5 Tips for Skype for Business Modern Authentication Scenarios

The world is adopting multi-factor authentication, and Microsoft is rapidly adding support in their server, services, and clients to support it. Microsoft’s name for multi-factor support is Modern Authentication (MA) and support has been added for Skype for Business Server (SfB), Exchange Server, and more recently, the equivalent online cloud services (Exchange Online and Skype for Business Online).

In practice, with potentially a decade of legacy client versions, and a now matrix of possible SfB and Exchange hybrid topologies, supporting MA for all the users in an enterprise requires some planning.

There is plenty of good documentation about how to enable MA both on-premises and online. This article highlights 5 specific things you’ll want to have answers to before enabling MA in an enterprise.

1. Pay Attention to Supported Topologies for Hybrid – Especially the Supported Exchange Topologies

As we all know, Skype for Business (SfB) is highly integrated (and therefore dependent) on Exchange, which increases the matrix of topology scenarios. MA is not supported in all scenarios of Exchange and SfB MA, or requires special configuration. There is a very good TechNet article which clearly describes what mix of Exchange on-premises, SfB on-premises, Exchange Online, and SFBO topologies support MA:

> Skype for Business topologies supported with Modern Authentication (https://technet.microsoft.com/en-us/library/mt803262.aspx#Modern Authentication in Skype for Business)

I want to highlight a couple key points:

  • Exchange Integration and Mobile Clients will not work for SFB on-premises with MA and Exchange on-premises with no MA.
  • Exchange On-Premises and SFBO with MA is Supported (a common scenario). Azure AD needs to be the identity provider for SFBO, and on-premises AD needs to be the identity provider for Exchange on-premises.
  • Multiple Prompts for Users: the TechNet article referenced above calls out an important point that will happen if MA is not enabled equally across all the server resource the SfB clients are using (e.g. the related Exchange resources):

    “It’s very important to note that users may see multiple prompts in some cases, notably where the MA state is not the same across all the server resources that clients may need and request, as is the case with all versions of the Mixed topologies. Also note that in some cases (Mixed 1, 3, and 5 specifically) an AllowADALForNonLynIndependentOfLync registry key must be set for proper configuration for Windows Desktop Clients

2. Plan for Client Support

If SfB has been used in an organization for several years, there are likely a wide variety of clients out in the wild such as older Lync clients on unmanaged devices, Office 2013 and Office 2016 clients, and mix of mobile Android, iOS, and Windows Phone versions.

A summary of the various client applications and the associated modern authentication support for Office 365 is available here: Updated Office 365 modern authentication. In a nutshell, any Skype for Business client version that is not part of Office 2016 (or later) will not have built in support for Modern Authentication.

For the Skype for Business client specifically, here is a summary of that support:

  • Office 2016 – built-in support
  • Office 2013 – and updated client and two registry keys are required (see Enable Modern Authentication for Office 2013 on Windows devices)
  • iOS – yes, but watch the caveat if you are in a SfB hybrid shared namespace scenario (see below)
  • Android – yes, but watch the caveat if you are in a SfB hybrid shared namespace scenario (see below)
  • Windows Phone – not supported yet

The supported client list is similar for Skype for Business Server on-premises

3. App Passwords can be used for Legacy Skype for Business and Lync Clients using Office 365

There is another option for legacy non-MA clients (e.g. Office 2013) clienst This is a somewhat cumbersome option for end users, but a viable option for those users that require legacy clients (client versions that do not natively support MA such as Microsoft Lync and Skype for Business client in Office 2013).

The App Password option involves the end user signing into the Office 365 portal and creating a special app password that is used in legacy clients and bypasses MA. The big drawbacks are that the app password is yet another password the user needs to have available and ready to use. It is auto-generated and difficult to enter on a mobile device.

The process of a end-user configuring an app password is described here: Set up multi-factor authentication for Office 365 users.

One major limitation to be aware of is that this option is not available in hybrid as described here :

App passwords don’t work in hybrid environments where clients communicate with both on-premises and cloud autodiscover endpoints. Domain passwords are required to authenticate on-premises. App passwords are required to authenticate with the cloud.

4. Mobile Clients will not Work if MA is Enabled for SfB Server On-Premises and SfB Online in Hybrid

This one scenario is easy to overlook, so I wanted to highlight it.

From: https://support.microsoft.com/en-us/help/3126604/skype-for-business-mobile-users-can-t-sign-in-when-modern-authenticati

Modern Authentication for mobile clients is not yet supported in the following deployment topologies:

  • Exchange Online with Modern Authentication turned on and Skype for Business on-premises without Modern Authentication turned on.
  • Skype for Business Server 2015 and Skype for Business Online in a split domain hybrid configuration (for example, SharedSIPAddressSpace = true) with Modern Authentication turned on for both Skype for Business Server and Skype for Business Online

5. Update those Mobile Clients

Even with supported MA topologies, I’ve seen mobile clients have sign-in problems after MA has been enabled. Several times updating the mobile client – specially iOS – the latest-and-greatest as solved the issue. There are also mobile client side logs which can be useful in tracking down MA sign-in problems.

For example, one user could not sign in with MFA for the iOS Skype for Business client version  Upgrading to 6.17.3 (released Nov 15, 2017) worked.

More Information

Tip - How to Mute the Audio in a Skype for Business Call

I have talked to several people lately who have had the need to mute the audio coming from a Skype for Business meeting or web conference.  Not mute their microphone, but the speaker/headset audio stream from the conference.  They they are needing to listen to something else  – take another call, listen to music while they just watch the conference, or even trying to participate in two conference calls at the same time.

They have struggled in the Skype for Business 2016 client on how to control this, so I wanted to pass along a couple of tips.

The simplest option to just mute the incoming audio stream is using the volume controls on the call control icon in the client. As shown below, you can either fully mute the audio, or reduce the volume.


Another option is to use the “Hold” control on the same Call Controls (as shown with the ‘pause’ icon in the screen shot above). My web conferences are all VoIP audio, so many users do not realize they can put the audio stream "on hold", just like a regular phone call.  This is nice for momentary interruptions where you just need to pause the audio, do something, and then resume it.

Putting the call on-hold has some pros and cons. When you put the call on hold, a visual indicator updates in your participant entry which let’s other participants know that you have the call on hold and are not available right now, as shown here:


Another advantage is that you can a periodic ‘beep’ reminder that the call is on-hold, so that you know to return to it if you get disrupted or distracted.

A major disadvantage one reader pointed out is that a Skype for Business user can choose to configure their client to Play Music On Hold. Obviously this would be a major distraction for the rest of the participants if you put the call on hold because they would all hear music being played.  The is off by default (and can be disabled by an Administrator client policy), but if you have this enabled, do not put the call on hold.  The ‘play music on hold’ setting is in the Skype for Business ‘Ringtones and Sounds’ setting in the client as shown here:


Another useful feature in this scenario is the Devices button (next to the Hold).  You can use this to transfer the audio to another device (like a headset instead of an external speaker).

The Skinny on Skype for Business and Teams

As expected, at Ignite, Microsoft announced their plans around Skype for Business (SfB) and Teams at this session: https://myignite.microsoft.com/sessions/56548.

Here is what you need to know:

  1. Skype for Business Server will continue and evolve stand-alone product.
    • Brand new refresh of main stream support expected in Q4 of 2018
    • Will also refresh the SfB client during this time
    • Microsoft will continue invest in voice features
    • Will include Team integration in hybrid
  2. Skype for Business Online (SfBO) Features will be available in Teams, and over time the Teams Client will become the client for Users to Consume all Communication and Collaboration Features
    • Features include IM, Presence, Calling, Conferencing, Meetings, Contact & Conversation History, VoiceMail …. all Communication Features!
    • Net new voice investments (client and cloud) will be in Teams
    • Many of the voice and calling features have been built with a new cloud architecture that is expected to provide better quality
    • A screen shot of the new client with the communication features is shown below
  3. Skype for Business Online will still be available as a Separate offering (at least in the short term)
    • There will be a transition period with IT and End-User to transition SfBO users to Teams
    • These controls govern which client is used to consume voice and calling features
  4. Existing SfBO Voice Investments and Configuration will not Change
    • Current Conferencing Bridge numbers in SfBO will not change
    • Current Phone numbers will not change as users transition to teams
  5. Existing SfB and SfBO Phone Devices will Continue to work in Teams
    • Expanding cloud voice and video interop
  6. Skype for Business Room Systems will be Supported
  7. The Skype for Business and and Team Clients can run Side-by-Side, and Users can choose where they consume the communication feautres
    • For example, Can keep chat and calling in Skype if desired

You can see the official blog post here: https://blogs.office.com/en-us/2017/09/25/a-new-vision-for-intelligent-communications-in-office-365/


Skype for Business Online PowerShell Throttling Limits

As many ITPro’s have found out through remote PowerShell scripting against Exchange Online, there are limits. 

The same holds true for Skype for Business Online when using the Skype for Business Online Windows PowerShell Module. These are often an issue when scripting across thousands of objects.  For example, applying a SfBO policy to 15,000 user objects.

The throttling limits are very similar to that in Exchange Online. From experience, here are the hard limits:

  1. 3 concurrent sessions per credential used to connect
  2. 10 concurrent sessions per tenant
  3. Throttle Limits for Resources and Types of Resources
    • A resource is an object, or a type of object such as a Policy, a User, etc….
    • If your PowerShell script is repeatedly taking an action on a specific resource (read/write), or the same type of resource, you will be throttled
    • First, you will get a Warning Message like this one:  “WARNING: Micro delay applied. Actual delayed: 21956 msecs, Enforced: True, Capped delay: 21956 msecs, Required: False, Additional info: ….”
    • Secondly, if your script does not slow down, it will get slower responses to cmdlet’s, etc…
    • Thirdly, if you are really bad, you will be denied access in the form or just no response, or a hard denial depending on the resource and cmdlet.
    • Note: the throttle per resource or resource type happens across all concurrent sessions under the same credential.  Each credential seems to have a resource budget that is consumed regardless of the session.

Special thanks to Gary Hu for his contributions on this blog article.

    Installing on the new Skype for Business Online PowerShell Module on Windows 10

    A new Skype for Business Online PowerShell Module was released on April 19, 2017.

    Recently I commissioned a new Windows 10 desktop client and downloaded and installed this new module. When I went to use it, I received an error while trying to acquire an authentication token (e.g. Get-CsAccessToken) because of a missing Microsoft.IdentityModel.Clients.ActiveDirectory assembly.

    I was somewhat surprised to see Windows 10 not officially listed as a “Supported Operating System” as shown below.

    However, after resolving the missing assembly error, I have been able to use it without any issues. This blog article describes how to resolve this issue.

    Installation of the Skype for Business Online (SfBO) module should go fine, but you will likely get this error when trying to use the SkypeOnlineConnector (e.g. via Import-Module):

    • SkypeOnlineConnector Get-CsAccessToken : Could not load file or assembly ‘Microsoft.IdentityModel.Clients.ActiveDirectory, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35′ or one of its dependencies. The system cannot find the file specified.

    Human translation: either Microsoft.IdentityModel.Clients.ActiveDirectory is missing, or one of its dependencies.

    The Microsoft.IdentityModel.Clients.ActiveDirectory assembly is the Azure Active Directory Authentication Library (ADAL). The SfBO module uses it to authenticate the credentials used in the script against Azure AD. It is installed with the SkypeOnlineConnector Module. The SfBO Connector ships with Version 2.19 of the Microsoft.IdentityModel.Clients.ActiveDirectory.dll as shown below, but the there are other dependencies in this library that need to be installed.

    The ADAL library can be downloaded here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries.

    The client-side SfBO module running on Windows 10 will use the .NET Client version (either V2 or V3 will work; I would use V3 since it’s the latest).

    For some reason the built-in Install-Package cmdlet of the Microsoft PowerShell Package Management cannot find the ADAL library as shown here:

    There is probably an easy fix to that, but instead I just downloaded and used the NuGet Command Line Interface (CLI). It is built into Visual Studio 2017, or you can download it here: https://dist.nuget.org/index.html. Download the “nuget.exe” and call it from the command line as shown here:

    You now need to exit and restart your PowerShell console or ISE session for it to take effect.

    Enabling PSTN Calling for an Office 365 E3 User in 5 Easy Steps

    I frequently encounter the situation where a company (or individual) has an Office 365 tenant with all E3 licenses but they want to enable some users for Skype for Business Online PSTN Calling (the ability to dial-out and receive calls to phone numbers in a geo-region where Skype for Business Online (SfBO) PSTN calling is currently available).

    This article discusses the most basic direct way to accomplish this so that people can understand the basic process and requirements.

    One of the first questions people have is whether they can  purchase a handful of E5 licenses in an “E3 tenant” (an O365 tenant that currently has nothing but E3 licensed users).  The answer is ‘Yes’ – you can purchase one or more E5 licenses and apply those licenses to one or more existing E3 users (upgrade their licenses). The PSTN Calling functionality can also be enabled by purchasing add-on licenses to the E3 license, but in most cases it is just as cost effective (or more cost effective) to use the full E5 license – this is situation I describe here.

    Here are the steps to fully enable PSTN Dial-In / Dial-Out for an existing Office 365 E3 user.

    1.  Purchase and Assign the Necessary Licenses

    For an existing E3 licensed user, there are basically have two licensing options to enable PSTN Calling:

    1. Purchase and assign an E5 license.  Then purchase and assign a PSTN calling add-on license for the user.
    2. Purchase and assign a Cloud PBX add-on license. Then purchase and assign a PSTN calling add-on license for the user.

    As you can see, the significant difference between these two options is that the E5 license includes the Cloud PBX license which provides the ability to then purchase a PSTN calling plan so that the user can make and receive phone calls in regions that have PSTN Calling enabled (in May 2017 this includes the US, France, UK, Spain, and Puerto Rico). The E3 license does not contain the Cloud PBX add-on license, and you must separately purchase it.

    Tip – think of the Cloud PBX license as providing PBX-like call control capabilities, but not the PSTN calling plan (or connectivity) on-top. The PSTN Calling Plans and Cloud PBX licenses go together – the Cloud BPX license is required to have the ability to add a voice calling plan.

    The cost of an E3 license with the Cloud PBX add-on in USD as of May 2017 is:

    • Office 365 E3: $20 / user / month
    • Skype for Business Cloud PBX :  $8.00 / user / month
    • TOTAL:  $28 / user / month

    The cost of an E5 license as of May 2017 is $35 / user / month (USD) which also includes PSTN Conferencing capabilities, MyAnalytics, Advanced Treat Protection, Advanced Information Protection (DLP and encryption), and more features, so it is worth considering for the extra $7 / user / month.

    FYI, as of May 2017, the Skype for Business PSTN Domestic Calling add-on license in the US is $12.00 / user / month.

    Once you have purchased an E5 license (or the equivalent add-on Cloud PBX and PSTN Calling licenses for E3), go into the Office 365 Admin Portal and assign the E5 license to a user.  This is straightforward process (see here if you have any questions: Assign or remove licenses for Office 365 for business).

    Tip – you need to turn off the existing E3 or E1 license before assigning the E5 license or the Office 365 Admin Portal will give you an error about “conflicting plans” – e.g.  Skype for Business Online Plan 1 conflicting with Skype for Business Online Plan 2.

    After assigning the E5 license, it is normal to see this warning:


    In fact, before we can assign the user a phone number, you need to ensure the user has a PSTN Calling Add-On License as described in Step #3.

    Tip – in my experience there is always a delay, and it’s not just a fSkype for Business PSTN Domestic Calling ew minutes.  I’ve typically had to wait many hours. In fact, as stated in the Microsoft Support Article  Assign Skype for Business licenses :

    Latency after assigning licenses: Because of the latency between Office 365 and Skype for Business Online, it can possibly take up to 24 hours for a user to be enabled for PSTN Calling after you assign a license. If after 24 hours, the user isn’t enabled for PSTN Calling please call us.

    2. Acquire and Assign a Skype for Business Online PSTN Calling Add-On License

    The ability for a user to make and receive calls through the phone system is an add-on license on top of the E5 license.  You can purchase this option through the “Billing | Purchase Services” options in the O365 Admin Portal.  There are a couple of options for PSTN Calling based on your region as shown below for the United States:


    For all the various PSTN Calling add-on license plans see PSTN Calling plans for Skype for Business.

    Tip – If you haven’t assigned a CloudPBX or PSTN Calling add-on License to a user, you will see this in the Voice tab of the SfBO Admin Portal


    Once you have obtained a PSTN Calling Add-On License (or CloudPBX license), you should see it in the available licenses in the Office 365 Admin Portal when  you edit a user (under Active Users) to apply it as shown here:


    Once the add-on license is successfully applied to a user and the change replicates to SfBO, you will see the user enabled for Voice in the SfBO Admin Portal as shown here:


    Tip – many times I need to re-launch the SfBO Admin portal from the O365 Admin portal to see this change.  You might get the same result by refreshing the browser.

    Now that a user is licensed for E5 and PSTN calling, you just need to configure an emergency location, and acquire and assign the user a phone number.

    Step 3.  Configure an Emergency Location for the User

    A this point, if you try to assign the a phone number to the user, you will quickly find out that you need to add an Emergency Location for the user before you can assign a number as shown here with this warning:


    This location represents a real physical address where the user consuming PSTN will likely reside and is used in the case the user dials an emergency number (e.g. “911” in North America).

    Configuring Emergency Locations is a straightforward process you can configure under in the “emergency locations” in the SfBO voice settings.  A real example is shown here:


    Tip – this needs to be a real physical address and it is validated against a database of real addresses before you can save and continue.

    Step 4.  Acquire a Phone Number

    Before you can assign a phone number to a user, you need to acquire one. You can do that in the SfBO Admin Portal under “voice” and “phone numbers” and select the “+” sign the Add a New Number. You will be able to select a new DID from the regions where PSTN calling is supported for the location of your Office 365 tenant as shown here:


    You should see the newly acquired DID in the available phone number list.

    Step 5.  Assign a Phone Number

    After successfully configuring an Emergency Location for the user, and acquiring a phone number, we can now assign a phone number to a user.  Go into “Voice | Voice Users” in the SfBO portal as shown here:


    And finally, after selecting the previously acquired phone number and emergency location, you can enable this user for PSTN Calling!


    Tip – all of the above steps showed how to do this in the Office 365 and SfBO Admin Portal but it can all be accomplished through PowerShell (e.g. for configuring many users).

    More Information

    The following Microsoft articles provide more information on PSTN Calling:

    Set Custom Policies in Skype for Business Online

    For those who have worked with Skype for Business Online (SfBO) policies, you know that the policies which govern user behavior and features are pre-configured with a set of default policies for the Office 365 SfBO tenant.

    This was somewhat painful for a couple of reasons:

    • Policies which had a large number of settings (e.g. Conferencing), had to have a huge number of default policies to cover all the combination of features enabled/disabled
    • Organizations could not set a custom specific set of features to create policies which matched their business needs.

    Skype for Business Server 2015 On-premises of course allows the creation of custom policies. Recently Microsoft brought this custom policy capability to Skype for Business Online!

    Recently the ability to create custom policies for these 4 policy types was added to Skype for Business Online:

    1. Conferencing
    2. Client
    3. Mobility
    4. Caller-ID (** not sure if this policy is used yet in SfBO, but the cmdlet’s exist to Set and Get policies of this type)

    This introduces new cmdlet’s to create, grant, remove custom policies, and change settings on existing policies of these types. These are reflected in the traditional associated New & Set cmdlets (see below).

    Key Notes:

    • When a custom policy is created, it is only visible in the tenant it is created it.
    • ** Once a custom policy is created in the tenant, the behavior of the associated ‘Get’ cmdlets for that policy type will only returns the custom policies for that tenant instead of all policies (including the default ones that ship with a new SfBO tenant).   The parameter “-Include SubscriptionDefaults” needs to be included with the Get cmlet to return all of the policies after the creation of at least one custom policies.
    • You cannot use the corresponding ‘Set’ cmdlet’s to change the existing default policies of these types – i.e. that policies that come default with your Office 365 tenant.

    The rest of this article details the default policy for each policy type, and the PowerShell cmdlets to create and configure them. Recently a Microsoft Tech Community article was written which also explains the new custom policies: Custom Policies for Skype for Business Online.

    Note: the cmdlet name is a hyperlink to the TechNet documentation.


    Default Policy Given to a new user: BposSAllModality


    Returns information about the conferencing policies that have been configured for use in your organization. Conferencing policies determine the features and capabilities that can be used in a conference; this includes everything from whether or not the conference can include IP audio and video to the maximum number of people who can attend a meeting.


    Modifies an existing conferencing policy. Conferencing policies determine the features and capabilities that can be used in a conference; this includes everything from whether or not the conference can include IP audio and video to the maximum number of people who can attend a meeting.

    Cmdlet to assign to a user : Grant-CsConferencingPolicy (link to on-premises documentation)


    Default Policy Given to a new user: ClientPolicyDefault

    Returns information about the client policies configured for use in your organization. Among other things, client policies help determine the features of Skype for Business Server 2015 that are available to users; for example, you might give some users the right to transfer files while denying this right to other users.

    Modifies the property values of an existing client policy. Client policies govern certain user features such as the right to transfer files while denying this right to other users.

    Cmdlet to assign to a user : Grant-CsClientPolicy


    Default Policy Given to a new user: MobilityEnableOutsideVoiced


    Retrieves information about the mobility policies currently in use in an organization. Mobility policies determine whether or not a user can use Skype for Business Mobile. These policies also manage a user’s ability to employ Call via Work, a feature that enables users to make and receive phone calls on their mobile phone by using their work phone number instead of their mobile phone number. Mobility policies can also be used to require Wi-Fi connections when making or receiving calls


    Modifies an existing mobility policy. Mobility policies determine whether or not a user can use Skype for Business Mobile. These policies also manage a user’s ability to employ Call via Work, a feature that enables users to make and receive phone calls on their mobile phone by using their work phone number instead of their mobile phone number. Mobility policies can also be used to require Wi-Fi connections when making or receiving calls

    Cmdlet to assign to a user: Grant-CsMobilityPolicy


    The caller-id policies are very new and govern the caller-id feature for users such as whether another another number can be shown as the outbound caller-id. There is no help available (for either the on-premises or online versions), so the command line syntax is shown for each cmdlet.

    Default Policy Given to a new user: <None>


    Get-CsCallerIdPolicy [-Identity <XdsIdentity>] [-BypassDualWrite <$true | $false>] [-LocalStore <SwitchParameter>] [-Tenant <Guid>] [<CommonParameters>]

    Get-CsCallerIdPolicy [-Filter <String>] [-BypassDualWrite <$true | $false>] [-LocalStore <SwitchParameter>] [-Tenant <Guid>] [<CommonParameters>]


    Set-CsCallerIdPolicy [-Identity <XdsIdentity>] [-BypassDualWrite <$true | $false>] [-CallerIDSubstitute <Anonymous | Service | LineUri>] [-Confirm <SwitchParameter>]
    [-Description <String>] [-EnableUserOverride <$true | $false>] [-Force <SwitchParameter>] [-Name <String>] [-ServiceNumber <String>] [-Tenant <Guid>] [-WhatIf
    <SwitchParameter>] [<CommonParameters>]

    Set-CsCallerIdPolicy [-Instance <PSObject>] [-BypassDualWrite <$true | $false>] [-CallerIDSubstitute <Anonymous | Service | LineUri>] [-Confirm <SwitchParameter>]
    [-Description <String>] [-EnableUserOverride <$true | $false>] [-Force <SwitchParameter>] [-Name <String>] [-ServiceNumber <String>] [-Tenant <Guid>] [-WhatIf
    <SwitchParameter>] [<CommonParameters>]

    Cmdlet to assign to a user: Grant-CsClientPolicy

    Generating a List of Available Skype for Business Online PowerShell Cmdlets with Documentation

    The Skype for Business Online (SfBO) PowerShell Module is the primary command line management tool for Administrators.

    New users of this module are often surprised to learn that the cmdlets exposed by this module are not defined in the Skype for Business Online PowerShell module itself. Instead, the SfBO PowerShell Module creates an implicit remote PowerShell session and imports the cmdlet definitions from the Online SfBO tenant. The cmdlet’s made available in this module therefore could vary by tenant (i.e. based on the type of licensed Office 365 tenant), and be changed online in the tenant (i.e. by Microsoft) without releasing a new PowerShell module (which is installed locally).

    Significant changes to the online cmdlet’s are usually well communicated, but as the SfB online service quickly evolves, changes can happen before they are well communicated. For this reason, and to learn what cmdlet’s are available for SfBO administration, I often enumerate the available cmdlet’s in several of my tenants.

    The available cmdlet’s in any SfBO tenant can be easily retrieved using PowerShell by finding the associated local temporary PowerShell module associated with any current SfBO PowerShell session and enumerating the cmdlet’s available in that module.  Displaying a list of cmdlet’s to the PowerShell console is not much use however – it is hard to get a handle on what cmdlet’s are available, what they do, and what differences might exist between tenants (since the last time the cmdlet’s were enumerated).

    Inspired by fellow MVP Pat Richard’s script for retrieving a convenient list of Skype for Business on-premises PowerShell cmdlet (see “All Skype for Business 2015 Cmdlets and the Default RBAC Roles That Can Use Them”) which includes help information such as the Synopsis and a link the online TechNet help for that cmdlet, I wrote a script which does the following:

    1. Retrieves all of the SfB online cmdlets available in the tenant – including the help descriptions and links to the online help for that cmdlet (if it exists).
    2. Optionally produces a nice HTML report of all the available SfBO cmdlet’s using a really useful PowerShell module named “ReportHTML” by Matthew Quickenden (See PowerShell module called Generate HTML Reports by Matthew Quickenden to get this module).
    3. Optionally saves it to a CSV file

    The script is below. By default both the HTML and CSV reports are produced but this can be easily changed with two boolean input parameters to the script representing each type of report.

    Some notes on using this script:

    1. It can take a long time (~10 minutes) to finish – why?  The script is calling Get-Help on every cmdlet it finds to get the description and links to online help. This can take awhile.
    2. Make sure the ReportHTML module installed to make the HTML reporting work.
    3. If you are in a SfB hybrid configuration, the OverrideAdminDomain parameter in the New-CSOnlineSession call will likely be required for the remote SfBO session to be established.  See the nodes in the script.
    4. Some cmdlet’s do not have TechNet documentation. Other cmdlet’s have a TechNet link but it is broken – nothing is posted at that link. Most do have links and they open a separate window with the help.

    An recent example of the HTML report – which represents all of the SfBO cmdlet’s available on an E3 tenant as of March 2017 - is here:

    > http://insidelync.com/Tools/SfBO_Cmdlets.html.



    The Script

    The script is published on the TechNet script gallery here: https://gallery.technet.microsoft.com/Get-a-List-of-Available-6de74e51. This is where I will keep it up-to-date.

        Get-SfBOCmdlets.ps1 – Get’s all the cmdlet’s availalble and their help informaiton for an Online Tenant.

        This powershell script retrieves all the cmdlet’s available in an SfBO tenants,
        including the help description, and link to online cmdlet help, and optionally
        produces a nicely formatted HTML report and CSV file with all the cmdlet information.

        See http://blog.insidelync.com/2017/03/generating-a-list-of-available-skype-for-business-online-powershell-cmdlets-help-information/

        Skype for Business Online Administrative Username/Password for the tenant (manual prompt), and
        optional parameters for the type of output reports desired.

        ProduceHTMLReport – Boolean to produce an HTML report (default = true)
        ProduceHTMLReport – Boolean to produce an HTML report (default = true)

        All the cmdlet’s and information about each one.

        ** Need to modify the New-CSOnlineSession session (see below) for a hybrid SfB domain

       .\Get-SfBOCmdlets.ps1 -ProduceHTMLReport $true -ProduceCSVReport $false

    Written by: Curtis Johnstone

    Special Thanks to Pat Richards for this script: https://www.ucunleashed.com/3691.

    param (
        [bool] $ProduceHTMLReport = $true,
        [bool] $ProduceCSVReport = $true

    Function GetSfBOCmdlets
        Write-Output "About to retrieve available online cmdlets and associated help information"

        Import-Module -Name SkypeOnlineConnector

        $Credential = Get-Credential

        # use the -OverrideAdminDomain parameter for a hybrid SfB domain; see http://www.ucblog.co.uk/?p=25
        $sfBOSession = New-CSOnlineSession -credential $Credential # -OverrideAdminDomain
        $implicit_PS = Import-PSSession $SFBOSession -AllowClobber

        if ($SFBOSession -eq $null)
            Write-Error "There was a problem establishing the remote session to the SfBO tenant. Aborting"

        $global:objectCollection = @()

        $all_cmdlets = Get-Command -Module $implicit_PS.Name | Sort-Object Name

        foreach ($cmdlet in $all_cmdlets)

            $cmdletHelp = $(Get-Help $cmdlet)
            [string] $synopsis = $cmdletHelp.Synopsis
            if ($synopsis -eq $null) { $synopsis = "" }
            if ($synopsis -eq "Provide the topic introduction here.")
                { $synopsis = "" }
            [string] $description = $cmdletHelp.Description
            if ($description -eq $null)
                { $description = "<blank>" }      

            [string] $onlineHelpURI = (($cmdletHelp.relatedLinks.navigationLink | Where-Object {$_.linkText -match "Online Version"}).uri) `
                -replace "EN-US/",""

            $onlineHelpURI = $onlineHelpURI.Trim();

            if ($onlineHelpURI -eq "")
                $hyperLink = "Not available";
                $hyperLinkName = $cmdlet.Name

                # these are magic keywords that the ReportHTML module uses to create hyuperlinks – use the Get-HTMLReportHelp cmdlet for more info
                [string] $hyperLink = "URL01NEW{0}URL02{1}URL03" -f $onlineHelpURI, $hyperLinkName

            $object = New-Object –Type PSObject
            $object | Add-Member –Type NoteProperty –Name CmdletName -Value $cmdlet.Name
            $object | Add-Member –Type NoteProperty –Name Synopsis -Value $synopsis
            $object | Add-Member –Type NoteProperty –Name "TechNet Documentation Link" -Value $hyperLink

            $global:objectCollection += $object

        # clean up remote powershell sessions and resources

        if ($implicit_PS -ne $null)
            { $implicit_PS = $null }

        if ($sfBOSession -ne $null)
            { Remove-PSSession $SFBOSession }
        Write-Output "Finished retrieving online cmdlets"


    Function ProduceHTMLReport
        # requires the ReportHTML module (https://www.powershellgallery.com/packages/ReportHTML)
        Import-Module ReportHTML

        $htmlReportPath = $env:UserProfile + "\Documents"
        $htmlReportFile = $htmlReportPath + "\SfBO_Cmdlets.html"

        # $nc = $global:objectCollection | select CmdletName, Synopsis, "TechNet Documentation Link"

        $nc = $global:objectCollection

        $rpt = @()
        $rpt += Get-HtmlOpenPage -TitleText  ("Skype for Business Online Cmdlets") -LeftLogoName Blank -RightLogoName Blank

        $rpt += Get-HtmlContentOpen -HeaderText "Cmdlets"
        $rpt += Get-HtmlContentTable $nc
        $rpt += Get-HtmlContentClose
        $rpt += Get-HtmlClosePage

        Write-Output "Producing HTML report here: $htmlReportFile"

        $rpt > $htmlReportFile

        # display html report
        Invoke-Item $htmlReportFile
        Sleep 1

    Function ProduceCSVReport
        $csvReportPath = $env:UserProfile + "\Documents"
        $csvReportFile = $csvReportPath + "\SfBO_Cmdlets.csv"

        Write-Output "Producing csv report here: $csvReportFile"

        $global:objectCollection | Export-Csv -Path $csvReportFile -NoTypeInformation -Encoding UTF8

    Write-Output "Script is Starting"
    Write-Output "Produce HTML Report? $produceHTMLReport"
    Write-Output "Produce CSV Report? $produceCSVReport"

    # retrieve the cmdlet listing

    if ($produceHTMLReport)
        { ProduceHTMLReport }

    if ($produceCSVReport)
        { ProduceCSVReport }

    Write-Output "Script complete"


    References and More Information

    The Microsoft Skype for Business Online (SfBO) PowerShell Module

    The ReportHTML PowerShell Module in the PowerShell Gallery – by Matthew Quickenden

    Pat Richards All Skype for Business 2015 Cmdlets and the Default RBAC Roles That Can Use Them

    Getting the Distribution of Skype for Business Online Registrar Pools used in an Office 365 Tenant

    Much like Skype for Business on-premises users, each Skype for Business Online (SfBO) user has a home pool. This home pool consists of multiple SfB servers running in Office 365 data centers. On sign-in, the each SfBO user establishes a Skype for Business session with one of the SfB servers in that home pool.  It is also the users’ home pool for any conferences they host (organize), which determines where the media (audio, video, screen sharing) is broadcast from. These servers reside in different Office 365 data centers, and knowing which online SfB registrar pools are being used, and by which users, can help troubleshoot sign-in issues, configure firewalls, and understand underlying conferencing performance.

    Below is the PowerShell to get a distribution of which online SfBO registrar’s pools are in use for your tenant, and which are used by specific users.

    The PowerShell leverages the Skype for Business Online PowerShell module.  It uses the Get-CsOnlineUser cmdlet to retrieve the home registrar pool for each user, and does a simple grouping to figure out how many users are hosted on that online registrar.

    #  Retrieves the Skype for Business Online Registrar Pool Distribution

    Import-Module -Name SkypeOnlineConnector
    $Credential = Get-Credential
    $SFBOSession = New-CSOnlineSession -credential $Credential # -OverrideAdminDomain
    # http://www.ucblog.co.uk/?p=25

    # supress the output of importing the PS Session (not needed; save in case we do need it)
    $output = Import-PSSession $SFBOSession -AllowClobber

    $fullUserListing = Get-CsOnlineUser

    $registrarPoolDist = @($fullUserListing | Where-Object {$_.RegistrarPool -ne $null} `
        | select RegistrarPool, SipAddress | Group-Object RegistrarPool)

    foreach ($regPool in $registrarPoolDist)
        Write-Output ($regPool.Name + " is hosting " + $regPool.Count + " Skype for Business Online Users.")
        foreach ($user in @($regPool.Group))
            Write-Output ("`t`t User: " + $user.SipAddress)

        Write-Output "`n"

    # clean up
    if ($SFBOSession -ne $null)
        Remove-PSSession $SFBOSession

    Here is the sample output from a small North American E3 tenant with 8 SfBO users:


    We can see the distribution of the number of users hosted in each online registrar pool, and which users are hosted on them.

    The script is published and updated on the TechNet Gallery here: https://gallery.technet.microsoft.com/Getting-the-Distribution-a951d362.