Sunday 16 June 2024

Bulk Sign in for Microsoft Teams SIP Gateway

In 2024 we have received a new feature for Standard SIP phones on Teams which has had no fanfare whatsoever. Despite the lack of fanfare, this enhancement promises to alleviate some of the challenges associated with deploying a large number of devices on the Teams SIP Gateway. Microsoft’s official documentation doesn’t provide an exhaustive explanation of this feature, which may leave you scratching your head about exactly what it does and how it works. In this article, I’ll delve into the details, shedding light on what this feature entails. Additionally, I’ll introduce a practical tool that streamlines bulk sign-ins, making the deployment process even easier.


What is Bulk Sign-in anyway?


If you’ve ever connected a SIP Phone to Teams SIP Gateway you will know that the phone has two states:


The Signed out state: This is when your phone has been configured to connect to the provisioning servers within Microsoft’s infrastructure, but has not yet been signed into an account. In this state you’ll usually see something like this on the phone interface:



The Signed in state: In the signed in state you will see the phone number of the user on the screen and there will be whatever buttons are supported by the device. Here’s an example:

 



To transition Standard SIP phones between these states you usually have to do a sign-in dance through a web sign-in flow, which means knowing the individual password for every phone account. This is tedious and, for a large deployment, impractical.

Are you ready to hear the cool part? What if I was to tell you that you can now bulk sign in 100 phones at a time without ever entering a password?? Well, that’s what we are talking about with the new Bulk Sign in process.

 

Prerequisites


As you can imagine, if you’re going to allow someone to sign in a bunch of phones without ever entering a password there are going to have to be some guardrails to ensure that people aren’t able to randomly sign phones in. The prerequisites are as follows:

  • In addition to Teams Administrator, you must run the cmdlets (and the tool provided below) with an account that holds the Global Administrator, Privileged Authentication Administrator or Authentication Administrator role. Without one of these roles you will get an "Access Denied" error when you try to run the bulk sign-in cmdlets. Note that these roles can reset other users' credentials, so use a dedicated admin account for the rollout and remove the role assignment when you are done.
  • You must apply CommonAreaPhone policy to the accounts that are part of a bulk sign-in request.
  • The accounts must not have Multi Factor Authentication (MFA) enabled.
  • The accounts must have a phone number assigned.
  • The accounts must have the SIP device Calling Policy assigned with AllowSIPDevicesCalling set to True.
  • The BulkSignIn attribute must be set to Enabled in TeamsSipDevicesConfiguration policy.
  • You must have Trusted IP Addresses applied for any external IP Address that Standard SIP phones will be using to access the internet.
  • Account settings: The user account that is used for the device must not have User must change password at next login, or User's password can't be changed selected, or have the minimum password age set to a value more than 0.
  • The phone's provisioning URL must include the Microsoft Entra tenant ID at the end. This is an additional "/tenantid/<your-tenant-ID-guid>" that is appended to the basic provisioning URL. Note: I have found that if you leave this out, the error you receive is that the Trusted IP address is not assigned. I believe this is because the service is unable to associate the phone with a tenant and, by extension, the trusted IP will not be found.
  • Phone accounts need a licence that includes Teams Phone capability. In most cases this will be a Microsoft Teams Shared Device Licence, but also can be standard user licensing too.

Like I said, if you expect to sign in devices without passwords you’re going to have to jump through some hoops. Here's the post from Microsoft that you can also check out: https://learn.microsoft.com/en-us/microsoftteams/sip-gateway-configure

 

Prerequisite Configuration Steps


Add the Trusted IP Address and Network Addresses in Teams Admin Centre (Locations > Network Topology):


Network Sites:

It’s not entirely clear if you need this configuration; however, you normally do for other Trusted IP configuration so I’m including it. You enter your Network Region and internal subnets:




Trusted IP Addresses:

Trusted IP Addresses are the external (public, NATed) IP addresses that your organisation uses to reach the Internet, and specifically the address or range that your SIP phones will egress from. When a phone connects to the SIP servers on the Microsoft side, the service records its source IP address. When you later request that a specific MAC address be signed in as an account, the service checks that the source address it recorded for that MAC falls within a Trusted IP range. This IP check is the main guardrail standing in for the password you are no longer typing, so keep the trusted ranges to the phones' actual egress addresses rather than broad blocks.



Note: It may take up to 24 hours for these settings to take effect. If they haven't, you will get an error message when you try to sign in the device that looks something like this: "Public IP IPv4 - <IP>, IPv6 -  for the device is not trusted. Please whitelist the public IP in TAC…"

 

Set the phone number:

Your phones' accounts will all need phone numbers assigned to them (use the PhoneNumberType that matches how the number is provided, e.g. DirectRouting, CallingPlan or OperatorConnect):

Set-CsPhoneNumberAssignment -Identity CommonAreaPhone@domain.com -PhoneNumber +61399995555 -PhoneNumberType DirectRouting

 

Create a Teams IP Phone Policy for Common Area Devices and Assign it to all phones that need to be signed in:

New-CsTeamsIPPhonePolicy -Identity CommonAreaPhone -SignInMode CommonAreaPhoneSignin

Grant-CsTeamsIPPhonePolicy -Identity CommonAreaPhone@domain.com -PolicyName CommonAreaPhone

 

Create a Teams SIP Devices Configuration:

This is a new cmdlet that was created specifically for the Bulk Sign-in feature. You can either set it as a Global setting or create a user-based policy that you assign directly to accounts.

#Global Setting Example

Set-CsTeamsSipDevicesConfiguration -Identity Global -BulkSignIn "Enabled"

 

 

Ensure that you have a Teams Calling Policy that allows for SIP Devices to sign-in:

New-CsTeamsCallingPolicy -Identity SIPDevices -AllowSIPDevicesCalling $true -AllowCallRedirect Enabled

Grant-CsTeamsCallingPolicy -Identity CommonAreaPhone@domain.com -PolicyName SIPDevices

 

SIP Phone Provisioning:

When you prepare your SIP Phones for connection to the Teams SIP Gateway, you need to load in a provisioning URL that is slightly different than the default one. By this I mean it needs to include your Entra Tenant ID in the URL.

EMEA: http://emea.ipp.sdg.teams.microsoft.com/tenantid/<your-tenant-ID-guid>

Americas: http://noam.ipp.sdg.teams.microsoft.com/tenantid/<your-tenant-ID-guid>

APAC: http://apac.ipp.sdg.teams.microsoft.com/tenantid/<your-tenant-ID-guid>

Note: When the Tool boots it will print out what your provisioning URLs should be for your tenant. 
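The prerequisite steps above are easy to get half right, and the service only tells you about one missing piece at a time. The following PowerShell is an added example (it is not code from the original post or from the author's tool) that checks each account's phone number, IP phone policy and calling policy, checks the tenant-wide BulkSignIn switch, and builds the three provisioning URLs from the tenant ID. It assumes the MicrosoftTeams module is loaded and Connect-MicrosoftTeams has been run with an account holding the roles listed above; the property names it reads (LineUri, TeamsIPPhonePolicy, TeamsCallingPolicy, SignInMode, AllowSIPDevicesCalling, BulkSignIn, TenantId) are assumptions to verify against your module version.

```powershell
# Added example, not code from the original post or from the author's tool.
# Assumes Connect-MicrosoftTeams has already been run with the required roles.
# Assumed property names (check against your MicrosoftTeams module version):
#   Get-CsOnlineUser                   -> LineUri, TeamsIPPhonePolicy, TeamsCallingPolicy
#   Get-CsTeamsIPPhonePolicy           -> SignInMode
#   Get-CsTeamsCallingPolicy           -> AllowSIPDevicesCalling
#   Get-CsTeamsSipDevicesConfiguration -> BulkSignIn
#   Get-CsTenant                       -> TenantId

function Get-EffectivePolicyName {
    # A null assigned policy means the Global policy applies; older module
    # versions prefix assigned policy names with "Tag:".
    param($AssignedPolicy)
    if (-not $AssignedPolicy) { return 'Global' }
    return ($AssignedPolicy.ToString() -replace '^Tag:', '')
}

function Test-SipPhoneAccount {
    # Returns one object per account with a Ready flag and the list of problems found.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $problems = @()

    try { $user = Get-CsOnlineUser -Identity $UserPrincipalName -ErrorAction Stop }
    catch { $user = $null }
    if (-not $user) {
        return [pscustomobject]@{ User = $UserPrincipalName; Ready = $false; Problems = @('User not found in tenant') }
    }

    # Prerequisite: a phone number must be assigned (Set-CsPhoneNumberAssignment)
    if ([string]::IsNullOrWhiteSpace($user.LineUri)) {
        $problems += 'No phone number assigned'
    }

    # Prerequisite: the IP phone policy must sign the device in as a common area phone
    $ipName = Get-EffectivePolicyName $user.TeamsIPPhonePolicy
    $ipPol  = Get-CsTeamsIPPhonePolicy -Identity $ipName -ErrorAction SilentlyContinue
    if (-not $ipPol -or $ipPol.SignInMode -ne 'CommonAreaPhoneSignin') {
        $problems += "IP phone policy '$ipName' does not use CommonAreaPhoneSignin"
    }

    # Prerequisite: the calling policy must allow SIP device calling
    $callName = Get-EffectivePolicyName $user.TeamsCallingPolicy
    $callPol  = Get-CsTeamsCallingPolicy -Identity $callName -ErrorAction SilentlyContinue
    if (-not $callPol -or -not $callPol.AllowSIPDevicesCalling) {
        $problems += "Calling policy '$callName' does not set AllowSIPDevicesCalling to True"
    }

    [pscustomobject]@{ User = $UserPrincipalName; Ready = ($problems.Count -eq 0); Problems = $problems }
}

function Test-SipBulkSignInTenant {
    # The BulkSignIn switch is tenant-wide; check it once, not per account.
    $cfg = Get-CsTeamsSipDevicesConfiguration -Identity Global
    [pscustomobject]@{ BulkSignIn = $cfg.BulkSignIn; Ready = ($cfg.BulkSignIn -eq 'Enabled') }
}

function Get-SipGatewayProvisioningUrl {
    # The /tenantid/<guid> suffix is what lets the service tie the phone to your
    # tenant; without it the request fails with the trusted-IP error.
    param([string]$TenantId = (Get-CsTenant).TenantId)   # TenantId property is an assumption
    foreach ($region in 'emea', 'noam', 'apac') {
        "http://${region}.ipp.sdg.teams.microsoft.com/tenantid/$TenantId"
    }
}

# Usage (constructed account names):
#   Test-SipBulkSignInTenant
#   'CommonAreaPhone1@domain.com', 'CommonAreaPhone2@domain.com' |
#       ForEach-Object { Test-SipPhoneAccount $_ } | Format-List
#   Get-SipGatewayProvisioningUrl
```

Run the account check over the same list of UPNs you intend to put in the bulk sign-in CSV; any account reported as not Ready will come back from the service with one of the "User missing ..." errors listed later in this post, so it is cheaper to fix them here first.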


Bulk Sign in


Microsoft has given us some PowerShell cmdlets to do the Bulk Sign-in process. The cmdlets require that you import a CSV containing the account and the MAC address of each device. The format for this file is as follows:

Username,HardwareId

CommonAreaPhone1@domain.com,00-04-f2-81-24-b3

CommonAreaPhone2@domain.com,00-04-f2-81-24-b4

 

The file can only contain 100 phones for each import process. So build up your CSV files with 100 devices per file. Once you have your CSV files you need to get them into the system. I found the Microsoft PowerShell here to be a bit clunky to use and I thought that I could improve the experience by building a GUI for it, so that’s what I did. Behold the Teams SIP Gateway Bulk Signin Tool:



Note: In addition to Teams Administrator, you will need the Global Administrator, Privileged Authentication Administrator or Authentication Administrator role assigned to the account you use to sign the tool into PowerShell. If not, you will get an "Access Denied" error.


DOWNLOAD FROM GITHUB

 

Using the tool is dead simple - just click the Browse button and find your CSV file (as described earlier) and open it. When it’s opened, the users will be shown in the tool (the tool will also check the format of the file for you). Now all you need to do is click the “Bulk Sign In” button and the tool will handle the rest. If the phone gets signed in correctly it will change colour to green and if it fails then it will turn red.

The tool runs the New-CsSdgBulkSignInRequest and Get-CsSdgBulkSignInRequestStatus cmdlets for you and tracks the batch until it completes.
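If you would rather script the process than use the GUI, the following PowerShell is an added example (not the author's tool and not code from the original post) that does the same job from the command line: it validates the CSV against the format shown above (Username and HardwareId columns, MAC addresses as xx-xx-xx-xx-xx-xx, no duplicates), splits it into files of at most 100 devices, submits each file with New-CsSdgBulkSignInRequest and polls Get-CsSdgBulkSignInRequestStatus until the batch finishes. The parameter names -DeviceDetailsFilePath, -Region and -Batchid, the BatchId property on the request result, and the Status/ErrorMessage columns of the status output are assumptions about the cmdlets; check Get-Help on your module version before relying on them.

```powershell
# Added example, not code from the original post or from the author's GUI tool.
# Assumes Connect-MicrosoftTeams has been run with the roles listed above.
# Assumed cmdlet shapes (verify with Get-Help in your module version):
#   New-CsSdgBulkSignInRequest -DeviceDetailsFilePath <csv> -Region <APAC|EMEA|NOAM>
#     returns an object carrying the batch ID (read here from a BatchId property)
#   Get-CsSdgBulkSignInRequestStatus -Batchid <id>
#     returns one row per device with Username, HardwareId, Status and ErrorMessage

function Test-BulkSignInCsv {
    # Parses the CSV and returns Valid, the list of Errors and the cleaned Rows.
    param([Parameter(Mandatory)][string]$Path)
    $rows   = @(Import-Csv -Path $Path)
    $errors = @()
    if ($rows.Count -eq 0) { return [pscustomobject]@{ Valid = $false; Errors = @('CSV has no data rows'); Rows = @() } }

    # Tolerate "Username, HardwareId" (space after the comma) by mapping trimmed header names
    $cols = @{}
    foreach ($p in $rows[0].PSObject.Properties.Name) { $cols[$p.Trim()] = $p }
    foreach ($need in 'Username', 'HardwareId') {
        if (-not $cols.ContainsKey($need)) { $errors += "Missing column: $need" }
    }
    if ($errors.Count -gt 0) { return [pscustomobject]@{ Valid = $false; Errors = $errors; Rows = @() } }

    $seenMac = @{}; $seenUser = @{}; $clean = @(); $line = 1
    foreach ($r in $rows) {
        $line++
        $upn = ([string]$r.($cols['Username'])).Trim()
        $mac = ([string]$r.($cols['HardwareId'])).Trim().ToLower()
        if ($upn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$')      { $errors += "Line ${line}: '$upn' is not a UPN" }
        if ($mac -notmatch '^([0-9a-f]{2}-){5}[0-9a-f]{2}$') { $errors += "Line ${line}: '$mac' is not xx-xx-xx-xx-xx-xx" }
        if ($seenMac.ContainsKey($mac))  { $errors += "Line ${line}: duplicate HardwareId $mac" } else { $seenMac[$mac] = $true }
        if ($seenUser.ContainsKey($upn)) { $errors += "Line ${line}: duplicate Username $upn" } else { $seenUser[$upn] = $true }
        $clean += [pscustomobject]@{ Username = $upn; HardwareId = $mac }
    }
    [pscustomobject]@{ Valid = ($errors.Count -eq 0); Errors = $errors; Rows = $clean }
}

function Split-BulkSignInBatches {
    # Writes plain two-column CSV files of at most 100 rows each (the per-request limit)
    # and returns their paths in order.
    param([Parameter(Mandatory)][object[]]$Rows, [string]$OutDir = '.', [int]$BatchSize = 100)
    $paths = @()
    for ($i = 0; $i -lt $Rows.Count; $i += $BatchSize) {
        $end   = [Math]::Min($i + $BatchSize, $Rows.Count) - 1
        $path  = Join-Path $OutDir ('bulksignin-{0:d3}.csv' -f ($paths.Count + 1))
        $lines = @('Username,HardwareId') + @($Rows[$i..$end] | ForEach-Object { "$($_.Username),$($_.HardwareId)" })
        Set-Content -Path $path -Value $lines -Encoding ascii
        $paths += $path
    }
    $paths
}

function Invoke-SipBulkSignIn {
    # Validates, batches, submits and polls; returns every per-device status row.
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][ValidateSet('APAC', 'EMEA', 'NOAM')][string]$Region,
          [int]$TimeoutMinutes = 30, [int]$PollSeconds = 30)
    $check = Test-BulkSignInCsv -Path $Path
    if (-not $check.Valid) { $check.Errors | ForEach-Object { Write-Error $_ }; return }

    $results = @()
    foreach ($batchFile in Split-BulkSignInBatches -Rows $check.Rows) {
        $req      = New-CsSdgBulkSignInRequest -DeviceDetailsFilePath $batchFile -Region $Region
        $batchId  = $req.BatchId                      # assumed property name
        $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
        do {
            Start-Sleep -Seconds $PollSeconds
            $status  = @(Get-CsSdgBulkSignInRequestStatus -Batchid $batchId)
            $pending = @($status | Where-Object { $_.Status -match 'progress|pending|queued' })  # assumed status wording
        } while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)
        if ($pending.Count -gt 0) { Write-Warning "Batch $batchId ($batchFile) still running after $TimeoutMinutes minutes" }
        $results += $status
    }
    # Keep the per-device outcome; failed rows carry the service's error text (see the error table below)
    $results | Export-Csv -Path 'bulksignin-results.csv' -NoTypeInformation
    $results
}

# Usage:  Invoke-SipBulkSignIn -Path .\phones.csv -Region APAC
```

The -Region value has to match the regional provisioning URL the phones were pointed at; a mismatch comes back from the service as "Device not found in records", so it is worth confirming which URL the phones have before you pick the region.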

When the tool first loads it will print out a list of the provisioning URLs for you, so you don't have to go searching for your Tenant ID and potentially make any mistakes with the formatting of the URL.

You can also Export a CSV of the results if you would like to keep that for future reference.


Note: Windows tags files downloaded from the Internet (the "Mark of the Web"), and PowerShell's execution policy will refuse to run a downloaded script until it is unblocked: open the file's Properties and tick the "Unblock" checkbox (or use the Unblock-File cmdlet). An unblocked script runs with the privileges of your admin session, so read through it before you unblock it:


  

Error Messages Provided by Microsoft 365


Error messages that you may run into when signing your Standard SIP Phones into the system:


Error message: User not found in tenant.
Potential solution: Check that the username or User Principal Name (UPN) is correct.

Error message: User missing phone number assignment.
Potential solution: Verify the user has a phone number assigned (Set-CsPhoneNumberAssignment above).

Error message: User missing AllowSIPDevicesCalling policy assignment
Potential solution: Verify that the account's calling policy has AllowSIPDevicesCalling set to True (see the calling policy prerequisite above).

Error message: User missing CAP policy assignment.
Potential solution: Verify that the account has the CommonAreaPhone IP phone policy assigned (see the CommonAreaPhone policy prerequisite above).

Error message: Device not found in records.
Potential solution: Check that the device was correctly provisioned to SIP Gateway, and that the region parameter in the bulk sign-in request matches the regional provisioning URL the phone uses.

Error message: BulkSignIn Tag missing for the device
Potential solution: Check that the device's provisioning URL includes the correct tenant ID.

Error message: Device is offline.
Potential solution: The device can't be found because it's powered off or disconnected from the network. Reconnect the device and try again.

Error message: Public IP not configured as Trusted IP.
Potential solution: The tenant ID in the provisioning URL isn't correct, or the public IP address of the device isn't listed as a trusted IP address in Teams admin center (see the Trusted IP prerequisite above).

Error message: Bulk Sign-in deadline expired.
Potential solution: The device hasn't been signed in within 72 hours of provisioning (or 168 hours).

Error message: Duplicate devices found for bulk sign-in.
Potential solution: Verify the MAC addresses you included in the CSV file are correct and that there are no duplicated addresses. The IP addresses of the duplicate devices are returned.

Error message: Input hardware-ID is of wrong format
Potential solution: Verify the hardware-ID format matches the CSV format shown above (xx-xx-xx-xx-xx-xx).

Error message: On-premises AD configuration failure.
Potential solution: Contact your on-premises Active Directory team.

Error message: On-premises AD throttling detected
Potential solution: Try again with a smaller number of devices in the batch. Depending on network connectivity, large batches take more time to complete and may get stuck.

Error message: The Password writeback service failed to set a password on the tenant's local directory.
Potential solution: The user account used for the device must not have "User must change password at next login" or "User's password can't be changed" selected, nor a minimum password age greater than 0. Verify those password options aren't selected, set the minimum password age to 0, and try again.

 

The Wrap Up

There you have it - all you should need to know about using Bulk Sign-in with Standard SIP phones on the Microsoft Teams Gateway. Enjoy the time savings!




 
