Assign Lync Policies to Lync users based on Active Directory Group membership

Published: July 7, 2014.
Updated: September 8, 2014

I’ve been looking for this functionality for quite some time, and with great help from Guy Bachar, we created the following script to help assign Lync policies to Active Directory Security Groups.

This version of the script allows assigning user-scope policies to all Lync-enabled users in a certain Active Directory Group.
The process is easy:

Run the script from a computer or a server that has both the Lync Management Shell and the Active Directory PowerShell Module installed. If they’re not there, the script will let you know.

As you run the script, it will automatically check if you have local admin privileges on this machine and will prompt you to elevate your PS session if you didn’t choose “Run As…”. Many thanks to Ben Armstrong for creating the self-elevating script. We changed it to match our needs here.

Verifying permissions

If all is ok, the script will next ask you to choose your desired AD group: Enter the group’s display name, and in return the script will show you its CN, just to make sure it’s what you’re looking for:

Group2

The script will immediately ask you to choose which type of policy or dial plan you would like to assign from the following 14 options:

1     Voice Policy
2     Client Policy
3     External Access Policy
4     Mobility Policy
5     Archiving Policy
6     Hosted Voicemail Policy
7     Client Version Policy
8     Conferencing Policy
9     Voice Routing Policy
10     Location Policy
11     PIN Policy
12     Presence Policy
13     Persistent Chat Policy
14     Dial Plan

When you choose the type of policy you wish to apply, the script will display the User-scope policies that can be assigned:

2_chosen2

After choosing the policy you wish to apply, you’ll be prompted to confirm the operation:

Confirm applying policy2

If confirmed, the script will run through all the users in this group and assign the policy.

Notes:

  • Use at your own risk – We tested it, but make sure it works for you too.
  • We’re working on the next version, in which you’ll be able to reset a certain group’s policy to “Global” (-PolicyName $null).
  • We’re working on some reporting for the next version.

Please use and share and give us your feedback!

Updates:
September 8, 2014, Version 2.4.2:
– Fail-safe warnings and indications.
– Error messages cleared.
– Ability to default a group to the Global policy.

Download the script here.
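
The core of the process described above, as an added example (this is not the downloadable script or its authors' code): it resolves the group, keeps only Lync-enabled members, and grants one user-scope policy with a dry-run option. The function name `Grant-CsPolicyToAdGroup`, the group `Lync-Sales` and the policy `SalesVoice` are made up for illustration, and the group is looked up by sAMAccountName rather than display name.

```powershell
# Added example, not the downloadable script. Assumes the ActiveDirectory and
# Lync modules are already loaded; group and policy names are placeholders.
function Grant-CsPolicyToAdGroup {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)] [string] $GroupSam,
        [Parameter(Mandatory = $true)]
        [ValidateSet('Voice', 'Client', 'ExternalAccess', 'Mobility', 'Conferencing')]
        [string] $PolicyType,
        [Parameter(Mandatory = $true)] [string] $PolicyName
    )

    # Build cmdlet names from the fixed allow-list above, never from free text.
    $getCmd   = "Get-Cs${PolicyType}Policy"
    $grantCmd = "Grant-Cs${PolicyType}Policy"

    # Fail before touching any user if the group or the policy does not exist.
    $group = Get-ADGroup -Identity $GroupSam -ErrorAction Stop
    $null  = & $getCmd -Identity $PolicyName -ErrorAction Stop

    # Nested members included; keep only accounts that are enabled for Lync.
    $users = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties 'msRTCSIP-PrimaryUserAddress', 'msRTCSIP-UserEnabled' |
        Where-Object { $_.'msRTCSIP-UserEnabled' -and $_.'msRTCSIP-PrimaryUserAddress' }

    foreach ($user in $users) {
        $sip    = $user.'msRTCSIP-PrimaryUserAddress'
        $result = 'Skipped'
        if ($PSCmdlet.ShouldProcess($sip, "$grantCmd -PolicyName $PolicyName")) {
            try {
                & $grantCmd -Identity $sip -PolicyName $PolicyName -ErrorAction Stop
                $result = 'Granted'
            } catch {
                $result = "Failed: $($_.Exception.Message)"
            }
        }
        # One record per user so the run can be reviewed or exported afterwards.
        New-Object PSObject -Property @{
            User = $sip; Policy = "$PolicyType/$PolicyName"; Result = $result
        }
    }
}

# Dry run first: lists every user that would change without changing anything.
Grant-CsPolicyToAdGroup -GroupSam 'Lync-Sales' -PolicyType Voice -PolicyName 'SalesVoice' -WhatIf
```

Dropping `-WhatIf` applies the change with a confirmation prompt per user; piping the output to `Export-Csv` keeps a record of what was granted to whom.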

 

 


Configure Office 365 UM for on premises Lync Server 2013 and Skype for Business Server 2015

As Office 365 is becoming more and more popular with larger organizations, many Lync \ S4B customers would like to host their voicemail in the cloud. This post will guide you through the steps required to configure Hosted UM on Office 365 for an on premises Lync deployment.

Considering you have a full Lync \ S4B 2013 enterprise voice solution already deployed in your organization, additional prerequisites for this would be:

  • A Lync 2013 Edge server.
  • A spare DDI number for Subscriber Access (Outlook Voice Access).
  • On premises users must be synced to Office 365 by either DirSync or Azure.
  • Office 365 Exchange Online licensing that allows UM.
  • Administrative permissions on both the on premises Lync side and the Office 365 management portal.

It took 7 days to create the world, and seven steps to configure voice mail:

1. Office 365 Admin Center

From the Admin drop-down menu, choose “Exchange”:

Admin-Exchange

Under “Exchange” choose “Unified Messaging”:

UM

In “UM Dial plans”, click the ‘+’ sign to add a new dial plan:

New UM Dial plan

In the new UM Dial Plan window:

  1. Give your dial plan a name.
  2. Configure the extension digit length as used in your organization (In my case: 4).
  3. In Dial plan type: Always choose SIP URI.
  4. Choose your Audio Language.
  5. Enter your country code (No ‘+’, just the code).

UMDialPlan

Click “Save”, the window will close.

You now have a new Dial plan, click “Configure” to continue:

UMDialPlan2

This will open a new window. View your settings in the “General” page. These are not changeable, so if you made a mistake, now would be a good time to start things over.

General

If it’s ok – continue to “dial codes” and enter your country\region code. In my case: 353.

DialCodes

Continue to Outlook Voice Access.
Keep the default greeting and announcement unless you have a pre-recorded file, and go to “E.164 routing numbers for your SIP server”. This is where you enter your Subscriber Access number in an E.164 format. In my case: “+35315556789”.
In the next box, “Outlook Voice Access numbers”, enter the number you entered in the previous box, and the regular display number (e.g. 015556789). The reason is that Outlook Voice Access will only correspond to matching numbers, and you would like to have this configured as well:

OVA

Next, go to “Settings” and configure as desired:

Settings

Continue to Dialing rules: You can leave this as it is, or add a rule to allow Outlook to play on phone:
Click the ‘+’ sign to add a new dialing rule:

Dialing rules Add

In the new Dialing rule window:

  1. Name your rule.
  2. Add ‘*’ in “Number pattern” and “Dialed Number”:

New Dialing Rule

Click “OK” to save and go to “Dialing Authorization”. Click the ‘+’ button to add:

dialing auth new

And choose the previously created rule:

select dialing rule gruops

In “Transfer and Search”, I normally change the “Allow callers to search…” to “In the entire organization”:

TransferAndSearch

Click “Save”, and this part of the configuration is done!

2. On premises Lync Server

We’ll be using mostly PowerShell (Lync Management Shell) to configure this. Not a big deal, just make sure you double-check everything for typos…

Start with finding out your current configuration. From an elevated Lync Management Shell, run the following command:
Get-CsAccessEdgeConfiguration
You’re looking for the following parameters:

  1. AllowFederatedUsers (Should be set to True).
  2. EnablePartnerDiscovery (Should be set to True).
  3. RoutingMethod (Should be set to UseDnsSrvRouting)

Should look like this:

Get-CSAccessEdgeConf

If one of the parameters is missing, run the following command:
Set-CsAccessEdgeConfiguration -AllowFederatedUsers $true -EnablePartnerDiscovery $true -UseDnsSrvRouting

Now, add Office 365 Exchange Online as a new hosting provider:
New-CsHostingProvider -Identity "Exchange Online" -Enabled $True -EnabledSharedAddressSpace $True -HostsOCSUsers $False -ProxyFqdn "exap.um.outlook.com" -IsLocal $False -VerificationLevel UseSourceVerification

This has configured your Edge server to be able to communicate with Office 365.
Verify that it’s replicated to the Edge server by running:
Get-CsManagementStoreReplicationStatus (If replicated to all, should be “UpToDate: True” on all servers),
and last, check that it’s configured and displayed correctly by running:
Get-CsHostingProvider -LocalStore, this should be the result:

get-cshostingprovider
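
The checks in this step, gathered into one read-only script as an added example (not part of the original post): it compares the Edge configuration, the “Exchange Online” hosting provider and the replication status against the values given above. The function name `Test-HostedUmEdgeConfig` is made up for illustration; the expected values are the ones from the commands in this step.

```powershell
# Added example, not from the original post. Read-only: it changes nothing.
function Test-HostedUmEdgeConfig {
    param([string] $ProviderIdentity = 'Exchange Online')

    # Helper: record one expected-versus-actual comparison as an object.
    $check = {
        param($name, $expected, $actual)
        New-Object PSObject -Property @{
            Setting = $name; Expected = "$expected"; Actual = "$actual"
            Ok = ("$actual" -eq "$expected")
        }
    }
    $results = @()

    # Edge settings the post asks for.
    $edge = Get-CsAccessEdgeConfiguration
    $results += & $check 'AllowFederatedUsers'    $true              $edge.AllowFederatedUsers
    $results += & $check 'EnablePartnerDiscovery' $true              $edge.EnablePartnerDiscovery
    $results += & $check 'RoutingMethod'          'UseDnsSrvRouting' $edge.RoutingMethod

    # Hosting provider values from the New-CsHostingProvider command.
    $hp = Get-CsHostingProvider -Identity $ProviderIdentity -ErrorAction Stop
    $results += & $check 'Enabled'                   $true                   $hp.Enabled
    $results += & $check 'EnabledSharedAddressSpace' $true                   $hp.EnabledSharedAddressSpace
    $results += & $check 'HostsOCSUsers'             $false                  $hp.HostsOCSUsers
    $results += & $check 'ProxyFqdn'                 'exap.um.outlook.com'   $hp.ProxyFqdn
    $results += & $check 'IsLocal'                   $false                  $hp.IsLocal
    $results += & $check 'VerificationLevel'         'UseSourceVerification' $hp.VerificationLevel

    # Every replica, the Edge included, must report UpToDate: True.
    foreach ($replica in (Get-CsManagementStoreReplicationStatus)) {
        $results += & $check "Replication $($replica.ReplicaFqdn)" $true $replica.UpToDate
    }
    $results
}

$report = Test-HostedUmEdgeConfig
$report | Format-Table Setting, Expected, Actual, Ok -AutoSize
if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more settings differ from the values in this step.'
}
```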

3. Office 365 Management Shell

To continue configuring Lync on premises, we need some details about the Office 365 domains and tenants.
To do so, open a new elevated PowerShell window and connect to Office 365 using the following steps:

Run: $cred = Get-Credential and press Enter.
This will pop up a credential prompt, enter your Office 365 administrator credentials and press Ok:

Credentials

Next, run the following command:
$365 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication Basic -AllowRedirection
This will connect you to Office 365. You might receive a warning saying “WARNING: Your connection has been redirected to the following URI:
https://pod51048psh.outlook.com/powershell-liveid?PSVersion=3.0 “, This is normal.

Last, run:
$importresults = Import-PSSession $365

You should end up with an output similar to this:

Loaded

Now that you’re connected to Office 365, run: Get-Mailbox, to see that you recognize what’s going on, and then run: Get-AcceptedDomain. Now let’s pause here for a second:

Take a good look at your domain list. What we’re looking for is the original “.OnMicrosoft.com” domain. This is the one we’re going to use to communicate with Office 365.
Find that domain and mark it:

AcceptedDomains

Whatever your domain is (for example: y0av.onmicrosoft.com), this is what we’ll use in the following steps:

4. Back to Lync Management Shell

Now that we know our “OnMicrosoft” domain, we can configure Lync to communicate with it:

First, we’ll create a new Hosted Voicemail Policy. From Lync Management Shell, run the following:
New-CsHostedVoicemailPolicy -Identity Office365UM -Destination exap.um.outlook.com -Description "Office 365 Voicemail" -Organization "YOURDOMAIN.onmicrosoft.com"

Make sure you replaced “YOURDOMAIN” with your domain!

Next step: create a Lync-Exchange contact:
New-CsExUmContact -DisplayNumber <E.164Number> -SipAddress <SIP:Ex365UM@Domain.com> -RegistrarPool <LyncFE> -OU "<YourDesiredOU>"
So for example, these are my details:

  1. Display Number: +35315556789 (This is the Subscriber Access Number we used on Exchange Online earlier)
  2. Contact’s SIP address: Ex365UM@y0av.com
  3. Lync registrar: LyncFE01.y0av.local
  4. OU: Lync Devices

My command would look like this:
New-CsExUmContact -DisplayNumber +35315556789 -SipAddress SIP:Ex365UM@y0av.com -RegistrarPool LyncFE01.y0av.local -OU "OU=Lync Devices,DC=y0av,DC=local"

After running this command, you’ll get an output with the contact’s details. Note the contact’s GUID:

CSexum

This is also found in Active Directory where you created it:
I usually add a description to this contact, as Sys Admins sometimes delete strings they’re not familiar with…

UMContact

Copy the contact’s identity from PowerShell and use it in the following command to grant the policy you created earlier to the user you just created:
Grant-CsHostedVoicemailPolicy -Identity "CN={92011efc-5608-4c7e-88ed-d79e035c39e6},OU=Lync Devices,DC=y0av,DC=local" -PolicyName Office365UM

So now we have a UM Policy, and a UM Contact that’s configured with that policy. You can run Get-CsExUmContact to check that:

get-csexumcontact

5. Back to Office 365 Management Shell…

Last thing we need to do before it works, is connect the on premises and the cloud voice policies.
So from the previously used Office 365 Management Shell window, run the following:
Set-UMMailboxPolicy -Identity "CloudUMPolicy" -SourceForestPolicyNames "OnPremUMPolicy"
In this scenario we used the same name for both policies – that’ll work too:
Set-UMMailboxPolicy -Identity "Office365UM" -SourceForestPolicyNames "Office365UM"
But if you have a different name for each policy – configure that as desired.

6. Back to Lync Management Shell – last time!

The only thing left to do now is grant Lync users the new hosted voicemail policy and enable them for hosted UM.
You can use any pipe known to humanity to do this, but here’s the basics:

To grant the policy to a user, run:
Grant-CsHostedVoicemailPolicy -Identity LocalDomain\y0av -PolicyName Office365UM

To enable the user for Hosted Voicemail, run:
Set-CsUser -Identity LocalDomain\y0av -HostedVoiceMail $true

7. Enable the user for UM

Log on to the Office 365 admin center and enable the user for Unified messaging:

Enable

Assign the UM policy you created earlier:

Enable2

Verify the details on the next screen and that’s it. You have voicemail configured.

LyncClient

If you’re having issues enabling users, you might want to check the “Notes from the field” post I published after getting some feedback on this post.