Category: Skype for Business

February 25th, 2020 by SharePoint Maven

What I like about Microsoft Stream is that it is not just a platform to store videos. Since Microsoft Stream is part of Office 365, it is tightly integrated with its other components, like SharePoint and Office 365 Groups. A while back, I wrote an article introducing you to Microsoft Stream. Today, I would like to highlight what, in my opinion, are the top 10 features of Microsoft Stream.

1. Channels

Channels are a great way to organize videos by topic or objective. So, for example, you can have a channel for Human Resources, Training, Onboarding Channel, or a channel for the CEO to post the company update videos.

There is no security on the channel unless you create it within an Office 365 Group (more on it below).

3. Office 365 Group Workspaces

Did you know that every time you create an Office 365 Group, it creates a workspace within Stream for the videos? A workspace is essentially a secure space for you to load videos to with MS Stream. It honors the membership of the group, meaning only the members of the Office 365 Group have access to the workspace.

  1. To access the workspaces, click on Groups under My Content
  2. Next, you will get to see all the Office 365 Groups you are part of

You can also create a new Workspace to store your videos from the same screen as well. This will create the Office 365 Group as well with all its other apps (Planner, Outlook Calendar, SharePoint Site). This happens to be one of many ways to create an Office 365 group.

4. Embed Videos in SharePoint

In my opinion, this is one of the best features of Microsoft Stream. Being a SharePoint geek, I love the ability to embed MS Stream videos in SharePoint. Yep, there is an app for that! To embed the video:

  1. Edit the Page
  2. Add Stream Web Part from the list
  3. You can choose to embed a single video, the whole channel or all of Stream
  4. Hit Publish to publish your page

This is an excellent functionality as you can host videos in Stream and play them within SharePoint sites/pages.

5. Add Videos in Teams

If you live and breathe in Teams daily, you can also add a video as a tab there.

  1. Once in a channel, click on + sign to add a tab
  2. Choose Stream
  3. Choose whether you are embedding a video or a channel, paste the URL, then click Save. Your video will now be added to the channel as a tab!

6. Teams Calls Saved in Stream

Ever had Teams (formerly Skype) calls with your colleagues? If you recorded them, did you know that they are saved in Stream? They are saved in those workspaces that are part of Office 365 Groups I described above.

User experience during Teams Meeting Recording

Once the meeting has ended…

… it is hosted in MS Stream!

7. Embed Forms in Stream Video

Another cool thing you can do with MS Stream is to embed MS Forms inside of the videos. An example could be an onboarding video where HR might collect some information or do a quiz while the new employee watches the video.

This is where you set up the Form within an MS Stream video

And this is what the user experience is

8. Captions/Transcribing of videos

This is yet another useful feature that allows the transcribing of videos (i.e., recorded Teams meetings I mentioned above) and displays the text over the video. You can also export the text (might be useful for Meeting Minutes).

Here is an excellent article from Microsoft that explains this feature as well.

9. Mobile

Just like the majority of other Office 365 apps, Microsoft Stream has its own mobile app that allows you to access the videos on a mobile device/phone.

10. Live Events

And finally, you can also do live events too (just like on Facebook!)

The post Top 10 features of Microsoft Stream appeared first on SharePoint Maven.

Posted in Skype for Business

February 25th, 2020 by drago

Every Microsoft product is complex in itself: depending on the role and functionality, there are different communication channels and protocols through which its components communicate with each other.

The same is also true for Exchange. Although Exchange has been rolled out again as a multirole system since the 2013 version, we are thinking back briefly to the time with Exchange 2010, where we were able to install the CAS, hub and mailbox role in a dedicated way.

In addition to the internal communication of Microsoft Exchange, there are also other communications on the network layer between Exchange and surrounding systems such as Microsoft Edge, Active Directory, and UM solutions.

Depending on the complexity of an infrastructure it can be very important which ports have to be open between which destinations and also which protocols are used.


Here is a brief overview of the ports and services used that are relevant for Microsoft Exchange:

Port Function
53 DNS
80 http
88 Kerberos
110 POP3
143 IMAP
389 LDAP
587 SMTP
995 POP3S
3268 Microsoft Global Catalog
3343 MS Cluster Net
5060 SIP
5061 SIP (over TLS)
5062 Localisation access
5075 Skype for Business Server Call Park service
5076 Skype for Business Server Audio Test service
50636 EdgeSync synchronization
64327 DAG replication


At this point it is important to note that not all ports have to be used. Depending on the configuration and third-party solutions used, the ports to be used may be different.

To make the whole logic of Microsoft Exchange ports and services a bit clearer, I have created the following diagram:

As we can see on the picture all services are separated. This does not mean that everything has to be built separately. As mentioned earlier in this article, on-premise Exchange infrastructures are no longer built as separate functional roles, they are now multirole.

The graphic should illustrate the communication between them.


Another example here is port 3343 between the two mailbox servers; this port (UDP) is needed for the Microsoft Cluster Net. However, if the environment is not built as shown in the picture, or if it is a single server, we don’t have to pay attention to this in a standard configuration.


As a last point, I would like to add that this describes an on-premises instance. If you are using Exchange Online, this “nice to know” article is of only limited importance for you.

In any case, it helps you to plan and discuss it with the firewall engineer.

I am aware that there are still some points missing in this article, so I will write another article on this topic in the near future, dealing with the Exchange Hybrid and Hub Transport topics as well.




The post Microsoft Exchange services and ports appeared first on MSB365.


February 24th, 2020 by Sri Todi

First published on TECHNET on Sep 27, 2017  (Updated 11-JUN-2019)

Starting in Lync Server 2010, we added functionality to enable our partners to provide insights into call quality by sending a copy of the Voice Quality Report (VQReport) directly from the server. At that time, I knew of a handful of companies that would allow you to configure QoEConfiguration so they could generate some reports and provide insights about your network and configuration. Over time, with Call Quality Methodology, later with Call Quality Dashboard, and then with the integration of CQD Online, some of the same functionality became available for free. With Skype for Business Server 2019, Microsoft introduced "Call Data Connector" to allow data in hybrid environments to be analyzed and insights to be gained.


To send your QoE reports to a third party, all you had to do within Lync was run:

Set-CsQoEConfiguration -EnableExternalConsumer $true -ExternalConsumerName <Friendly Name of the Third Party Consumer> -ExternalConsumerURL "HTTPS URL Provided by the third party"

As soon as replication was complete, and presuming DNS, certificates and firewall were in order, all new QoE reports would also be sent to the third party. If the third party was busy or unavailable, the messages would be queued up and then retried. The queues would be MSMQ in Lync Server 2010, and the LySS database on the SQL instance LyncLocal on each Front End server in Lync Server 2013 and above.


If, say, the organization decided to change course and use either Call Quality Methodology or Call Quality Dashboard, you could use Set-CsQoEConfiguration to set EnableExternalConsumer to $False.

Over time the strategy may have changed while the configuration remained in place. If the third-party provider has since chosen to block connections from your organization, or a new pool has been deployed from which outbound connections to port 443 on the external consumer are not possible, you could see Event ID 56416 occur in your organization.


Time:     5/2/2017 2:49:54 PM

ID:       56416

Level:    Error

Source: LS Data Collection


Message:  Failed to post QoE report to External Consumer.

Error: System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond <IP Address of the Provider >:443

at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)

at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)

--- End of inner exception stack trace ---

at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)

at System.Net.HttpWebRequest.GetRequestStream()

at Microsoft.Rtc.Server.UdcAdapters.QoE.HttpSender.SendReports(LyncMessageDetails msgDetails)

at Microsoft.Rtc.Server.UdcAdapters.QoE.QoEProcessor.ProcessQueueItems(LyssQueueItem queueItem)


Cause: Configurations for the external reports consumer are not set correctly.


Check the External Consumer configurations. If the problem persists, notify your organization's support team with the relevant details.

Depending on the cause, and if the intent is still to send the data to the third party, the fix is a matter of checking why the connection to port 443 is failing and correcting it. Once the connection issue has been resolved, it’s just a matter of waiting for all the VQReports to be delivered to the third party. It may take a couple of hours, depending on the robustness of the third-party system and how long you have been experiencing the failure.


If the intent is no longer to send the data to the third party, you may want to run Invoke-CsStorageServiceFlush to move all the data from the existing queues to the network file share, so that resources like CPU, RAM and SQL storage are not wasted on retrying and failing, and then move the XML files that were generated.

If the issue is only for a period of time, and your contract/connection with the external QoE provider is expected to be reinstated, you could use Set-CsStorageServiceConfiguration to set EnableAutoImportFlushedData to $False, so data isn't imported automatically, and then run Invoke-CsStorageServiceFlush to move all the data from the existing queues to the network file share, so that resources like CPU, RAM and SQL storage are not wasted on retrying.
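
An added check for the situation described above (not part of the original article): it reports whether an external QoE consumer is still configured, whether its URL is HTTPS and reachable on its port, and how many Event ID 56416 errors were logged recently. The function name, the 'Lync Server' event log name, the 7-day window and the sample object are assumptions made for illustration.

```powershell
# Added example. Test-QoEExternalConsumer is a hypothetical helper name.
function Test-QoEExternalConsumer {
    [CmdletBinding()]
    param(
        # Object with the properties Get-CsQoEConfiguration returns.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Configuration,
        [int]$Days = 7,                     # look-back window (assumption)
        [string]$LogName = 'Lync Server'    # event log name (assumption)
    )
    process {
        $enabled = [bool]$Configuration.EnableExternalConsumer
        $uri     = $null
        $parsed  = [System.Uri]::TryCreate([string]$Configuration.ExternalConsumerURL, [System.UriKind]::Absolute, [ref]$uri)
        $isHttps = $parsed -and $uri.Scheme -eq 'https'

        # Only probe the network when reports would actually be sent.
        $reachable = $null
        if ($enabled -and $parsed) {
            $probe = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
            $reachable = [bool]$probe.TcpTestSucceeded
        }

        # Event ID 56416 = "Failed to post QoE report to External Consumer".
        # $null means the log could not be read; 0 means no such events.
        $filter   = @{ LogName = $LogName; Id = 56416; StartTime = (Get-Date).AddDays(-$Days) }
        $failures = $null
        try {
            $failures = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop).Count
        } catch {
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $failures = 0 }
        }

        $finding = if (-not $enabled) {
            'Disabled: no copy of QoE reports is sent out'
        } elseif (-not $isHttps) {
            'Enabled, but the URL is missing or not HTTPS'
        } elseif (-not $reachable -or $failures -gt 0) {
            'Enabled but failing: restore the path, or disable and flush the queue'
        } else {
            'Enabled and delivering: confirm this third party is still intended'
        }

        [pscustomobject]@{
            Identity     = $Configuration.Identity
            Enabled      = $enabled
            ConsumerName = $Configuration.ExternalConsumerName
            ConsumerUrl  = $Configuration.ExternalConsumerURL
            Reachable    = $reachable
            Event56416   = $failures
            Finding      = $finding
        }
    }
}

# Constructed sample shaped like Get-CsQoEConfiguration output (not real data).
$sample = [pscustomobject]@{
    Identity               = 'Global'
    EnableExternalConsumer = $true
    ExternalConsumerName   = 'ExampleVendor'
    ExternalConsumerURL    = 'https://qoe.example.invalid/reports'
}
$sample | Test-QoEExternalConsumer

# On a Front End server, check the live configuration instead:
# Get-CsQoEConfiguration | Test-QoEExternalConsumer
```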


To understand the robustness of LYSS See: Testing IM and Web-Conferencing Archiving set to Critical 



February 24th, 2020 by UC Now Skype/Teams News Feed
What is UCaaS?

Unified Communications as a Service (UCaaS) is a cloud delivery model that offers a variety of communications and collaboration applications and services.  Offering similar capabilities to Unified Communications, UCaaS requires very little in the way of on premise equipment. Appealing to an OpEx heavy finance model, with far less in the way of CapEx, UCaaS brings the power of Unified Communications into a more accessible arena for small and medium businesses.


February 24th, 2020 by johnacook


February 24th, 2020 by Randy Chapman

Hello Readers, I hope you’re well.

This is a very long post so I’ll get right to it. In this post I’ll show you how to install Verint Verba Recording for Microsoft Teams.


It’s no secret that Microsoft has been working on releasing some APIs for Teams which will allow software vendors to create solutions to integrate and enrich Microsoft Teams. Verint Verba is one of several vendors working with Microsoft to develop against and leverage the APIs for recording.

The latest release from Verint Verba (version 9.5) includes the Verint Verba Microsoft Teams Bot. This new Recording Bot accesses & integrates to Microsoft Teams using the Microsoft Graph API and the Microsoft Local Media SDK.

Verint Verba’s recording solution for Microsoft Teams allows customers to record and archive voice, video, screen and application sharing and chat.

It records calls using a Bot which is hosted on a Verba recording server in Azure and loaded into Teams as an application. This bot connects to your Teams tenancy using the calling APIs which are still in public preview. Verba records users’ calls by conferencing in the Teams Recording Bot and streaming the media to the recording server for processing and storage.

Just a quick note to say that although Verba version 9.5.0 supports Teams recording and the APIs are in public preview, this solution should NOT be considered as generally available.

⚠ Teams Recording with Verba is available for lab or PoC deployments only at the moment: Microsoft Teams Recording capabilities are contingent on the general availability of the Microsoft Teams Calling API.

Let’s get started

What you need

  • A Microsoft 365 subscription with Microsoft Teams enabled (should be obvious)
  • Admin rights to your Microsoft 365 subscription – Teams Service admin as a minimum
  • An Azure subscription – this is for the recording “bot” and in my case, the Verint Verba server
  • The right to create a virtual machine in Azure – Virtual Machine Contributor role as a minimum
  • Access to manage public DNS for your domain
  • A public SSL certificate

How to do it

Step 1 – Create a virtual machine

Again, you’ll need to have the Virtual Machine Contributor role as a minimum. This virtual machine will be used to host the Verint Verba Microsoft Teams recording bot as well as the Verint Verba recording role or in my case, recording and web server roles.

The Verint Verba Microsoft Teams Bot is installed as a Windows service and is part of the Verba installer in Combo and Recording Server Roles. The bot service is part of the Verba framework, managed by the Verba Web Application, monitored and maintained by the Verba System Monitor.

Browse to On the home screen, click Virtual Machines and Create

Pick your Azure subscription and create a new resource group

Give your VM a name. Choose your region (nearest to your Teams tenant). Select Windows Server 2019 Datacentre as the image. And change the size to Standard DS3 v2

This is the spec and UK cost per month estimate for this server. And this is before you add additional storage if you want to store recordings locally.

Set up an admin account and password and allow RDP inbound. Then click next

Optional – If you are going to store recordings on this server, you’ll need storage. Create and attach a new or existing disk

Leave the networking as is and let Azure create a new virtual network, subnet and public IP or change it if you have your own way to set it up. Leave everything else as is and click Review + Create

Validation should pass. Now click Create

Watch the progress if you want. It shouldn’t take long to complete

Once your machine is created, click Go to Resource

Click on the Configure link next to DNS name and specify a DNS name to use for your bot. Make a note of the full DNS name because you’ll need it later when you create a CNAME record.

Open some ports

There are three mandatory ports required for communication between the recording bot and the Microsoft Teams platform.

  • 8445 TCP – Media port for Skype Media SDK
  • 9440 TCP – Teams Signaling/Notification #1
  • 10100 TCP – Teams Signaling/Notification #2

There are three optional ports related to Verba service communications which are only required when the main Verba server is deployed on-premises (not in Azure).

  • 4433 TCP – Verba Node Manager Connection
  • 10501 TCP – Verba Recording Director Connection
  • 10502 TCP – Verba Media Recorder Connection

If, as in my case, this is the only Verba server and you install it as a “combo server”, you will need to allow TCP port 443 inbound to be able to access the Verint Verba web interface.

To add the ports, click on networking -> add inbound port rule

Add rules for TCP 8445, 9440, 10100 and 443 (see below)

Once done it should look like this

Step 2 – Configure the server

Now to configure the Server. This includes Adding some Firewall rules in Windows firewall, requesting and installing a public SSL Certificate and binding the SSL Certificate to specific ports.

Add the Firewall rules to the server

The following ports are required for Verint Verba services

  • 80 TCP
  • 443 TCP
  • 4433 TCP
  • 8445 TCP
  • 9440 TCP
  • 10100 TCP
  • 10501 TCP
  • 10502 TCP

Log into your virtual machine using RDP and open an elevated PowerShell or ISE and run the following commands to create the new inbound rules and verify they’ve been created.

# Add the rules
New-NetFirewallRule -displayname 'Verba Web HTTP' -direction inbound -action allow -protocol tcp -LocalPort 80
New-NetFirewallRule -displayname 'Verba Web HTTPS' -direction inbound -action allow -protocol tcp -LocalPort 443
New-NetFirewallRule -displayname 'Verba Node Manager' -direction inbound -action allow -protocol tcp -LocalPort 4433
New-NetFirewallRule -displayname 'Verba Teams Bot Media' -direction inbound -action allow -protocol tcp -LocalPort 8445
New-NetFirewallRule -displayname 'Verba Teams Bot Signaling 1' -direction inbound -action allow -protocol tcp -LocalPort 9440
New-NetFirewallRule -displayname 'Verba Teams Bot Signaling 2' -direction inbound -action allow -protocol tcp -LocalPort 10100
New-NetFirewallRule -displayname 'Verba Teams Bot Recording Director' -direction inbound -action allow -protocol tcp -LocalPort 10501
New-NetFirewallRule -displayname 'Verba Teams Bot Media Recorder' -direction inbound -action allow -protocol tcp -LocalPort 10502
# Verify
Get-NetFirewallRule -Displayname "*verba*" | select displayname,direction,action

I use ISE and I saved it as a PS1. Then just click Run or press F5 to run it

Next, request and import an SSL certificate

The Microsoft Teams bot requires an SSL certificate because the signaling ports are HTTPS web servers and the Teams platform will only send media to a trusted endpoint. The SSL certificate needs to be issued by a public trusted Certificate Authority. If this certificate is only going to be used for this one application you can use If you’ll use it for other things, you can use a wildcard cert *

Once issued, import the certificate to the personal store. When you import the certificate make sure you tick “Mark this key as exportable”.

Finally, bind the SSL Cert to the ports

Now you need to bind the SSL certificate to the ports. The Teams Bot runs 2 HTTPS listeners for receiving signaling from the Teams platform. Both listeners are started by a system service running under PID 4. This service requires the certificate bound to the listener ports.

To do this you need to use netsh. The command you run is made up of a few parameters including:

  • ipport – which is your local IP and signalling port
  • certhash – which is the thumbprint of the SSL certificate you imported in the previous step
  • appid – this is a random GUID

Rather than find those parameters and paste into a command to run, I put together a little script which collects the information to use as the parameters, including reserving a GUID.

Open an elevated PowerShell or ISE and run the following. Be sure to replace YOUR_CERT_SUBJECT with the subject from your cert. e.g. your domain.

# Get the local IP address
$ipv4=(Test-Connection -ComputerName $env:computername -count 1).ipv4address.IPAddressToString
# Concatenate IP and Port
$ipport1=$ipv4 + ":9440"
$ipport2=$ipv4 + ":10100"
# Get the Certificate hash
$Thumb=Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*YOUR_CERT_SUBJECT*"} | Select-Object -ExpandProperty Thumbprint
# Generate a new GUID
$guid=New-Guid | select -ExpandProperty guid
netsh http add sslcert ipport=$ipport1 certhash=$Thumb appid="{$guid}"
netsh http add sslcert ipport=$ipport2 certhash=$Thumb appid="{$guid}"
netsh http show sslcert
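
An added check for the bindings created above (not part of the original post or of Verba's tooling): it parses `netsh http show sslcert` output and reports, for signaling ports 9440 and 10100, whether a binding exists and whether the bound certificate is in LocalMachine\My, has a private key and is not close to expiry. The function names, the 30-day threshold and the sample output are assumptions constructed for illustration, and the parser expects English netsh output.

```powershell
# Added example. Function names, threshold and sample data are illustrative.

# Parse "netsh http show sslcert" text into one object per binding.
function ConvertFrom-NetshSslCert {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?:IP|Hostname):port\s*:\s*(\S+)\s*$') {
            if ($current) { New-Object -TypeName psobject -Property $current }
            $current = [ordered]@{ IpPort = $Matches[1]; Thumbprint = $null; AppId = $null }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)\s*$') {
            $current.Thumbprint = $Matches[1].ToUpperInvariant()
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[^}]+\})\s*$') {
            $current.AppId = $Matches[1]
        }
    }
    if ($current) { New-Object -TypeName psobject -Property $current }
}

# Report the state of the certificate binding for each signaling port.
function Test-BotListenerBinding {
    param(
        [string[]]$NetshOutput,
        [int[]]$Ports = @(9440, 10100),   # signaling ports from the post
        [int]$MinDaysValid = 30           # expiry warning threshold (assumption)
    )
    $bindings = @(ConvertFrom-NetshSslCert -Lines $NetshOutput)
    foreach ($port in $Ports) {
        $suffix  = ':{0}' -f $port
        $binding = $bindings | Where-Object { $_.IpPort.EndsWith($suffix) } | Select-Object -First 1

        # Look the bound thumbprint up in the machine's personal store.
        $cert = $null
        if ($binding) {
            $cert = Get-ChildItem -Path Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
                    Where-Object { $_.Thumbprint -eq $binding.Thumbprint } |
                    Select-Object -First 1
        }
        $daysLeft = $null
        if ($cert) { $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays) }

        $status = if (-not $binding) {
            'No certificate bound to this port'
        } elseif (-not $cert) {
            'Bound thumbprint is not in LocalMachine\My'
        } elseif (-not $cert.HasPrivateKey) {
            'Certificate has no private key'
        } elseif ($daysLeft -lt $MinDaysValid) {
            "Certificate expires in $daysLeft days"
        } else {
            'OK'
        }

        [pscustomobject]@{
            Port       = $port
            IpPort     = if ($binding) { $binding.IpPort } else { $null }
            Thumbprint = if ($binding) { $binding.Thumbprint } else { $null }
            Subject    = if ($cert) { $cert.Subject } else { $null }
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }
}

# Constructed sample output: only port 9440 is bound, so 10100 is reported
# as missing, and the made-up thumbprint will not be found in the store.
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 10.0.0.4:9440
    Certificate Hash             : 00112233445566778899aabbccddeeff00112233
    Application ID               : {11111111-2222-3333-4444-555555555555}
    Certificate Store Name       : (null)
'@ -split '\r?\n'

Test-BotListenerBinding -NetshOutput $sample | Format-Table -AutoSize

# On the recording server, check the live bindings instead:
# Test-BotListenerBinding -NetshOutput (netsh http show sslcert)
```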

Step 3 – Register the bot

The steps include:

  • Create a DNS entry for the bot
  • Register the Bot Channel
  • Consent to Bot permissions
  • Add the Bot as an application to Teams
  • Add Recording policies

Create a public DNS entry

Create a DNS CNAME entry in the domain which the SSL certificate was issued for. E.g.: The CNAME entry needs to point to the DNS name of the previously created VM. e.g.


Registering The Bot

Log in to azure and Search for Bot Channel Registration

Complete the registration form

  • Bot handle: Unique name
  • Select subscription
  • Select resource group

Click Create button and Wait until Azure deploys the channel registration

Go to the Bot Services and select the previously registered Bot Channel. Click on ‘Channels’

In ‘Add a featured channel’ section select Teams

Go to ‘Calling’ tab. Check ‘Enable calling’ option and add a Webhook URL. The webhook URL needs to use the previously created DNS CNAME entry and point to the public signaling port #1.

(The /api/calling endpoint is a bot specific HTTP endpoint where bot is waiting for HTTP request from the Teams platform)

Click ‘Save’ button and Agree to the T&Cs

Click on Settings and make a note of the Microsoft App ID because you need that later. Now click on Manage by Microsoft App ID

Go to Certificates & secrets and click on ‘New client secret’

Give it a name and set the expiry to never and Add

Now take a note of the new client secret (needed later).

Go to Authentication and click on ‘Add a Platform’

Click on Web

Add a “Redirect URI”. For web applications, use the base URL of your application. e.g.

I used the domain for my blog as the Redirect URI ( just so I got redirected to a valid page. The actual URL doesn’t matter. It’s just where you’ll land once you accept the permissions which comes later. Take a note of what you set for the redirect URI (because this is needed later)

Click Configure and Save

Go to API permissions -> Click on ‘Add a permission’ -> Select ‘Microsoft Graph’

Select Application permissions and add the following permissions:


  • Calls.AccessMedia.All
  • Calls.Initiate.All
  • Calls.InitiateGroupCall.All
  • Calls.JoinGroupCall.All
  • Calls.JoinGroupCallAsGuest.All
  • OnlineMeetings.Read.All
  • OnlineMeetings.ReadWrite.All
  • User.Read.All
  • User.ReadWrite.All

After adding all permissions, the list should look like this (see screenshot).

Grant ‘admin consent’ to the permissions

All assigned permissions need admin consent in the Teams tenant. You’ll need to build a specific URL which includes the Redirect URI (the one you used in the above step), the Tenant ID & Client ID a.k.a. App ID. Both IDs can be found under App Registrations.

  • Go to Azure Active Directory -> App Registrations
  • Click on the previously created bot
  • On the Overview page both IDs can be found

Construct the consent URL

Replace the {tenant_id}, the {client_id} and the {redirect_uri} with the proper values.
NOTE: Remove the {} around tenant, client_id and redirect_uri

My link

Paste the URL into a browser. The Microsoft portal will request a login. Login with an administrator. You’ll be prompted to accept the permissions

Then get redirected to your {redirect_uri}?admin_consent=True&tenant={tenant}&state=12345

Mine looked like this

Step 4 – Add the bot to Microsoft Teams

For this step you’ll need to use the App Studio. If you don’t have the app studio installed in Teams, go add it now. Click on the ellipses menu and search for app studio. Then install

Open App Studio

Click on Manifest Editor

Complete the details shown below.

  • Give it a short and long name
  • Generate an App ID
  • Under package name use com.verba
  • Version 9.5.0
  • Give it a short and long description

Scroll down and enter Verba in the name and under website, privacy statement and Terms of use, enter

The branding is mandatory as well. Find the logo on the interweb and use a vector graphics tool such as Snagit to save two .jpg versions of the logo. One at 192×192 and the other at 32×32. Then choose the accent colour. I used the official colour from the logo, #7D2133. Use whatever logo and colour you want.

Now under capabilities, click on ‘Bots’ -> and Set up

Click ‘Existing bot’ -> tick ‘Select from one of my existing’ -> Choose your bot in the drop down list -> tick everything under Calling bot and Scope -> press Save

This is the summary

Click on ‘Test and distribute’ -> then click ‘Install’

Click Add to install and add the bot to Teams

And you’ll see the bot listed under apps

Step 5 – White list the App & Create a Compliance Policy

Connect to Skype Online PowerShell

The next part is done in PowerShell using the SkypeOnline PowerShell module. Open an elevated PowerShell or ISE. Authenticate and connect to a new Skype for Business Online PowerShell session

# Variables
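$Username = ""
# Password.txt must hold the output of ConvertFrom-SecureString (an encrypted string), not the plain-text password
$Password = Get-Content "C:\Password.txt" | ConvertTo-SecureString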
$Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $Password
# Connect to a new session and import it
$SfBOSession = New-CsOnlineSession -Credential $Credentials
Import-PSSession $SfBOSession -AllowClobber -erroraction silentlycontinue -warningaction silentlycontinue 
# Silently Continue after the hour is up

White list the app

Next, run this command to add the bot as an application. e.g. New-CsOnlineApplicationInstance -UserPrincipalname <UPN> -DisplayName <displayname> -ApplicationId <botAppID>

  • The UPN should be a unique name for the bot e.g.:
  • The DisplayName will be displayed in the Teams client (will be hidden later) e.g. Recording Bot
  • Application ID: The saved App Id from the previously created Bot channel registration

New-CsOnlineApplicationInstance -UserPrincipalName <UPN> -DisplayName "Recording Bot" -ApplicationId 7b91a753-8c3b-4537-ba0c-6a9146e58249

The command should return the successful registration. The result contains the Object ID – save it for the next command

Sync-CsOnlineApplicationInstance -ObjectId 7ceb4j9e-68f4-482f-9467-c3bdd787f5b7

Create Compliance recording policy

You can probably tell by now that I like a PowerShell script. Just run this to create the recording policy and the recording application for the policy.

# Create Compliance recording policy
# Variables
$tenantID = (Get-CsTenant).TenantId
$PolicyDesc = "Verba Recording for Teams"
$PolicyName = "VerbaTeamsComplianceRecording"
$ObjectID = Get-CsOnlineApplicationInstance | where-object {$_.DisplayName -like "*recording*"} | Select-Object -ExpandProperty ObjectID
# Create the new Recording Policy
New-CsTeamsComplianceRecordingPolicy -Tenant $tenantID -Enabled $true -Description $PolicyDesc -Identity $PolicyName
# Create and set recording application for the policy
Set-CsTeamsComplianceRecordingPolicy -Tenant $tenantID -Identity $PolicyName -ComplianceRecordingApplications @(New-CsTeamsComplianceRecordingApplication -Tenant $tenantID -Parent $PolicyName -Id $ObjectID)
# Verify
Get-CsTeamsComplianceRecordingPolicy | Where-Object {$_.Identity -like "*$PolicyName*"}

Now, Grant the policy to one or more users

Grant the policy to a single user

# Grant the policy to a single user (takes several minutes to be applied)
Grant-CsTeamsComplianceRecordingPolicy -Identity <UPN> -PolicyName $PolicyName
# The granted policy can be verified by the following command
Get-CsOnlineUser | Where-Object {$_.TeamsComplianceRecordingPolicy -eq $PolicyName} | Select UserPrincipalName

Grant the policy to all the users in a department. Sales in this example

# Enable a department
Get-CsOnlineUser -Filter {Department -eq 'Sales'} | Grant-CsTeamsComplianceRecordingPolicy -PolicyName $PolicyName
# Verify
Get-CsOnlineUser | Where-Object {$_.TeamsComplianceRecordingPolicy -eq $PolicyName} | Select UserPrincipalName

If you want to enable everyone for recording you can do this one of two ways. You can of course do a Get-CsOnlineUser | Grant…

Another way is to add the recording application to the global policy. This means all new users automatically get the policy no matter what.

# Enable everyone
Grant-CsTeamsComplianceRecordingPolicy -PolicyName $PolicyName -Global

Step 6 – Install Verba

Installation instructions for a Verba Single Server solution

Download the media from -> Software Downloads -> Click Here (requires an account).

Direct Link to download (Verba Server installation pack (~1.4 GB – installer ZIP with all prerequisites and the MSI) -> Click Here

Unzip to a folder and Run Setup

Choose Single Server solution with all components (Combo Install)
Choose SQL install (For a lab, SQL Express will do). For production you really need SQL Server. For guidance, see Server sizing and requirements -> Click Here

Then tackle all the prerequisites one at a time. The “Installer Pack” version includes all the prerequisites and the installer will take care of all of them.

Java Runtime (see below)
Next -> Accept Terms -> Next -> Next -> Install -> finish

Press Done, Please Verify

Visual C++
Accept Terms -> Next -> finish -> Press Done, Please Verify

SQL Express
Let it complete -> Press Done, Please Verify

Next -> finish -> Move to next

Windows Desktop Experience
Use the Server Manager
or PowerShell – run Install-WindowsFeature Server-Media-Foundation

Configure Virus Scanning

Verify Time Settings

Use Separate System and Media Disk

Start the installer

Next -> Accept Terms -> Single Server -> Next -> Configure Media Disk -> Next -> Certs (Select Generate Certificate Signed by Verba Media Repo CA -> generate, complete the form) -> Next -> finish

SQL Server Connection
Verba install kit has installed Microsoft SQL Server Express Edition as a prerequisite, the password for the sa user is: Verba456+. Enter SA and the password and press test connection, which should pass

Then click execute to complete the execution script

Then close -> Next

Web application ports
Click test connection to make sure the ports are free (they should be if this is a new, dedicated server) -> click next

Web App cert
Since this is a standalone server in the cloud, we need to use the public cert you created earlier so you can browse securely. If you have a PFX file, you need to export the cert as a crt and a key file. I use the Digicert Utility for this. You can do it how you like. OpenSSL for instance.
Here’s a post from Verba on how to do it

Once you have a CRT file and a key file. Browse to both and click next.

Select the local IP -> next

Select your Timezone -> next

Verba monitor
If you use Exchange Online, you can configure a relay connector to use here
Here’s an excellent post by Adam Bertrand a.k.a. Adam The Automator

From the above post, I’ll use PowerShell to create the relay
Connect to Exchange Online Powershell and run the following. One thing to change is the public IP of the server. Use the static IP you set in Azure earlier.

$splat = @{
    ## Define the name of the connector.
    Name = 'SMTP Relay'
    ## Define the type of connector to create.
    ConnectorType = 'OnPremises'
    ## The set of sender domains allowed to relay.
    SenderDomains = '*'
    ## Change this to your actual public IP address.
    SenderIPAddresses = ''
    ## Restrict the email relay only to your sender domains and sender IP address
    RestrictDomainsToIPAddresses = $true
}

## Create the connector
New-InboundConnector @splat
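Because the connector above accepts every sender domain ('*'), the IP restriction is the only thing that limits who can relay through it. The following added example (not from the original post) checks a connector object for the settings that matter; the sample objects and their values are constructed, and the 'smtp:*;1' display form of SenderDomains is an assumption.

```powershell
# Added example, not from the original post: audit a relay connector's restrictions.
# In a live Exchange Online session:
#   Get-InboundConnector -Identity 'SMTP Relay' | ForEach-Object { Test-RelayConnector $_ }
function Test-RelayConnector {
    param([Parameter(Mandatory)] $Connector)
    $findings = @()
    $ips = @($Connector.SenderIPAddresses | Where-Object { $_ })

    # With neither a sender IP nor a TLS certificate name, nothing identifies the relay source.
    if ($ips.Count -eq 0 -and -not $Connector.TlsSenderCertificateName) {
        $findings += 'No sender IP address or TLS certificate name is set'
    }
    # A CIDR range admits every host in it, not just the one server.
    foreach ($ip in $ips) {
        if ($ip -match '/(\d+)$' -and [int]$Matches[1] -lt 32) {
            $findings += "SenderIPAddresses entry $ip covers more than one host"
        }
    }
    # SenderDomains '*' is only contained when the IP restriction is switched on.
    # The pattern accepts '*' and the 'smtp:*;1' form (assumed display format).
    $wildcard = @($Connector.SenderDomains | Where-Object { $_ -match '(^|:)\*(;|$)' })
    if ($wildcard.Count -gt 0 -and -not $Connector.RestrictDomainsToIPAddresses) {
        $findings += "SenderDomains '*' without RestrictDomainsToIPAddresses"
    }
    return $findings
}

# Constructed sample objects (203.0.113.0/24 is a documentation range).
$samples = @(
    [pscustomobject]@{ Name = 'Relay locked to one IP'; SenderDomains = @('smtp:*;1')
        SenderIPAddresses = @('203.0.113.10'); RestrictDomainsToIPAddresses = $true
        TlsSenderCertificateName = $null }
    [pscustomobject]@{ Name = 'Relay with loose settings'; SenderDomains = @('smtp:*;1')
        SenderIPAddresses = @('203.0.113.0/24'); RestrictDomainsToIPAddresses = $false
        TlsSenderCertificateName = $null }
)

foreach ($c in $samples) {
    $result = @(Test-RelayConnector $c)
    if ($result.Count -eq 0) { '{0}: OK' -f $c.Name }
    else { $result | ForEach-Object { '{0}: {1}' -f $c.Name, $_ } }
}
```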

Test the relay you connected
SMTP server is
Change the from and to address

# Test the relay connector by sending an email
$mailParams = @{
    SmtpServer = ''
    Port = '25'
    From = ''
    To = ''
    Subject = ('SMTP Relay - ' + (Get-Date -Format g))
    Body = 'This is a test email using SMTP Relay'
    DeliveryNotificationOption = 'OnFailure','OnSuccess'
}

Send-MailMessage @mailParams

In my case, I received the email, but it was sent to junk. Make sure you whitelist it so you receive alerts in future.

Provide a target email address, a source email address and an SMTP server address for system alerts. Then click Next

Now create a Verba Admin account -> Click Next

Now create a Verba API user account

Click Install

Click Finish

You can browse to your Verba server locally or from the interweb
Create a DNS entry to allow you to join using the wildcard SSL certificate you purchased for the bot. Create an “A” record for hostname “verba” pointing to the static IP of your VM. e.g.

The first screen you’ll see is the licensing screen

Step 7 – Configure Verba for Teams recording

The Verba Microsoft Teams Bot joins, then streams the audio/video payload to the Verba Unified Recorder. The bot service listens for connections from the Unified Recorder on ports 10501 (TCP – Control) and 10502 (TCP – Media).

Go to System and Configuration Profiles and Choose Default Media Repository and Recording Server Configuration Profile

Go to Change Configuration Settings -> scroll down and expand Unified Call Recorder -> expand Microsoft Teams -> click the + next to Teams Bot servers

Enter the details below

Press save

Scroll down to Microsoft Teams Bot and enter the following details:

Under General, set the following:

  • Bidirectional/Stereo Recording: No

Under Microsoft Teams, set the following:

  1. Bot Service DNS Name: this is the long DNS name for your VM in Azure
  2. Bot Service CNAME: This is the CNAME that you added to point at the above hostname
  3. Service Certificate Thumbprint: Public SSL Thumbprint
  4. Bot Application ID: App ID for your Teams Recording Bot
  5. Bot Application Secret: Application Secret from earlier
  6. Microsoft Teams Tenant ID: your Microsoft 365 Tenant ID from earlier
  7. Public IP Address: The public address of this server

Then press save and execute the tasks to make the settings live

And that’s it! At least for now. I’ll publish a separate post for the follow up configuration of Verba itself.


Posted in Skype for Business

February 24th, 2020 by UC Now Skype/Teams News Feed

I’m excited to announce the public preview of Azure AD support for FIDO2 security keys in hybrid environments. Users can now use FIDO2 security keys to sign in to their Hybrid Azure AD joined Windows 10 devices and get seamless sign-in to their on-premises and cloud resources.  Since the launch of the public preview of FIDO2 support for Azure AD joined devices and browser sign ins, this has been the top most requested feature from our passwordless customers.


We all know that passwords are no longer effective in protecting customers from cybersecurity threats. In fact, compromised passwords are the most frequent cause of enterprise security breaches. Alternatively, passwordless authentication using advanced technologies like biometrics and public/private key cryptography provides a convenient, easy to use experience and world class security.


With the expansion of FIDO2 support to Hybrid environments, we offer seamless sign-in to Windows devices and virtually unphishable access to on-premises and cloud resources, using a strong hardware-backed public/private-key credential.




Our customers shared that simpler deployments are essential for a successful passwordless journey. We took their feedback seriously: enabling FIDO2 security keys for your hybrid environment requires only three deployment components:


  1. Windows Server patch for Domain controllers (Server 2016/Server 2019).
  2. Windows Insider Builds 18945 or later for PCs.
  3. Version or later of Azure AD Connect.

To get started on your FIDO2 journey, you need to:  


  1. Enable security keys as a passwordless authentication method for your tenant and have your users provision their FIDO2 security keys.
    For additional information see: Enable passwordless security key sign-in to on-premises resources with Azure AD and User registration and management of FIDO2 security keys
  2. Ensure that Windows devices are enabled to use FIDO2 security keys to sign in.
    For additional information see: Enable passwordless security key sign-in to Windows 10 devices with Azure AD
  3. Configure components required to sign in to your hybrid AADJ devices as well as for single sign-on (SSO) to on-premises and cloud resources.
    For additional information see: Enable passwordless security key sign-in to on-premises resources with Azure Active Directory (preview)

Additionally, we’re excited to share additional hardware options for FIDO2 security keys from our Microsoft Intelligent Security Association partners. Ensurity Technologies now offers the Thin-C USB key with storage, eWBM Inc. has a new Goldengate USB-C key, and Thales announced Azure AD passwordless sign-in integrations with its PKI-FIDO smartcard. See the full listing of tested compatible devices.


To get started on your passwordless journey, visit Go passwordless.


As always, we love to get your feedback and suggestions! Let us know what you think in the comments below.  


Best regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

Posted in Skype for Business

February 24th, 2020 by Todd VanderArk

Another RSA Conference (RSAC) and another big year for the Microsoft Intelligent Security Association (MISA). MISA was launched at RSAC 2018 with 26 members and a year later we had doubled in size to 53 members. Today, I am excited to share that the association has again doubled in size to 102 members.

New members expand the portfolio of MISA integrations

Our new members include a number of ecosystem partners, like RSA, ServiceNow, and NetMotion, which have developed critical integrations that benefit our shared customers, and we look forward to deepening our relationship through MISA engagement.

New MISA member RSA is now using Azure Active Directory’s risky user data and other Microsoft security signals to enrich their risk score engine. Additionally, RSA also leverages the Graph Security API to feed their SIEM solution, RSA NetWitness with alerts from the entire suite of Microsoft Security solutions.

 “RSA is excited to showcase the RSA SecurID and RSA NetWitness integrations with Microsoft Security products. Our integrations with Microsoft Defender ATP, Microsoft Graph Security API, Azure AD, and Microsoft Azure Sentinel, help us to better secure access to our mutual customer’s applications, and detect threats and attacks. We’re excited to formalize the long-standing relationship through RSA Ready and MISA to better defend our customers against a world of increasing threats.”
—Anna Sarnek, Head of Strategic Business Development, Cloud and Identity for RSA

The ServiceNow Security Operations integration with Microsoft Graph Security API enables shared customers to automate incident management and response, leveraging the capabilities of the Now Platform’s single data model to dramatically improve their ability to prioritize and respond to threats generated by all Microsoft Security Solutions and custom alerts from Azure Sentinel.

“ServiceNow is pleased to join the Microsoft Intelligent Security Alliance to accelerate security incident response for our shared customers. The ServiceNow Security Operations integration with Azure Sentinel, via the graph security API, enables shared customers to automate incident management and response, leveraging the capabilities of the Now Platform’s single data model to dramatically improve their ability to prioritize and respond to threats.”
—Lou Fiorello, Head of Security Products for ServiceNow

Microsoft is pleased to welcome NetMotion, a connectivity and security solutions company for the world’s growing mobile workforce, into the security partner program. Using NetMotion’s class-leading VPN, customers not only gain uncompromised connectivity and feature parity, they benefit from a VPN that is compatible with Windows, MacOS, Android and iOS devices. For IT teams, NetMotion delivers visibility and control over the entire connection from endpoint to endpoint, over any network, through integration with Microsoft Endpoint Manager (Microsoft Intune).

“NetMotion is designed from the ground up to protect and enhance the user experience of any mobile device. By delivering plug-and-play integration with Microsoft Endpoint Manager, the mobile workforce can maximize productivity and impact without any disruption to their workflow from day one. For organizations already using or considering Microsoft, the addition of NetMotion’s VPN is an absolute no-brainer.”
—Christopher Kenessey, CEO of NetMotion Software

Expanded partner strategy for Microsoft Defender Advanced Threat Protection (ATP)

The Microsoft Defender ATP team worked with our ecosystem partners to take their rich and complete set of APIs a step further to extend the power of our combined platforms. This helps customers strengthen their network and endpoint security posture, add continuous security validation and attack simulation testing, orchestrate and automate incident correlation and remediation, and add threat intelligence and web content filtering capabilities. Read Extending Microsoft Defender ATP network of partners to learn more about their partner strategy expansion and their open framework philosophy.

New product teams join the association

In addition to growing our membership, MISA expanded to cover 12 of Microsoft’s security solutions, including our latest additions: Azure Security Center for IoT Security and Azure DDoS.

Azure Security Center for IoT Security announces five flagship integration partners

The simple onboarding flow for Azure Security Center for IoT enables you to protect your managed and unmanaged IoT devices, view all security alerts, reduce your attack surface with security posture recommendations, and run unified reports in a single pane of glass.

Through partnering with members like Attivo Networks, CyberMDX, CyberX, Firedome, and SecuriThings, Microsoft is able to leverage their vast knowledge pool to help customers defend against a world of increasing IoT threats in enterprise. These solutions protect managed and unmanaged IoT devices in manufacturing, energy, building management systems, healthcare, transportation, smart cities, smart homes, and more. Read more about IoT security and how these five integration partners are changing IoT security in this blog.

Azure DDoS Protection available to partners to combat DDoS attacks

The first DDoS attack occurred way back on July 22, 1999, when a network of 114 computers infected with a malicious script called Trin00 attacked a computer at the University of Minnesota, according to MIT Technology Review. Even after 20 years DDoS continues to be an ever-growing problem, with the number of DDoS attacks doubling in the last year alone and the types of attacks getting increasingly sophisticated with the explosion of IoT devices.

Azure DDoS Protection provides countermeasures against the most sophisticated DDoS threats. The service provides enhanced DDoS mitigation capabilities for your application and resources deployed in your virtual networks. Technology partners can now protect their customers’ resources natively with Azure DDoS Protection Standard to address the availability and reliability concerns due to DDoS attacks.

“Extending Azure DDoS Protection capabilities to Microsoft Intelligent Security Association will help our shared customers to succeed by leveraging the global scale of Azure Networking to protect their workloads against DDoS attacks”
—Anupam Vij, Principal Product Manager, Azure Networking

Learn more

To see MISA members in action, visit the Microsoft booth at RSA where we have a number of our security partners presenting and demoing throughout the week. To learn more about the Microsoft Intelligent Security Association, visit our webpage or the video playlist of member integrations. For more information on Microsoft security solutions, visit our website.

The post MISA expands with new members and new product additions appeared first on Microsoft Security.

Posted in Skype for Business

February 24th, 2020 by johnacook

Posted in Skype for Business

February 24th, 2020 by johnacook

Posted in Skype for Business