
Microsoft Teams Recommendations

· 13 min read

In the age of remote working and collaboration, Microsoft Teams is one of the most popular tools being used to increase communication and productivity.

For those undergoing an implementation or a migration from Skype for Business to Microsoft Teams in particular, it is a good opportunity to take a step back and evaluate your implementation, and the recommendations below are as good a place to start as any.

Please keep in mind that, like any recommendations, you should not follow them blindly. Make sure to determine the impact on your users of enabling some of this functionality; there may also be recommendations that you will not be able to apply due to business constraints.

| Recommendation | Description |
|---|---|
| Add the Microsoft Teams SMTP domain to the allowed list in the Microsoft Exchange Online spam filter protection | Whether you create an Office 365 Group in the admin console or by using Outlook, Exchange Online is used to send notifications when a member is added to a Group. These messages are generated from your tenant, so they carry your default domain's SMTP FQDN. Teams also uses Exchange Online to send notifications to team members when they have been added, but the SMTP domain of those messages is "@email.teams.microsoft.com", which could be caught by spam filtering. Outlook treats messages from Teams as coming from an external sender, which is subject to standard security features such as blocking images and certain content. |
| Allow the following user agent strings for Microsoft Teams within the EWS configuration | Teams users may not be able to access Teams meetings/connectors even though their mailboxes are in Exchange Online. |
| Assign a valid security group that can be used to control who can create Office 365 groups, as well as the Office 365 services that depend on groups such as Teams, Planner, etc. | A security group is configured to restrict which users are allowed to create groups. However, this security group no longer exists, which prevents the creation of new groups. |
| Assign a Teams Meeting Room license to your Teams meeting room account | Without the proper license, some Teams Meeting Room features may not work properly or may not be available, such as the ability to dial out to attendees from your meeting. |
| Associate registered SBCs with an Office 365 domain | Part of the Direct Routing configuration check: the domain name associated with one of your SBCs is missing. |
| Check Skype for Business to Microsoft Teams meeting migration failures | Some of your users' meetings may not have been successfully migrated from Skype for Business to Teams. Users might be unable to join the affected meetings. |
| Check that a Microsoft Stream license is assigned to users if cloud recording is allowed | Users who can hold and record Teams meetings may not have the Microsoft Stream license needed to store/upload meeting recordings to Microsoft Stream and play them back. |
| Check the SBC gateway(s) associated with voice routes | Make sure that none of the SBC gateways defined in your voice routes are in a disabled state. This could cause unexpected call failures. |
| Configure your meeting room accounts with the recommended setting of AddAdditionalResponse | Microsoft Teams Rooms will only work in a properly configured Microsoft Teams or Skype for Business environment where the device accounts are set up correctly. To provide the optimal meeting experience, configure your meeting room accounts according to the recommendations. |
| Configure your meeting room accounts with the recommended setting of AddOrganizerToSubject | Microsoft Teams Rooms will only work in a properly configured Microsoft Teams or Skype for Business environment where the device accounts are set up correctly. To provide the optimal meeting experience, configure your meeting room accounts according to the recommendations. |
| Configure your meeting room accounts with the recommended setting of DeleteComments | Microsoft Teams Rooms will only work in a properly configured Microsoft Teams or Skype for Business environment where the device accounts are set up correctly. To provide the optimal meeting experience, configure your meeting room accounts according to the recommendations. |
| Configure your meeting room accounts with the recommended setting of RemovePrivateProperty | Microsoft Teams Rooms will only work in a properly configured Microsoft Teams or Skype for Business environment where the device accounts are set up correctly. To provide the optimal meeting experience, configure your meeting room accounts according to the recommendations. |
| Create meeting room lists for room mailboxes to allow searching and booking rooms with Microsoft Teams | You need to create a room list distribution group to be able to specify a meeting room when you schedule a Teams meeting. |
| Create multiple Microsoft Teams IP phone policies to cater for the different phones and meeting room devices that you have in the organization | To provide a more tailored user interface for the different phones and meeting room devices you have, it is recommended to create different IP phone policies for them. |
| Create Office 365 Groups classifications | You can create classifications that the users in your organization can set when they create an Office 365 group. For example, you can allow users to set "Standard", "Secret", and "Top Secret" on groups they create. Group classifications aren't set by default; you need to create them in order for your users to set them. Use Microsoft Entra ID PowerShell to point your users to your organization's usage guidelines for Office 365 groups. |
| Define an Office 365 Group naming policy | To enforce consistent naming conventions for Office 365 groups created or edited by your users, set up a group naming policy for your tenant in Microsoft Entra ID (Azure AD). For example, you could use the naming policy to communicate the function of a group, its membership, its geographic region, or who created it. You could also use the naming policy to help categorize groups in the address book, and to block specific words from being used in group names and aliases. |
| Enable Advanced Threat Protection for Teams | People regularly share files and collaborate using SharePoint, OneDrive, and Microsoft Teams. With Office 365 Advanced Threat Protection (ATP), your organization can collaborate in a safer manner. ATP helps detect and block files that are identified as malicious in team sites and document libraries. |
| Enable connectors in your Exchange Online environment | When connectors are disabled in the Exchange Online environment, this also affects connectors in Microsoft Teams. Users who try to add a connector in either the Teams desktop client or the web app will get the error: "Connectors have been turned off for this mailbox by the admin. Contact your admin if you want to have connectors turned on: Access to Connectors is disabled." |
| Enable the Teams license for some Office 365 users | At the user level, access to Microsoft Teams can be enabled or disabled on a per-user basis by assigning or removing the Microsoft Teams product license. Once the license is removed, the user is prevented from accessing Microsoft Teams and will no longer see Teams in the Office 365 app launcher and homepage. |
| Enable users for SharePoint Online, OneDrive for Business and Exchange Online | For the full Microsoft Teams experience, every user should be enabled for Exchange Online, SharePoint Online, and Office 365 Group creation. SharePoint Online is required to share and store files in team conversations. OneDrive for Business is required to share and store files in private chats. If users aren't assigned and enabled with SharePoint Online licenses, they don't have OneDrive for Business storage in Office 365. File sharing will continue to work in channels, but users are unable to share files in chats without OneDrive for Business storage in Office 365. In Microsoft Teams, security and compliance features like eDiscovery, Content Search, archiving, and legal hold work best in Exchange Online and SharePoint Online environments. For channel conversations, messages are journaled to the group mailbox in Exchange Online, where they're available for eDiscovery. If SharePoint Online and OneDrive for Business (using a work or school account) are enabled across the organization and for users, these compliance features are available for all files within Teams as well. |
| Ensure a public IP address is associated with the FQDN of the SBCs | An SBC needs a valid public IP address to be reachable from the Internet by the Teams Direct Routing components. |
| Ensure that the right ports and protocols are open across your network for the optimum call experience | Skype for Business Online audio/video calls over TCP do not perform as well as calls over UDP. |
| Grant Teams Direct Routing users an appropriate voice routing policy | List of users who are enabled for Teams Direct Routing/Hybrid Voice but are not assigned any OnlineVoiceRoutingPolicy. |
| Implement Office 365 Groups governance | Office 365 Groups has a rich set of tools to implement any governance capabilities your organization might require. |
| Improve network performance for Skype for Business Online/Microsoft Teams | The quality of real-time media (audio, video, and application sharing) over IP is greatly affected by the quality of end-to-end network connectivity. For optimal Skype for Business Online media quality, it is important to make sure there is a high-quality connection between your company network and Skype for Business Online. The best way to accomplish this is to set up your internal network and cloud connectivity based on the capacity of your network to accommodate the peak traffic volume for Skype for Business Online across all connections. |
| Info: teams which have external/guest users | You should review the external users who have been invited to teams in your environment. |
| Leverage Teams RBAC to specify different levels of Teams administrative access | Using Microsoft Entra ID (Azure AD), you can designate administrators who need different levels of access for managing Microsoft Teams. Administrators can manage the entire Teams workload, or they can have delegated permissions for troubleshooting call quality problems or managing your organization's telephony needs. |
| Limit the number of Office 365 Global Administrators | Having too many Office 365 Global Administrators might indicate that you have not assigned the right individuals to manage your overall Office 365 environment. This could result in unwanted configuration changes to Office 365 if some of these individuals do not have the right skills or capabilities. |
| Multi-factor authentication (MFA) is not enabled for Skype for Business administrators and/or Office 365 Global Administrators | Check whether any account in the Global Administrators or Skype for Business Online Administrators group is not enabled for multi-factor authentication (MFA). It is recommended to enable MFA for these accounts to add an additional layer of security during the authentication process. |
| Office 365 Groups usage guidelines have not been put in place | When users create or edit a group, you can show them a link to your organization's usage guidelines, for example if you require a specific prefix or suffix to be added to a group name. |
| Old version of the Skype for Business Network Assessment Tool detected | Using an older version of the Skype for Business Network Assessment Tool will affect the data collection. It is recommended to update to the latest version of the tool and run another data collection. |
| Review the Teams meeting policy assigned to your users | Meeting policies are used to control the features that are available to meeting participants for meetings scheduled by users in your organization. Different users across your organization might need different meeting features based on what they do. By providing them with the right meeting policy, you not only help them accomplish their jobs but also help optimize the Teams environment and organization resources. |
| Review the ability for team owners to invite external users to teams | Allowing team owners to invite external users to teams could improve work productivity and drive collaboration with external users. |
| Review the Direct Routing users whose Skype for Business accounts are hosted in on-premises Skype for Business Server | Microsoft Teams Direct Routing works only if the SfB user accounts are hosted in Skype for Business Online. |
| Review the Teams user accounts which had provisioning problems | Users may experience issues when using Skype for Business Online or Microsoft Teams when they are not properly provisioned. |
| Review the Teams users' calling policy | All users are configured with the default Teams calling policy. |
| Review your Teams coexistence mode and upgrade settings | Your current Teams and Skype for Business global coexistence mode may be set to Islands mode, which might not be the best coexistence mode for the organization and could be limiting features. |
| Set AllowGuestsToAccessGroups in the unified group settings to True | This setting indicates whether or not a guest user can have access to Files or OneNote content in your teams. This setting does not require a Microsoft Entra ID Premium P1 license. |
| Set UsersPermissionToReadOtherUsersEnabled to true in your Azure AD configuration | When this value is set to false in AAD, a Teams owner is unable to add external/internal members in Microsoft Teams, and the following error message is displayed: "We couldn't add member. We ran into an issue. Please try again later." However, members can be added directly to Office 365 groups. |
| Specify a security group who can create Office 365 groups and their related services | Because it's so easy for users to create Office 365 Groups, you aren't inundated with requests to create them on behalf of other people. Depending on your business, however, you might want to control who has the ability to create groups. |
| Teams Upgrade Status: Candidate - check the Teams upgrade status using Get-CsTeamsUpgradeStatus | Microsoft initiates and performs an automatic upgrade to Teams for organizations that meet certain requirements. You need to understand what the Teams upgrade means and the impact it would have on your organization. |
| Teams Upgrade Status: Deferred - check the Teams upgrade status using Get-CsTeamsUpgradeStatus | Microsoft initiates and performs an automatic upgrade to Teams for organizations that meet certain requirements. You need to understand what the Teams upgrade means and the impact it would have on your organization. |
| Teams Upgrade Status: Downgraded - check the Teams upgrade status using Get-CsTeamsUpgradeStatus | Microsoft initiates and performs an automatic upgrade to Teams for organizations that meet certain requirements. You need to understand what the Teams upgrade means and the impact it would have on your organization. |
| Teams Upgrade Status: Paused - check the Teams upgrade status using Get-CsTeamsUpgradeStatus | Microsoft initiates and performs an automatic upgrade to Teams for organizations that meet certain requirements. You need to understand what the Teams upgrade means and the impact it would have on your organization. |
| Teams Upgrade Status: ScheduledForUpgrade - check the Teams upgrade status using Get-CsTeamsUpgradeStatus | Microsoft initiates and performs an automatic upgrade to Teams for organizations that meet certain requirements. You need to understand what the Teams upgrade means and the impact it would have on your organization. |
| Teams Upgrade Status: Upgraded - check the Teams upgrade status using Get-CsTeamsUpgradeStatus | Microsoft initiates and performs an automatic upgrade to Teams for organizations that meet certain requirements. You need to understand what the Teams upgrade means and the impact it would have on your organization. |
| Validate the licenses assigned to Teams Room Systems | Without the proper license, some Teams Meeting Room features may not work properly or may not be available, such as the ability to dial out to attendees from your meeting. |
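The four meeting room rows above name the calendar-processing settings but not their values. As an added example that is not part of the original post, the PowerShell below audits those settings on Teams Rooms resource accounts and can apply the recommended values; the values (and AutomateProcessing) follow Microsoft's Teams Rooms resource-account guidance, the room UPNs are placeholders, and an existing Connect-ExchangeOnline session (ExchangeOnlineManagement module) is assumed.

```powershell
# Added example: audit and optionally correct the calendar processing settings of
# Microsoft Teams Rooms resource accounts. Assumes Connect-ExchangeOnline has run.

$RoomAccounts = @(
    'room-boardroom@contoso.example',   # constructed placeholder UPNs
    'room-huddle1@contoso.example'
)

# Recommended values (Microsoft Teams Rooms resource-account guidance, not stated
# on the page): auto-accept, keep the organiser out of the subject, keep comments
# and the private flag, and send an additional response text to the organiser.
$Recommended = @{
    AutomateProcessing    = 'AutoAccept'
    AddOrganizerToSubject = $false
    DeleteComments        = $false
    RemovePrivateProperty = $false
    AddAdditionalResponse = $true
}

function Test-RoomCalendarProcessing {
    # Returns one drift record per setting that differs from the recommendation
    param([Parameter(Mandatory)][string]$Identity)

    $current = Get-CalendarProcessing -Identity $Identity
    foreach ($name in $Recommended.Keys) {
        $expected = $Recommended[$name]
        $actual   = $current.$name
        # Compare as strings so enum (AutomateProcessing) and bool values both work
        if ("$actual" -ne "$expected") {
            [pscustomobject]@{
                Account  = $Identity
                Setting  = $name
                Expected = $expected
                Actual   = $actual
            }
        }
    }
}

function Repair-RoomCalendarProcessing {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [switch]$Apply   # without -Apply the function only reports drift
    )
    $drift = @(Test-RoomCalendarProcessing -Identity $Identity)
    if ($drift.Count -eq 0) {
        Write-Host "$Identity already matches the recommended settings"
        return
    }
    $drift | Format-Table -AutoSize | Out-String | Write-Host
    if ($Apply) {
        # Splat the recommended values plus the identity and the response text
        $params = @{ Identity = $Identity } + $Recommended
        $params['AdditionalResponse'] = 'This is a Microsoft Teams Meeting room.'
        Set-CalendarProcessing @params
        Write-Host "Applied recommended calendar processing settings to $Identity"
    }
}

foreach ($acct in $RoomAccounts) {
    Repair-RoomCalendarProcessing -Identity $acct     # add -Apply to remediate
}
```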
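Several rows above concern Direct Routing (disabled SBC gateways referenced by voice routes, SBC FQDNs without a public IP address, and enterprise-voice users with no OnlineVoiceRoutingPolicy). As an added example that is not from the original post, this PowerShell collects those findings in one pass; it assumes the MicrosoftTeams module with an existing Connect-MicrosoftTeams session and Windows (for Resolve-DnsName).

```powershell
# Added example: Direct Routing health checks for the table rows above.
# Assumes Connect-MicrosoftTeams has run in the current session.

function Test-IsPublicIPv4 {
    # True only for a routable IPv4 address (not RFC 1918, loopback, link-local or CGNAT)
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $o = $ip.GetAddressBytes()
    if ($o[0] -eq 10) { return $false }
    if ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) { return $false }
    if ($o[0] -eq 192 -and $o[1] -eq 168) { return $false }
    if ($o[0] -eq 127) { return $false }
    if ($o[0] -eq 169 -and $o[1] -eq 254) { return $false }
    if ($o[0] -eq 100 -and $o[1] -ge 64 -and $o[1] -le 127) { return $false }
    return $true
}

function Get-DirectRoutingFindings {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Gateways referenced by a voice route that are unknown or disabled
    $gateways = @(Get-CsOnlinePSTNGateway)
    foreach ($route in Get-CsOnlineVoiceRoute) {
        foreach ($gwId in @($route.OnlinePstnGatewayList)) {
            $gw = $gateways | Where-Object { $_.Identity -eq $gwId }
            if ($null -eq $gw) {
                $findings.Add([pscustomobject]@{
                    Check = 'VoiceRouteGateway'; Object = $route.Identity
                    Detail = "references unknown gateway $gwId" })
            } elseif (-not $gw.Enabled) {
                $findings.Add([pscustomobject]@{
                    Check = 'VoiceRouteGateway'; Object = $route.Identity
                    Detail = "references disabled gateway $gwId" })
            }
        }
    }

    # 2. Each SBC FQDN (the gateway identity) must resolve to a public IPv4 address
    foreach ($gw in $gateways) {
        $fqdn  = $gw.Identity
        $addrs = @(Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
                   Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
        $public = @($addrs | Where-Object { Test-IsPublicIPv4 -Address $_ })
        if ($public.Count -eq 0) {
            $findings.Add([pscustomobject]@{
                Check = 'SbcPublicIp'; Object = $fqdn
                Detail = "no public IPv4 A record (resolved: $($addrs -join ', '))" })
        }
    }

    # 3. Enterprise-voice users who have not been granted an online voice routing policy
    Get-CsOnlineUser -ResultSize Unlimited |
        Where-Object { $_.EnterpriseVoiceEnabled -and -not $_.OnlineVoiceRoutingPolicy } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Check = 'MissingVoiceRoutingPolicy'; Object = $_.UserPrincipalName
                Detail = 'EnterpriseVoiceEnabled but no OnlineVoiceRoutingPolicy' })
        }

    return $findings
}

Get-DirectRoutingFindings | Format-Table -AutoSize
```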

Transfer Ownership of an Azure Subscription

· 4 min read

Imagine you want to transfer Azure resources to another person or company. This could be because something was created in an external third-party subscription to begin with, or because you have built a product using Azure resources that you have just sold to the highest bidder!

Before you start rolling in that money bin of cash, you need to be able to give that person the Azure resources. The best way to do this is to transfer ownership of an Azure subscription.

It may be best to create a new Azure subscription and then transfer the resources to that new subscription (using Move Resources in the Azure resource group). That way the handover is clean, and the recipient can later migrate the resources into their own production subscription as they see fit.
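As an added example that is not part of the original post, the PowerShell below performs the "move into a clean subscription" step with the Az module: it lists the resources in a source resource group, flags the ones whose names are globally unique, and moves them all into a handover subscription in the same tenant (the subscription itself is then transferred through the portal as described below; Move-AzResource cannot move across tenants). Subscription IDs and resource group names are placeholders, and Connect-AzAccount with rights on both subscriptions is assumed.

```powershell
# Added example: move a resource group's resources into a fresh "handover"
# subscription within the same tenant, ahead of transferring that subscription.

$SourceSubscriptionId = '00000000-0000-0000-0000-000000000001'   # placeholder
$TargetSubscriptionId = '00000000-0000-0000-0000-000000000002'   # placeholder: the new, clean subscription
$SourceResourceGroup  = 'rg-product-prod'                         # placeholder
$TargetResourceGroup  = 'rg-product-handover'                     # placeholder

function Move-ResourcesToHandoverSubscription {
    param(
        [Parameter(Mandatory)][string]$SourceSubscriptionId,
        [Parameter(Mandatory)][string]$TargetSubscriptionId,
        [Parameter(Mandatory)][string]$SourceResourceGroup,
        [Parameter(Mandatory)][string]$TargetResourceGroup,
        [switch]$Apply   # without -Apply this is a dry run that only lists resources
    )
    Set-AzContext -SubscriptionId $SourceSubscriptionId | Out-Null
    $srcRg     = Get-AzResourceGroup -Name $SourceResourceGroup
    $resources = @(Get-AzResource -ResourceGroupName $SourceResourceGroup)

    # Destination resource group must exist before the move; create it in the same region
    Set-AzContext -SubscriptionId $TargetSubscriptionId | Out-Null
    if (-not (Get-AzResourceGroup -Name $TargetResourceGroup -ErrorAction SilentlyContinue)) {
        New-AzResourceGroup -Name $TargetResourceGroup -Location $srcRg.Location | Out-Null
    }
    Set-AzContext -SubscriptionId $SourceSubscriptionId | Out-Null

    # Types whose names are globally unique keep them on a move, but could not be
    # reused if the resource were instead recreated elsewhere, so call them out
    $globalTypes = 'Microsoft.Storage/storageAccounts', 'Microsoft.Web/sites', 'Microsoft.KeyVault/vaults'
    foreach ($r in $resources) {
        $tag = if ($globalTypes -contains $r.ResourceType) { '[global name]' } else { '' }
        Write-Host ('{0,-45} {1} {2}' -f $r.Name, $r.ResourceType, $tag)
    }
    if (-not $Apply) {
        Write-Host 'Dry run: re-run with -Apply to move these resources'
        return $resources.Count
    }

    # One move request for the whole set: Resource Manager validates the request
    # first and moves nothing if any listed resource cannot be moved
    Move-AzResource -ResourceId $resources.ResourceId `
                    -DestinationSubscriptionId $TargetSubscriptionId `
                    -DestinationResourceGroupName $TargetResourceGroup -Force
    return $resources.Count
}

Move-ResourcesToHandoverSubscription -SourceSubscriptionId $SourceSubscriptionId `
    -TargetSubscriptionId $TargetSubscriptionId -SourceResourceGroup $SourceResourceGroup `
    -TargetResourceGroup $TargetResourceGroup     # add -Apply to perform the move
```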

Just a heads up: if you are selling services you have created in Microsoft Azure, whether freelance or professionally, make sure you have spent time on Azure governance, with a proper Azure Landing Zone stood up for standardization and naming conventions in place. This matters especially if you are transferring a resource that has a global scope (these are usually public-facing); the last thing you want is to transfer the resources to someone else and find out that you can't reuse the same unique name.

Please read this carefully: there are certain limitations when transferring subscription ownership, especially across to another tenancy, that you need to be aware of. These limitations depend on the type of subscription, the type of resources, encryption status, etc. See: Transfer an Azure subscription to a different Azure AD directory. In some cases, you may need to look at alternative ways, such as redeploying or recreating the resources in the other subscription/tenancy manually, via redirecting an Azure DevOps deployment or a manual backup export and import.

Transfer a Subscription

Once you are ready to transfer a subscription, you can do the rest, simply through the Azure Portal:

  1. In the Azure Portal, navigate to Subscriptions
  2. Click on the Subscription you want to migrate
  3. Click on Transfer billing ownership
  4. Type in the Recipient's email address, in the email address field
  5. If you are moving the Azure subscription to another Azure AD tenancy (in this article, I am assuming we are), set the 'Move Subscription Tenant' toggle to Yes
  6. Click on Send Transfer Request, acknowledge the prompt and click Yes
  7. This will send an email to the recipient with a link to accept the transfer of the Azure subscription and all its resources

Note: the transfer request is not permanent; the recipient has only a few weeks to accept the transfer before you will need to send it again. The expiry date is shown on the transfer request.

Note: only the user in the new account who accepted the transfer request will have access to manage the resources; they will need to add the necessary groups and rights on their end.

Cancel an Azure Subscription Transfer

If the recipient hasn't accepted the transfer, you can revoke or cancel the transfer request as follows:

  1. In the Azure Portal, navigate to Subscriptions
  2. Click on the Subscription you want to migrate
  3. Click on Transfer billing ownership
  4. You will now get a Window indicating the Transfer Request is pending
  5. Click on Cancel the Transfer Request (bottom of the blade)
  6. Accept the prompt to cancel the transfer request.

Note: you can now click on Transfer billing ownership again to confirm the request was canceled and, if needed, open a new request. Just a heads up as well: canceling the transfer will also email the recipient.

Microsoft Entra ID Recommendations

· 9 min read

Microsoft Entra ID is the foundation on which Microsoft 365 is built.

In the words of Microsoft:

Microsoft Entra ID (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources in:

  • External resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
  • Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.

Microsoft Entra ID (AAD) is not set and forget, especially given that AAD services are constantly evolving in terms of features and improved security.

Below is a table of some Microsoft Entra ID best practice recommendations.

Please keep in mind that, like any recommendations, you should not follow them blindly. Make sure to determine the impact on your users of enabling some of this functionality; there may also be recommendations that you will not be able to apply due to business constraints.

| Recommendation | Why consider this | Probability | Impact | Effort |
|---|---|---|---|---|
| Change break glass account passwords every 90 days | Emergency access accounts are highly privileged, and they are not assigned to specific individuals. Emergency access accounts are limited to emergency or "break glass" scenarios where normal administrative accounts can't be used. We recommend that you maintain a goal of restricting emergency account use to only the times when it is absolutely necessary. | High | High | Low |
| Review possible stale Guest (B2B) accounts | Guest accounts do not exist by default and pose a potential data exposure vulnerability if left unused. Guest accounts should only be used with a defined business need and closely monitored to ensure accounts are valid/legitimate. | High | Moderate | Low |
| Remove invited guests who have not accepted their invite | Removing invited guests who have not accepted their invitation helps control the scope of identity and access management as it pertains to provisioning users in Azure AD. In addition, removing stale invites and users from Azure AD is part of the recommended routine account maintenance. | High | Low | Low |
| Enable the Windows Hello for Business PIN Reset Service | The Microsoft PIN reset service enables you to help users who have forgotten their PIN. Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service, which enables users to reset their forgotten PIN through Settings or above the lock screen without requiring re-enrollment. | Low to Moderate | Moderate | Low |
| Ensure the security compliance notification mail is set | Managing security and compliance is a partnership. You are responsible for protecting your data, identities, and devices, while Microsoft vigorously protects Office 365 services. You can use Office 365 and Enterprise Mobility + Security (EMS) together to help you achieve the appropriate level of protection for your organization. | Low to Moderate | Moderate | Low |
| Add an owner to legacy service principals | Legacy service principals without a defined owner create a challenge for management and accountability. | Low to Moderate | Moderate | Low |
| Add an owner to applications | Assigning an application owner provides an opportunity for delegation and establishes accountability for management of the resource. | Low to Moderate | Moderate | Low |
| Add an owner to cloud-only groups | Assigning a group owner provides an opportunity for delegation and establishes accountability for management of the resource. | Low to Moderate | Moderate | Low |
| Require that "Users can create security groups" is set to No | The creation and management of security groups should be restricted to administrators only, to limit proliferation of this security principal. The default setting prevents users from creating security groups in the Azure portal, and it is recommended to maintain this configuration unless required by a defined business need. | Low to Moderate | Moderate | Low |
| Delete empty cloud-only groups | Cloud-only groups that contain no members and are not associated with Azure applications should be deleted, as they serve no purpose. | Low to Moderate | Low | Low |
| Review dynamic groups with membershipRuleProcessingState not turned on | Sometimes you may want to stop the processing of a dynamic group, for example when you're importing a large number of new users or reorganizing your group architecture. To do that, use the MembershipRuleProcessingState parameter to switch processing on and off. | Low to Moderate | Low | Low |
| Review and consider federating all domains | When a domain is federated with Azure AD, several properties are set on the domain in Azure. One important one is IssuerUri. This property is a URI that is used by Azure AD to identify the domain that the token is associated with. | Low to Moderate | Low | Low |
| Review applications with credentials that are expired or about to expire | Applications with expired credentials cannot be used, so credentials should be updated before expiration to avoid an outage. If the application's service principal already has newer credentials, remove the credentials that are no longer valid. | Moderate | High | Low |
| Review applications granted risky OAuth2 permissions | Depending on the scope of permissions, it can pose a risk to the confidentiality, integrity, or availability of the organization's data. Periodic review of application permission grants can help identify over-privileged applications and establish access controls that align with the principle of least privilege. | Moderate | High | Low |
| Configure user passwords to never expire | Requiring users to regularly change passwords leads to weak password practices like patterns or sequential words and numbers. | Moderate | Moderate | Low |
| Review service principals using password-based credentials | Protect and manage your confidential app credentials for web apps, web APIs and daemon apps. Use certificate credentials, not password credentials (client secrets). | Moderate | Moderate | Low |
| Review Azure AD Guest (B2B) accounts | Guest accounts do not exist by default and pose a potential data exposure vulnerability if left unused. Guest accounts should only be used with a defined business need and closely monitored to ensure accounts are valid/legitimate. | Moderate | Moderate | Low |
| Review applications consented to by admins | Review applications granted consent by admins to ensure this global configuration is desired; admin consent authorizes the application to access data for all users in the Azure AD tenant. | Moderate | Moderate | Low |
| Review applications consented to by one user | Review applications granted consent by a single user to ensure the configuration is desired; user consent authorizes the application to access data for that individual user, as compared to admin consent, which is global for the tenant. | Moderate | Moderate | Low |
| Review domain password policies that do not match the defaults | Password policies can only be configured for user accounts that are not synchronized through directory synchronization. By default, users do not have a password policy defined. | Moderate | Moderate | Low |
| Specify the usage location property for users | Some Microsoft services aren't available in all locations because of local laws and regulations. Before you can assign a license to a user, you must specify the usage location property for the user. | Moderate | Moderate | Low |
| Require that "Users can consent to apps accessing company data on their behalf" is set to No | Allowing users to provide consent for third-party applications risks exfiltration of personally identifiable information (PII), such as email address and phone number, as it is associated with the user's profile. | High | High | Moderate |
| Review group license errors | These errors should be resolved and all users should be assigned the expected licenses, to avoid any loss of productivity. | High | Moderate | Moderate |
| Remove email/mailbox from directory role admins | To help separate internet risks (phishing attacks, unintentional web browsing) from administrative privileges, create dedicated accounts for each user with administrative privileges, with no mail enabled, to make sure they do not inadvertently open emails or run programs associated with their admin accounts. | Moderate | High | Moderate |
| Remove Skype address from directory role admins | To help separate internet risks (phishing attacks, unintentional web browsing) from administrative privileges, create dedicated accounts for each user with administrative privileges, with no Skype enabled, to make sure they do not inadvertently open emails or run programs associated with their admin accounts. | Moderate | High | Moderate |
| Develop a plan to migrate or remove legacy service principals | Service principals with a ServicePrincipalType of Legacy are not associated with an application and should be migrated to an application to improve manageability. | Moderate | Moderate | Moderate |
| Federated domains in Azure AD must have SupportsMFA enabled if ADFS MFA is used | When the configured conditional access policy requires multi-factor authentication, Azure AD defaults to using Azure MFA. If you use the federation service for MFA, you can configure Azure AD to redirect to the federation service when MFA is needed by setting -SupportsMFA to $true in PowerShell. This setting works for federated authentication services that support the MFA challenge request issued by Azure AD. | Moderate | Moderate | Moderate |
| Verify all root-level domains | Every new Azure AD tenant comes with an initial domain name, domainname.onmicrosoft.com. You can't change or delete the initial domain name, but you can add your organization's names to the list. Adding custom domain names helps you to create user names that are familiar to your users. | Moderate | Moderate | Moderate |
| Review user objects no longer syncing with on-premises | Users present in Windows Server AD that are no longer syncing to Azure AD cannot fully use the services provided by Azure AD (password reset, access to O365 services and cloud-based apps, etc.), and this also poses an administrative challenge in managing the account. | Moderate | Moderate | Moderate |
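Several rows above concern application and service principal hygiene: credentials that are expired or about to expire, service principals still using client secrets, legacy service principals, and objects without an owner. As an added example that is not from the original post, this PowerShell collects those findings with the Microsoft Graph PowerShell SDK; it assumes Connect-MgGraph has been run with the Application.Read.All and Directory.Read.All scopes, and the 30-day "about to expire" window is an assumption.

```powershell
# Added example: application / service principal audit for the rows above.
# Assumes Connect-MgGraph with Application.Read.All and Directory.Read.All.

function Get-AppCredentialFindings {
    param([int]$WarnWithinDays = 30)   # assumption: the page does not define "about to expire"

    $now      = [DateTime]::UtcNow
    $findings = [System.Collections.Generic.List[object]]::new()

    $apps = Get-MgApplication -All -Property 'id,displayName,appId,passwordCredentials,keyCredentials'
    foreach ($app in $apps) {
        # Flatten client secrets and certificates into one list; skip entries without an end date
        $creds = @(
            @($app.PasswordCredentials) | ForEach-Object { [pscustomobject]@{ Kind = 'Secret';      End = $_.EndDateTime } }
            @($app.KeyCredentials)      | ForEach-Object { [pscustomobject]@{ Kind = 'Certificate'; End = $_.EndDateTime } }
        ) | Where-Object { $null -ne $_.End }
        $newest = $creds | Sort-Object End -Descending | Select-Object -First 1

        foreach ($c in $creds) {
            $days = [math]::Floor(($c.End.ToUniversalTime() - $now).TotalDays)
            if ($days -lt 0) {
                # An expired credential next to a still-valid newer one is a leftover to remove;
                # an expired credential with nothing newer means the app can no longer authenticate
                $state = if ($newest.End.ToUniversalTime() -gt $now) { 'ExpiredLeftover' } else { 'Expired' }
            } elseif ($days -le $WarnWithinDays) {
                $state = 'ExpiringSoon'
            } else {
                continue
            }
            $findings.Add([pscustomobject]@{
                Check = $state; Object = $app.DisplayName; Detail = "$($c.Kind) ends in $days day(s)" })
        }

        if (@(Get-MgApplicationOwner -ApplicationId $app.Id).Count -eq 0) {
            $findings.Add([pscustomobject]@{
                Check = 'NoOwner'; Object = $app.DisplayName; Detail = 'application has no owner' })
        }
    }

    $sps = Get-MgServicePrincipal -All -Property 'id,displayName,servicePrincipalType,passwordCredentials'
    foreach ($sp in $sps) {
        if ($sp.ServicePrincipalType -eq 'Legacy') {
            $detail = 'legacy service principal; migrate to an application'
            if (@(Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id).Count -eq 0) {
                $detail += ' (no owner)'
            }
            $findings.Add([pscustomobject]@{
                Check = 'LegacyServicePrincipal'; Object = $sp.DisplayName; Detail = $detail })
        }
        $secretCount = @($sp.PasswordCredentials).Count
        if ($secretCount -gt 0) {
            $findings.Add([pscustomobject]@{
                Check = 'PasswordCredential'; Object = $sp.DisplayName
                Detail = "$secretCount client secret(s); prefer certificate credentials" })
        }
    }
    return $findings
}

Get-AppCredentialFindings -WarnWithinDays 30 | Sort-Object Check, Object | Format-Table -AutoSize
```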

How to restrict users to specific boards in Azure DevOps

· One min read

Do you ever want to add external Microsoft Entra ID or other users to specific boards in a project, without giving them access to the entire Azure DevOps project?

Using the steps below, we can restrict users to a specific board.

  1. Invite the external users to the DevOps organization with Stakeholder access.
  2. In the project, create a new team and do not add it to the existing security group, so that it does not inherit permissions.
  3. Add the external users to the created team.
  4. Set the permissions for the created team appropriately. In this case, set 'View project-level information' to Allow.
  5. Create a new area path and set the permissions for the created team under Security.
  6. Assign the area path to the newly created team.

Azure WebApp 500 Errors reporting from AspNetCoreModule

· One min read

Issue Description

Intermittent issues where the Azure WebApp stops functioning; a Stop/Start operation brings it back online.

Root Cause

Further investigation using Azure Application Insights reveals that the Azure WebApp was experiencing a number of failed requests (FailedRequestCount) with HTTP 500 errors: "An exception was thrown by a TaskScheduler. Exception of type 'System.OutOfMemoryException' was thrown."

Resolution

In my case, the service that was running on the Azure WebApp was using .NET Core 2.0, the fix was to upgrade to the latest version.

.NET Core 2.0 is an unsupported version and we highly recommend upgrading to the latest version (3.1). Please take a look at the official .NET Core support policy: https://dotnet.microsoft.com/platform/support/policy/dotnet-core

For .NET Core applications I suggest enabling the stdout logs, as those capture some important errors: https://learn.microsoft.com/en-us/aspnet/core/test/troubleshoot-azure-iis?view=aspnetcore-2.2#aspnet-core-module-stdout-log-azure-app-service-1

If those OutOfMemory exceptions come with a 5xx status code, I would also suggest using the AutoHeal feature, as it allows setting rules based on that status code to capture a memory dump. You can find more information here: https://azure.github.io/AppService/2018/09/10/Announcing-the-New-Auto-Healing-Experience-in-App-Service-Diagnostics.html