well,

  1. Select all the users whom you wish to update
  2. Click on Change domains
  3. Select the desired domain name from the drop down at the pop-up window
  4. Click Save changes

Thank you for stopping by.✌