One of the advantages of the Microsoft cloud services (aka Office 365) is that it upgrades new features quickly – new service functionality is deployed to the cloud and available for consumption as soon as it is ready. Keeping up-to-date on what’s available can be a challenge, and I’ve been getting many questions lately about what management access is currently available in Lync Online (specifically PowerShell) and what Lync features are available (or are missing).
This blog post provides a quick feature overview of what is offered in the various Lync Online plans and dives into practical details and tips for managing Lync Online in the standard multi-tenant version of Office 365. Here is why I will cover:
- What Lync Online Plans and Features are Currently Available?
- Lync Online Management
- Managing Lync Online with PowerShell 101
- Manage Exchange Online in the same PowerShell Console
- Identical Lync Online and On-Premises Cmdlets
- Lync Reporting Cmdlets in Exchange Online
- Common PowerShell Errors
- Lync Admin Center (LAC) and Reporting in the Office 365 Administration Portal
What Plans and Features are Currently Available?
An organization purchases Lync Online in the standard multi-tenant version of Office 365 in one of two ways:
- As part of a pre-packaged or customized Office 365 Plan subscription (e.g. “Office 365 Enterprise E1”)
- As a standalone Lync Online Service Plan (three plans are available – see Compare Lync options)
A table of available Lync functionality across the Office 365 and Standalone plans is available here: Lync Online Service Description. There is also a nifty interactive spreadsheet available which allows you to see feature availability across the plans: see the Office 365 TechCenter – Office 365 service comparison (note: I have noted a couple of errors in it so double-check specific features with other references).
Arguably the four most significant Lync Server 2013 on-premises features currently (November 2013) missing in the Lync Online plans are:
- Enterprise Voice.
- Persistent Chat.
- Unified Messaging (with Exchange Online and Exchange Server).
- Access to Call Detail Records (CDR).
Noteworthy Features Highlights:
- Lync Audio Conferencing (PSTN dial-in) is not currently included in the Lync Online Plans typically available in the Lync Online plans, but it can be purchased from Partner at an additional cost.
- Archiving is generally available and is done through Exchange (so a corresponding Exchange Online subscription or hybrid deployment with Exchange on-premises is required). Archiving is not available for P2P file transfers, audio/video conferencing, and application and desktop sharing.
- XMPP Federation is not available (e.g. Google Talk)
- Server-Side Recording and Playback is not available.
- The Lync VDI plug-in is not supported in an O365 environment.
- SharePoint skill search is currently not available in SharePoint and Lync Online.
Dedicated Lync Online Subscription Plans
There is a dedicated version of Lync Online offered by Microsoft. This is essentially a dedicated full version of Lync hosted by Microsoft. It is generally more expensive than the multi-tenant version of Office 365 but it has Enterprise Voice and Lync audio conferencing (without PSTN dial-in however). Persistent Chat is not available.
More information about the Lync Online dedicates service plans can be found in the Lync Online Dedicated description on TechNet and the available features are described in the Lync Online Feature Availability.
Call Detail Record (CDR) Availability
The monitoring data, including CDR’s, is not available in any of the multi-tenant Lync Online plans. You cannot connect directly to any Lync Online database in any of the subscription plans.
The CDR and Archiving data and access to these database is available in the dedicated online subscription plans. You need to request the ability if you want to connect directly to these databases. See Accessing Lync Online Archiving and Monitoring Data for more information.
Lync Online Management
The current management options for Lync Online include:
- Remote PowerShell Access – this provides the most management functionality and granular capabilities.
- Exchange Online Cmdlets – five Lync Online reporting cmdlets are available if you have a corresponding Exchange Online subscription.
- Lync Admin Center (LAC) – this is a more simple web interface available through the Office 365 Administrator portal.
The TechNet article Lync Online administration and management features across Office 365 and standalone plans has a good overview and more details about what is available today.
Below I go into more detail about managing Lync Online with remote PowerShell and offer some practical tips.
Managing Lync Online with PowerShell 101
PowerShell access to a Lync Online tenant is made possible through a separate Lync Online module for PowerShell 3.0 (see Windows PowerShell Module for Lync Online). This is ~8 Mb download in the form of an executable – just download and run it. This module has two key pre-requisites:
- Windows PowerShell 3.0
- Microsoft Online Services Sign-In Assistant for IT Professionals RTW (included with Windows
- Windows 8 & 8.1 have all the necessary pre-requisites – only the Windows PowerShell Module for Lync Online needs to be installed and loaded in a PowerShell session that was started with Administrator credentials.
- The “Windows PowerShell Module for Lync Online” module does not actually contain any cmdlets. It acts as a connector, enabling the New-CsOnlineSession cmdlet work (see below) and brokering the Administrator credentials through the Online Services Sign-In Assistant.
PowerShell access to Lync Online is achieved through a regular remote PowerShell console session (i.e. it does not have to be in the Lync Management Shell).
The Lync Online cmdlets are only available in the remote PowerShell session established with the Lync Online tenant (the Lync Online cmdlets are actually downloaded and stored in memory for the duration of the session).
Start PowerShell (v3 or higher) and use the following three commands to establish a Lync Online session:
$cred = Get-Credential (provide your Lync Online administrator credentials)
$lyncSession = New-CsOnlineSession -Credential $cred
Import-PSSession $lyncSession -AllowClobber
The last cmdlet imports the Lync Online session into the PowerShell console – including downloading all the Lync Online cmdlets. The AllowClobber parameter will avoid any warning that Lync Online cmdlets will clobber identically named on-premises cmdlets (they are the same cmdlet so it doesn’t matter).
There are currently 48 Lync Online cmdlets available and are described here: http://technet.microsoft.com/en-us/library/jj994021.aspx.
To see all the Lync Online cmdlets that are available use the Get-Module cmdlet to get the name of the loaded Lync Online module (e.g. “tmp_cg1c1fct.ww2”) and then use the Get-Command cmdlet with this module name like this:
Get-Command –Module <LyncOnlineModuleName>
Manage Exchange Online in the same PowerShell Console
You can establish a remote PowerShell session to an associated Exchange Online tenant using the same Administrator credentials using the following 2 cmdlets:
> $exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange –ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication "Basic" –AllowRedirection
> Import-PSSession $exchangeSession
- You do not need to have any Exchange Management Tools installed locally.
- If you try this from the Lync Server Management Shell you will likely received this error “New-PSSession : [ps.outlook.com] Connecting to remote server ps.outlook.com failed with the following error message : WinRM cannot complete the operation”. Just do it from a regular PowerShell console (not the Lync Management Shell).
Here is a handy PowerShell script that will connect to both a Lync and Exchange Online tenant with the same Administrator credentials:
$credential = Get-Credential "firstname.lastname@example.org"
$lyncSession = New-CsOnlineSession -Credential $credential
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $credential -Authentication "Basic" -AllowRedirection
Write-Host "Do not forget to run these 2 cmdlets at the end of your session:"
Write-Host "–> Remove-PSSession $lyncSession"
Write-Host "–> Remove-PSSession $exchangeSession"
Identical Lync Online and On-Premises Cmdlets
If you are running a hybrid PowerShell session that is both connected to a Lync on-premises deployment and a Lync Online tenant you will want to be careful which Lync organization a cmdlet is running against! It is generally recommended that you do not mix a Lync Online session with a Lync Management Shell on-premises session, but it is safe to do so with a little care.
Tip: the important thing to remember – unless the Tenant parameter is specified in the cmdlet, it will run against the connected Lync on-premises server.
All the Lync Online cmdlets accept a tenant parameter (which is an ugly looking GUID returned by the Get-CsTenant cmdlet). I recommend assigning a local PowerShell variable to be the tenant GUID like this:
$lyncId = Get-CsTenant | Select-Object guid
You can use this variable in other cmdlets to reference the online tenant. For example, this cmdlet would return the global Lync client policy for the Lync Online tenant:
Get-CsClientPolicy -Tenant $lyncId.guid
Lync Online Policy Restrictions
Lync Online ships with predefined policy instances for restricting or enabling features such as external access. New policies can be created (e.g. external access policy) but attempting to grant a custom policy may result in an error such as “..it is restricted for the user service plan: MCOProfessional and country: US combination”.
I believe the idea is to not allow certain Lync Online functionality in specific regions and plans but I have gotten this error with plans and in regions where this functionality should be allowed, so it appears there is a current limitation to only grant users one of the predefined policy instances that ship with your Lync Online subscription. I am still investigating this.
I have a specific example and more information below in the “Common PowerShell Errors” section.
Lync Reporting Cmdlets in Exchange Online
There are currently 5 Lync Online reporting cmdlets available as part of the Exchange Online Cmdlet’s. Why are they here? These 5 cmdlets currently require an Exchange Online subscription and underneath the covers depend on Exchange Online. Here are the 5 cmdlets:
- Get-CsActiveUserReport : shows statistics about the number of active Lync Online users over time.
- Get-CsConferenceReport : shows statistics about the conferences held in Lync Online.
- Get-CsAVConferenceTimeReport : shows statistics about the duration (minutes) used by audio and video conferences.
- Get-CsP2PSessionReport : shows statistics about peer-to-peer sessions that took place in Lync Online.
- Get-CsP2PAVTimeReport : shows statistics about the duration of audio and video in peer-to-peer Lync Online sessions.
Here are some examples of what these cmdlets produce:
TenantName Date ActiveUsers
———- —- ———–
CORP XYZ INCORPORATED 11/1/2013 12:00:00 AM 27
CORP XYZ INCORPORATED 10/31/2013 12:00:00 AM 29
CORP XYZ INCORPORATED 10/30/2013 12:00:00 AM 43
CORP XYZ INCORPORATED 10/1/2013 12:00:00 AM 44
CORP XYZ INCORPORATED 9/24/2013 12:00:00 AM 31
CORP XYZ INCORPORATED 9/21/2013 12:00:00 AM 33
CORP XYZ INCORPORATED 9/20/2013 12:00:00 AM 55
TenantName Date TotalP2P.. P2PIM.. P2PAudio.. P2PVideo.. P2PApplica.. P2PFileTra..
———- —- ———– ———- ———- ———- ———- ———-
CORP XYZ INCORPORATED 10/30/20… 23 23 14 8 9 0
CORP XYZ INCORPORATED 4/27/201… 21 20 17 1 6 1
Common PowerShell Errors
Session Timeout Error
I have gotten this error many times when I attempt to run a Lync Online cmdlet in a session that has been around for too long:
Exception calling "GetSteppablePipeline" with "1" argument(s): "Exception calling "PromptForCredential" with "4"
argument(s): "The length of the UserName should be less than 513.""
At C:\Users\administrator\AppData\Local\Temp\2\tmp_kp1sbcqw.sch\tmp_kp1sbcqw.sch.psm1:1470 char:13
+ $steppablePipeline = $scriptCmd.GetSteppablePipeline($myInvocation.C …
Based on experience a session seems to last for about 10-15 minutes before timing out.
The only way I found to fix this is restart Powershell and reestablish the session (I remove the current session before closing PowerShell for good measure).
Restriction Errors while Assigning an External Access Policy
Get-CsOnlineUser curtis.johnstone | Grant-CsExternalAccessPolicy -PolicyName Global
Cannot run the cmdlet: "Grant-CsExternalAccessPolicy" because it is restricted for the user service plan:
MCOProfessional and country: US combination.
+ CategoryInfo : NotSpecified: (:) [Grant-CsExternalAccessPolicy], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.Rtc.Management.AD.Cmdlets.AssignOcsExte
+ PSComputerName : webdir0b.online.lync.com
You can create new external access policies, but you can only assign one of those default three – and the error messages suggests it Service Plan / Geographic region restriction:
“Cannot run the cmdlet: "Grant-CsExternalAccessPolicy" because it is restricted for the user service plan:
MCOProfessional and country: US combination”
The Get-CsExternalAccessPolicy policy supports an –ApplicableTo <user> parameter, and indeed it just lists those 3 policies for my users (e.g. Get-CsExternalAccessPolicy -ApplicableTo curtis.johnstone)
“Get-CsExternalAccessPolicy -ApplicableTo curtis.johnstone” returns the following:
Lync Admin Center (LAC) and Lync Reporting in the Office 365 Administration Portal
As you are probably aware, basic administration and management of the Office 365 plan and Lync Online can be done through the Microsoft Office 365 Administration Portal (aka Office 365 admin center): https://login.microsoftonline.com.
Tip: if you get security certificate errors when trying to login to this website, view the website Security Report by clicking the lock icon next to the address bar, and select View Certificates. If the Certificate Authority is “Baltimore CyberTrust Root” and this CA is untrusted follow the instructions at: Lync Online Service SSL certificate changes for client connectivity. Alternatively you can install this root CA directly from the View Certificates dialog if you are absolutely sure it is legit.
From the O365 Admin Portal you can access the Lync Admin Center for basic Lync Online Administration:
From the O365 Admin Portal you can also access the recently released Lync Online reports (click on “reports” in the left-hand dashboard). Currently available reports include the following:
The Office 365 services, including Lync Online, are rapidly improving so check the Office 365 Service Updates regularly for updates: Office 365 Service Upgrades and Service Updates.