Wednesday, 7 July 2021

Skype for Business User Moves to Teams Failing

The migration path for Skype for Business users to Teams is a well-trodden path. The procedure for doing so involves running the Move-CsUser command from a Skype for Business server and specifying that you want to move the user online. However, when I tried this from a Skype for Business 2015 pool the other day, I ran into some new errors… I hadn't seen these combination of errors before and it was unclear exactly what the problem was as the commands were correct. Here are some examples of the errors I was seeing:


Errors Included (when using OAuth method):

 

VERBOSE: CN=Roger Hybrid,OU=Users-Sync,DC=myteamslab,DC=com

Confirm

Move-CsUser

[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

VERBOSE: Validating parameters for move operation.

VERBOSE: Calculating new server information for user [sipfed.online.lync.com].

VERBOSE: Moving user [sip:Roger.Hybrid@myteamslab.com] across deployments.

VERBOSE: Initializing source external move endpoint.

VERBOSE: Creating target external move endpoint.

VERBOSE: Validating the hosted migration override URL provided:

[https://adminau1.online.lync.com/HostedMigration/hostedmigrationService.svc].

VERBOSE: Retrieving AuthorizationServiceUri and ClientId.

Move-CsUser : Hosted Migration Service (https://adminau1.online.lync.com/HostedMigration/HostedMigrationService.svc/OAuth_Bearer) did not return expected status code from request for WWW-Authenticate header.

At line:1 char:1

+ Move-CsUser -Identity roger.hybrid@myteamslab.com -Target sipfed.onli ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : InvalidOperation: (CN=Roger Hybrid...teamslab,DC=com:OCSADUser) [Move-CsUser], MoveUserException

    + FullyQualifiedErrorId : MoveError,Microsoft.Rtc.Management.AD.Cmdlets.MoveOcsUserCmdlet

 

When moving using credential Auth method:


 

PS C:\Users\Administrator.MYTEAMSLAB> Move-CsUser -Identity roger.hybrid@myteamslab.com -Target sipfed.online.lync.com -MoveToTeams -Credential $cred -HostedMig

rationOverrideUrl 'https://admin1a.online.lync.com/HostedMigration/hostedmigrationService.svc' -Verbose -Confirm:$False

VERBOSE: CN=Roger Hybrid,OU=Users-Sync,DC=myteamslab,DC=com

VERBOSE: CN=Roger Hybrid,OU=Users-Sync,DC=myteamslab,DC=com

VERBOSE: Validating parameters for move operation.

VERBOSE: Calculating new server information for user [sipfed.online.lync.com].

VERBOSE: Moving user [sip:Roger.Hybrid@myteamslab.com] across deployments.

VERBOSE: Initializing source external move endpoint.

VERBOSE: Creating target external move endpoint.

VERBOSE: Validating the hosted migration override URL provided:

[https://admin1a.online.lync.com/HostedMigration/hostedmigrationService.svc].

VERBOSE: Retrieving web ticket URL.

VERBOSE: Retrieving live id token.

Move-CsUser : The underlying connection was closed: An unexpected error occurred on a send.

At line:1 char:1

+ Move-CsUser -Identity roger.hybrid@myteamslab.com -Target sipfed.onli ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : InvalidOperation: (CN=Roger Hybrid...teamslab,DC=com:OCSADUser) [Move-CsUser], WebException

    + FullyQualifiedErrorId : MoveError,Microsoft.Rtc.Management.AD.Cmdlets.MoveOcsUserCmdlet

 

 

From this we have a WWW-Authentication header error and an underlying connection issue error depending on the type of credentials used. These errors went a long way to telling me nothing about what was causing this issue. When all else fails, lets have a look at Wireshark and do some packet peeping. The packets don’t lie and they showed that I was receiving a RST back from Office 365 right after my Client Hello was sent:


 

This immediately made me think that there was some kind of client/server negotiation failing in the TLS connection. So what changed recently with TLS in Office 365? hhhmmm, how about TLS 1.0 and TLS 1.1 being disabled??

As it turns out that was indeed the issue. My server was relatively old and had not been updated to have TLS 1.0 and 1.1 disabled on it. The next question was what could I do to work around this issue?

A classic move from PowerShell which I hoped would work in this case is using the .Net ServicePointManager to control the TLS version used in a PowerShell session. I tried this using the following command:


[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

 

Translation: Use the Transport Layer Security (TLS) 1.2 security protocol for this session.

 

After this I ran a regular OAuth move and it worked!  

$url="https://adminau1.online.lync.com/HostedMigration/hostedmigrationService.svc"

Move-CsUser -Identity roger.hybrid@myteamslab.com -Target sipfed.online.lync.com -MoveToTeams -HostedMigrationOverrideUrl $url -UseOAuth -BypassAudioConferencingCheck –Verbose

 

PS C:\Users\Administrator.MYTEAMSLAB> Move-CsUser -Identity roger.hybrid@myteamslab.com -Target sipfed.online.lync.com -MoveToTeams -HostedMigrationOverrideUrl

$url -UseOAuth -BypassAudioConferencingCheck -Verbose

VERBOSE: CN=Roger Hybrid,OU=Users-Sync,DC=myteamslab,DC=com

 

Confirm

Move-CsUser

[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

VERBOSE: Validating parameters for move operation.

VERBOSE: Calculating new server information for user [sipfed.online.lync.com].

VERBOSE: Moving user [sip:Roger.Hybrid@myteamslab.com] across deployments.

VERBOSE: Initializing source external move endpoint.

VERBOSE: Creating target external move endpoint.

VERBOSE: Validating the hosted migration override URL provided: [https://adminau1.online.lync.com/HostedMigration/hostedmigrationService.svc].

VERBOSE: Retrieving AuthorizationServiceUri and ClientId.

VERBOSE: Retrieving OAuth token.

VERBOSE: Initializing source external move endpoint.

VERBOSE: Validating user [sip:Roger.Hybrid@myteamslab.com] online, for on premises to online move.

VERBOSE: Validating user [sip:Roger.Hybrid@myteamslab.com] locally on premises, for on premises to online move.

VERBOSE: Validating read-write permissions on local Active Directory.

VERBOSE: Invoking begin move for user [sip:Roger.Hybrid@myteamslab.com].

VERBOSE: Setting resource data for user [sip:Roger.Hybrid@myteamslab.com].

VERBOSE: Completing move for user [sip:Roger.Hybrid@myteamslab.com].

VERBOSE: Re-homing user [sip:Roger.Hybrid@myteamslab.com] on the source.

VERBOSE: Re-homing user [sip:Roger.Hybrid@myteamslab.com] on the target.

 

There you go. Problem solved!


The Wrap Up

Things are constantly changing in Office 365. Stay on your toes because there can always be something new lurking that can make your migrations fail. Hopefully this helps some of you avoid disaster in your migration! Till next time, keep on migrating.




Read more →

Monday, 3 May 2021

Message Centre to Teams using Power Automate

 This post is made to accompany the YouTube tutorial video here: 

Watch the video to see the configuration in real time! All the steps have been documented in black and white here for your reference.

Note: You will need to have Power Automate licencing in order to run this flow. For more info on Power Apps (including Power Automate) trial licences go here: https://docs.microsoft.com/en-us/powerapps/maker/signup-for-powerapps


Configure API Access:

Before creating the Power Automate flow you first need to create an application registration within Azure AD to allow for authentication and access to the Microsoft Message Centre API.

During this process there are specific values that you will need to take note of in order to provide values for the Power Application connection. These are the TenantID, ClientID,  SecretID which will be generated when you create an App Registration within Azure AD.


Step 1: Setup API Access for the Power Automate Flow

a) Log into the Office 365 Admin Center as a Global Administrator, click Admin Centers in the left-hand menu, and click Azure Active Directory. Alternatively, you could log into http://portal.azure.com with your Office 365 administrator account.


b) In the Azure Administration Console, click Azure Active Directory, and under Manage click App Registrations.


c) Click the "+ New Registration" button:


d) Enter any name for your App such as MessageCentreAPI (must be a minimum of 4 characters):


g) Click the Register button at the bottom of the panel.


h) Once the App has been created, several IDs will be shown for your App.  The "Application (Client) ID" represents the ClientID you need for the flow. The Directory (Tenant) ID is the TenantID that you will also need for the flow.  Copy and save that value to use in your Flow.



i) Click the Certificates and Secrets menu item. Then click "New client secret"



j) In the Add Client Secret screen, enter any name for your key (maximum 16 characters) and select a Duration, after which it will expire (This is an added security feature as you don’t want secrets floating around forever).  Then click Save.


Once saved, the key (or SecretID in our case) will be displayed in the value field. 

Important: The Azure portal will only display the SecretID, at the time when it is initially generated.  You cannot navigate back to this page and retrieve the SecretID again later.



Copy and save that value to use in our Power Automate Flow. Be sure to keep your ClientID and SecretID saved privately and securely. 


Step 2: Grant Required Permissions to Your App

Once you have created the App and saved the ClientID and SecretID, you need to grant permissions to the app so it can access the Message Centre API.  You do this in the Azure portal using the following steps:

a) In the Settings page for your App, click the API Permissions menu item:


b) You will see a default Graph API User.Read permission there. Delete this as you don’t need it:


c) Click Add a Permission:

d) Select Office 365 Management APIs and click Select


e) Select Application Permissions


f) Select the “ServiceHealth.Read” permission:


g) Click Add Permissions

h) Once the permissions have been configured you will still see a warning notification in the Status column because admin consent hasn't been granted yet. Click the “Grant admin consent for <tenant name>” button:


i) Once you have granted consent you will see that the Status has been updated to Granted for <your tenant>:




Step 3: Create Flow from Template:

Within the existing Office 365 templates there is an excellent starter flow that does much of what you need to do. This is called “Email me a weekly summary of Office 365 message center notices” (which really rolls off the tongue):



When you initially open this template it will look like this:



This is a great start but you need to make some changes to make this work the way you need for this scenario. Here is an overview of what you are going to do to each of these components:




 

Step 4: Make changes to the existing template

First thing you need to do it edit the Recurrence time to be 1 day instead of 1 week.


Edit the “Get Office 365 messages” node. Select the “Show Advanced Options” to see all the values that you can edit. In here you need to add the Tenant ID, Client ID and Secret that was created in Azure AD in Step 1.



 Parse Subscribed Services

The original "Parse subscribed services" node from the original template is fine to use without editing. However, it doesn’t have the Category row in it that the Message Centre usually displays (plan for change, stay informed, etc), so this needs to be added:


The schema ends up looking like this:

{
    "type": "object",
    "properties": {
        "value": {
            "type": "array",
            "items": {
                "type": "object",
                "properties": {
                    "AffectedWorkloadDisplayNames": {
                        "type": "array"
                    },
                    "AffectedWorkloadNames": {
                        "type": "array"
                    },
                    "Status": {},
                    "Workload": {},
                    "WorkloadDisplayName": {},
                    "ActionType": {},
                    "AffectedTenantCount": {},
                    "AffectedUserCount": {},
                    "Classification": {},
                    "EndTime": {},
                    "Feature": {},
                    "FeatureDisplayName": {},
                    "Id": {},
                    "ImpactDescription": {},
                    "LastUpdatedTime": {},
                    "MessageType": {},
                    "Messages": {
                        "type": "array",
                        "items": {
                            "type": "object",
                            "properties": {
                                "MessageText": {
                                    "type": "string"
                                },
                                "PublishedTime": {
                                    "type": "string"
                                }
                            },
                            "required": [
                                "MessageText",
                                "PublishedTime"
                            ]
                        }
                    },
                    "PostIncidentDocumentUrl": {},
                    "Severity": {},
                    "StartTime": {},
                    "Category": {},
                    "Title": {}
                },
                "required": []
            }
        }
    }
}

 

Filter Array:

The filter array provided in the template has one filter for looking for the Message Type equaling Message Center. For this daily digest we don’t want to see all the messages but instead we want to see only those from the last day. To do this we will add another filter that only allows messages from the previous day. In this case I am using the last 25 hours to ensure that there is no gap between when a message was added and when the daily reoccurrence fires. To do this click on the Edit in Advanced Mode button and paste in one of the filter options below:


There are two choices on this filter. The first is to only list new items to the list and the second is to list new and updated items.

The filter for new items only for the previous 25 hours looks like this:

@and(equals(item()?['MessageType'], 'MessageCenter'),greater(item()?['StartTime'], addHours(utcNow(), -25)))

The filter for new and updated items for the previous 25 hours looks like this:

@and(equals(item()?['MessageType'], 'MessageCenter'),greater(item()?['LastUpdatedTime'], addHours(utcNow(), -25)))

Choose which ever one suits your needs better.


Conditional – If Statement

After we have filtered the array down it could be that we find that there are no messages. In this case rather than post an empty table we can instead have some text to tell us that there was not messages. To do this create a Condition and check the length of the array. If the array is 0 in length then send the message and if it’s not then continue processing the array.



The expression used here is to check the length of the Filter_array output:

length(body('Filter_array'))

 

If YES

If Yes then send a message “You can relax, there were no new Message Centre message today!”:



If NO

This section will contain the rest of the steps to generate the table and post it. The "If no" section is going to end up looking like the screenshot below. Follow the next steps to create this part of the flow:


 

Create HTML Table

Edit the Create HTML table from the original template to make the values equal those shown below (or you can select the table items that interest you):



In order to get a text list of the Affected Workloads for each Message Centre post you need to split the array and convert it to a string. You do this with the “join” expression:

join(item()?['AffectedWorkloadDisplayNames'],', ')

 

 Compose

Add a new Compose node. This will be used to make some edits to the HTML used in the table.


The expression is expanded in the Expression editor window:


Note: The way the expression pop over is displayed depends on how big your window is. So if it doesn't look like this then expand your window to see all the goodness.


In this compose block we give the HTML table a border to make it look better in Teams. To do this you create an expression where you replace the table tag with a table tag that has a border.

replace(body('Create_HTML_table'),'<table>','<table border="2">')

 

Compose 2


In order to make the table more pretty we give each of the cells 10 pixel padding around it.

replace(outputs('Compose'),'<td>','<td style="padding:10px;">')

 

Compose 3


Finally we make the table super pretty by making the header purple and have white text.

replace(outputs('Compose_2'),'<th>','<th style="padding:10px; background-color:#464EB8; color:white;">')

 

Teams Message

When editing the Teams message text ensure that you're in HTML editing mode and not the plain text editing mode. After doing that you want to enter the following HTML and under the Advanced section add a title (e.g. Daily Message Centre Update):


The HTML:

<html>

<body>

<p>&nbsp</p>

@{outputs('Compose_3')}

</body>

</html>


After doing this you will be done. Delete any remaining nodes that were left over from the initial template and test the flow. 


Daily Digest:

Here is an example of what the output should look like in the designated Teams channel: 



If there are no messages for that day you should see the following message posted in the channel:




Logic Apps


If you have Azure with consumption billing in place then you can also build this same flow and run it for under 1 cent per day using Logic Apps! 




This is a great option if you don't already have Power Automate licencing in Office 365. The one difference is that Logic Apps do not have the template that we used to build the Power Automate version from so there are a couple of extra steps you need to do to build some of the steps. It should be pretty straight forward to figure out based on the information already provided in the Power Automate flow. Here is an example that I built and tested in Logic Apps:




The Wrap Up


Taaa Daaaa, there you have it. Fun times with Power Automate. The great bonus here is that you and your team can now discuss and add conversations around these daily updates to further dig into areas that might be of interest to your business or customers. This can lead to valuable discussions about these changes that are persisted for future review. Enjoy!



Read more →

Thursday, 22 October 2020

Teams Phone Screen Capture Tool

If you’re ever putting together documentation, training material or blog posts on Teams Phones, you don’t want to be in a situation where you are taking photos of the screen of the phone with a camera. Instead it’s always better to get a crisp and clear pixel perfect screen shot. Fortunately, Teams phone devices allow you to do this, however, it’s not very well documented. In this blog post I’m going to take you through the process of taking screen captures on Microsoft Teams phones and also introduce you to a tool that I created for taking screen shots and animated GIFs of your Teams Phone devices.

 

Teams Phone Screen Capture Tool

 

The Teams Phone Screen Capture Tool was created to both make screen captures easier to take and also to create fully marked up animated GIFs of your Teams Phone Screen for documentation, blog posts, training material, etc.


Tool Features:
  • Capture jpeg images of static screen images.
  • Capture animated GIF screen captures
  • Edit the length of captured GIFs
  • Resize captured GIFs
  • Markup captured GIFs with rectangles or circle shapes in multiple colours
  • Currently supports Poly and Yealink devices. AudioCodes is not supported yet due to their current implementation methodology.

 

Version 1.00 – Initial Release


Download from Github

 

 

How to Enable the Screen Capture Feature on Teams Phones

 

The screen capture feature is enabled on each of the Teams phone brands in a slightly different way. I have created a walk through for how it’s done on each device brand.

 

Screen Capture with Poly Teams Phones

 

Step 1: Navigate to Settings > Device Settings > Debug > Screen Capture



Step 2: Navigate to Settings > Device Settings > Admin Only > (Enter Password) > Network Configuration > Web User Interface


Note: The default password is "456".


Step 3: Open the Teams Phone Screen Capture Tool in PowerShell:


IPAddress: Enter the IP Address of the Poly Phone.

Phone Type: Poly

Password: <“456” is the Poly default>

Click the “Show Screen Button”

The tool will then try to connect with the details given. Once connected you should see the screen in real time:


Now you can Save a Screenshot or record an animated GIF.

 

Screen Capture with Yealink Teams Phones


Step 1: Navigate to  Settings > Device Settings > Admin > (Enter Password) > Debug > Screen Capture > Enable

 

Note: The default password is "admin".


Step 2: Open the Teams Phone Screen Capture Tool in PowerShell:


IPAddress: Enter the IP Address of the Yealink Phone

Phone Type: Yealink

Password: <“admin” is the Yealink default>

Click the “Show Screen Button”

The tool will then try to connect with the details given. Once connected you should see the screen in real time:


Now you can Save a Screenshot or record an animated GIF.

  

Screen Capture with AudioCodes Teams Phones


The AudioCodes Teams phones don’t offer the same web-based access to their screen captures taken on a device. For this reason the tool does not support them at the moment. If you do want to take a screen capture on an AudioCodes phone you can but it’s a bit more work. You’ll need an SSH client (Putty will do) and a TFTP client in order to pull down a copy of the screen shot off the phone.


Here are the steps required:

Step 1: Turn on the Screen Capture setting in the phone:  Settings > Device Settings > Device Administratoion > (Enter Password) > Debugging > Screen Capture


Step 2: Access the phone via SSH

Note: The default username/password is "admin"/"admin".


Step 3: Run a TFTP client on your PC



Step 4: Run the commands from the SSH command line:

screencap /sdcard/screen_cap.png

curl -T /sdcard/screen_cap.png tftp://host_ip

 


These commands will make the phone take a screen capture which is saved onto the phone. Then the second command sends the screen capture to your TFTP server which you need to have running and accepting inbound file transfers.

This is not the most elegant of solutions and I hope that AudioCodes adds a web-based method for accessing the screen shots in the future.


GIF Editing Studio


After you have finished capturing the GIF a new window will be displayed that allows you to edit the GIF. The screen looks like this:



If you would like to mark up the GIF with coloured circles or rectangles to highlight something on the screen, you do this by first selecting the frame you want the shape to appear on, then select the "Markup Shape" and "Markup Colour" values, and then you simply click and drag on the image to place the shape where you want it. This will make the shape appear on the particular frame you had selected. If you would like to extend the amount of time it is on the screen for, you select the shape in the "Markup Shapes" list and edit the StartFrame and/or EndFrame column value(s). 

You can also edit the dimensions, location, colour and shape after selecting the shape in the list. Once you have made the changes you want to the selected shape you click the "Update Shape" button and it will save the changes. If you no longer want a shape that you had previously added you select the shape from the list and click the "Delete Shape" button to remove it. Note: when you select a shape in the "Markup Shapes" list the first frame that it appears on will be shown in the image box and the shape will be highlighted in light blue so you know which shape you've selected (if you un-select the shape in the list it's real colour will be displayed).

You can change the length of the animated GIF by changing the "Start Frame" and "End Frame" values underneath the image on the left hand side of the interface. The start and end frames selected will be reflected in the final GIF that is exported from the tool. The "Image Size" value allow you to change the height of the image when you change the height the width will be automatically changed to match. If you are making a long animated GIF then it can be useful to reduce the size of the output in order to keep the file size down on the exported GIF. By default the GIF will loop for an infinite amount of time if you would like it to only loop once you un-check the "Infinite Loop" checkbox.


Teams Admin Portal - Device Setting


You can control the Screen Capture setting that each of the phone brands devices need turned on in order to get access the screen capture images. The setting is found in the Devices > IP Phones > Configuration Profiles (tab) > + Add > Screen Capture:


This allows you to push this setting out to phones if that is how you want to do it. Keep in mind though that the Web User Interface setting required for Poly phones to support screen capturing is not available from the Admin Portal.


The Wrap Up


There you go, a new tool for your screen capturing pleasure. Enjoy!




Read more →

Popular Posts