With an Office 365 Skype for Business Online (SfB Online) tenant that has several SfB Administrators, I frequently need to review who has Administrator access – that is – who has the ability to see, and change, SfB settings. This includes everything from SfB service settings, user settings, to permission changes. This blog entry explains the basics for Skype for Business Online administrator permissions and how to easily review them.
SfB Online Administrator permissions leverage the default Office 365 Admin Roles and their associated Permissions in Office 365. Office 365 has predefined administrator roles, and each role has a set of permissions which allow the Office 365 user with that Admin role to do specific actions in SfB online (i.e. access to specific objects or configuration data).
The question then becomes, which Office 365 Admin Roles grant Skype for Business administrator access?
In the Office 365 Admin Center, these O365 admin roles have SfB admin permissions:
- Global administrator
- User management administrator
- Password administrator
- Skype for Business administrator
You can use either the Office 365 Admin Center or PowerShell (via the Skype for Business Online Connector module) to set these permissions.
- One of the big surprises I learned is that all of the above o365 roles grant full access to Skype for Business Online! In other words, there is no difference in administrative access between those roles; any user that has one of the those roles assigned has full administrative access to Skype for Business Online settings.
- Another key point is that those first 3 roles default O365 admin roles grant access to other parts of the O365 tenant, whereas the Skype for Business administrator role limits the administrator assigned to this role to read/write to SfB Online settings, and only read-only to the other Office 365 organization and user information.
- The above pre-defined Office 365 administrator role names in the O365 Admin Center differ slightly from the equivalent role names used when using PowerShell (more information on this later).
Using the Office 365 Admin Center
To view and set SfB Online Administrator permissions in the Office 365 portal roles navigate to “Users | Active Users” node (as of March 2016). This provides the ability to view which O365 users have been assigned predefined O365 Administrator roles. The available views are shown here:
In this view, any O365 user that has been assigned either the “Global admins”, “User management admins”, or “Password admins” roles will have SfB Online Administrator access.
To confuse matters, there is a “Skype for Business administrator” role, but it is not available in this view; however you can view whether a user has this role and assign or remove it by editing the individual O365 user and and selecting Roles as show here:
You can also see this by selecting “EDIT USER ROLES” in the the right-hand pane when you have selected a specific user.
As you can see, trying to answer the question “Who has SfB Administrator access” is cumbersome in the O365 Admin Center. PowerShell to the rescue.
To administer SfB Online via PowerShell you use the Skype for Business Online Connector Module and establish a session to your corresponding O365 tenant. This process is described here: Connecting to Skype for Business Online by using Windows PowerShell.
In PowerShell, SfB Online admin access for a user equates to having one of these 4 roles assigned to their O365 user account:
- “Company Administrator” = the role name representing Global Administrators
- “Lync Service Administrator” = the role name representing Skype for Business Administrators
- “User Account Administrator” = the role name representing User Management
- “Helpdesk Administrator” = this corresponds to the O365 Admin center role “Password administrator”
If you frequently need to see who holds any of these Administrator roles, you are best to script it in PowerShell so that it is easily accessible.
Unfortunately there is no one cmdlet which lists all of the O365 admin roles assigned to a particular office 365 user, so we are going to have to enumerate the membership of the four O365 Admin roles that correspond to SfB administrative permissions.
I wrote a PowerShell script to do that here:
[Parameter(Mandatory = $true)]
$o365AdminRole = Get-MsolRole -RoleName $AdminRole
$o365Admins = Get-MsolRoleMember -RoleObjectId $o365AdminRole.ObjectId
$o365Admins | Select-Object DisplayName, EmailAddress, IsLicensed, RoleMemberType
$cred = Get-Credential
Connect-MsolService -Credential $cred
Enumerate_SfBAdminRole -AdminRole "Company Administrator"
Enumerate_SfBAdminRole -AdminRole "User Account Administrator"
Enumerate_SfBAdminRole -AdminRole “Lync Service Administrator”
Enumerate_SfBAdminRole -AdminRole “Helpdesk Administrator”
I recently had to figure out a Skype for Business (SfB) Online user settings in the O365 Admin Center that was poorly understood – the user setting “For compliance, turn off non-archived features” as shown here:
The purpose of this setting is to allow Administrators to turn off SfB online communication features that cannot have the communication content captured by the in-place hold feature that is used with Exchange integration (the in-place hold is an Exchange feature configured in the Exchange admin center which allows archiving of communication to a special folder in the corresponding Exchange for compliance purposes).
This setting turns off the SfB features that cannot be subject to the in-place hold. Enterprises that are required to preserve digital communication can turn this setting on to ensure all SfB communication can be captured with the in-place holder features.
The SfB online features which are turned off are:
SfB Online accomplishes this by setting the Conferencing Policy for the user to one that does that include the above features.
The default Conferencing Policy is BposSAllModality. After turning this setting on for a user, the Conferencing policy is set to BposSAllModalityNoFT – notice the “NoFT” in the name = “No File Transfer”.
We can see the exactly settings in each conferencing policy using these two cmdlet:
Get-CsConferencingPolicy -Identity BposSAllModality,
Get-CsConferencingPolicy -Identity BposSAllModalityNoFT
Here are the settings for the BposSAllModality:
- AllowSharedNotes : True
- EnableFileTransfer : True
- EnableP2PFileTransfer : True
- DisablePowerPointAnnotations : False
Here are the settings for the BposSAllModalityNoFT:
- AllowSharedNotes : False
- EnableFileTransfer : False
- EnableP2PFileTransfer : False
- DisablePowerPointAnnotations : True
Here is the SfB Online PowerShell cmdlet to change all users to use a specific policy (in this case the BposSAllModality policy):
Get-CsOnlineUser | Grant-CsConferencingPolicy -PolicyName BposSAllModality
Here is the SfB Online PowerShell cmdlet to set a specific user to have a policy (in this case the BposSAllModalityNoFT policy):
Grant-CsConferencingPolicy -identity firstname.lastname@example.org -PolicyName bposSAllModalityNoFT
It’s been 2 weeks since Microsoft released the new Skype for Business iOS app (https://blogs.office.com/2015/10/14/skype-for-business-ios-app-now-available/). This article answers common questions, summarizes the important points you need to know, and includes some tips to get the most out of it.
Basics you Should Know
- This is a one-way upgrade from the Lync 2013 iOS application. There is no going back. It replaces the Lync 2013 app in the Apple Store. It will co-exist with the Lync 2010 app if it is on the device.
- The version works against Skype for Business Server 2015, Lync Server 2013, and Office 365 Skype for Business Online.
- The app requires iOS 8.1 or later and is 121 MB (iPhone app).
- The icon is called “Business” as shown below (not to be confused with the consumer “Skype” app):
- The dial pad automatically adds a country code prefix to the number being dialled. This is determined by the regional setting on your device. You can manually use the backspace button to delete the prefix if need be.
- During the initial app setup you are asked to enter your Mobile Number. This is the number that will be used in the “Call via Work” scenario, or anytime that you to do make an outbound audio or video call by having the Skype4B server call you.
- If setting server-side client policies or need to identify this client in reports, the user agents are:
- iPhone: UCWA/188.8.131.52 iPhoneLync/6.0.1445.0000 – 6.0.1447.0000
- iPad: UCWA/184.108.40.206 iPadLync/6.0.1445.0000 – 6.0.1447.0000
- If you are running against a Lync 2013 Server is will be UCWA/220.127.116.11 instead of “6”.
- 1445 was the original release; 1447 was released on Oct 22nd and addressed several bugs.
- There have been reports of the client crashing during the meeting join process. Make sure you upgrade to the latest release (6.0.1447 on Oct 22nd) if you are experiencing this.
Useful App Settings in the iOS Device Settings
I usually don’t venture into the device settings for applications. For the Skype for Business App there are some useful ones you should consider.
The Contacts settings controls whether contacts from you iOS device are shown in the Search Contacts results in the app. If this is settings is OFF, the contact search results will just contain results from the Global Address List (GAL).
I have been experimenting with the “Background App Refresh” and so far, having it on appears to have little affect on the batter – which is good.
Viewing a Contacts Profile
The profile of any contact can be viewed by just tapping on the contacts name as shown here:
Note : that you cannot access a participant’s Contact Card from the Participant List from the IM chat screen.
Saving Battery Life
With the older Lync iOS clients, signing out was a good idea to save battery life if the client was not going to be used for awhile. This is anecdotal, but I am finding the new Skype for Business iOS app much more battery-friendly while staying signed-in.
Swipe Right & Swipe Left
One of the best pieces of functionality I have discovered is the ability to swipe Left and Right for recent activity under the “recent” group on the main search bar for locating contacts.
A swipe Right and you can immediately launch communication with the recent contact as shown here:
A swipe Left and you can remove the entry from your recent listings as shown here:
One of the most obvious pieces of functionality missing in this initial version (that was available in previous iOS versions) is sharing a PowerPoint presentation during a conference. Application and screen-sharing are still possible – you can share a ppt through screen-sharing.
A number of people have reported missing the ability to control Simultaneous Ring and to set Call Forwarding options.
Microsoft has detailed other pieces of functionality that are missing in this KB article: Some Lync 2013 for iPhone/iPad features are missing in Skype for Business for iOS (https://support.microsoft.com/en-us/kb/3102247).
Meeting Join Crashes?
There were many reports of the app crashing on meeting joins in preview and the initial release. Since the latest release on Oct 22nd, I have personally not had any crashes on or during meeting joins.
The Ability to Make Calls to Skype Users
The new app offers the capability to communicate with anyone who uses Skype (consumer). The other users Skype ID is all the is required. In my experience this is buggy. I did get it to work with one Skype consumer accounts but not another’s. I think this speaks to the Lync/Skype4b and Skype consumer integration issues that have been present for a long time and is not related to the app.
The new iOS is a good, and a better experience than it’s predecessor – a noticeable improvement in UI usability and aesthetics. The in-call and in-meeting experiences are much improved over the Lync 2013 app and it is a well worth the few missing features and bugs which will be addressed in subsequent releases.
Links to More Information
Microsoft Skype for Business for iOS Productivity Guide (http://www.microsoft.com/en-us/download/49185)
- a step-by-step guide to installing and using the iOS guide
Some Lync 2013 for iPhone/iPad features are missing in Skype for Business for iOS (https://support.microsoft.com/en-us/kb/3102247)
Microsoft’s “Skype For Business” iOS App Now Available To All (http://techcrunch.com/2015/10/14/microsofts-skype-for-business-ios-app-now-available-to-all/)
A quick post about a misleading error you might experience in a Lync Server 2013 topology with one Persistent Chat Pool servicing multiple sites and front-end pools. Using one Persistent Chat (PS) pool for multiple sites or pools is a supported Topology configuration, but the errors outlined in this blog post are triggered after deploying Persistent Chat, or a new Lync Site using an existing PS Pool, and forgetting to set a Persistent Chat Site or Pool policy. I assume this experience is the same with Skype for Business Server, but I have not verified that.
Forgetting to set the Persistent Chat Policy can be tricky because to the end-user, the Persistent Chat functionality will show up as available in the client, but an erroneous error message will be shown that says “Your chat room access may be limited due to an outage” as shown in the screen shot below:
When a user attempt to enter a Persistent Chat room, they will receive this error:
From an Administrative point of view this can be easily overlooked because the bulk of the PS chat configuration is done in the Topology Builder. However, there is a group of PS Chat administrative settings in the Lync Control Panel (and also available through Lync cmdlets) that should be configured during your deployment. Specifically pay attention to the “Persistent Chat Policy” tab on the Lync Control Panel. Users must be enabled for Persistent Chat either Globally or with specific policies for each site or pool. Many deployments do not enable Persistent Chat globally, so a PS Chat policy per site which PS Chat enabled is required.
Another aspect that can get overlooked by Administrators is that if the Persistent Chat policy set on Lync user accounts is set to “Automatic” – the default – Lync will use the most granular PS Chat policy that applies, which will be a Pool or Site specific policy (if one exists). If this is the case and a Lync user account is moved from a site or pool with PS Chat enabled to a site or pool with no PS Chat policy defined, they will get the errors shown in the first two screen shots above.
A scenario I have come across several times and usually forget the answer to is:
What configuration does a Lync user require to be enabled for the ‘Call me at’ conference feature?
In this post I will address that question and some common end-user challenges with using this feature.
If you are not familiar with it, the ability to join a conference using the “Call me at” option it is a powerful communication feature. In Microsoft Skype for Business (SfB) and Lync, it allows end-users joining a SfB conference call (i.e. participants) to join the audio portion of the call by having the SfB server call out to whatever number the user specifies. This could be their cell phone, desk phone, or any manually specified phone number – provided the user is enabled for it, and as the Enterprise Voice feature set has been deployed.
When the user launches a Skype meeting, they are presented with some options to join the audio portion of the meeting as shown below. This screen shot shows one of the first sources of confusion – the “Call me at” drop-down box of numbers appears blank:
I have yet to determine if this is a SfB system configuration but I have seen it in the field several times. If this holds true for you, the best solution is user awareness, and fortunately once they click on the “Call me at” option (radio button), they will see a choice of numbers as shown here:
Another challenge with this feature is that if the end-user is not configured on the back-end server (Lync Server 2013 used here), the end-user experience is confusing. Even though the SfB client will allow the user select this join method, it will produce a generic error as shown here:
If you are seeing this error, check to make sure the user is enabled in the Skype for Business (SfB) or Lync Server 2013 deployment. And what settings enable them to use this feature?
Two system settings can be used to enable this conference join option. This is an “either / or” situation. If they are enabled for either of these settings, they will be able to join conference audio using the “Call me at:” feature:
- Enterprise Voice, or,
- Conference Policy Setting (“Allow participants not enabled for Enterprise Voice to dial out”)
For the Enterprise Voice setting, if the user is enabled for “Enterprise Voice” in the Telephony setting of their account, they will have this capability regardless of the Conferencing policy setting. The setting for Enterprise Voice is in the user account in the Lync/SfB Control Panel:
The Lync/SfB Server Conferencing Policy setting which will also give a user this capability is the “Allow participants not enabled for Enterprise Voice to dial out”. It is available in the Lync/SfB Conferencing Policy setting in the Administrative Control Panel as shown below. Lync/SfB policies can apply at different levels (Global, Site, User) so ensure that whatever policy you enable this setting with, is the effective policy applied to the user accounts you want to enable this feature for.
Any SfB user with this Conference policy setting enabled will be able to join via the “Call me at” option even if they are NOT enabled for enterprise voice.
The only other question around this feature is usually from Administrators who want to know how to control which numbers the end-user is given as choices. This is controlled by the same number options that show up in the Lync/SfB address book.
Details of the Skype for Business mobile client were announced today, along with an associated preview program here: https://blogs.office.com/2015/08/11/announcing-the-technical-preview-of-skype-for-business-apps-for-ios-and-android/. Both Skype for Business online and on-premises (Lync and Skype) can sign-up for the preview program if the mobile features are deployed today. To participate, either an IT administrator or tenant administrator nominates 4 of their end-users here: https://www.skypepreview.com/.
Each participate is identified by name with their device type and OS version, and individual instructions are sent to them to participate.
In addition to the details in the Microsoft Office blog post, are are some details to clarify common questions:
- The Skype for Business mobile client replaces (upgrades) the Lync 2013 mobile app on iOS and Android when the end-user upgrades the app from the store.
- The Skype for Business mobile client replaces will GA later this fall. It will be a one-way upgrade – no rolling back.
- The Skype for Business mobile client will work against a Lync 2013 Server, but not a Lync 2010 Server.
- The Lync 2010 mobile client will be a separate mobile client and will be kept and maintained separately.
- Windows Phone users can already download the Skype for Business Windows Phone App here: https://www.microsoft.com/en-us/store/apps/skype-for-business/9wzdncrfjbb2.
The new mobile client follows the same new streamlined UI and workflow theme of the thick client. Looking forward to giving it a whirl!
In case you missed it, on the eve of Microsoft Ignite, the Skype for Business Server 2015 build has been officially released – the RTM version is available for download on MSDN (thanks to fellow MVP Jeff Schertz for alerting me to this):
The download is 1.4 GB. Just a reminder, it is an in-place upgrade from Lync Server 2013 with no additional hardware requirements.
The TechNet documentation was released a couple of days ago and is available here: https://technet.microsoft.com/en-us/library/gg398616.aspx.
Fellow MVP Matt Landis has already done a nice job on a Step by Step Skype for Business Server 2015 In Place Upgrade blog post.
And lastly, Microsoft has already updated the Key Health Indicators for the new Skype release – available here: Key Health Indicators for Lync Server 2013 and Skype for Business Server 2015.
As you are probably aware, Microsoft rolled-out the new Skype for Business client as an Office 2013 in the form of 2 update for the Lync 2013 client (KB2889853 and KB2889923). Just apply the latest Office Professional Plus 2013 updates, and you will get the Skype for Business client update.
Most of you are aware that the UI can either run as the Lync 2013 look-and-feel, or the new Skype for Business look-and-fell (if you are not familiar with it, do a quick search, or visit one of the many good write-up’s like fellow Lync MVP Tom Arbuthnot’s write-up here: Important Changes coming to the Lync 2013 Client UI/UX in the April 2015 Client Patch). In a nutshell, the type of UI ‘skin’ that is used depends on a combination of backend server version, optional server-side client policy, and a registry key.
I ended up writing a quick script to flip the registry value so I could switch back-and-forth for various reasons (testing, helping users). I used this script enough myself that I thought the community would benefit from it.
The purpose of the SFB client registry key is primarily for the first run of the SFB client – i.e. controlling whether the Lync or SFB UI is displayed – until the client policy governs the behavior after the first run. However, if no policy is set and Lync Server 2010/2013 is being used on-premises, you can use this script to keep reverting back to the Skype for Business Client if it is desired – until a policy is set.
Specifically the script will do the following.
- It checks to see if the Skype for Business UI registry value exists (e.g. “HKCU\Software\Microsoft\Office\Lync\EnableSkypeUI”).
- If it does NOT exist, it creates it with a default value of “1” – which is the binary value for enabling the Skype for Business client UI experience.
- If the registry value DOES exist, it changes the value to be the alternate UI. For example:
- If the value is set to use the Lync UI (i.e. “00 00 00 00”), it will change the value to Enable the Skype for Business UI by setting the registry value to “01 00 00 00”.
- If the value is set to use the Skype for Business UI (i.e “01 00 00 00”), it will change the value to Enable the Lync UI by setting the registry value to “00 00 00 00”.
You need access to your registry for this script to work.
Caveat: I hesitated releasing this little script because it does modify the registry on a Windows host/client. I will include the standard ‘registry modification’ disclaimer with this:
Warning: this script modifies the Windows registry (if the current logged on user has permission to do so). If you are not familiar with editing the registry, or are not sure, do not attempt to run it.
I take no responsible for any issues this may cause. Having said all of that, it is tested and I cannot see any harm that it could cause!
Enough warnings, hope it helps.
The past few weeks have been a flurry of activity on the Skype for Business front. If you’ve been busy like me, this post will tell you just what you need to know, clear up some confusion, and get you started with the new Skype for Business client.
A Technical Preview of the new Skype for Business Client is Available
The most significant news is that a Technical Preview of the next release of the Lync client was made available. The new version is rebranded as the Skype for Business (“SfB”) client. Here is what you need to know:
- This is the Lync client under the covers, but it is available with a new optional UI skin that looks like the Skype Consumer client.
- When it is officially released in April, the SfB client will be distributed via a Windows Update (a Cumulative Update in Office 2013).
- When it is released, it is not known yet what the default UI skin will be (the new Skype look, or the Lync look). There are registry key entries and a Lync server side setting that can control which UI is displayed.
- Because it is the Lync client under the covers, it has the look and feel of the Skype consumer client but the security and management controls of the Lync client.
- This Microsoft Office Support Article has some good links to get your users up and running with the SfB Preview Client – Skype for Business change management and adoption.
- Do not confuse this release with the Skype for Business client experience in the Office 2016 Preview – which is a longer leading initiative that will not be released until the second half 2015.
Details of the Technical Preview
- Download for North America: http://www.microsoft.com/en-us/evalcenter/evaluate-skype-for-business
- Outside of North America: https://technet.microsoft.com/en-gb/evalcenter/dn917485
- You’ll need to sign-in with a Microsoft Account
- There is a 64 and 32-bit download – I recommend using the one that matches your Office Version
- It is an update to the Lync 2013 client MSI.
- It is a 270 Mb trial which expires May 1, 2015
- I’ve had troubles downloading this in non-IE browsers (“HTTP Error 400. The size of the request headers is too long”). IE seems to work.
- Can I run the Skype for Business Technical Preview with Office 2010? Yes.
- Can I run the Skype for Business Technical Preview with Microsoft Lync Server 2010? Yes.
- Can I run the Lync 2013 Client side-by-side with the SfB Client? No – the SfB client is an upgrade to your existing Lync 2013 client (replaces it)
The new Skype for Business Client, Server, and Online service will be Generally Available in April.
- This is essentially the release date for Skype for Business that we have been waiting for – not far off!
Office 2016 is available in preview is Available
- Microsoft recently announced the Office 2016 IT Pro and Developer Preview.
- Among other things, this preview contains a release of the Skype for Business experience that is different from the Skype for Business client being released in April and in Technical Preview today. It will not be released until the second half of 2015 as part of the next version of Office for Windows desktop.
There is a lot of information available on what the new SfB client UI looks like, changes in functionality from the current Lync client, and how to change the UI look-and-feel between Skype-mode and Lync-mode:
I’ve fielded a lot of questions about the next release of Microsoft Lync Server – rebranded as Skype for Business – in the last few months. The questions have been difficult to answer because public information has been limited up to this point. Microsoft recently announced that Skype for Business Training is being rolled into the Office 365 Summit series.
This training includes information about the next release of Lync (SFB) including the following:
You can read more information about it here: http://blogs.office.com/2015/01/14/skype-business-sessions-now-included-office-365-summits/.
If you cannot attend in person, there are many Skype for Business Webcasts you can sign-up for and attend by registering here: https://infopedia.eventbuilder.com/index.asp?landingpageid=7p1c8p, including:
- New Windows Desktop Experience
- Reference Architecture and Design Considerations
- Manageability Improvements Overview
- In-Place Upgrade Deep-dive
- SQL Always On Deep-dive Wednesday
- Server Core Improvements Overview
- Reliability & Patching Deep-dive
- Hybrid Configuration Deep-dive
- New Meeting & Web Investments Overview
- Video Interop Server Deep-dive
- Lync/Skype Federation (Phase 2)
- Lessons Learned from Preview
- Software Defined Networks (SDN)
- Developer Platform
This training and information will cover some key feature enhancements such as:
- Support for In-place upgrades
- Call via work (expanded)
- SQL Always On
- New Video Interop capabilities
- More Lync/Skype Federation (i.e. ‘’Phase 2”)
- Better support for Software Defined Networking