Microsoft Teams

How to Report Teams Channel Storage with Microsoft Graph API and PowerShell

It’s no secret that Microsoft Teams uses SharePoint Online to store files shared between team members. Each team has a document library in the SharePoint Online site owned by the Microsoft 365 group for the team, and when a new channel is created, a folder for that channel is created within the document library.

By default, the name of the channel folder is the same as the channel. Details can be retrieved easily using Exchange Online or PnP PowerShell. However, things become more complicated when a channel is renamed.

What’s in a name?

Currently, when a channel gets renamed, its folder does not change (but hopefully will soon!) which makes finding the channel folder more difficult. Private channels create another layer of complexity because of their associated SharePoint Online site.

Within large organizations utilizing Teams, reporting on and then migrating this data is extremely difficult. To help map out how Teams uses SharePoint, I’ve created a simple Graph API / PowerShell script to report Teams channels and their SharePoint locations in a CSV file (you can download the script from GitHub here). Each channel reports the following information:

  • Team ID – The Azure AD object ID of the Team / Group
  • Team Name – The name of the Team
  • Channel Name – The name of the Channel
  • Channel Type – Whether the Channel is standard or private
  • SharePoint URL – URL of the Teams Channel storage location, including folder path
  • Storage Used (Bytes) – The current storage size of the folder

In this article I’ll walk you through the steps and show how you can run the report yourself.

Creating an App Registration

Since the script in question uses Graph API, we need an App Registration to Authenticate and Authorize our queries. To set up the registered app, you’ll want to reference this article I previously wrote for another Graph-based script.

Once you’ve done that, you need to grant the Application permissions for this script as shown in Figure 1:

Figure 1: Require Application Permissions

Running the Script

To run the script, you’ll need to download it to your local machine and run it in PowerShell, providing the following parameters:

  • ClientID – The Application (Client) ID of the App Registration
  • TenantID – The Directory (Tenant) ID of your Azure AD Tenancy
  • ClientSecret – A Client Secret Generated for your App Registration
  • CSVPath – The path and name for the output CSV

With the above information, the script can be run using a command as shown below:

Figure 2: Running the Script

If the script is run successfully, there is no output but you could always add your own progress bar for exceptionally large environments.

Review the Output

Once the script is finished, the output file should show a line entry for each Team and each Channel, including the associated folder/library location and storage used. This is in CSV format, so it’s easy to filter and sort if required, and it can be saved as an Excel Spreadsheet to perform some more advanced analysis.

Where the Channel Name and Type appears as “N/A,” the entry is for the Team rather than a specific channel. Check out the example output in Figure 3 to get an idea of what to expect:

Figure 3: Output File Example
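
How a report like this can be assembled from Graph, as an added example rather than the author's script from GitHub: it resolves each channel's folder through the channel ID, so renamed and private channels still map to their actual SharePoint location. The parameter and column names follow the lists above; the function name, the error text and the omission of the team-level "N/A" rows are choices made for this example, and the app registration needs the permissions shown in Figure 1.

```powershell
# Added example: per-channel storage report via Microsoft Graph (app-only auth).
# Parameter names mirror the ones described in the article; the rest is illustrative.
param(
    [Parameter(Mandatory)] [string] $ClientID,
    [Parameter(Mandatory)] [string] $TenantID,
    [Parameter(Mandatory)] [string] $ClientSecret,
    [Parameter(Mandatory)] [string] $CSVPath
)

$ErrorActionPreference = 'Stop'
$graph = 'https://graph.microsoft.com/v1.0'

# Client-credentials flow: exchange the app's ID and secret for a Graph token.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token" `
    -Body @{
        client_id     = $ClientID
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

function Get-GraphCollection {
    # Hypothetical helper: follows @odata.nextLink so large tenants are not cut off
    # after the first page of results.
    param([Parameter(Mandatory)] [string] $Uri)
    while ($Uri) {
        $page = Invoke-RestMethod -Method Get -Uri $Uri -Headers $headers
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

# Microsoft 365 groups that have a team attached. Single quotes keep PowerShell
# from expanding $filter and $select as variables.
$teamsUri = $graph + '/groups?$filter=resourceProvisioningOptions/Any(x:x eq ''Team'')&$select=id,displayName'

$report = foreach ($team in Get-GraphCollection -Uri $teamsUri) {
    foreach ($channel in Get-GraphCollection -Uri "$graph/teams/$($team.id)/channels") {
        try {
            # filesFolder returns the driveItem behind the channel, whatever the
            # folder is called and whichever site (team or private channel) holds it.
            $folder = Invoke-RestMethod -Method Get -Headers $headers `
                -Uri "$graph/teams/$($team.id)/channels/$($channel.id)/filesFolder"
            $url  = $folder.webUrl
            $size = $folder.size
        }
        catch {
            # Record a failed lookup instead of aborting the whole report.
            $url  = "Lookup failed: $($_.Exception.Message)"
            $size = $null
        }
        [pscustomobject]@{
            'Team ID'              = $team.id
            'Team Name'            = $team.displayName
            'Channel Name'         = $channel.displayName
            'Channel Type'         = $channel.membershipType
            'SharePoint URL'       = $url
            'Storage Used (Bytes)' = $size
        }
    }
}

$report | Export-Csv -Path $CSVPath -NoTypeInformation -Encoding UTF8
```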

Summary

This script is straightforward and provides information that, while not hidden, can be cumbersome to collate when attempting to utilize other tools.

This information can potentially become invaluable when auditing your cloud storage, Teams usage, or simply preparing for a migration. Having a quick and uncomplicated way to retrieve the information can make life A LOT easier.

If anything happens to be missing from the output, you can customize the script to add it in. As always, make sure you test any code before running it in your production environment, so you completely understand what it will do.

Source Practical 365

Understanding The Three Types of Channels in Microsoft Teams

At the Ignite conference in November 2019, Microsoft announced the availability of private channels for Teams. Two years later, we’re looking forward to shared channels, due to be delivered later in 2021. Taken together with regular channels, some folks are now confused as to where they should consider the use of regular, private, or shared channels for collaboration. Let’s try and define the use cases for regular and private channels and set out what might happen with shared channels, acknowledging that these are not yet generally available.

Regular Channels

A team is built from channels. Starting off, a team has a General channel. In fact, the General channel is the core of a team. It cannot be removed or renamed. But that’s OK, because a team can have up to 199 additional regular channels to use to segregate discussions. All team members have full access to whatever’s stored in regular channels.

Ideally, the General channel should be kept for team-wide announcements rather than discussions, which should be in channels dedicated to themes. There’s nothing to stop you keeping everything in the General channel and this can work for low-traffic teams, but once discussions heat up and become active, keeping everything in General often creates a catch-all collection of badly organized topics that’s difficult to navigate. For this reason, it’s best to block the ability to post to the General channel to anyone but team owners (Figure 1).

Figure 1: Restricting team members from posting to the General channel

Posting privileges for other channels works differently. Instead of just owners, you can assign channel moderators and restrict the ability to add new posts to moderators (Figure 2).

Figure 2: Restricting posting to a regular channel (not General)

Apart from restricting who can post into channels, the major issue is to decide on how many channels to have within a team. You can have a team with 200 channels (General limited, 199 available for conversations). Without iron discipline on the part of members and owners alike, the team will be a mess. In all likelihood, relatively few channels will be used on a daily basis and the rest will become the digital equivalent of abandoned frontier towns with a few initial conversations and then nothing. In short, it’s better to start with a few channels and grow the number of channels when justified by an obvious demand. It’s also good to have someone act as the DRI to keep an eye on what happens in a channel.

Private Channels

A private channel is a restricted part of a team that’s only available to a subset of team members. There can be up to 30 private channels in a team, each supporting a membership of up to 250 tenant and guest accounts. Managing channel membership looks and feels like managing the membership of a team (Figure 3) with the proviso that someone must join a team first before they can join a private channel within the team. To maintain privacy, team owners must become a member of a private channel to be able to access content belonging to the channel.

Figure 3: Managing the membership of a private channel

If someone leaves a team, they lose access to the private channels they had membership of. Teams also removes people from private channel membership if their Azure AD account is disabled.

Private channels are useful in scenarios when some confidential discussions need to happen away from the view of all team members. For example, you might need to discuss the financial structure of a project without exposing all the details to every team member. A private channel does this by providing a space for conversations and a dedicated SharePoint Online site for sharing documents.

Apart from having its own membership (or “roster”), the dedicated SharePoint site is the most distinctive feature of a private channel. Microsoft went with this approach to ensure that they could guarantee the privacy of documents shared within the private channel. The sites used for private channels are created in the same geographic region as the parent team and inherit settings from the parent site (the classification setting is synchronized automatically by Teams). Teams also synchronizes settings and site membership from the host team to the private channel sites to make sure that important controls like sensitivity labels can’t be removed.

Not all Teams apps work with private channels. In fact, while first-party apps like Microsoft Lists work with private channels, others like Planner don’t. Getting an app to work means that the developer needs to support the unique characteristics of private channels, including taking steps to ensure data privacy. Apps like Lists work because they leverage SharePoint Online and use site settings. Other apps aren’t so lucky.

Shared Channels

Shared channels are part of the Microsoft Teams Connect initiative. The current plan is that shared channels will be available “later” in 2021, depending on how shared channels work out in Microsoft’s Technology Adoption Program (TAP) where real customers work with the technology to make sure it works well in their environments.

Shared channels bring external federation to the table. Instead of using Azure B2B Collaboration (guest accounts) to define who can access a shared channel, an organization will enable federation with other Microsoft 365 tenants to allow teams and individual users to connect to work together. External federation is used for 1:1 calls in Teams today but extending the technology to cover channel conversations and document sharing requires a lot more engineering effort and testing to ensure privacy, compliance, and so on.

Federation might emphasize the importance of the host tenant, meaning the tenant which owns the team and the content belonging to the team. Collaborating with another organization who ends up owning the content is an interesting concept which will have to be parsed out by some, but in effect it’s the same effect as today when a guest account creates some content in a host tenant. Tenant administrators already complain today that they have zero visibility about the actions taken by “their” users when they sign into other organizations to use Teams. Quite how they’ll take it when a complete team joins a shared channel in another organization is unclear. We’ll know in time.

Of course, the downside of federation is that you can collaborate only with people using Teams. Although Teams has many users, it still covers a limited subset of the people you might want to work with.

Choice is Good

Going forward, the three channel options available in Teams will be:

  • Regular: Open to all team members, use for day-to-day communication within a team.
  • Private: Open to a defined subset of team members (including guests), use for private conversations and document sharing.
  • Shared: Open to a defined subset of team members and people/teams shared in other federated organizations, use for collaboration.

Of course, things may change, and this is a topic certainly worth revisiting after shared channels become generally available.

Source Practical365

Microsoft 365 exams: The importance of certifications for tenant administrators

Microsoft 365 certification exams have changed and evolved a great deal over the years, and there is more choice than ever before in terms of learning paths and SME categories. Becoming certified is important for many reasons, and as we delve deeper into this increasingly important subject, you’ll begin to understand why.

In this article, we’ll explore how to get started on your Microsoft 365 certification journey; help you better understand how to choose the best certification path; the steps needed to begin your journey and provide more perspective around the value and importance of M365 exams as it relates to personal growth and career development.

A Brief History of Microsoft 365 Exams

A few years ago, I would have shied away from the challenge of taking exams. I did not consider myself an “academic,” therefore exams were not for me, they were for other, smarter people. However, my mindset changed when I shifted my career focus from being an IT generalist to specializing in Office 365. It was the emergence of cloud technology that sparked a drive and a passion in me I’d never known before.

Prior to that, I’d always liked my career, but never loved it. Now, I had a newfound desire to hone my skills and conquer this lifelong aversion to academic achievement to better understand this new frontier.  At that time, there was only one certification path available for Office 365 which was the now-retired Office 365 MCSA.  This comprised two exams shown in Figure 1:

Figure 1: The 70-346 and 70-347 exams which comprised the now-retired Office 365 MCSA.

To my delight, I had passed!   I booked the second exam a week later and didn’t do so well, but undeterred, I booked another attempt. I used the score breakdown report from the first attempt to study up on the areas where I needed the most improvement, which was incredibly useful.  On my second attempt, I passed and achieved my MCSA:

Figure 2: The MCSA certification badge.

The feeling of pride and sense of achievement was overwhelming, and from there I was hooked! Fortunately, my timing was perfect – I’d achieved the MCSA with a month to spare before it was retired, and Microsoft had recently revamped the Microsoft 365 certifications and introduced new role-based certifications.  My learning obsession was just getting started.

Getting Started with Microsoft 365 Role-Based Certifications

At Ignite 2018, Microsoft announced the new role-based certifications for Microsoft 365.  The certifications are comprised of three tiers:

  • 1-star fundamental level certifications – Ideal for beginners starting their learning journey; strengthens your grasp on the fundamentals within a particular subject matter area of Microsoft 365.
  • 2-star Associate level certifications – Designed to test your competency within a particular subject matter area of Microsoft 365.
  • 3-star Expert level certifications – This certification demonstrates that you are an expert within a particular subject matter area of Microsoft 365.

From a Microsoft 365 perspective, the certification that validates you as an expert is the Microsoft 365 Certified: Enterprise Administrator Expert. There are several paths to achieve expert certification.  You can complete one prerequisite Associate level certification, or complete two exams:

Figure 3: Certification paths to the Microsoft 365 Certified: Enterprise Administrator Expert.

This was a welcomed change from Microsoft, as it meant that exam candidates could achieve expert certification by selecting the role path most relevant to them – i.e., Security, Teams, or Modern Desktop.  The criteria for passing the individual exams remained the same, with a score of 700 or more being required.

Preparing For Microsoft 365 Role-Based Exams

So, what are the best ways to prepare for a Microsoft 365 role-based exam?  That will vary from person to person as we all have different learning styles, and you will obviously have an advantage if you already have hands-on experience working with the technologies in the exam outlines.

For study exercises, Microsoft 365 trial tenants can be provisioned and then discarded quite easily to test out the features you’ll need to learn about. If you are looking for more cues from Microsoft, the learning paths they provide for each certification exam are a great resource, and always my go-to whenever I begin studying for a new certification.

For example, if you’re starting your certification journey with the MS-100: Microsoft 365 Identity & Services exam, start working your way through the free learning path first:

Figure 4: Various learning paths associated with the MS-100: Microsoft 365 Identity & Services exam.

There are also several exam guidebooks available, both print and online versions.  Many of these come with valuable practice questions, and sometimes even a full mock exam to test your knowledge.  And if you REALLY want to test what you have learned, there are also online practice tests you can purchase.  However, you’ll want to make sure you find authorized practice tests through reputable providers and be wary of questionable sources.

I recently recorded a video with Steve Goodman on this exact topic, where we candidly discuss M365 exam prep – the fundamentals, but also the rationality – i.e., is it worth focusing on exams relevant to what you do today, for example Managing Teams or Security Administration? What’s more important – hands on experience or knowing the best Microsoft answer?

Check out the video below to hear our analysis of those questions, and more:

Don’t Be Afraid to Fail

It’s important to realize there’s no shame if you don’t pass a Microsoft exam on your first attempt.  You can prepare in all the best ways possible, but sometimes it boils down to ‘luck of the draw’ and the questions you’re handed.  If you don’t get through that first time, look at your score report which you will receive at the end of the exam.  This shows you how the exam was broken down, and it will guide you clearly to the areas where you need to brush up on your knowledge.

If your first score just fell a little short of the 700-pass threshold, take the exam again as soon as you can.  If your score was closer to the 450 mark, you’ll want to give yourself more time to prepare and study before you try again.  Have faith though, you will get there!

So, Why Take M365 Exams?

To the all-important question then – are Microsoft 365 certifications important?  The answer most certainly is, ‘yes!’ Becoming certified is a fantastic way to validate your existing skills and gain new ones.  It demonstrates to existing and potential employers that you are passionate about what you do, and that you take your career seriously.

These exams are also important because they ensure you’re keeping your skills up to date in an ever-changing and evolving landscape of exam outlines.  Microsoft recently implemented an annual renewal assessment for certifications so you can continue to validate your competencies in Microsoft 365 technologies.  The process of renewing your certifications is free, simple, and extremely fair, and requires you take an assessment of 25 questions based on the current exam outline (which may have many differences since you first took the actual exam).  The assessment is not subject to exam conditions, so you may do it anywhere, at any time, and if you don’t pass the first time, then you can simply try again.

Additionally, these Microsoft 365 certifications matter even more to many employers who are Microsoft partners, especially partners who are in the process of obtaining certain Microsoft competencies. In fact, many of these Microsoft partner organizations reimburse admins for the cost of the exams.

Above all though, the most important reason is to do it for yourself, because you love learning, and you love working with Microsoft 365 technologies and services.  It’s a great feeling when you pass one of these exams, and it does become addictive – especially with so many shiny badges to collect and share.  It also may lead you to unexpected paths and opportunities – you just never know!

Source Practical365

Creating engaging Teams Meeting demos

If you regularly show people Microsoft Teams, such as in demos to colleagues or when training, then there are aspects that are difficult to show if you are on your own. Most of the time, grabbing a colleague to act as your demo partner isn’t too hard if you want to demonstrate calling or video – but showing off meeting functionality can be quite difficult.

If you’ve seen our recent How-To videos, such as how to Live stream Microsoft Teams events to YouTube and social media, then you’ll have seen our approach to solving this using virtual meeting participants. So you can do the same, we’ve created a script to create the same setup automatically, and you can also download the virtual meeting attendees to use however you want. And – if you want to create your own virtual meeting attendees, read on to find out how.

Demonstrating features like Together Mode is difficult

Even if you do have several folks on-hand in different locations, willing to wait until you need them during your demo – only to drop in to smile and wave, it is quite difficult to co-ordinate. If you’ve done this yourself, you’ll know some people might get called away or even have technical difficulties – the last thing you want during a demo.

And, because features like Together Mode, Large Gallery View or simply showing people how to manage a meeting with more than a few participants either requires video – or is simply a lot more engaging when there’s video on-screen, simply launching multiple copies of the web browser isn’t a great option.

So what if you could bring in meeting attendees with video that balance the need for it to look reasonably professional, but also make it fun and engaging? A good and easy way to do this is to create several stop-motion videos using characters like minifigures and figurines:

Example of using Together Mode with virtual meeting attendees

What do you need to set up virtual meeting attendees?

To do this, we’ll need to create several Windows 10 virtual machines running:

  • Microsoft Teams – to join meetings. You could use a web-browser on each VM, but this won’t allow you to demonstrate features like background effects in-person.
  • OBS Studio – we need software that presents a virtual webcam into the meeting. OBS allows us to play looped video files into its built-in virtual webcam software that can then be shown in Microsoft Teams.
  • Video Files – and of course, you need virtual meeting attendees.
  • Optionally, RDCMan. The new RDCMan (Remote Desktop Connection Manager) from Microsoft’s Sysinternals suite allows you to configure a group of virtual machines, connect to them with a single click and switch between them easily. You’ll find this useful when you need to join the virtual attendees to your meeting and need to quickly connect to and switch between the VMs.

Each virtual machine needs to login to Microsoft Teams as a different demo user (for obvious reasons) and to make the demos look great, you should choose a different video for each virtual user.

If you aren’t extremely technical or don’t want to spend time setting up Windows 10, then use Azure to host virtual machines. As you’ll only need to start up the virtual machines for the period of your demo, it should not exhaust your Azure credits (if you use an MSDN subscription, or a trial) or be costly. An Azure Standard A2 v2 virtual machine running Microsoft’s template for Windows 10 21H1 for each VM works well.

To make it easy for you to set up OBS Studio and the video files for each virtual meeting attendee, all resources and a script to setup each virtual machine ready to use is available on GitHub:

https://github.com/spgoodman/TeamsVirtualUsers

In the repo, you’ll find the video files you’ll have seen in the Practical 365 how-to videos, and several others:

Using the script to set up each virtual meeting attendee VM

In the GitHub repository above, you’ll find the Install-TeamsVirtualUsers.ps1 script. After creating a new Windows 10 VM, either in Azure, locally on your machine or elsewhere, sign-in with the demo user you’ll login with when joining your demo meeting, with administrator rights.

Download the script and run it from an elevated PowerShell prompt. It will install Chocolatey (a package manager for Windows) to automate the installation of Microsoft Teams and OBS, and download the OBS profile and sample video files:

Using the Install-TeamsVirtualUsers.ps1 script to setup Teams, OBS and the configuration files on a VM

The installation process will take approximately 15 minutes, and if OBS is already installed, will prompt before overwriting the profile files with the pre-configured OBS profile.

At the end of the setup process, you’ll be prompted to choose the video file (from the samples) you would like to display by default, and you’ll also be prompted to optionally set the VM to automatically sign-in to the console on boot:

Selecting the virtual meeting attendee and optional auto-login

Automatic login isn’t necessary, but can be useful in saving time, because OBS is set by the script to auto-launch to the system tray with the virtual webcam enabled on startup, and after first login to Microsoft Teams it will (by default) automatically start.

After the script completes, logout and log back into the virtual machine to allow OBS to automatically start with the virtual webcam enabled (or launch it and start the virtual webcam manually), then launch Microsoft Teams.

To ensure you have the right settings for joining subsequent meetings, schedule a test meeting with your virtual meeting users, and then join each one to the test meeting, with video enabled and audio set to off:

Joining a meeting as a virtual attendee with video on and audio off

Repeat the process for the number of virtual meeting attendees you need, then when preparing for a demo, join them to the meeting like a normal user. You’ll then be able to demonstrate features like Together Mode.

Creating your own videos

If you want to create your own virtual meeting attendee videos the process is straightforward, though can be time consuming. For best effect, you need to create a video of between 5 and 15 seconds that shows your character on a call that starts and ends in approximately the same position.

The easiest way to do this is using a mobile phone camera and a free application, such as Stop Motion Studio on Android. Stop motion is a simple animation technique where a series of photos are taken and in each photo, the object moves slightly. It works well as a virtual attendee, as stop-motion doesn’t need a video frame rate and therefore doesn’t need a lot of CPU power to drive.

Creating stop motion videos for virtual meeting attendees.

Characters like minifigures and other posable characters are ideal for this, with minifigures being easiest because they can be positioned in-place and do not move.

You can use a light source for consistent lighting, or choose to move the light slightly – for example in the sample videos the lighting changes to simulate ambient light changes in the coffee house “set”. In the comic book character examples, a paper background was used. Of course – the background isn’t crucial, as you can use features like background effects in the meeting itself.

After creating and exporting a stop motion video, you can then load it into OBS on your virtual meeting user VMs. To do this, open up the OBS application, and create a new Scene, then add a single Media Source:

Configuring the media source for your own virtual meeting attendee video

After creating the scene and source, edit the properties for the media source so that the video is set to Loop and if you have multiple scenes, ensure you set Close file when inactive to avoid using CPU resources unnecessarily.

Finally, if you create your own – let us know either in the comments below or on Twitter. We’d love to see what you create.

Source Practical365

Skype for Business Online is retiring – What does it mean?

Soon July 31st, 2021, will be upon us, as the official Skype for Business Online (SfBO) retirement day looms closer. So, what does that really mean? It means just that, SfBO will not be available in Microsoft 365 anymore. Teams Only mode will be the only option for users homed in Microsoft 365.

Assisted Transitions from Microsoft

Microsoft will offer assisted transitions for your tenant during specified periods. To find the date specified for you, navigate over to the Teams admin center. During that time, Microsoft will help flip your tenant to Teams Only mode for all users homed in Microsoft 365.

After that period, all other modes like Islands, Meeting First, or Meeting and collaboration will not be available options for your users, as these modes were just steps along the way to Teams Only mode.

Figure 1: Microsoft Teams Upgrade Message.

Do-it-Yourself

If necessary, you do not have to wait for Microsoft to help you with the transition. There are ways to flip your tenant over to Teams Only mode yourself, and those steps are outlined below:

  1. Validate DNS records for all enabled SIP domains.
  2. Make sure SharedSipAddressSpace is set to $False.
  3. Set the global TeamsUpgradePolicy to Teams Only mode.
  4. Make sure users with other TeamsUpgradeEffectiveModes are also updated.
  5. Plan to uninstall the Skype for Business (SfB) client.
  6. If you are in Exchange hybrid mode, consider completing the migration to Exchange Online before going to Teams Only mode.

Before you can set the TeamsUpgradePolicy to Teams Only mode, you need to comb through all active SIP domains and make sure the DNS exists and points to SfBO. If you’ve verified domains in your tenant, but are not using them for SfBO and Teams, you can disable them for this functionality by running the Disable-CsOnlineSipDomain cmdlet. This is a straightforward way to determine if you have any verified domains in your tenant that are SIP-enabled, but not in use. Just make sure you have the latest Teams PowerShell module to perform the below PowerShell operations first, since the SfBO PowerShell module is decommissioned.

For the remaining domains that are SIP enabled, you need to make sure the following DNS records exist:

  • _sip._tls SRV record handles sign in for the SfB client
  • _sipfederationtls handles federation in Microsoft Teams
  • CNAME lyncdiscover.contoso.com handles sign in for the SfB client and specifically the SfB mobile client
  • CNAME sip.contoso.com handles sign in for the SfB client

When these records are implemented, and all are pointing to Microsoft 365, there is one more setting you can triple check which is the SIP shared namespace setting for your tenant. If this setting is set to True, it means that at some point you had a Hybrid SfB setup and never turned it off. Here’s how you check it and set it to False using the Teams PowerShell module:

You are now ready to flip the tenant with the below cmdlet:

If your users explicitly have assigned modes different from the tenant standard, then you need to set these users to Teams Only mode. The Grant-CsTeamsUpgradePolicy article has some good examples of how you can identify all users and their TeamsUpgradeEffectiveMode. From there you can create a list of users where you can use the New-CsBatchPolicyAssignmentOperation to bulk assign the Teams Only mode policy.
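
The do-it-yourself steps above, as an added example using the Teams PowerShell module (not code from the original article): it reports the DNS records for every enabled SIP domain, the SharedSipAddressSpace value and the users whose effective mode is not yet TeamsOnly, and changes nothing unless a switch is passed. The function name Test-SipDnsRecord, the -Apply and -AssignRemainingUsers switches and the online.lync.com suffix test for "pointing to Microsoft 365" are assumptions of this example; the SRV names are queried in their full form (_sip._tls and _sipfederationtls._tcp).

```powershell
# Added example (not from the article): pre-flight check for the move to Teams Only.
# Read-only unless -Apply or -AssignRemainingUsers is passed.
param(
    [switch] $Apply,
    [switch] $AssignRemainingUsers
)

Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# Assumption: a record points to Microsoft 365 when its target is under online.lync.com.
$expectedSuffix = '.online.lync.com'

function Test-SipDnsRecord {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('SRV', 'CNAME')] [string] $Type
    )
    # Keep only real answers; a lookup with no match can still return an SOA record.
    $answer = Resolve-DnsName -Name $Name -Type $Type -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq $Type } |
        Select-Object -First 1
    $target = if ($answer -and $Type -eq 'SRV') { $answer.NameTarget }
              elseif ($answer) { $answer.NameHost }
    [pscustomobject]@{
        Record = $Name
        Type   = $Type
        Target = $target
        Ok     = [bool]($target -and ($target.TrimEnd('.') -like "*$expectedSuffix"))
    }
}

# Step 1: the four records for every SIP-enabled domain.
$sipDomains = Get-CsOnlineSipDomain | Where-Object { $_.Status -eq 'Enabled' }
$dnsReport = foreach ($domain in $sipDomains) {
    Test-SipDnsRecord -Name "_sip._tls.$($domain.Name)" -Type SRV
    Test-SipDnsRecord -Name "_sipfederationtls._tcp.$($domain.Name)" -Type SRV
    Test-SipDnsRecord -Name "lyncdiscover.$($domain.Name)" -Type CNAME
    Test-SipDnsRecord -Name "sip.$($domain.Name)" -Type CNAME
}
$dnsReport | Format-Table -AutoSize

# Step 2: a value of True is a leftover from a hybrid SfB deployment.
$sharedSip = (Get-CsTenantFederationConfiguration).SharedSipAddressSpace
Write-Output "SharedSipAddressSpace: $sharedSip"

# Step 4: users whose effective mode differs from Teams Only.
$notTeamsOnly = @(Get-CsOnlineUser |
    Where-Object { $_.TeamsUpgradeEffectiveMode -ne 'TeamsOnly' })
$notTeamsOnly | Select-Object UserPrincipalName, TeamsUpgradeEffectiveMode |
    Format-Table -AutoSize

$dnsOk = @($dnsReport | Where-Object { -not $_.Ok }).Count -eq 0

if ($Apply) {
    if (-not $dnsOk) {
        throw 'Fix the failing records, or run Disable-CsOnlineSipDomain for unused domains, first.'
    }
    if ($sharedSip) {
        Set-CsTenantFederationConfiguration -SharedSipAddressSpace $false
    }
    # Step 3: UpgradeToTeams is the policy instance for Teams Only mode.
    Grant-CsTeamsUpgradePolicy -PolicyName UpgradeToTeams -Global
}

if ($AssignRemainingUsers -and $notTeamsOnly.Count -gt 0) {
    # Run this on a later pass, once the global policy has taken effect, so the list
    # only contains users with an explicit assignment. Large lists may need splitting.
    New-CsBatchPolicyAssignmentOperation -PolicyType TeamsUpgradePolicy `
        -PolicyName UpgradeToTeams `
        -Identity $notTeamsOnly.UserPrincipalName `
        -OperationName 'Remaining users to Teams Only'
}
```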

Do you need the Skype client after you have moved to Teams Only mode?

It depends. After you’ve moved all users to Teams, the client changes to a meeting mode client where you will find your SfB meetings and Teams meetings. Chat and calling are moved to and handled by Teams. A reason for many organizations to hold on to the SfB client in the past has been:

  • Federation, chat, audio call, and video call with non-guest users
  • Group chat with internal and federated participants
  • Escalate a federated audio call to a screen sharing call

All the above works fine in Teams now, with the latest addition being group chats where you can combine internal and federated users. The requirement is that both sides are in Teams Only mode. If you are collaborating with someone still on SfBS, then you must invite them to a meeting where you join via the SfB web client, or they can join a Teams meeting you invite them to.

Figure 2: Teams Only mode in the SfB Client.

Unless you are participating in a lot of externally invited SfB Server calls, my recommendation is to uninstall the SfB client. Reason being, we’ve seen that the SfB client can sign in and interfere with the Teams audio device and sometimes reinitialize the device driver and hang up your Teams call. It turns out that it’s not so easy to just uninstall the SfB client, since it is part of the Office installation. This means that Office needs to be re-deployed in your organization without the Skype client as part of the deployment package. Until you can initiate the redeployment, consider setting the SfB client to not start at logon.

Where your Exchange mailbox is, matters for success

To achieve the best results when moving over to Teams, ensure you open your Exchange mailbox in Exchange Online. In that instance, the Meeting Migration Service will initiate and convert all SfB meetings to Teams meetings. However, you should be aware that re-invitations will generate for external participants, but internally these updated invitations are suppressed.

If your mailbox is still in Exchange Server on-premises, then you’ll require a hybrid setup so you can assign an Exchange license to the user. By doing it this way the Teams client can still access the calendar and schedule meetings, but they will not automatically be updated from Skype to Teams meetings.

You’ll need to plan the move accordingly and communicate to users that they will need to send updated meeting invitations manually. The good news with moving to Teams, though, is that Teams clients do not connect directly to your on-premises mailbox. They connect via Microsoft 365, which means you can harden your on-premises environment and limit the number of IP ranges able to connect to the servers, and no calendar data is cached in Microsoft 365 when using Teams.

Skype for Business Server (SfBS) Hybrid will still work with all modes

As explained earlier in this article, DNS needs to point online to move your tenant to Teams Only mode. If DNS is pointing on-premises in a hybrid SfBS setup, you can still have users in Island Mode, Meeting First, or Meeting First with Collaboration, which I’ve verified with Microsoft. This emphasizes that only SfBO is being retired and not the Skype ecosystem itself. The moment you migrate a user online, then Teams Only mode will be the only option for that user. If you do not migrate the user, then you can choose modes.

Speaking of migration, if you haven’t done so already, you’ll need to install the Teams PowerShell Module on your SfBS Front End servers. Microsoft retired the SfBO PowerShell module and connection point in April 2021, which means if you had a migration routine going or you at some point tested a migration before that date, it will now fail.

The SfBO PowerShell cmdlets are now part of the Teams PowerShell module, and that is why you need to install the module and use it when migrating. A caveat of this scenario is that the SfB Control Panel will also fail to connect to SfBO since it used the SfBO PowerShell module in the backend. This means that you can only migrate users using the Teams PowerShell module now.

Closing note

It’s important to understand that with SfBO being retired, if your users are homed in Microsoft 365 and you’ve already migrated all your users, Teams will be their only option after July 31st, 2021.

At the time of writing, it’s required to assign both the SfBO and Teams license to all users, however, that may change over time. And finally, make sure you go through all verified SIP-enabled domains and add the SfB DNS records to ensure a smooth transition. I hope this article provided some clarity around what the SfB retirement means for you and your users.

Source Practical 365

Teams Meetings Get Webinar Capability

Announced for Teams desktop (Windows and Mac) and browser clients in message center notification MC237807 on February 4, deemed to be rolling out in roadmap item 66586, and hyped at Ignite 2021 in sessions like Easy, intuitive webinars with Microsoft Teams, the long-flagged webinar functionality for Teams meetings is coming in April with worldwide deployment due to complete in early May.

Along with other new features like meeting overflow (view-only attendees), being able to run webinars through regular meetings allows Teams to compete externally with products like GoToWebinar and Zoom Webinar or even internally with Teams Live Events.

One thing we still don’t know is if the webinar functionality is tied to the Teams Pro license. Microsoft is staying very quiet on what that license will cover.

Preparing for Webinars

Teams meetings are either personal (organized by someone and limited to those invited) or channel (owned by the team and available to all team members). Webinar meetings can only be personal single events and they can only be created using the Teams calendar app rather than Outlook. If you want to run a multi-day event, you need to create multiple webinars as recurring meetings are not supported. Breakout rooms are also not supported. These gaps might well be closed in the future.

Settings in the Teams meeting policy assigned to user accounts control who can schedule webinar meetings and if webinars are internal-only or accessible by both internal and external attendees. For now, the settings are configurable by PowerShell and are:

  • AllowMeetingRegistration: Controls if a user can create a webinar meeting. The default is True.
  • WhoCanRegister: Controls the attendees who can attend a webinar meeting. The default is EveryoneInCompany, meaning that internal accounts and guest accounts can attend. If you want to organize public webinars, set the value to Everyone.
  • AllowEngagementReport: Controls if the user can download the meeting’s attendance report and the registration report. Make sure this value is Enabled as a big part of running a webinar is knowing about audience acquisition and participation.
  • StreamingModeEnabled: Controls if Teams uses overflow capability once a meeting reaches its capacity (1,000 users with full functionality). Set this to Enabled to allow up to 20,000 extra view-only attendees to join.

Here’s how to update a meeting policy with the required values:

Like any change to Teams policy settings, it can take several hours before the new settings are effective.

One setting that’s missing is control over attendee privacy. Participants in Teams meetings can see details of other attendees. This is fine for internal meetings but maybe not for external events. It would be good to be able to control if attendee details are visible to non-presenters.

Creating Your First Webinar

Before creating a webinar meeting, the organizer should know:

  • The webinar topic and date for the event.
  • Decide whether the event is internal or external. Once created, you can’t change the scope.
  • How attendees will register for the webinar. When you create the webinar, Teams creates a registration form or page into which you put content describing the event and data you would like participants to provide, including custom questions. Teams generates a URL for the registration page to include in email or on a web site to have potential attendees register for the event. You can also invite people to attend the webinar just like regular meetings.
  • The presenters. These people need to be invited to the meeting.

As an example, I took the details of a webinar to discuss moving on-premises Exchange servers to the cloud and replicated them in Teams. First, I created the meeting in the Teams calendar app (Figure 1), making sure that the meeting requires registration (to mark it as a webinar). Note that I’ve elected to have “everyone” register for the event, which means that it’s a public webinar.

Figure 1: Creating a webinar as a Teams meeting

Clicking the link to customize the registration form allows the organizer to enter details of the event, speakers, and some custom questions (Figure 2). You can add as many custom questions as you like but remember that each question adds some friction to the enrolment process, so it’s best to keep the questions to a minimum. We’ve set the questions to require answers, meaning that people can’t register until they enter a valid response. Teams includes a bunch of precanned fields which can also be included, like the person’s organization.

Figure 2: Setting up the webinar details

Broadcasting News of the Event

The link to the registration form (use Copy link to retrieve the link) looks something like this:

This link should be included in email or a web page to let people know about the webinar and to allow them to register. Remember that Exchange Online limits the number of outbound messages a mailbox can send in a day to 10,000 recipients and 30 messages per minute. For this reason, organizers of webinars who want to notify large populations of potential attendees should use a commercial email service to broadcast news of the webinar. Figure 3 shows a message ready to go with the registration link embedded in the text.

Figure 3: Creating an invitation email for the webinar

Registering for the Webinar

Recipients who click the Register Today link are brought to the Teams registration page (Figure 4) where they can sign up for the webinar and answer the questions posed by the organizer. The result of a successful registration is an entry into the meeting’s registration report and an email Teams sends to the attendee to confirm registration and give the event details, including an .ics file to add the event to their calendar.

Figure 4: Signing up for the webinar

The organizer can check on potential attendance for the webinar at any time by downloading the registration report. However, if they find someone objectionable (like a person from a competitor) in the registration report, there’s no way to block that person from attending the webinar apart from refusing them access when they turn up in the meeting lobby.

Like the attendance report for normal Teams meetings, the downloaded copy of the registration report is a CSV file (Figure 5).

Figure 5: Registration report for a Teams webinar

The norm is that only 30-40% of registered attendees show up for a public webinar with higher attendances expected for internal events. Your mileage might vary. Like the attendance report available for normal meetings, Teams generates the registration data from information held in its online data store.

Run the Meeting

A webinar meeting runs in much the same way as a normal meeting with the usual Teams facilities like meeting recording, polls, meeting notes, reactions, and live captions available. Presenters can share information like presentations and other applications. Teams meeting options govern whether chat is disabled and who can bypass the meeting lobby (for public meetings, make sure that you don’t allow external people to join until the webinar is ready to begin). In late April, organizers will also be able to update meeting options to block attendees from turning their video feed on (including for individual attendees).

In other words, if you can run a regular Teams meeting, with a little extra preparation, you can run a webinar.

Following the Event

Once a webinar completes, the organizer will probably want to review the recording and decide if it can be shared publicly along with any other content to attendees and people who couldn’t attend the event. Because Teams meeting recordings are now stored as MP4 files in OneDrive for Business, it’s easy to share the recording from OneDrive or move it somewhere more appropriate.

The organizer will probably also want to review the data in the registration and attendance reports to understand how popular the event was and how engaged attendees were during the webinar. For example, did a significant number of people drop out early? The registration report is also a good source for names and email addresses for follow-up calls by sales representatives or others. The attendance report is less reliable because people don’t have to confirm their email address to join a webinar, which means that the data for external attendees lacks verified contact information.

Compliance Glitch

Teams doesn’t store the registration and attendance reports in a location where Microsoft Search can index their content to make it available for eDiscovery. Given that some personal information is gathered for these reports (including custom fields for the registration report), this could be an issue for some organizations.

Easy Webinars Delivered

There’s no doubt that Teams has delivered an easy way to run webinars by leveraging its meeting capabilities with some extra functionality. This is going to be a popular feature. The sole question is how will it be licensed?

Source Practical 365

Microsoft Teams Gets Bounty Program with Rewards up to $30,000

Microsoft has several bug bounty programs that reward security researchers and hackers who find vulnerabilities across services. In the latest example, a Microsoft Teams bounty program is launching. It will follow similar principles to the company’s other programs.

The timing of this launch is important because it comes at a time when Microsoft Teams is a fundamental tool for millions of people. Amid the ongoing COVID-19 pandemic, people continue to work remotely, making services like Microsoft Teams essential.

Maintaining security is important for organizations that are working remotely. While Microsoft uses the latest cybersecurity technology to keep Teams secure, the chance of attack remains. A bounty program will task researchers with finding any vulnerabilities Microsoft has missed.

It’s a similar idea to what we have seen the company employ across bounty programs for Azure and Windows services. Specifically, Microsoft will pay researchers if they are able to find security issues within Microsoft Teams.

Rewards

Hackers can be paid between $6,000 and $30,000, with the latter reward reserved for high-impact vulnerabilities. These are issues that require immediate attention by Microsoft. Below are the rewards Microsoft is offering:

  • “Scenario-Based Bounty Awards: This new program includes 5 scenario-based awards for vulnerabilities that have the highest potential impact on customer privacy and security. Rewards for these scenarios range from $6,000 to $30,000 USD.
  • General Bounty Awards: In addition, we offer bounty awards for other valid vulnerability reports for the Teams desktop client that do not qualify for the scenario-based awards. Rewards for these reports range from $500 to $15,000 USD.
  • Teams Online: Submissions for Teams online services will continue to be awarded under the Online Services Bounty Program.
  • Researcher Recognition Program Points: Valid reports for Microsoft Teams research are now eligible for a 2x bonus multiplier under the Researcher Recognition Program. Points earned contribute toward your eligibility for the annual MSRC Most Valuable Security Researcher list.”

Researchers must take a test on Teams through a subscription they hold. When a bug is found, hackers must be able to demonstrate the bug on the latest version of the Microsoft Teams desktop client.

Source Winbuzzer

Microsoft Delivers Live Transcription with Speaker Attribution for Teams (Finally)

Literally months after announcing Live Transcription for Teams meetings in message center notification MC220987 (August 26 2020, updated Nov 10), Microsoft published a blog post on March 23 to say that the functionality is now generally available. Making the transcript available completes the work to create a meeting recap to highlight important information shared in calls and adds to an array of recent improvements introduced to make Teams meetings run smoother.

Transcription is available for those with Office 365 E3 and E5, Microsoft E3 and E5, and Microsoft 365 Business Standard and Business Premium plans. Currently, transcription works for personal meetings. It’s not available for channel meetings, Meet Now meetings, or 1:1 calls. Meeting transcription is only available in the Teams desktop client.

Meeting transcription (automatic captions) is a feature of Stream. When Teams transitioned storage of meeting recordings to OneDrive for Business, the ability to generate transcriptions was lost. That gap is now closed, which is a relief because all new Teams meeting records are now stored in OneDrive unless an organization explicitly chooses to stay with Stream.

Change in Plan

One notable change since Microsoft first published MC220987 is that recording is no longer combined with transcription. Two separate options appear in the Teams meeting menu (Figure 1). You can start a recording without generating a transcript or start transcription without recording a meeting. Separate notices are used to advise meeting participants when recording and transcription are active.

Figure 1: Separate options for recording and transcribing Teams meetings

Policy Control for Transcription

Before a meeting organizer or presenter can transcribe a meeting, the Teams meeting policy assigned to their account must have the AllowTranscription setting enabled (its companion setting is AllowCloudRecording to control the ability to record a meeting). The AllowTranscription setting can only be changed with PowerShell. To check the settings of the Global (default) policy, run the Get-CsTeamsMeetingPolicy cmdlet (included in the Teams PowerShell module):

To update the policy, run the Set-CsTeamsMeetingPolicy cmdlet:

Capturing Speech During Meetings

Transcription is an AI-generated record of what is spoken during a meeting. Processing occurs in almost real time to display text during meetings (Figure 2) and to make a full transcript available soon after a meeting is over.

Figure 2: Transcribed text displayed during a Teams meeting

In their blog post, Microsoft says that “Delivering live transcription with high accuracy, minimal latency, and cost efficiency at enterprise scale has been one of the toughest challenges in the industry. Over the last two years we’ve made significant strides in solving this problem and have dramatically improved our models for accuracy using meeting context in real time and cutting edge AI.”

Microsoft also notes that an AI model is created for each meeting to take account of the meeting topic, participants, and attachments to improve the accuracy of text recognition, especially with jargon. Microsoft says that the models used for meeting transcription are removed after a meeting is over and not used to improve their AI.

There’s no doubt that capturing and transcribing conversations during a meeting is a mind-bendingly difficult computation task. The computational challenges will become even harder as Microsoft expands coverage to additional languages from its current limitation of U.S. English.

I’m not sure how Teams detects US English as it doesn’t seem to have any difficulty interpreting my Irish accent. Perhaps it’s fairer to say that transcription works when people speak a transatlantic U.S.-style English and won’t if someone starts to speak French, German, Italian, or another language.

A glance at the transcript shown in Figure 2 illustrates how difficult it can be to capture an accurate transcript. If the meeting is full of different voices, if participants don’t have good microphones and the audio feed is indistinct in any way, you’ll see oddities in the transcript (like “The seat back on the Moon” – I have no idea what was said there). Noise suppression in the Teams desktop client seems to help as I have noted better results when people use the desktop rather than the browser or mobile clients.

Using Meeting Transcripts

When a meeting finishes, the meeting transcript is available almost immediately. Open the meeting in the Teams calendar app and the transcript is available in the meeting recap or via the Recordings & Transcripts tab. Figure 3 shows an example of a transcribed meeting which happened in three parts, one for each segment. In this case, the meeting organizer is reviewing the transcript, so the delete option is available. Other participants can view and download transcripts, but they can’t delete a transcript.

Figure 3: Viewing a transcript of a Teams meeting

Transcripts are downloadable in Video Text Track (VTT) or Microsoft Word (docx) format. VTT files are text-format files where individual contributions are noted with a detailed timestamp. For example:

The Word format is more readable because it is less structured and more valuable because the transcript is easier to edit. In both cases, the content is exactly what is displayed during the meeting. The availability of the downloaded files makes it possible to edit obvious errors and add missing content before releasing a formal record of a meeting.

Guest users don’t have access to the Teams calendar app, so they can’t access the transcript once a meeting is over.

Privacy

The default for transcription is to use speaker attribution. In other words, as people speak, their contributions are identified in the transcript using their name. Users can hide their identity for transcripts and live captions in the Captions and transcripts section of client settings (Figure 4).

Figure 4: Setting the privacy option for speaker attribution in Teams transcripts and live captions

When a user chooses not to identify themselves in transcripts, Teams inserts the generic “Speaker” attribution with a number, so the transcript contains text for “Speaker 1,” “Speaker 2,” and so on.

Like many other Teams settings, caching means that it can take a while before the option to allow or deny identification in transcripts becomes active.
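Before circulating a downloaded transcript, it helps to see who is named in it. The following added example (not from the original article) parses a VTT transcript and summarizes cues per speaker, flagging the generic “Speaker N” attribution described above. It assumes speakers are marked with standard WebVTT voice tags (`<v Name>`); the sample transcript and the `ConvertFrom-TranscriptVtt` function name are constructed for illustration.

```powershell
# Added example (not from the original article).
# Constructed sample transcript; assumes standard WebVTT <v Name> voice tags.
$SampleVtt = @'
WEBVTT

00:00:03.200 --> 00:00:07.900
<v Alice Example>Let's review the migration plan.</v>

00:00:08.100 --> 00:00:12.400
<v Speaker 1>I have a question
about the timeline.</v>

00:00:12.600 --> 00:00:15.000
<v Alice Example>Go ahead.</v>
'@

function ConvertFrom-TranscriptVtt {
    # Hypothetical helper: turns VTT text into one object per cue.
    param([Parameter(Mandatory)][string]$Text)

    $timing  = '(?<start>\d{2}:\d{2}:\d{2}\.\d{3})\s+-->\s+(?<end>\d{2}:\d{2}:\d{2}\.\d{3})'
    $culture = [cultureinfo]::InvariantCulture

    # Cues are separated by blank lines; the header block has no timing line and is skipped.
    foreach ($block in ($Text -split '(?:\r?\n){2,}')) {
        $lines = @($block -split '\r?\n' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

        $timeIndex = -1
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -match $timing) { $timeIndex = $i; break }
        }
        if ($timeIndex -lt 0 -or ($timeIndex + 1) -ge $lines.Count) { continue }

        $start = [timespan]::Parse($Matches['start'], $culture)
        $end   = [timespan]::Parse($Matches['end'], $culture)

        # Cue text can wrap over several lines; join it before reading the voice tag.
        $payload = $lines[($timeIndex + 1)..($lines.Count - 1)] -join ' '
        $speaker = if ($payload -match '<v\s+(?<name>[^>]+)>') { $Matches['name'].Trim() }
                   else { '(unattributed)' }

        [pscustomobject]@{
            Start     = $start
            End       = $end
            Speaker   = $speaker
            Anonymous = ($speaker -match '^Speaker \d+$')   # generic attribution
            Text      = ($payload -replace '<[^>]+>', '').Trim()
        }
    }
}

# Per-speaker summary: number of cues, speaking time, and whether the name is hidden.
$cues = ConvertFrom-TranscriptVtt -Text $SampleVtt
$cues | Group-Object Speaker | ForEach-Object {
    $seconds = ($_.Group | ForEach-Object { ($_.End - $_.Start).TotalSeconds } |
        Measure-Object -Sum).Sum
    [pscustomobject]@{
        Speaker   = $_.Name
        Cues      = $_.Count
        Seconds   = [math]::Round($seconds, 1)
        Anonymous = $_.Group[0].Anonymous
    }
} | Format-Table -AutoSize
```

To check a real download, replace `$SampleVtt` with `Get-Content -Raw` on the VTT file.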

Transcripts and Compliance

Microsoft’s blog says: “Teams live transcription files are stored in the meeting organizer’s Exchange Online account and only the organizer and tenant admin have permissions to delete it.” It’s certainly true that only the meeting organizer or Teams administrator can remove transcripts; the assertion that Exchange Online stores the transcripts is not.

After running a meeting to generate a transcript, I first used PowerShell to detect recent updates to folders in my Exchange Online mailbox and then the MFCMAPI utility to examine the items in those folders.

Teams stores transcript items in the ApplicationDataRoot/93c8660e-1330-4e40-8fda-fd27f9eafe10/MeetingTranscriptCollection folder in the NonIPMRoot (hidden part) of the mailbox. Each item refers to a transcript. If we examine the properties stored for the transcript, we find some JSON content (Figure 5).

Figure 5: A Teams transcript item stored in an Exchange Online mailbox viewed through MFCMAPI

Pasting the JSON into a PowerShell variable, we can see what it holds:

There’s no transcript text present. Instead, we have the thread link for the meeting to bring us to the Teams data store in Azure. I suspect that the item held in Exchange is simply a pointer to the Teams data store which allows the Teams calendar app to locate the transcript and load it when required to display in meeting details.

If Exchange Online mailboxes stored transcript text, transcripts would be indexed and discoverable. No trace of text in any transcript that I generated could be found using a content search. Microsoft is therefore correct that some information about transcripts is stored in the organizer’s mailbox, but it’s not the full data. Not indexing the full text of transcripts creates a compliance gap for eDiscovery investigators which I hope Microsoft will close in the future.
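The folder check described above can be reproduced with the Exchange Online management module. This is an added example, not the author's script: the mailbox address is a placeholder and `Get-HiddenFolderActivity` is a hypothetical helper name.

```powershell
# Added example (not from the original article).
# Assumption: ExchangeOnlineManagement module is installed and the account can read the mailbox.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

function Get-HiddenFolderActivity {
    # Hypothetical helper: lists folders in the hidden (NonIPMRoot) part of a
    # mailbox that received an item in the last $Hours hours.
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [int]$Hours = 24
    )

    $since = (Get-Date).AddHours(-$Hours)

    Get-EXOMailboxFolderStatistics -Identity $Mailbox -FolderScope NonIpmRoot -IncludeOldestAndNewestItems |
        Where-Object { $_.NewestItemReceivedDate -and $_.NewestItemReceivedDate -gt $since } |
        Sort-Object NewestItemReceivedDate -Descending |
        Select-Object FolderPath, ItemsInFolder, NewestItemReceivedDate,
            @{ Name       = 'IsTranscriptFolder'
               Expression = { $_.FolderPath -like '*/MeetingTranscriptCollection' } }
}

# Placeholder mailbox: run shortly after the organizer's meeting has been transcribed.
Get-HiddenFolderActivity -Mailbox 'organizer@contoso.example' -Hours 24 |
    Format-Table -AutoSize
```

A row with `IsTranscriptFolder` set to True shows that the pointer item exists; it says nothing about where the transcript text is held.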

Good New Feature

Overall, there’s lots to like about meeting transcription. Some people get better results than others, but experience will guide people to using better setups when transcription is important. Automated transcripts might be imperfect and include some interesting but incorrect interpretations of what people say during meetings. However, having Teams generate a transcript is a lot cheaper than having a professional transcriber listen to a meeting recording, and the output is a good start for a final record. Errors are easily fixed by editing the transcript and making that version available to attendees (and if the edited version is a Word document circulated by email or stored in OneDrive for Business or SharePoint Online, it will be discoverable).

Source Practical365

Microsoft Teams Gets Meeting Recap Tool on Desktop

Microsoft Teams is adding another useful feature in its ongoing bid to compete with Zoom in the video conferencing space. Known as Meeting Recap, the feature was first announced by Microsoft back at its virtual Ignite 2020 conference.

With this ability, Microsoft Teams users can access a summary of their meeting. This automatically generated overview covers the whole meeting. Hosts and other enabled participants can access transcripts, chats, notes, and recordings from the chat tab or details tab.

Microsoft also sends the Meeting Recap to the Outlook entry for the meeting event:

“Teams now provides a recap of Teams meetings so participants—and those who couldn’t make it—can review a completed meeting. A recap including the meeting recording, transcript, chat, shared files, and more are automatically shared in the meeting chat tab and viewable in the details tab of the meeting invite. Organizers will also find the attendance report here.”

After months, the tool is now landing on Microsoft Teams, although it’s worth noting Meeting Recap is only available on the desktop and web variants of Teams. That means Windows 10, browsers, and macOS. Users on Android and iOS will need to wait for the tool to be made available.

While this tool adds interesting functionality to Teams, there are some caveats. Firstly, Microsoft says the feature does not work on channel meetings. Furthermore, the transcription recap is a nice touch, but it is only available in English so far.

Teams Roadmap

Earlier this year, Microsoft published a Teams roadmap showing several new features coming to the service.

As well as Meeting Recap, desktop users will also be getting more scenes for Together Mode. This is a feature that leverages AI to take the faces of participants in a meeting and place them in a virtual room.

Source Winbuzzer

End to End Encryption (E2EE) in Microsoft Teams—What Does It Mean To You?

The technology behind encryption has a surprisingly long lifespan—it looks like the first known examples of encryption date all the way back to about 1900 BC, during the reign of Khnumhotep II of Egypt. Since then, it’s fair to say that the technology, use cases, and societal impact of encryption technology have gone well beyond what might have been predicted even as recently as 50 years ago.

Before we can dig into what Microsoft’s announcement at Ignite means to you as a user and admin about Teams support for end-to-end encryption, we have some background to cover—I’ll try to keep it short and as interesting as possible for such a complex and sensitive topic.

What we talk about when we talk about encryption

Encryption is just scrambling data using a key, in a way that someone with the correct key can unscramble it. Microsoft supports a number of different encryption algorithms throughout different workloads in Microsoft 365; in general, users and administrators don’t get to pick an algorithm or key strength, as we might have with on-prem products. This is important to remember because what Microsoft is trying to do is maximize protection for customers and Microsoft data and resources throughout the worldwide system while still balancing all their other needs for reliability, performance, and so on.

You’ll see three applications of encryption commonly discussed. First is encryption at rest, which does what it sounds like: it encrypts stored data so that no one can read it without the key. BitLocker (used on data volumes in many of the Microsoft 365 workloads) is a good example of an encryption-at-rest system. The second is transport encryption (also called “encryption in transit”.) Unsurprisingly, this refers to protecting data transported over a network, usually using TLS.

End-to-end but not beyond

The third application—end-to-end encryption (E2EE)—is the most interesting and the most complicated. You’re probably already familiar with E2EE; examples include S/MIME for email, IPv6 for network connectivity, or Apple’s iMessage service. In an E2EE system, an outgoing message is encrypted on the sending device using a key that only the sender and recipient can access. The encrypted data is moved around as an opaque blob of data that the transport mechanism can’t inspect; there may be message routing data, or other metadata, that is either left unencrypted or encrypted using a key that the transport mechanism can use to read it. Only the intended recipient can read the message.

Alice, Bob, Eve, and their entourage

You could argue that the modern era of cryptography started when Rivest, Shamir, and Adleman published the eponymous RSA public-key algorithm. Whether or not you agree with that argument, there can be no doubt that R, S, and A had a huge influence on cryptographers because they gave us Alice, Bob, and their friends—Eve the eavesdropper, Trudy the intruder, and so on. E2EE systems are specifically designed to let Alice and Bob communicate “securely,” which in this case means two things:

  • Eve can’t eavesdrop; that is, Eve may be able to copy the messages, but she shouldn’t be able to decrypt them. (Even if she can keep copies, if the service designers did their jobs right, it won’t be feasible for Eve to decrypt them later.)
  • Mallory, the malicious attacker, can’t change the messages in transit.
  • If Trudy gains access to the network at any point between the sender and recipient, she’s blocked in the same way Eve is. (Note that E2EE does nothing to protect Alice or Bob against attacks where Trudy attacks their devices; if Trudy can compromise Alice’s device, it’s game over.)
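The E2EE envelope and the guarantees listed above, as an added Python sketch that is not from the original article or from Microsoft. The names `seal`, `open_sealed` and `relay_view`, the sample key and the routing fields are assumptions, and an HMAC-SHA256 construction stands in for a real AEAD cipher so the sketch runs with the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Stdlib stand-in for an AEAD cipher so the sketch runs anywhere; real E2EE
# uses a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a crypto library.

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as the keystream; XOR both encrypts and decrypts.
    blocks = range((len(data) + 31) // 32)
    stream = b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in blocks)
    return bytes(d ^ s for d, s in zip(data, stream))

def _tag(key: bytes, routing: dict, nonce: bytes, blob: bytes) -> bytes:
    # Routing metadata is authenticated even though it is not encrypted.
    header = json.dumps(routing, sort_keys=True).encode()
    body = len(header).to_bytes(4, "big") + header + nonce + blob
    return _prf(_prf(key, b"mac"), body)

def seal(key: bytes, routing: dict, plaintext: bytes) -> dict:
    """Runs on the sender's device; only holders of `key` can reverse it."""
    nonce = secrets.token_bytes(16)
    blob = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return {"routing": routing, "nonce": nonce, "blob": blob,
            "tag": _tag(key, routing, nonce, blob)}

def open_sealed(key: bytes, env: dict) -> bytes:
    """Runs on the recipient's device; rejects anything altered in transit."""
    expected = _tag(key, env["routing"], env["nonce"], env["blob"])
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("envelope failed authentication")
    return _xor_stream(_prf(key, b"enc"), env["nonce"], env["blob"])

def relay_view(env: dict) -> dict:
    """All the transport can act on: routing data plus an opaque blob."""
    return {"routing": env["routing"], "opaque_bytes": len(env["blob"])}

if __name__ == "__main__":
    shared = secrets.token_bytes(32)  # constructed key known only to Alice and Bob
    env = seal(shared, {"from": "alice", "to": "bob"}, b"project update")
    print(relay_view(env))            # the service routes on this without the key
    print(open_sealed(shared, env))   # Bob recovers the message
    env["blob"] = bytes([env["blob"][0] ^ 1]) + env["blob"][1:]  # altered in transit
    try:
        open_sealed(shared, env)
    except ValueError as err:
        print("rejected:", err)
```

How Alice and Bob come to share the key is outside this sketch; as the last bullet notes, none of this helps once an endpoint holding the key is compromised.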


E2EE and Teams

Phew. By now, you might be wondering when the hell I’ll get around to talking about Teams, the ostensible subject of this article. With those preliminaries out of the way, now we can get to the good stuff.

Let’s start with a useful fact: all communications between Teams users and the service are already encrypted using TLS. E2EE brings nothing new here: when Alice, Bob, Carol, and Dave join a Teams meeting or chat, each connection between a Teams client application and the service is encrypted. And communications within Microsoft’s network between different parts of the Teams and M365 backend are also encrypted. However, Microsoft, or a sufficiently sophisticated attacker, can monitor the conversation or meeting content by decrypting it.

E2EE protects against this scenario by encrypting the content on each device. As previously noted, when E2EE’s available, the service just gets an encrypted blob that it can’t read, so that when Alice calls Bob to talk about the super-secret project they’re working on, neither Microsoft nor Eve can read the traffic. But there’s a twist.

In Live Communications Server and its successors, there’s a noticeable difference between 1:1 calls and multiparty calls—the 1:1 calls are routed directly between the two endpoints and don’t pass through the server. That same approach is used in Teams: when Alice calls Bob with Teams, the audio and video streams between their devices are exclusively peer-to-peer unless Alice, Bob, or the service enables a feature that requires the service to be part of the conversation. For example, when you record a call, the Teams back-end services have to “see” the audio/video data to make the recording. That’s where E2EE has historically been unfeasible: you can’t have call recording, live transcription, breakout rooms, or other useful and desirable features unless the Teams service itself joins the meeting as a participant.

As soon as you move from 1:1 calls to multi-attendee meetings, key management and distribution become a huge problem. Imagine a 40-person meeting organized by Alice where Bob is the first speaker. Alice and Bob have to have each other’s keys, but every other meeting participant has to have a key to decrypt Alice’s stream and a separate key for Bob’s stream and one for Carol, and so on. The alternative is to have each participant share a key with the service only and let the service take care of multiplexing, encrypting, and redistributing the stream, which is exactly what already happens with Teams’ transport encryption.

When Microsoft ships E2EE for Teams, at a date which they have not specified yet beyond sometime in the first half of 2021, it will first be usable only for commercial customers, only with 1:1 audio or video calls, only when the administrator enables the feature at the tenant level, only for the users who have been granted access to the feature via policy, and only when both participants have opted in. This is a sensible way for Microsoft to proceed because many of their key customers have compliance and security requirements that would be obliterated by the indiscriminate use of E2EE for internal calls. For example, you might imagine that government agencies using the government-specific GCC High or DoD tenants might not want their end-users choosing to encrypt their own calls.

Microsoft’s blog post announcing E2EE was fairly bland, too: “As we release E2EE for Teams 1:1 calls, we will continue to learn from customers how the scenarios address their needs. We will then work to bring E2EE capabilities to online meetings later.” When they do, those capabilities will be somewhat limited. For example, consider the common scenario where you have a meeting attendee who needs to dial into your meeting: if you have E2EE for all meeting participants, there won’t be any dial-in access. The same problem exists with breakout rooms, at least as they’re currently implemented. There are also some unanswered questions about device support—Microsoft hasn’t publicly committed yet to delivering E2EE for any of the current crop of Teams room systems, Teams collaboration bars, and so on.

The future of E2EE

It’s no secret that Microsoft has been working very, very hard to compete with Zoom. At least when it comes to E2EE, “beat Zoom” is undoubtedly an attainable bar based on the list of features that Zoom says are disabled when you enable E2EE in their service. This list gives us a pretty good roadmap for what likely will and will not work in the future for Teams, simply because it is fiendishly difficult to provide securely encrypted versions of many of the most interesting features. Nonetheless, even basic E2EE support will help organizations, and end-users, protect their sensitive conversations against eavesdropping, and that’s a worthwhile and welcome improvement.

Source Practical 365
