In 2024 we have received a new feature for Standard SIP phones on Teams which has had no fanfare whatsoever. Despite the lack of fanfare, this enhancement promises to alleviate some of the challenges associated with deploying a large number of devices on the Teams SIP Gateway. Microsoft’s official documentation doesn’t provide an exhaustive explanation of this feature, which may leave you scratching your head about exactly what it does and how it works. In this article, I’ll delve into the details, shedding light on what this feature entails. Additionally, I’ll introduce a practical tool that streamlines bulk sign-ins, making the deployment process even easier.
What is Bulk Sign-in anyway?
If you’ve ever connected a SIP Phone to Teams SIP Gateway you will know that the phone has two states:
The Signed out state: This is when your phone has been configured to connect to the provisioning servers within Microsoft’s infrastructure, but has not yet been signed into an account. In this state you’ll usually see something like this on the phone interface:
The Signed in state: In the signed in state you will see the phone number of the user on the screen, along with whatever buttons are supported by the device. Here’s an example:
To transition Standard SIP phones between these states you usually have to do a sign in dance that involves a web sign-in flow, where you have to know the individual passwords for every phone account. This is both tedious and, in a lot of cases, impractical.
Are you ready to hear the cool part? What if I was to tell you that you can now bulk sign in 100 phones at a time without ever entering a password? Well, that’s what we are talking about with the new Bulk Sign in process.
Prerequisites
As you can imagine, if you’re going to allow someone to sign in a bunch of phones without ever entering a password there are going to have to be some guardrails to ensure that people aren’t able to randomly sign phones in. The prerequisites are as follows:
- In addition to Teams Administrator, you must use an account that has the Global Administrator, Privileged Authentication Administrator or Authentication Administrator role to run the cmdlets (and the tool I've provided below). Note: without one of these roles you will get an “Access Denied” error when you try to run the bulk sign-in cmdlets.
- You must apply CommonAreaPhone policy to the accounts that are part of a bulk sign-in request.
- The accounts must not have Multi Factor Authentication (MFA) enabled.
- The accounts must have a phone number assigned.
- The accounts must have the SIP device Calling Policy assigned with AllowSIPDevicesCalling set to True.
- The BulkSignIn attribute must be set to Enabled in TeamsSipDevicesConfiguration policy.
- You must have Trusted IP Addresses applied for any external IP Address that Standard SIP phones will be using to access the internet.
- Account settings: The user account that is used for the device must not have User must change password at next login, or User's password can't be changed selected, or have the minimum password age set to a value more than 0.
- The phone's provisioning URL must include the Microsoft Entra tenant ID at the end. This is an additional “/tenantid/<your-tenant-ID-guid>” appended to the basic provisioning URL. Note: I have found that if you leave this out, the error you receive is that the Trusted IP address is not assigned. I believe this is because the service is unable to associate the phone with a tenant and, by extension, the trusted IP will not be found.
- Phone accounts need a licence that includes Teams Phone capability. In most cases this will be a Microsoft Teams Shared Device Licence, but also can be standard user licensing too.
Like I said, if you expect to sign in devices without passwords you’re going to have to jump through some hoops. Here's the post from Microsoft that you can also check out: https://learn.microsoft.com/en-us/microsoftteams/sip-gateway-configure
Prerequisite Configuration Steps
Add the Trusted IP Address and Network Addresses in Teams Admin Centre (Locations > Network Topology):
Network Sites: It’s not entirely clear if you need this configuration; however, you normally do for other Trusted IP configuration so I’m including it. You enter your Network Region and internal subnets:
Trusted IP Addresses: Trusted IP Addresses are the external IP Addresses that your organisation uses to access the Internet (i.e. the external NATed IP Address of your network). This specifically needs to be the IP Address (or range) that your SIP Phones will be using to access the Internet. When the phones connect to the SIP servers on the Microsoft side, the service records their source IP Address. When you then request that a specific phone MAC address be signed in as a user account, the service checks that the source IP Address recorded for that MAC address falls within a Trusted IP Address range.
Note: It may take up to 24 hours for these settings to take effect. Until they have, you will get an error message when you try to sign in the device that looks something like this: “Public IP IPv4 - <IP>, IPv6 - for the device is not trusted. Please whitelist the public IP in TAC…”
Set the phone number: Your phones' accounts will all need phone numbers associated with them:
Set-CsPhoneNumberAssignment -Identity CommonAreaPhone@domain.com -PhoneNumber +61399995555 -PhoneNumberType DirectRouting
Create a Teams IP Phone Policy for Common Area Devices and assign it to all phones that need to be signed in:
New-CsTeamsIPPhonePolicy -Identity CommonAreaPhone -SignInMode CommonAreaPhoneSignin
Grant-CsTeamsIPPhonePolicy -Identity CommonAreaPhone@domain.com -PolicyName CommonAreaPhone
Create a Teams SIP Devices Configuration: This is a new cmdlet that was created specifically for the Bulk Sign-in feature. You can either set BulkSignIn on the Global configuration or create a user-based configuration that you assign directly to accounts.
# Global setting example
Set-CsTeamsSipDevicesConfiguration -Identity Global -BulkSignIn "Enabled"
Ensure that you have a Teams Calling Policy that allows SIP devices to sign in:
New-CsTeamsCallingPolicy -Identity SIPDevices -AllowSIPDevicesCalling $true -AllowCallRedirect Enabled
Grant-CsTeamsCallingPolicy -Identity CommonAreaPhone@domain.com -PolicyName SIPDevices
SIP Phone Provisioning: When you prepare your SIP Phones for connection to the Teams SIP Gateway, you need to load a provisioning URL that is slightly different from the default one: it must include your Entra tenant ID.
EMEA: http://emea.ipp.sdg.teams.microsoft.com/tenantid/<your-tenant-ID-guid>
Americas: http://noam.ipp.sdg.teams.microsoft.com/tenantid/<your-tenant-ID-guid>
APAC: http://apac.ipp.sdg.teams.microsoft.com/tenantid/<your-tenant-ID-guid>
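Because most of the sign-in failures come from a prerequisite that was missed on one account, it is worth checking the whole list of accounts before submitting a batch. The script below is an added example, not code from the original post or from Microsoft's documentation. It runs in a Teams PowerShell session (after Connect-MicrosoftTeams) using cmdlets that exist in the Teams module (Get-CsPhoneNumberAssignment, Get-CsUserPolicyAssignment, Get-CsTeamsCallingPolicy, Get-CsTeamsIPPhonePolicy, Get-CsTeamsSipDevicesConfiguration, Get-CsTenant, Get-CsTenantTrustedIPAddress). Assumptions: an empty result from Get-CsUserPolicyAssignment is taken to mean the Global policy applies; the function names and the sample IP 203.0.113.10 are mine; the MFA and on-premises password prerequisites live outside Teams PowerShell and are not checked here.

```powershell
# Added example (not from the original post or Microsoft's documentation): a pre-flight
# check of the bulk sign-in prerequisites, run in a Teams PowerShell session
# (Connect-MicrosoftTeams) by an account holding one of the roles listed above.
# Assumptions: Get-CsUserPolicyAssignment returns nothing when only the Global policy
# applies; MFA and on-premises password settings are not checked here.

# Region names accepted by New-CsSdgBulkSignInRequest, mapped to the provisioning hosts above.
$SdgProvisioningHosts = @{
    APAC = 'http://apac.ipp.sdg.teams.microsoft.com'
    EMEA = 'http://emea.ipp.sdg.teams.microsoft.com'
    NOAM = 'http://noam.ipp.sdg.teams.microsoft.com'
}

function Get-EffectivePolicyName {
    param([string]$Upn, [string]$PolicyType)
    $assignment = Get-CsUserPolicyAssignment -Identity $Upn -PolicyType $PolicyType -ErrorAction SilentlyContinue
    if ($assignment -and $assignment[0].PolicyName) { return $assignment[0].PolicyName }
    return 'Global'   # assumption: no assignment record means the Global policy applies
}

function Test-SdgTenantPrereqs {
    # BulkSignIn must be Enabled on the SIP devices configuration, and the tenant ID
    # is what every phone's provisioning URL must end with.
    $cfg = Get-CsTeamsSipDevicesConfiguration -Identity Global
    $tenantId = (Get-CsTenant).TenantId
    [pscustomobject]@{
        BulkSignInEnabled = ($cfg.BulkSignIn -eq 'Enabled')
        TenantId          = $tenantId
        ProvisioningUrls  = $SdgProvisioningHosts.GetEnumerator() |
            ForEach-Object { '{0}: {1}/tenantid/{2}' -f $_.Key, $_.Value, $tenantId }
    }
}

function Test-SdgAccountPrereqs {
    param([Parameter(Mandatory)][string]$Upn)
    $problems = @()

    # Guards against "User missing phone number assignment"
    $number = Get-CsPhoneNumberAssignment -AssignedPstnTargetId $Upn -ErrorAction SilentlyContinue
    if (-not $number) { $problems += 'no phone number assigned' }

    # Guards against "User missing AllowSIPDevicesCalling policy assignment"
    $callingName = Get-EffectivePolicyName -Upn $Upn -PolicyType TeamsCallingPolicy
    $calling = Get-CsTeamsCallingPolicy -Identity $callingName -ErrorAction SilentlyContinue
    if (-not $calling -or -not $calling.AllowSIPDevicesCalling) {
        $problems += "calling policy '$callingName' has AllowSIPDevicesCalling off"
    }

    # Guards against "User missing CAP policy assignment"
    $ipPhoneName = Get-EffectivePolicyName -Upn $Upn -PolicyType TeamsIPPhonePolicy
    $ipPhone = Get-CsTeamsIPPhonePolicy -Identity $ipPhoneName -ErrorAction SilentlyContinue
    if (-not $ipPhone -or $ipPhone.SignInMode -ne 'CommonAreaPhoneSignin') {
        $problems += "IP phone policy '$ipPhoneName' is not CommonAreaPhoneSignin"
    }

    [pscustomobject]@{
        Upn           = $Upn
        PhoneNumber   = $number.TelephoneNumber
        CallingPolicy = $callingName
        IPPhonePolicy = $ipPhoneName
        Ready         = ($problems.Count -eq 0)
        Problems      = ($problems -join '; ')
    }
}

function Test-IPv4InRange {
    # Prefix comparison on the binary form; works in Windows PowerShell 5.1 and PowerShell 7.
    param([string]$Ip, [string]$Network, [int]$MaskBits)
    $bits = { param($s) ([System.Net.IPAddress]::Parse($s).GetAddressBytes() |
        ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') }) -join '' }
    (& $bits $Ip).Substring(0, $MaskBits) -eq (& $bits $Network).Substring(0, $MaskBits)
}

function Test-SdgTrustedIP {
    # Takes the IPv4 quoted in the "Public IP ... is not trusted" error and checks it
    # against the tenant's Trusted IP ranges (guards against "Public IP not configured as Trusted IP").
    param([Parameter(Mandatory)][string]$PublicIp)
    $match = Get-CsTenantTrustedIPAddress | Where-Object {
        $_.IPAddress -notmatch ':' -and (Test-IPv4InRange -Ip $PublicIp -Network $_.IPAddress -MaskBits $_.MaskBits)
    } | Select-Object -First 1
    [pscustomobject]@{
        PublicIp     = $PublicIp
        Trusted      = [bool]$match
        MatchedRange = if ($match) { "$($match.IPAddress)/$($match.MaskBits)" } else { $null }
    }
}

# Usage, against the same CSV you will hand to the bulk sign-in request:
# Test-SdgTenantPrereqs
# Import-Csv .\phones.csv | ForEach-Object { Test-SdgAccountPrereqs -Upn $_.Username } | Format-Table
# Test-SdgTrustedIP -PublicIp 203.0.113.10   # constructed sample address
```

Run Test-SdgTenantPrereqs once (it also prints the three provisioning URLs with your tenant ID filled in), then pipe your account list through Test-SdgAccountPrereqs and fix anything with Ready = False before you build the batch files. Test-SdgTrustedIP is for the case where a device has already failed with the "not trusted" error: paste the IPv4 from that message and it tells you whether any trusted range actually covers it, which separates a missing range from the 24-hour propagation delay.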
Bulk Sign in
Microsoft has given us some PowerShell cmdlets to do the Bulk Sign in process. The commands require that you import a CSV with the account and the MAC address of the device in it. The format for this file is as follows:
Username,HardwareId
CommonAreaPhone1@domain.com,00-04-f2-81-24-b3
CommonAreaPhone2@domain.com,00-04-f2-81-24-b4
The file can only contain 100 phones for each import process, so build up your CSV files with 100 devices per file. Once you have your CSV files you need to get them into the system. I found the Microsoft PowerShell here to be a bit clunky to use and I thought that I could improve the experience by building a GUI for it, so that’s what I did. Behold the Teams SIP Gateway Bulk Signin Tool:
Note: In addition to Teams Administrator, you will need the Global Administrator, Privileged Authentication Administrator or Authentication Administrator role assigned to the account you use when the tool signs in to PowerShell. Without one of these roles you will get an "Access Denied" error.
Using the tool is dead simple - just click the Browse button, find your CSV file (as described earlier) and open it. When it’s opened, the users will be shown in the tool (the tool will also check the format of the file for you). Now all you need to do is click the “Bulk Sign In” button and the tool will handle the rest. If the phone gets signed in correctly it will change colour to green and if it fails then it will turn red.
The tool runs the New-CsSdgBulkSignInRequest and Get-CsSdgBulkSignInRequestStatus cmdlets for you and keeps track of the batch until it completes.
When the tool first loads it will print out a list of the provisioning URLs for you, so you don't have to go searching for your Tenant ID and potentially make any mistakes with the formatting of the URL.
You can also export a CSV of the results if you would like to keep that for future reference.
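If you would rather drive the cmdlets from a script than from the GUI, the following is an added example of the same workflow; it is not the tool described above and not Microsoft's code. It normalises MAC addresses into the hyphenated form the CSV uses, rejects duplicates before they reach the service, writes batch files of at most 100 rows, submits each with New-CsSdgBulkSignInRequest -DeviceDetailsFilePath/-Region and polls Get-CsSdgBulkSignInRequestStatus -Batchid. Assumptions: the request cmdlet's output is, or carries a BatchId property that is, the batch ID; the status cmdlet's property names are not relied on, so a batch is treated as finished (or stuck) when three consecutive polls return identical output; the function names, the output folder and phones.csv are mine.

```powershell
# Added example (not the post's GUI tool and not Microsoft's code): build the batch
# files the cmdlets expect, catch two of the input errors from the table below before
# submitting (bad hardware-ID format, duplicate MACs), then submit each batch with
# New-CsSdgBulkSignInRequest and poll Get-CsSdgBulkSignInRequestStatus.
# Assumptions: the request output is (or has a BatchId property that is) the batch ID;
# a batch counts as finished or stuck when three consecutive polls return identical output.

function ConvertTo-SdgHardwareId {
    # Normalise "00:04:F2:81:24:B3" or "0004f28124b3" to the "00-04-f2-81-24-b3" form used in the CSV.
    param([Parameter(Mandatory)][string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne 12) { throw "Hardware ID '$Mac' is not a 48-bit MAC address" }
    $pairs = for ($i = 0; $i -lt 12; $i += 2) { $hex.Substring($i, 2) }
    $pairs -join '-'
}

function Get-SdgBatches {
    # Returns arrays of at most $BatchSize {Username, HardwareId} rows, rejecting duplicate MACs.
    param([Parameter(Mandatory)][object[]]$Devices, [int]$BatchSize = 100)
    $seen = @{}
    $clean = @(foreach ($d in $Devices) {
        $hw = ConvertTo-SdgHardwareId -Mac $d.HardwareId
        if ($seen.ContainsKey($hw)) { throw "Duplicate hardware ID $hw for $($d.Username) and $($seen[$hw])" }
        $seen[$hw] = $d.Username
        [pscustomobject]@{ Username = $d.Username.Trim(); HardwareId = $hw }
    })
    for ($i = 0; $i -lt $clean.Count; $i += $BatchSize) {
        $end = [Math]::Min($i + $BatchSize, $clean.Count) - 1
        , $clean[$i..$end]     # the leading comma emits each batch as one array
    }
}

function Submit-SdgBatches {
    param(
        [Parameter(Mandatory)][string]$DeviceCsv,
        [Parameter(Mandatory)][ValidateSet('APAC', 'EMEA', 'NOAM')][string]$Region,  # same region as the provisioning URL
        [string]$OutDir = '.\sdg-batches',
        [int]$MaxPolls = 20,
        [int]$PollSeconds = 30
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $n = 0
    foreach ($batch in Get-SdgBatches -Devices (Import-Csv -Path $DeviceCsv)) {
        $n++
        $file = Join-Path $OutDir ('batch{0:D3}.csv' -f $n)
        # Write the CSV by hand so the header is exactly "Username,HardwareId" with no quoting.
        $lines = @('Username,HardwareId') + @($batch | ForEach-Object { "$($_.Username),$($_.HardwareId)" })
        Set-Content -Path $file -Value $lines -Encoding ascii

        $request = New-CsSdgBulkSignInRequest -DeviceDetailsFilePath $file -Region $Region
        $batchId = if ($request.PSObject.Properties['BatchId']) { $request.BatchId } else { "$request" }
        Write-Host "Batch $n ($($batch.Count) devices) submitted from $file, batch ID $batchId"

        $previous = $null
        $unchanged = 0
        for ($poll = 1; $poll -le $MaxPolls; $poll++) {
            Start-Sleep -Seconds $PollSeconds
            $status = Get-CsSdgBulkSignInRequestStatus -Batchid $batchId
            $snapshot = ($status | Format-List | Out-String).Trim()
            if ($snapshot -eq $previous) {
                if (++$unchanged -ge 3) { break }   # no movement for three polls: done or stuck
                continue
            }
            $unchanged = 0
            $previous = $snapshot
            Write-Host "Batch $n poll $poll`n$snapshot"
        }
        [pscustomobject]@{ Batch = $n; File = $file; BatchId = $batchId; LastStatus = $status }
    }
}

# Usage (phones.csv uses the Username,HardwareId layout shown above):
# Submit-SdgBatches -DeviceCsv .\phones.csv -Region APAC
```

Two design points are worth noting. The batch files are written with Set-Content rather than Export-Csv so that the header and rows match the layout shown above exactly, without the quoting Export-Csv adds. And the duplicate check runs locally on the normalised MAC, so a list that contains both 00:04:F2:81:24:B3 and 00-04-f2-81-24-b3 is rejected before submission instead of coming back as "Duplicate devices found for bulk sign-in".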
Note: When you download PowerShell scripts from the Internet, Microsoft Windows now requires that you open the file's properties and tick the “Unblock” checkbox to allow it to run:
Error Messages Provided by Microsoft 365
Error messages that you may run into when signing your Standard SIP Phones into the system:
Error message | Potential solution
User not found in tenant. | Check that the username or User Principal Name (UPN) is correct.
User missing phone number assignment. | Verify the user has a phone number assigned.
User missing AllowSIPDevicesCalling policy assignment. | Verify that the account's Teams Calling Policy has AllowSIPDevicesCalling set to True (see the Calling Policy prerequisite above).
User missing CAP policy assignment. | Verify that the account has the CommonAreaPhone policy assigned (see the CommonAreaPhone policy prerequisite above).
Device not found in records. | Check that the device was correctly provisioned to SIP Gateway, and that the Region parameter in the bulk sign-in request is correct.
BulkSignIn Tag missing for the device. | Check that the device provisioning URL has the correct tenant ID.
Device is offline. | The device can't be found because it's powered off or disconnected from the network. Reconnect the device and try again.
Public IP not configured as Trusted IP. | The tenant ID in the provisioning URL isn't correct, or the public IP address of the device isn't listed as a trusted IP address in Teams admin center (see the Trusted IP Addresses prerequisite above).
Bulk Sign-in deadline expired. | The device hasn't been signed in within 72 hours of provisioning (or 168 hours).
Duplicate devices found for bulk sign-in. | Verify that the MAC addresses in the CSV file are correct and that none are duplicated. IP addresses of the duplicate devices are returned.
Input hardware-ID is of wrong format. | Verify the hardware-ID format against the CSV example above (hyphen-separated MAC address).
On-premises AD configuration failure. | Contact your on-premises Active Directory team.
On-premises AD throttling detected. | Try again with a smaller number of devices in the batch. Depending on network connectivity, large batches take more time to complete and may get stuck.
The Password writeback service failed to set a password on the tenant's local directory. | The user account used for the device must not have "User must change password at next login" or "User's password can't be changed" selected, or have the minimum password age set to a value more than 0. Verify those options aren't selected, set the minimum password age to 0, and try again.
The Wrap Up
There you have it - all you should need to know about using Bulk Sign-in with Standard SIP phones on the Microsoft Teams SIP Gateway. Enjoy the time savings!