Key Skype for Business Online Policy Settings

As I work more with enterprises adopting Skype for Business (SfB) Online in Office 365, many questions arise about setting user policies which govern which features which compliance, security, and resource usage.

There are many policies (about 12 that applicable to individual SfB Online users), and each type of policy can have many settings (52 for the Conferencing Policy for example), and it is difficult to know what settings are available, what the individual setting enables/disables, and which ones matter the most.

In my experience the 4 most commonly used SfB Online policies are:

  1. Conferencing
  2. External Access
  3. Client
  4. Voice

The importance of each policy type will depend on what features your SfB tenant is leveraging. The bulk of this article lists and explains the key policy settings for each policy type.

Before we get to that it is worth pointing out several significant differences between setting policies in SfB Online and the SfB Server 2015 on-premises equivalent:

  1. Skype for Business Server 2015 gives more granular policy control in the native management GUI’s (primarily the Management console); both in terms of policy features, and the ability to assign it a user. You will likely need to use the Skype for Business Online PowerShell module to manage policy settings if you are doing anything over-and-above the basics. See Using Windows PowerShell to manage Skype for Business Online for more information.
  2. Many default policy settings that apply to individual users derive from the SfB Online tenant settings. For example, if you enable Federation and Public IM (PIC) at the tenant level, all users in the SfB online tenant are assigned the “FederationAndPICDefault” policy under the covers. Any settings in a user level policy will override these default settings.
  3. There are differences in online policy scopes. SfB Online does not have the “Site” scope and primarily used the Global or Tag (per user) scope. This Microsoft TechNet article describes Identities, scopes, and tenants in Skype for Business Online.
  4. New Policies are not Created in Skype for Business Online. With SfB Server 2015 on-premises you can create custom policies to your hearts content (for most policy types). In Skype for Business online existing policies can be changes (with the associated Set cmdlet) but you cannot create new policies. See Managing policies in Skype for Business Online for more information.

Conferencing Policy

The Conferencing policy determines the features and capabilities that can be used in a Skype for Business conference.  It is important because it controls features that span legal & compliance (such as the ability to record the media used in a web conference), security (the ability for anonymous users to participant in a conference), and important management settings that affect the amount of bandwidth consumed during a conference.  The table below highlights the key Conference Policy settings I have used in the past.

Note: Unless otherwise noted, these settings apply to the user who organizes the conference  - the setting enables or disables a feature in conferences the organizing user creates.  However, the user can participate in other conferences where the same feature might be allowed or disallowed based on that conference organizers settings.

Setting Description Default Global Policy Value

AllowAnnotations

Controls whether or not participants are allowed to make on-screen annotations on any content shared, and whether or not whiteboarding is allowed.  Annotations are not archived along with other meeting content.

True
AllowAnonymousParticipantsInMeetings Controls whether anonymous users are allowed to participate in the meeting. If this setting is ‘False’, only AD authenticated users are allowed to attend the meeting True
AllowAnonymousUsersToDialOut Controls whether anonymous users (not authenticated with Active Directory) are allowed to join a conference using dial-out phoning. With dial-out phoning, the SfB conferencing server telephones the user; when the user answers the phone, he or she will be joined to the conference True

AllowConferenceRecording

Controls whether users are allowed to record the meeting (from the client). This setting applies to all users taking part in the conference. False
AllowExternalUserControl

Controls whether external users (either anonymous users or federated users) are allowed to take control of shared applications or desktops.

This setting is enforced at the per-user level for both conferences and peer-to-peer communication sessions, so some users in a session might be allowed to give up control of a shared application or desktop to an external user while other users might not be allowed to give up control

False
AllowExternalUsersToRecordMeeting Controls whether external users (either anonymous users or federated users) are allowed to record the meeting. This setting takes effect only if the AllowConferenceRecording property is set to True. False
AllowExternalUsersToSaveContent

Controls whether external users (that is, users not currently logged-on to your network) are allowed to save handouts, slides, and other meeting content

True
AllowNonEnterpriseVoiceUsersToDialOut Controls whether or users who have not been enabled for Enterprise Voice are allowed to join a conference using dial-out phoning. With dial-out phoning the conferencing server will dial the user via the telphone (PSTN); when the user answers the phone, he or she will be joined to the conference False
EnableAppDesktopSharing

Controls whether participants are allowed to share applications – including their desktop – in a meeting.  The values are either  1)
"Desktop" (users are allowed to share their entire desktop),  2) "SingleApplication"  (users are allowed to share a single application, or 3) "None"  (users are not allowed to share applications or their desktop)

Desktop
EnableDialInConferencing Controls whether users are able to join the meeting by dialing in with a public switched telephone network (PSTN) telephone True
EnableFileTransfer Controls whether file transfers to all the meeting participants are allowed during the meeting. True
EnableP2PRecording Enables users will be able to record peer-to-peer conferencing sessions. It is enforced at the per-user level so one user in a P2P communication session might be allowed to record it while the other user is not. False
MaxMeetingSize Controls the maximum number of people who are allowed to attend a meeting. After the maximum number of participants has been reached, anyone else who tries to join the meeting will be turned away with the notice that the meeting is full. 250

The full Conference Policy settings can be viewed in the ‘Parameters’ section in the Microsoft Technet article for the Set-CsConferencingPolicy cmdlet.

External Access Policy

External access policies have the fewest settings of any of the policies, but are important.  They are the main tool to control whether users can connect externally (outside of the corporate network), and whether the can communicate with users outside of the organization such as contacts in a partner organization running Skype for Business (federated contacts), and contacts in public consumer instant messaging systems.

The table below shows the settings in the External Access policy and the default values for the FederationAndPICDefault Policy which is the default policy in most SfB Online tenants, and when enabled at the tenant level, this policy gets assigned to all the users.

* Note: all the settings below are False in the Global policy.

Setting Description The FederationAndPICDefault Policy Value
EnableFederationAccess Controls whether the user is allowed to communicate with people who have SIP accounts with a federated organization True
EnableOutsideAccess Controls whether the user is allowed to connect to Skype for Business Server 2015 over the Internet (on an external network) True
EnablePublicCloudAccess Controls whether the user is allowed to communicate with people who have SIP accounts with a public Internet connectivity providers such as MSN True
EnablePublicCloudAudioVideoAccess Controls whether the user is allowed to conduct audio/video conversations with people who have SIP accounts with a public Internet connectivity providers. When set to False, audio and video options in Skype for Business Server 2015 will be disabled any time a user is communicating with a public Internet connectivity contact True
EnableXmppAccess Controls whether the user is allowed to communicate with users who have SIP accounts with a federated XMPP (Extensible Messaging and Presence Protocol) partner False

To view all the settings in the SfB External Access Policies, see the Parameters section in the Microsoft TechNet article for the Set-CsExternalAccessPolicy cmdlet.

 

Client Policy

Client policies are the main method to control the behaviour of the Skype for Business client such as whether a user photo is displayed, how the address book is accessed, and whether the presence state “Appear as Offline” is available to the user.

Here are some of the key policy settings:

Setting Description Default Global Policy Value
AddressBookAvailability

Controls how the client Address Book is used – either through the AB Web Query service and/or by downloading a copy of the Address Book (to the client). The Possible values are:

> WebSearchAndFileDownload
> WebSearchOnly,
> FileDownloadOnly

WebSearchOnly
AutoDiscoveryRetryInterval

This setting specifies the amount of time the Skype for Business client waits before trying again to connect to the server after a previous failed attempt. It can be set between 1 second and 60 minutes.

The value needs to be in the format "hours:minutes:seconds".  Eg. to set the interval to 15 minutes the value used for the AutoDiscoveryRetryInterval parameter would be "00:15:00"

<not set>
DisableEmailComparisonCheck Controls whether the Skype for Business client will attempt to verify that any currently running instance of Microsoft Outlook belongs to the same user running Skype for Business.  If set to True (to not check) the client will assume that the SfB client and Outlook are running under the same account and, in turn, and will include contact and calendar data from Outlook.

When set to False, the SfB client will use SMTP addresses to verify that Outlook and Skype for Business are running under the same account. If the SMTP addresses do not match, then contact and calendar data in Outlook will not be used in the SfB client

False
DisableEmoticons Controls whether users will be able to send or receive emoticons in their instant messages. If set to True, users will see the text equivalent of those emoticons. When set to False, users will be able to include emoticons in their instant messages, and to view emoticons in instant messages they receive True
DisableFreeBusyInfo Controls whether free/busy information is retrieved from Microsoft Outlook and displayed in the SfB client contact card. When set to False, free/busy information is displayed in the contact card for contacts in the SfB client False
DisableSavingIM Enables (or disables) the menu bar option to save an instant message session int the SfB client.When set to false, the options to Save an IM session are available in the Conversation window.

Note that setting this value to true removes the menu options that make it easy for users to save instant message transcripts. However, it does not prevent users from copying all the text in a transcript to the clipboard, pasting that text into another application, and then saving the transcript that way

False
DisplayPhoto Determines whether or not photos of both the user, and his or her contacts, will be displayed in the SfB client. Valid settings are:

> NoPhoto – Photos are not displayed in Skype for Business.

> PhotosFromADOnly – Only photos that have been published in AD

> AllPhotos – Either AD photos or custom photos can be displayed.

AllPhotos
EnableExchangeContactSync When set to True, Skype for Business creates a corresponding personal contact in Outlook for each person in the user’s Skype for Business Contacts list True
EnableExchangeDelegateSync When set to true, a user that has been configured with delegate access in Outlook will be allowed to schedule online Lync Calendar meetings for that user (this happens via Lync UCMAPI delegation, without the need of the Enterprise Voice feature) True
EnableIMAutoArchiving When set to true, a transcript of every instant message session that a user takes part in will be saved to the Conversation History folder in Outlook. When set to false, these transcripts will not be saved automatically.

Note: users will always have the option to manually save (copy & paste) instant message transcripts

True
EnableSkypeUI Allows administrators to enable the Skype for Business user interface instead of the Lync interface for the Skype for Business client. True
EnableEventLogging When set to true, detailed information about the Skype for Business client operations will be recorded in the Application event log lon the client. When set to false, only major events (such as the failure to connect to Skype for Business Server) are recorded in the event log False
EnableTracing When set to true, software tracing will be enabled in the Skype for Business client. Software tracing enables a very detailed log of all client operations (including API calls). It is mostly useful to developers and to application support personnel. False
TracingLevel

Enables Administrators to manage event tracing and logging in the Skype for Business client.

Possible values are:

> Off – Tracing is disabled and the user cannot change this setting.

> Light – Minimal tracing is performed, and the user cannot change this setting.

> Full – Verbose tracing is performed, and the user cannot change this setting.

  Light

To view all the settings in the SfB Client Policies, see the Parameters section in the Microsoft TechNet article for the Set-CsClientPolicy cmdlet.

Voice Policy

The Voice Policy is largely used to configure the PSTN calling voice features such as whether to allow call forwarding or whether to allow simultaneous ring for users. It is only applicable if the SfBO tenant is licensed and using Enterprise Voice (PSTN Calling), and the user has an appropriate Office 365 license (currently an E5 license). Note that SfB Online VoIP voice calls (e.g. SfB to SfB client audio) are not governed by this policy.

Setting

Description

AllowCallForwarding

If this parameter is set to True, users assigned to this policy can forward calls. If this parameter is set to False, calls cannot be forwarded.

AllowPSTNReRouting

When this parameter is set to True, calls made to internal numbers homed on another pool will be routed through the public switched telephone network (PSTN) when the pool or WAN is unavailable.

AllowSimulRing

Simultaneous ring is a feature that allows multiple phones to ring when a single number is dialed. Setting this parameter to True enables simultaneous ring. If this parameter is set to False, simultaneous ring cannot be configured for any user assigned to this policy.

CallForwardingSimulRingUsageType

Provides a way for administrators to manage call forwarding and simultaneous ringing. Allowed values are:

* VoicePolicyUsage – The default voice policy usage is used to manage call forwarding and simultaneous ringing on all calls. This is the default value.

* InternalOnly – Call forwarding and simultaneous ringing are limited to calls made from one Lync user to another.

* CustomUsage. A custom PSTN usage will be used to manage call forwarding and simultaneous ringing. This usage must be specified using the CustomCallForwardingSimulRingUsages parameter.

CustomCallForwardingSimulRingUsages

Custom PSTN usage used to manage call forwarding and simultaneous ringing.

EnableBusyOptions

Enables or disables Busy Options for the specified voice policy. Busy Options allows incoming calls to be routed to voice mail or rejected with a "busy" signal when the call’s target user is on the phone. Use the Set-BusyOptions cmdlet to set the option desired.

EnableCallPark

The Call Park application allows a call to be held, or parked, at a certain number within a range of numbers for later retrieval.

EnableCallTransfer

Determines whether calls can be transferred to another number.

EnableDelegation

Call delegation allows a user to answer calls for another user or make calls on the other user’s behalf. For example, a manager can set up call delegation so that all incoming calls ring both his or her phone and the phone of an administrator.

EnableMaliciousCallTracing

Malicious call tracing is a standard that is in place to trace calls that a user designates as malicious. These calls can be traced even if caller ID is blocked. The trace is available only to the proper authorities and not to the user.

EnableTeamCall

Team Call allows a user to designate a group of other users whose phones will ring when that user’s number is called. This feature is useful in teams where, for example, anyone from a team can answer incoming calls from customers.

EnableVoicemailEscapeTimer

When set to True, calls to an unanswered mobile device will be routed to the organization voicemail instead of the mobile device provider’s voicemail. If a call is answered "too soon" (that is, before the value configured for the PSTNVoicemailEscapeTimer property has elapsed) it will be assumed that the mobile device is not available and the call will be routed to the organization voicemail.

The default value is False.

PreventPSTNTollBypass

PSTN tolls are more commonly known as long-distance charges. Organizations can sometimes bypass these tolls by implementing a Voice over Internet Protocol (VoIP) solution that enables branch offices to connect via network calls. Setting this parameter to True will send calls through PSTN and incur charges rather than going through the network and bypassing the tolls.

PstnUsages

A list of PSTN usages available to this policy. The PSTN usage ties a voice policy to a phone route and determines whether a user is allowed to make a specific call to a destination number.

Keep in mind that if you use this parameter to remove all PSTN usages from the policy, users granted this policy will not be able to make outbound PSTN calls.

PSTNVoicemailEscapeTimer

Amount of time (in milliseconds) used to determine whether or not a call has been answered "too soon." If a response is received within this time interval Skype for Business Server 2015 will assume that the mobile device is not available and automatically switch the call to the organization’s voicemail. If no response is received before the time interval is reached then the call will be allowed to proceed.

The default value is 1500 milliseconds.

Tenant

Globally unique identifier (GUID) of the Skype for Business Online tenant account whose voice policy is to be modified. For example:

-Tenant "38aad667-af54-4397-aaa7-e94c79ec2308"

You can return the tenant ID for each of your tenants by running this command:

Get-CsTenant | Select-Object DisplayName, TenantID

 

Here are the default settings for voice policy used in a hybrid voice configuration:

Identity                            : Tag:HybridVoice
PstnUsages                          : {BVTest}
CustomCallForwardingSimulRingUsages : {}
Description                         : LYO Prod HybridVoice voice policy
AllowSimulRing                      : True
AllowCallForwarding                 : True
AllowPSTNReRouting                  : False
Name                                : HybridVoice
EnableDelegation                    : True
EnableTeamCall                      : True
EnableCallTransfer                  : True
EnableCallPark                      : False
EnableMaliciousCallTracing          : False
EnableBWPolicyOverride              : True
PreventPSTNTollBypass               : True
CallForwardingSimulRingUsageType    : VoicePolicyUsage
VoiceDeploymentMode                 : OnPremOnlineHybrid
EnableVoicemailEscapeTimer          : False
PSTNVoicemailEscapeTimer            : 4000
TenantAdminEnabled                  : False
BusinessVoiceEnabled                : False

To view all the settings in the SfB Online Voice policy, see the Parameters section in the Microsoft TechNet article for the Set-CsVoicePolicy cmdlet.  Note: many of the settings documents here apply to on-premises Skype for Business Server 2015 and not SfB Online.

One final note, while researching this article I discovered a recent Microsoft TechNet article by Thomas Binder and Jens Trier Rasmussen that has some useful information about managing SfB Online policies: Policies in Skype for Business online.

Be Sociable, Share!

You must be logged in to post a comment.