Securing Born in the Cloud Businesses

Everyone’s had this recently. Organisations they partner with are becoming (justifiably) more stringent about their security. It creates some thorny problems though:

  • How do we get the security without bludgeoning our business to death?
  • How do you improve data protection without making your staff rage quit?
  • How do we align initiatives I make with broader security standards?

Born in the Cloud

When we’re talking about a Born in the Cloud Business (BITC) we’re talking about this sort of company:

  • Not much in the way of legacy systems.
  • Mostly SaaS based tools.
  • A boat load of BYOD.
  • Loosey Goosey office security 🙂

Larger organisations like working with businesses like these. They’re small, agile and generally full of rock-star grade experts in their field. But large organisations are also terrified of working with these sorts of companies. The locked-down, SOE-based work day they’re used to, which provides them with a measure of confidence, isn’t present in these BITC businesses. The large org wants all the warm fuzzy security but wants to keep the innovation and glint in their partner’s eye.

Security Standards

In Europe this is a lot more mature than it is in Australia. There are two different standards that get bandied about:

Essential 8

Here, there is a set of guidelines that the Australian Signals Directorate have adopted and provide as advice. This is called the Essential 8 Maturity Model. It covers several areas and each one has four levels of maturity an organisation can reach (0-3). It was originally envisaged as a straightforward, practical approach to data security but has been “beefed up” to be a lot more complex over time.

ISO:27001

Another standard is ISO 27001. This is a heavyweight standard to attain and can take 6-18 months depending on your complexity, maturity and size.

It covers a range of different technology and policy “controls” that should be applied. You can self-assert your compliance then have that audited externally.

Essential 8 Level 3 (the highest) is a sort of subset of the work you’d need to complete to get to ISO 27001. Essential 8 is used in Australian Federal and State Governments and ISO:27001 is a global standard.

What do I need to do?

We at jtwo have been on the journey of achieving both and we have some general advice on how to get going.

We aren’t security consultants and our professional indemnity doesn’t allow us to be so take this advice with a grain of salt. That should keep our insurers happy 🙂

So with that out of the way: it’s a big beast, but here are some pointers on how to get started. We use Office365 with the E5 licensing so a lot of the tools we need to build this stuff out are there and we already pay for them.

Take it Seriously

You can’t fake this stuff. You have to embrace the idea of security in your bones or you won’t get anywhere. You have to think about the tools, processes and behaviours you use and think about them through a security lens. Once you’ve embraced the idea of security it all starts to look a bit more achievable.

Build Registers

In each of these security standards there is a set of lists and registers you need to keep. They involve asset registers (physical and information based) and there’s lots of them. This is particularly the case with ISO27k1.

We use Office365 so we built each of these registers as SharePoint Lists. They are easy to use and they can be used in reporting too.

Embrace a SOE

Everyone hates them, they suck. They make it hard for you to be flexible and innovative. Developers hate them especially. But you should consider them part of your new world order. We use E5 licensing for Microsoft 365 and as part of this we get Intune and Defender. Rolling these out together can help you tick lots of boxes and actually be secure to boot.

MFA Everywhere, All at Once

You probably already do this, in fact if you don’t then do it as soon as you’ve read this. We use O365 and all the identities are in Azure AD. We’ve turned on MFA using Microsoft Authenticator and it does a lot of the heavy lifting.

Policies, Policies, Policies

You’ll need to write and maintain lots of policies. These are generally short (thankfully) but they need to be reviewed periodically and you need to record attestations that people have read, understood and agreed to the policies.

We build our policies as Word Documents and we built a PowerApp that lets people read and agree to the policies. The records for this go in our SharePoint lists for record keeping.

Enforcement

You need to enforce the use of policies, practices and tools. Consider making security compliance part of your staff meetings. Reward people for good behaviour and following policies. Gently (at first) nudge people towards good behaviour if they’re lagging behind.

Office365 and Purview are your friend

While many of the compliance activities you’ll need to do are policy and people based there’s a lot of technology stuff too. As a BITC business you have a lot of this at your fingertips. We use Microsoft 365 and Purview is part of the E5 licensing we have. It’s got a bunch of great technology you can use to improve your security. It arranges it as a set of scores so you get the dopamine rush when you move the score up too. If you use M365 and have E5 you should definitely explore this. It will help greatly.

Data Classification

This is a big one and can be hard. Data classification is generally difficult but the Purview classification tools are able to use ML to do the classification work for you. Here’s what our Teams, email and other communication profile looks like…

We should probably tone down on the fruity language.

This is also what our data looks like from the perspective of sensitive information.

You can see that we use what might be considered sensitive information in the content of our comms. This will vary from org to org but you don’t have to do anything to get this, it works out of the box.

Standards Mapping

Another interesting capability is the standards mapping. You can choose a standard like E8L3 or ISO:27001 and apply that template to the controls you have in O365. This will give you a (probably massive) checklist of changes you need to make to meet those standards.

Microsoft also have their own standards for security which are applied to your controls. Here’s an example of how it provides a gauge on your security compliance:

Moving this score up will move you along with various standards at the same time.


Disable-CsAdForest – “Cannot remove the Active Directory settings for the domain due to ‘FE’ still being activated”

I’ve spent 15 years deploying on-premises versions of Microsoft Unified Communications, namely OCS, Lync & Skype for Business. During that period I did a lot of installations, but never had I done a full removal of the product. I guess that speaks to the usability of Microsoft Voice solutions. Once you’re in, the years just roll by like a good marriage. All good things must come to an end, now with Teams being purely cloud based no schema objects need to remain in Active Directory.

When attempting to do the final cleanup steps of the environment I was getting the following output when attempting Disable-CSAdDomain:

Disable-CsAdDomain : DomainUnprepareTask execution failed on an unrecoverable error.
At line:1 char:1
+ Disable-CsAdDomain
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:SourceCollection) [Disable-CsAdDomain], DeploymentException
    + FullyQualifiedErrorId : TaskFailed,Microsoft.Rtc.Management.Deployment.UnprepareDomainCmdlet
WARNING: Disable-CsAdDomain encountered errors. Consult the log file for a detailed analysis, and ensure all errors (2)
 and warnings (0) are addressed before continuing.

The HTML report presented me with some red:

Error: Cannot remove the Active Directory settings for the domain due to “FE” still being activated.

I had a few hours of scratching my head. I’d fully un-installed the Skype for Business Server software (minus the administrative tools) from the last Front End in the environment. Even the CMS had been deleted, so why did it think it was still active?! No CMS, means no jersey for a Front End server. I waited for domain replication but still no change.

Solution

The secret is to remove the last Front End server computer object from the domain. Install the tools on something else and re-run the cmdlet. Simple, but not obvious.

Thanks to Michael for the bright idea on this one.


Assign Teams phone numbers using Microsoft Forms, Logic Apps and Azure Automation

Sometimes provisioning users into Office 365 services requires custom settings to be executed with PowerShell. This can present a problem when the teams responsible for managing the ongoing process have varying levels of understanding. How do you provide a front-end user interface for custom code without the operators needing to know PowerShell?

This is the case for Microsoft Teams. Microsoft Phone System ‘Direct Routing’ feature lets you connect your telephony gateway (SBC) to Microsoft Phone System. With this capability you can configure on-premises telephone numbers with Microsoft Teams client. A subtle difference using Direct Routing for your PSTN connectivity over Microsoft Calling (Telstra Calling in AU) is the inability to assign phone numbers to users via the Teams Admin Portal. The only way to assign the phone number is through a PowerShell cmdlet with parameter ‘OnPremLineURI‘:

Set-CsUser -Identity $UPN -EnterpriseVoiceEnabled $true -HostedVoiceMail $true -OnPremLineURI $lineURI

So herein lies my problem. Let’s fix it.

Components

  • Microsoft Forms – The front end UI with required input fields.
  • Logic App – The glue and manages the process.
  • Azure Runbook – where my code lives to perform the steps against Office 365 API’s.

Microsoft Forms

This is a pretty basic form. I just need enough information as inputs to execute my PowerShell. The great thing about Microsoft Forms is that it has to be authenticated, and because it’s built into Office 365 that is all done by Azure Active Directory.

Mobile Preview of the Form

Note: Unfortunately the simplicity of this form is also its shortcoming. I would love it if we could do some form validation on the input string before it was submitted. Especially on the phone number format and length.

Create the Logic App

Open a new Blank Template in the Logic App Designer and search for Microsoft Forms and use the option ‘When a new response is submitted‘.

Start by getting the form data into the Logic App.

Assign all of the form inputs as variables in your Logic App to then be passed to our Runbook.

Azure Runbook

Create a Runbook, make sure you have defined the parameters (highlighted in lines 1-5). The Logic App will reference these automatically for you when working in the designer.

Note: All the settings we need are part of the Skype for Business PowerShell module which isn’t available in the Azure Automation Gallery. If you install Microsoft Teams module version 1.1.6 you will have the ability to execute New-CsOnlineSession and pull down all the cmdlets into the PS session. At the time of writing I don’t know a way of using a managed identity or client secret for New-CSOnlineSession, so it’s just a standard user account with bypass MFA (yuck).

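Param (
    [Parameter (Mandatory = $true)][string]$upn,
    [Parameter (Mandatory = $true)][string]$lineURI,
    [Parameter (Mandatory = $true)][string]$dialPlan
)

# Treat cmdlet errors as terminating so the try/catch blocks below actually fire.
$ErrorActionPreference = 'Stop'

$debug = $false

Import-Module MicrosoftTeams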


if($debug -like $true){
    Write-Output "Connecting to Skype Online..."
}
$creds = Get-AutomationPSCredential -Name "SkypeCreds"
try{
    $sfboSession = New-CsOnlineSession -Credential $creds -OverrideAdminDomain "domain.onmicrosoft.com"
}
Catch{
    $errOutput = [PSCustomObject]@{
        status = "failed" 
        error = $_.Exception.Message
        step = "Connecting to Skype Online"
        cmdlet = "New-CsOnlineSession"
    }
    Write-Output ( $errOutput | ConvertTo-Json)
    exit
}
if($debug -like $true){
    Write-Output "Importing PS Session..."
}
try{
    Import-PSSession $sfboSession -AllowClobber
}
Catch{
    $errOutput = [PSCustomObject]@{
        status = "failed" 
        error = $_.Exception.Message
        step = "Importing PS Session"
        cmdlet = "Import-PSSession"
    }
    Write-Output ( $errOutput | ConvertTo-Json)
    exit
}
if($debug -like $true){
    Write-Output "Processing line: $($upn) "
}
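    #Correct User
    # $upn is a mandatory parameter and $user is not defined in this runbook,
    # so this fallback only applies if the script is adapted to loop over user objects.
    if($upn -like $null){
        $sip = (Get-CsOnlineUser -Identity $($user.displayname)).SipAddress
        # Strip only the literal "sip:" prefix. TrimStart('sip:') treats its argument
        # as a set of characters and would also eat leading s/i/p letters of the name.
        $upn = $sip -replace '^sip:', ''
    }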
    #Correct Number
    if($lineURI -notlike "tel:*"){
        if($lineURI.Length -eq 12){
            $lineURI = "tel:"+$lineURI
        }
        elseif($lineURI.Length -eq 11){
            $lineURI = "tel:+"+$lineURI
        }
    }
if($debug -like $true){
    Write-Output "  INFO: Using values - $($upn) with $($lineURI)" 
    Write-Output "  INFO: Attempting to remove Skype for Business Online settings: VoiceRoutingPolicy" 
}    
    try{
        Grant-CsVoiceRoutingPolicy -PolicyName $NULL -Identity $upn
    }
    Catch{
        $errOutput = [PSCustomObject]@{
            status = "failed" 
            error = $_.Exception.Message
            step = "VoiceRoutingPolicy"
            cmdlet = "Grant-CsVoiceRoutingPolicy"
        }
        Write-Output ( $errOutput | ConvertTo-Json)
        exit
    }
if($debug -like $true){
    Write-Output "  INFO: Attempting to remove Skype for Business Online settings: UserPstnSettings" 
}    
    try{
        Set-CsUserPstnSettings -Identity $upn -AllowInternationalCalls $false -HybridPSTNSite $null | out-null
    }
    Catch{
        $errOutput = [PSCustomObject]@{
            status = "failed" 
            error = $_.Exception.Message
            step = "UserPstnSettings"
            cmdlet = "Set-CsUserPstnSettings"
        }
        Write-Output ( $errOutput | ConvertTo-Json)
        exit
    }
    # https://docs.microsoft.com/en-us/powershell/module/skype/grant-csteamsupgradepolicy?view=skype-ps
if($debug -like $true){    
    Write-Output "  INFO: Attempting to grant Teams settings: user to UpgradeToTeams (TeamsOnly)." #Upgrades the user to Teams and prevents chat, calling, and meeting scheduling in Skype for Business
}    
    try{
        Grant-CsTeamsUpgradePolicy -PolicyName UpgradeToTeams -Identity $upn
    }
    Catch{
        $errOutput = [PSCustomObject]@{
            status = "failed" 
            error = $_.Exception.Message
            step = "UpgradeToTeams"
            cmdlet = "Grant-CsTeamsUpgradePolicy"
        }
        Write-Output ( $errOutput | ConvertTo-Json)
        exit
    }
if($debug -like $true){
    Write-Output "  INFO: Attempting to set Teams settings: Enabling Telephony Features & Configure Phone Number"
}
    try{
        Set-CsUser -Identity $UPN -EnterpriseVoiceEnabled $true -HostedVoiceMail $true -OnPremLineURI $lineURI
    }
    Catch{
        $errOutput = [PSCustomObject]@{
            status = "failed" 
            error = $_.Exception.Message
            step = "SetUser"
            cmdlet = "Set-CsUser"
        }
        Write-Output ( $errOutput | ConvertTo-Json)
        exit
    }
if($debug -like $true){
    Write-Output "  INFO: Attempting to grant Teams settings: TeamsCallingPolicy" #Policies designate which users are able to use calling functionality within teams and determine the interoperability state with Skype for Business
}
    try{
        Grant-CsTeamsCallingPolicy -PolicyName Tag:AllowCalling -Identity $upn
    }
    Catch{
        $errOutput = [PSCustomObject]@{
            status = "failed" 
            error = $_.Exception.Message
            step = "TeamsCallingPolicy"
            cmdlet = "Grant-CsTeamsCallingPolicy"
        }
        Write-Output ( $errOutput | ConvertTo-Json)
        exit
    }
if($debug -like $true){
    Write-Output "  INFO: Attempting to grant Teams settings: Assign the Online Voice Routing Policy"
}
    try{
        Grant-CsOnlineVoiceRoutingPolicy -Identity $upn -PolicyName Australia
    }
    Catch{
        $errOutput = [PSCustomObject]@{
            status = "failed" 
            error = $_.Exception.Message
            step = "VoiceRoutingPolicy"
            cmdlet = "Grant-CsOnlineVoiceRoutingPolicy"
        }
        Write-Output ( $errOutput | ConvertTo-Json)
        exit
    }
if($debug -like $true){
    Write-Output "  INFO: Set Dial"
}
    try{
        
        if($dialPlan -eq "National"){
            Grant-CsTenantDialPlan -PolicyName $null -Identity $upn
        }else{
            Grant-CsTenantDialPlan -PolicyName $dialPlan -Identity $upn
        }
        
    }
    Catch{
        $errOutput = [PSCustomObject]@{
            status = "failed" 
            error = $_.Exception.Message
            step = "DialPlan"
            cmdlet = "Grant-CsTenantDialPlan"
        }
        Write-Output ( $errOutput | ConvertTo-Json)
        exit
    }

    #Completion Output
    $errOutput = [PSCustomObject]@{
        status = "Completed" 
        error = "None"
        step = "endOfJob"
        cmdlet = "None"
    }
    Write-Output ( $errOutput | ConvertTo-Json)
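
The form note earlier wishes for validation of the phone number format and length. Since Forms can't do it, the runbook can check its three inputs before the service account runs any cmdlet. The following is an added example, not part of the original runbook: the function names, the E.164 length bounds and the `$AllowedDialPlans` list are assumptions, and the sample values are constructed.

```powershell
# Added example (not the original runbook code).
# Validates and normalises upn / lineURI / dialPlan and reports failures in the
# same status/error/step/cmdlet JSON shape the runbook already returns.

function ConvertTo-LineUri {
    param([string]$Number)

    # Remove an existing tel: prefix and the separators people type into forms.
    $clean = ($Number.Trim() -replace '^tel:', '') -replace '[\s\-\.\(\)]', ''

    # Assumption: E.164, optional leading +, then 8-15 digits, no leading zero.
    if ($clean -notmatch '^\+?[1-9]\d{7,14}$') {
        throw "Phone number '$Number' is not a valid E.164 number."
    }
    return 'tel:+' + $clean.TrimStart('+')
}

function Test-ProvisioningInput {
    param(
        [string]$Upn,
        [string]$LineUri,
        [string]$DialPlan,
        # Hypothetical allow-list; replace with the tenant's real dial plan names.
        [string[]]$AllowedDialPlans = @('National')
    )
    try {
        $Upn = $Upn.Trim()
        # Reject anything that is not a single user@domain token (no spaces, one @).
        if ($Upn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            throw "UPN '$Upn' is not in user@domain format."
        }
        # Only pass known policy names through to Grant-CsTenantDialPlan.
        if ($AllowedDialPlans -notcontains $DialPlan) {
            throw "Dial plan '$DialPlan' is not in the allowed list."
        }
        [PSCustomObject]@{
            status   = 'ok'
            upn      = $Upn
            lineURI  = ConvertTo-LineUri -Number $LineUri
            dialPlan = $DialPlan
        }
    }
    catch {
        [PSCustomObject]@{
            status = 'failed'
            error  = $_.Exception.Message
            step   = 'Input validation'
            cmdlet = 'None'
        }
    }
}

# Constructed sample inputs: two valid spellings of one number, then two rejects.
$samples = @(
    @{ Upn = 'alex@contoso.example'; LineUri = '61255501234';     DialPlan = 'National' },
    @{ Upn = 'alex@contoso.example'; LineUri = '+61 2 5550 1234'; DialPlan = 'National' },
    @{ Upn = 'alex@contoso.example'; LineUri = '5550';            DialPlan = 'National' },
    @{ Upn = 'alex';                 LineUri = '+61255501234';    DialPlan = 'National' }
)
foreach ($s in $samples) {
    Test-ProvisioningInput @s | ConvertTo-Json -Compress
}

# In the runbook this would sit directly after the Param block:
#   $checked = Test-ProvisioningInput -Upn $upn -LineUri $lineURI -DialPlan $dialPlan
#   if ($checked.status -eq 'failed') { Write-Output ($checked | ConvertTo-Json); exit }
#   $upn = $checked.upn; $lineURI = $checked.lineURI
```

Because a rejected input comes back in the existing JSON structure, the Logic App's email step reports it without any change to the schema.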
 

Link the Runbook to your Logic App

Now we can update the Logic App with our Runbook information.

Output the details via Email

I found the best way to get consistent structured results is to have error handling in your Runbook, and parse this back to the Logic App as outputted JSON with a known schema/structure. A sample output of the JSON can be used to generate a schema, like the example below.

{
    "status":  "failed",
    "error":  "One or more errors occurred.: Unable to find an entry point named \u0027GetPerAdapterInfo\u0027 in DLL \u0027iphlpapi.dll\u0027.",
    "step":  "Connecting to Skype Online",
    "cmdlet":  "New-CsOnlineSession"
}

This enables you to have sufficient levels of diagnostics logs as part of the output. In this case I’m using an email.

The example workflow is below.

Additions

Additional functionality you could include might be:

  • Check for licenses
    • AAD Module in PowerShell, or
    • AAD Group Membership in Logic App
  • License the user via PowerShell or Graph
  • Send the response in a Teams Notification, rather than email or teams channel.
  • Email the user on successful completion detailing they have a new phone number.
  • More error handling
  • Smaller more specific Runbooks that are executed rather than a large script block, allowing for more conditions to be considered per step.

Lets Talk Teams!

We have years of experience deploying unified communication in the Microsoft stack. Reach out, we have a rapid deployment solution for Teams Direct Routing leveraging the public cloud and we have tried and tested a number of flavours of SIP Providers. Trial or PoC a voice solution with minimal effort leveraging public cloud deployments

Learn More


Tips for purchasing your next Teams video solution

I’ve been asked by many customers over my years implementing Skype for Business or Microsoft Teams voice solutions:

“Which video conferencing equipment should we look into?”

This can be a hard decision for organisations and IF you find that you didn’t do your homework, you can be left in a situation where you have to sweat an expensive asset for a few years, which becomes the ugly child that is unloved and no one wants to play with gathering dust in the corner. Now the current state of Microsoft Teams Rooms (MTR) means that all packaged solutions have the same software, so the experience during a meeting on-screen is consistent. Thanks Microsoft. Where it will differ is the capability of the hardware it’s getting peddled on.

The state of the VC market has gone gang busters lately. Microsoft Teams has really pushed the device catalogue forward and now we have multiple vendors continuously pushing their new products out into Microsoft’s certified list of Teams Meeting Room devices. In theory, from a workflow perspective, all of them will look the same during the meeting experience from the touch device and on-screen. Microsoft publish the MTR software and all things being equal, they should all get the updates. No favourites, no bias. So if we remove the software feature list, what do I look for when creating my short list as of 2020? Here are some key physical features that are more hardware specific and do vary amongst solutions that I believe enable a positive experience when using the device. I will generalise an MTR as having common components of a video camera, a table top touch device, with the addition of possibly a sound bar and additional microphones. Here’s a summary of my ‘hot-tips’ to look out for:

  • Minimal cabling required to touch device on table.
  • Ability to have 2x HDMI outputs on the ‘CODEC’/NUC to support dual screen workflows.
  • Ability for table microphone expansion.
  • Ease of HDMI/USB-C input on the table top device for screen sharing.

Some other notable mentions:

  • Double check for auto-focus/human tracking, this should be on most devices now.
  • Options for additional noise cancelling features to turn on/off never hurts. Vendors talk about AI or ML to remove unwanted sounds that reduce the quality of the audio i.e. keyboard typing, table tapping or air-conditioner static.

Cabling matters

Reducing the cabling required to get to your table top device is just common sense. Nothing is more annoying than trying to run multiple cables (HDMI, ethernet, audio and power) through floor space from the front of room up inside whatever cable management you have at the table. Also, with only a single cable connecting to the table top device it becomes much more flexible and has the ability to be swung round between seating positions to accommodate musical chairs. This cable is usually done with ethernet, a nice and flexible medium that can carry all data and power needs.

HDMI outputs

Not everyone needs dual screens in their meeting rooms, especially if it’s a small huddle room or space. BUT the price of TV screens is by far the easiest and cheapest component to splash on this new rig. Make sure the new rig lists the number of HDMI outputs and ask yourself the question “will this fit within my room?“. Many vendors will offer setups at two price points with the lower seemingly looking like a good investment, but will only give you one screen. This to me, in the year 2020, ‘the year of video conferencing‘, seems to be a bit old school. I’d even go as far to say, rather than buying one Godzilla screen (that Teams will never do native resolution on, think 1080p), look to buy two slightly smaller screens and get more capability in your meeting experience i.e. two screens, one with screen share + one with video feed simultaneously.

Microphones

“MICROPHONES!” or “microphones” (the lack of), can turn a crystal clear, high definition video experience into a ‘bl ub be ri ng’ mess. Acoustics in a room are hard to judge, I’ll admit that I can’t walk into a room and say that “this is going to be your problem, just tweak that before you install”. I don’t know the science behind removing sound echo, just be careful of hard floors, high ceilings, loud air conditioning and busy streets. If you don’t want to change these things or can’t, sometimes more microphone pickups can be a way to eliminate the problem somewhat, especially when attendees further away from the microphone have decent call volume (can be heard) but sound distorted or choppy. This is generally a telltale sign of a room with too much sound bouncing around. The ability to extend your setup with additional microphones on offer in its solution is a good ‘safety-net’ to have. Something that is modular gives you a ‘get out of jail free card’, if it sounds like your meeting is being held in a basketball stadium or toilet (for some reason that is a very distinct sound in a phone call and we all pick it when it’s presented to us…strange).

‘Legacy’ screen sharing

Not to be overlooked. Let’s set the scene, you’re in the heat of the video conferencing battle, 10 minutes past the meeting start time and your ring-in (visitor) presenter suddenly can’t get the USB wireless dongle thingy to load with the software on their laptop because of reason ‘X’ (I’ll let you imagine one, there’s many). Nothing can beat a quick physical cable to screen share inside the meeting room. Nothing. Modern laptops are ready to have things plugged in for second monitors and this is just that. You won’t kill the aesthetics of a room if there is a 1m HDMI or USB-C cable hanging out the back of the table top device. Words like ‘wireless‘, ‘proximity join‘ and ‘dongle’ sound attractive to our tech heads, but no one likes to be the ad-hoc end user support, while the Brady Bunch video tiles of Teams look over you. Secretly muttering disapprovals of how you’re wasting their time, while on mute. If you’re using Teams meetings to communicate with your customers and clients, don’t be the latest episode of ‘amateur hour’ live from your very own video feed. Catering for hard-wire means you catch the 10% that don’t have Teams or can’t control the installation of software on their devices. Plus it’s just fast.

“Brady Bunch” Video Conferencing
cloudstep.io meeting tiles. Not always smiling this much about being in another video conference.

Oh, there’s also cost. For most of us we need to stretch the money and do more with less, the lesser of organisations have a long standing history of video conferencing and the budget is ripe for the picking. Lucky. As the allocation of dollars from 5 years ago got you a lot less for a lot more. Anything from $3k-$8k gets you a decent kit these days that even your director could probably setup…probably.

What do I suggest?

Okay so take all my considerations for a good piece of kit and who does it end up with? Noting, that I don’t get paid or partner with vendors, nor will some of them talk to me after spreading my opinion over the internet. That being said, I really like them all. But if you made me choose, this is what I’d come back with for a standard meeting room ranging anywhere from 4-15 (ish) people.

Yealink….yes, Yealink. I’ve seen my fair share of Yealink IP phones implemented over my years, they do their duty of making phone calls, the same as the other IP phone brands. So I was never really bothered about what the customer’s preference was with phones. Make a call, does it ring and could they answer? Microsoft video solutions is a new feather in Yealink’s cap, and I’m happy to say that they meet my demands. While much later to the Microsoft Video Solutions than other VC vendors, they have hit it out the proverbial ‘Arran Peterson Teams Device‘ Park in regards to features I want at a good price point. The ‘MVC II’ range of systems will have me covered, purchase units on the sliding scale based on size of your attendees space. All of which offer you the capability of dual screen workflow.

  • Cabling – The MTouch II Touch Panel is connected via a single ethernet cable. Look at cable guides for each model, they are easy to follow and help you visualise your setup in the room prior to purchase.
Example: The MVC500 II datasheet
  • HDMI Out – The MCore Mini-PC has 2x HDMI video output with CEC Support. (CEC gets you the ability to start a meeting and wake the TVs up to the correct channel etc). Just like your AppleTV does magically at home.
  • External Mics – All but the MVCII 400, which has an external mic port on the camera, but I’m not sure what can be used. Maybe anything, maybe nothing…
  • Screen Sharing – The MTouch II Touch Panel offers both HDMI and USB-C inputs (I like USB-C for all the latest MacBooks we have in our office with a single glorious port).

Icing on the cake

Because we like cake, and if there are more slices to eat let’s know about it now. Or maybe, if you’re going to make cake, put the icing on it, it makes it extra special. My point is “If you’re going to buy a solution, go to the effort to make it the best you can“.

Content Camera

I like the idea of Content Cameras in Teams Meetings. Whiteboards are a way of life in consulting. Explaining a complex problem through circles, squares, lines and arrows (rather than hacking about the English language) is a method I use often to convey a complex problem. You need a certified MTR to enable the Content Camera. While it isn’t hard to find a certified webcam to use (there’s a few and they aren’t expensive), it’s much trickier to cable and mount. I have seen little in the way of mounting brackets and extension arms until just recently. Prior, I’d done lots of Google searches for keywords like ‘project/camera arm mount’, ‘camera mount thingy’ and so on. Amazon returned nothing great, that didn’t require extensive ‘tinkering‘ which wasn’t enterprise grade and I can’t tell customers go buy this and get your cordless drill out and add more holes etc. I was pleased to see my new favourite child Yealink have tried to make our lives easier with the UVC30 Content Camera Kit. Problem solved! I think a MTR + Content Camera is probably the best solution available and is more useful than an expensive all-in-one Surface Hub.

UVC30 Content Camera kit

Wireless sharing dongle thingy

If the Content Camera is the icing, then perhaps a wireless sharing dongle thingy is the sprinkles. If you do want to play with wireless dongles, Yealink have one that will work with all the MVC II range and is included in most bundles. While I haven’t played with the WPP20 at all, the fact it’s ‘kinda’ thrown in, is a big plus. If you’re familiar with ClickShare by Barco which is the common standard equipment in this department, you will be happy to know they cost money, and a reasonable amount. Possibly more than one of your TVs. This is more than I’m willing to part with, so an affordable alternative that keeps the solution all within one vendor support is a positive.




Add VC Accounts to Microsoft Teams Channels with Azure Automation

At cloudstep.io® HQ Microsoft Teams is a big part of how we organise digital asset structure in the business. We are a consulting firm by trade, as new prospects become paying customers we add them as a team. The default General channel is used for administration and accounts, additional channels are created per project name or scope of works. We find ourselves no longer needing to go into dark corners of SharePoint administration (commonly referred to in the office as ‘SwearPoint!’). We have adopted Microsoft Teams as our preferred web, audio and video conferencing platform for internal and external meetings. Our board room video conferencing unit runs a full version of Windows 10 and Microsoft Teams that we set up as a ‘do it yourself‘ versus the off the shelf room systems. The VC unit requirements we had were:

  • cloudstep.io®, our web application uses a full desktop browser experience.
  • Mouse and keyboard are preferred for web navigation inside the app.
  • VC to have full OS is preferred to eliminate employees having to BYOD and connect either physically or wirelessly for screen presentation.
  • We can connect to third party conferencing platforms by installing the addons for guest access (zoom, webex, gotomeeting, chime etc) with our partner-led meetings direct onto the machine.
  • Wirelessly present our Macs, iPads, iPhones, Androids and Windows laptops.
  • We are all ‘power users‘ and can handle the meeting join experience in Microsoft Teams client without the need for a single ‘click-to-join’ button on the table which the Microsoft Teams Room (MTR) system provides via a touch device.

We have a boardroom account that has a 365 license to be able to leverage the desktop tools. Windows 10 automatically logs in each morning and the Microsoft Teams client is started automatically. The bill of materials is notably:

  • Intel NUC
  • Windows 10
    • Teams Client
    • Office 365 Pro Plus (Word, Excel, PowerPoint, OneNote)
    • Windows 10 Calendar (Connect to Office 365 Mailbox)
    • AirServer client (ChromeCast, MiraCast, AirPlay)
    • Chrome Browser
  • Office 365 user license
  • Logitech Meetup camera
  • Biggest screen we could fit in the room
  • Microsoft Bluetooth keyboard and mouse

The VC mailbox type is set to ‘room‘ with the following to enhance the experience for scheduled meetings in the board room:

# VC unit (room) mailbox; placeholder address
$VC = "user@domain.com"

# Add tips when searching in Outlook
Set-Mailbox -Identity $VC -MailTip "This room is equipped to support native Teams & Skype for Business Meetings remember to add meeting invite details via the Teams outlook button in the ribbon."

# Auto accept meeting requests and reply with an additional response
Set-CalendarProcessing -Identity $VC -AutomateProcessing AutoAccept -AddOrganizerToSubject $false -RemovePrivateProperty $false -DeleteComments $false -DeleteSubject $false -AddAdditionalResponse $true -AdditionalResponse "Your meeting is now scheduled and if it was enabled as a Teams Meeting will be available from the conference room client."

This has worked well in the last 12 months. The only user experience problem we have had is that, when running a meeting from the VC unit, the account isn’t a member of the team where the content being presented is stored and therefore cannot see or open it. A simple solution for this is automation. We investigated two automation solutions available in the Microsoft services we have:

  1. Flow (Office 365 Suite)
  2. Azure Automation (Azure Subscription)

Unfortunately, option 1 didn’t have any native integration for triggers based on Office 365 group or team creation, so we resorted to a quick Azure PowerShell Runbook that executes on a simple schedule. The steps needed to run were:

  1. Get a list of all the teams.
  2. Query them against the UnifiedGroup properties to get…
    1. AccessType equals ‘Public’
    2. CreationDate within 2 days
  3. Check the newly created teams group membership for the VC unit username.
  4. If it doesn’t exist add the VC unit as the role ‘member‘.

# Load the stored admin credential from the Automation account
Write-Verbose "Getting Credentials ..." -Verbose
$Credentials = Get-AutomationPSCredential -Name 'Admin-365'
Write-Verbose "Credential Imported : $($Credentials.UserName)" -Verbose

$o365Cred = New-Object System.Management.Automation.PSCredential ($Credentials.UserName, $Credentials.Password)
Write-Verbose "Credential Loaded : $($o365Cred.UserName)" -Verbose

# Connect to Exchange Online (for Get-UnifiedGroup) and to Teams
Write-Verbose 'Connecting to 365 ...' -Verbose
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $o365Cred -Authentication Basic -AllowRedirection
Write-Verbose 'Importing UnifiedGroups PowerShell Commands ...' -Verbose
Import-PSSession -Session $Session -DisableNameChecking:$true -AllowClobber:$true | Out-Null
Write-Verbose 'Connecting to Teams ...' -Verbose
Connect-MicrosoftTeams -Credential $o365Cred

# Only teams created within the last 2 days are considered
$creationdate = (Get-Date).AddDays(-2)
$Teams = Get-Team
#$groups = Get-UnifiedGroup | Where-Object {$_.WelcomeMessageEnabled -like "False" -and $_.AccessType -like "Public" -and $_.WhenCreated -ge $creationdate}
$TeamsOutput = @()
foreach ($Team in $Teams) {
    $UnifiedGroup = Get-UnifiedGroup -Identity $Team.GroupId
    if ($UnifiedGroup.AccessType -like "Public" -and $UnifiedGroup.WhenCreated -ge $creationdate) {
        Write-Verbose "Processing team named: $($UnifiedGroup.DisplayName)" -Verbose
        # Add the VC account only if it is not already a member
        $VC = Get-TeamUser -GroupId $Team.GroupId | Where-Object {$_.User -like "user@domain.com"}
        if ($VC.Count -eq 0) {
            Write-Verbose "VC not member, adding..." -Verbose
            Add-TeamUser -GroupId $Team.GroupId -User "user@domain.com" -Role Member
        } else {
            Write-Verbose "VC is member already" -Verbose
        }
    }

    $TeamsOutput += $UnifiedGroup
}
Write-Verbose "Total teams processed for selection: $($TeamsOutput.Count)" -Verbose

# Close the remote Exchange session
Remove-PSSession $Session

The result is simple

Additional member added via PowerShell

The next day, when the board room account is logged in, the Microsoft Teams client will have access to all the teams’ channels, files, OneNote and apps. This is great for native Teams meetings, but also when we have customers in the board room without the need for an online meeting. The VC account has access to see the required teams and channel data to present to the physical display.

This solution doesn’t have to be for video conferencing units. You may have some standardised members you want on all groups, or you could use it to enforce certain owners or a member list.
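The scheduled check described above, as an added example that is not the author's runbook: it swaps the Exchange Online and Teams cmdlets for the Microsoft Graph PowerShell SDK, so the job signs in as the Automation account's managed identity instead of a stored admin password over Basic authentication, which Exchange Online no longer accepts. It assumes the managed identity has been granted Group.Read.All, GroupMember.ReadWrite.All and User.Read.All; the parameter names and the `-ReportOnly` switch are illustrative.

```powershell
# Added example, not the original runbook. Uses the Microsoft Graph PowerShell SDK
# so the job runs as a managed identity (no stored password, no Basic auth).
# Assumed: the identity holds Group.Read.All, GroupMember.ReadWrite.All, User.Read.All.
param(
    [string]$VcAccount    = 'user@domain.com',  # VC unit UPN, placeholder as in the post
    [int]   $LookbackDays = 2,                  # same 2-day window as the post
    [switch]$ReportOnly                         # list what would change, change nothing
)
$ErrorActionPreference = 'Stop'                 # fail the job rather than half-run

Connect-MgGraph -Identity | Out-Null
try {
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays)
    $vcUser = Get-MgUser -UserId $VcAccount

    # Server-side: only Teams-enabled groups. Client-side: public and recently created.
    $candidates = Get-MgGroup -All -Filter "resourceProvisioningOptions/Any(x:x eq 'Team')" |
        Where-Object { $_.Visibility -eq 'Public' -and $_.CreatedDateTime -ge $cutoff }

    $report = foreach ($group in $candidates) {
        # Idempotent: compare object IDs, add only when the VC account is missing.
        $memberIds = (Get-MgGroupMember -GroupId $group.Id -All).Id
        if ($memberIds -contains $vcUser.Id) {
            $action = 'AlreadyMember'
        } elseif ($ReportOnly) {
            $action = 'WouldAdd'
        } else {
            New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $vcUser.Id
            $action = 'Added'
        }
        [pscustomobject]@{
            Team    = $group.DisplayName
            GroupId = $group.Id
            Created = $group.CreatedDateTime
            Action  = $action
        }
    }
    $report   # written to the job output as an audit trail of every decision
}
finally {
    Disconnect-MgGraph | Out-Null
}
```

Running it once with `-ReportOnly` shows which teams would gain the account before any membership is changed.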

Hello Microsoft Teams! Bye bye SwearPoint, may you remain in the background forever.