Home
Microsoft

Custom Policies in Skype for Business Online

What are custom policies

We recently added functionality to create custom policies in Skype for Business Online. This allows you to control more granularly what functions are available to end users and how the client behaves. For example, you could use custom policies to prevent users in certain a business unit from using File Transfer and creating Polls.

 

As you open Skype Admin tab in Office 365 portal, you can select specific options like Allow HD Video. However, you cannot create policies in traditional way. PowerShell reveals quite an extensive list of pre-existing policies described in our previous blogs: Policies, Policies, Policies–Online! and Policies in Skype for Business Online.

Why choose custom policies

Like in ice-cream shop, to accommodate your taste, you want to pick your own set of flavors and mix them together. To adapt to specific organization scenarios, you may require your own set of policies. Policies become important for scenarios where, in certain countries by law, you are required to block VoIP functionality. Compliancy requirements for financial institutions may drive you to impose IM Archiving for certain user profiles or and leave them as optional for others. Labor requirements may require allowing users to appear offline even if they are signed to the system. Custom policies are currently available for:

  • Conferencing
  • Client
  • Mobility

We advise that you collect your business requirements and compare them to current options available in the portal, or pre-defined policies in place via remote PowerShell. Most customers will find them sufficient. This simplifies your day-to-day operations, where administrators use the Office 365 admin portal for core features. Custom policies are available only via remote PowerShell where less savvy admins may struggle. 

I need custom policies

While it is relatively easy to create policies with PowerShell (more details later in this article), it is important that you consider how to plan, deliver, and operate policies. You will not find any guidance on how to do it, but you should follow the core SOF principals to help you plan, deliver, and operate.

  • Plan
    • Collect business and legal requirements.
    • Group requirements based on options available.
    • Evaluate existing predefined policies in place (tip: check the blogs referenced above).
    • Limit it to a manageable number vs. accommodating every requirement.
    • Define naming standards.
    • Define parameters/fields how to identify users (Country, Business unit, etc.), and provided list by departments.
  • Deliver
    • This is the actual creation of the policies in PowerShell, as detailed – see below.
    • Create scripts and apply them for existing users based on specific criteria identified during planning.
    • Incorporate a policy process in your Identity Platform, if applicable.
    • Incorporate a policy assignment into your end user provisioning process.
  • Operate
    • Validate that policies are assigned to proper users upon deployment.
    • Establish a process for changing settings in policies.
    • Establish a process for creating new policies.
    • Establish a process for ongoing monitoring (scheduled scripts etc.).

Roll up the sleeves, time for PowerShell

Now, you only have to learn and understand the new set of commands. They are similar, and the principal is similar across the commands.

New policy creates one, Set sets the setting, Remove removes the policy and you grant it to the end user. When you grant the policy, you specify the user as identity and policy with the name.

Once created, you cannot rename the policy name. Be aware, of Conferencing policies, as you cannot alter the following three settings: AllowIPAudio, AllowIPVideo and EnableDialInConferencing after initial definition during policy creation. This is by design to prevent administrative error of accidental functionality enablement in countries under VOIP blocking legislation.

Imagine a scenario where you are tasked to deploy a policy to all Contoso Bank users in Austria (AT). You can identify them by the Office and CountryOrRegionDisplayName fields. Users in scope are not allowed to do a File Transfer, P2PFileTransfer and prevent participants from using polls.

 

  1. Evaluate currently available conferencing policies, and execute the following command: Get-CsConferencingPolicy | Select Identity,EnableFileTransferEnableP2PFileTransfer,AllowPolls.

    The second part of the cmndlet “Select Identity,EnableFileTransfer, EnableP2PFileTransfer,AllowPolls” renders the table with policy names and setting for the policy you are want, instead of generating a long list of all settings.

  2. Next, you create a new conferencing policy. In this case, we will call it DisableFileTransferPolls.

    We chose this name as it exactly describes what the policy will do. Run the following command:

    New-CsConferencingPolicy -Identity “DisableFileTransferPolls” -EnableFileTransfer $False -EnableP2PFileTransfer $False

    Remember, if you must set AllowIPAudio, AllowIPVideo and EnableDialInConferencing, do so during policy creation. Since this is not a requirement for our example, we do not need to set any of these values.

  3. You just realize that you forgot to disable Polls. You update the policy by using Set command:

    Set-CsConferencingPolicy -Identity “DisableFileTransferPolls” -AllowPolls $False

  4. Now, it’s time to test the policy. First you apply it to the single end user:

    Grant-CsConferencingPolicy -Identity zoran@contoso.com -policyname “DisableFileTransferPolls”

    Allow 15-30 min for policy to apply. Remember, you must sign out and in for policy to apply.  On your local machine check uccapi log file in Snooper. Search for “Meeting Policy”, check response and you would be able to locate settings you just set:

    <property name="AllowPolls">false</property>  
    <property name="AllowFileTransfer">false</property> 
    <property name="EnableP2PFileTransfer">false</property>
  5. Once testing is complete, get the list of target production users. The filter option in command is more efficient than where-object. Filter command returns the result set, vs. getting a list of all of users and then processing it. As described earlier, we want all to find all users who have set Office as “Contoso Bank” and are located in located in Austria (“AT”). For large tenants use -ResultSize to test commands first.

    $BankUsers = Get-CsOnlineUser -filter {(Office -eq "Contoso Bank") -and (CountryOrRegionDisplayName -eq "AT")}|Select UserPrincipalName,SipAddress

    Assigning variables gives you flexibility to:

    ·    Obtain count by executing $BankUsers.count

    ·    List all users in scope by typing $BankUsers

    ·    Export list by executing $BankUsers|Export-CSV -Path .\BankUsers.csv in case you have to revert the changes

  6. Time to apply the change to all users in scope
    $BankUsers.SipAddress | Grant-CsConferencingPolicy -policyname “DisableFileTransferPolls” 
  7. The deployment is now complete. All that is left is to validate changes. You can also use them for Operation to ensure you are operating the environment as designed in the long run, as we mentioned in previous paragraph.

    The command below returns first 5 users with DisableFileTransferPolls policy applied (currently specifying tenant ID is required).

    get-csonlineuser -filter { (Conferencingpolicy -eq "Tag:DisableFileTransferPolls") -and (TenantID -eq "xxxx-xxxx-xxx-xxxx-xxxx") } -Resultsize 5 |Select Alias,UserPrincipalName,SipAddress

    Later you can follow the same principal to obtain list of users you missed (match users who do not have policy applied but are matching Office and Country)

    $BankUsersMissed = get-csonlineuser -filter { (Conferencingpolicy -ne "Tag:DisableFileTransferPolls") -and (TenantID -eq "xxxx-xxxx-xxx-xxxx-xxxx") -and (Office -eq "Contoso Bank") -and (CountryOrRegionDisplayName -eq "AT")} |Select Alias,UserPrincipalName,SipAddress
    For detailed set of commands, check the following blog Custom Policies for Skype for Business Online.

Considerations

As we mentioned through the article, keep in mind the following:

 

  • During Conferencing policy creation, you are required to properly set AllowIPAudio, and EnableDialInConferencing options. You cannot alter them later. Commands like Set-CsConferencingPolicy -identity BlogDemo -AllowIPAudio $True where initial setting was $Falsewill fail.
  • When you list the parameters for the policy some of them are pre-fixed, and can’t be altered. A list of parameters that are editable are available in the TechNet articles listed in above’s Tech Community Blog.
  • Using custom policy names as filer in Get-CsOnlineUser command requires TenantID to be included in filter command. You can get your tenant ID by executing Get-CsTenant |Select TenantID .
  • Get-CsConferencingPolicy and Get-CsMobilityPolicy require -Include SubscriptionDefaults to list pre-defined policies.
  • When using Get-CSOnlineUser |Select Identity, the result gives you canonical name of the object. Better leverage Get-CSOnlineUser |Select Alias,UserPrincipalName,SipAddress.

Call to action

  1. Review options available in portal, review pre-defined policies before you decide to create custom ones.

  2. Review your business and legal requirements with business owners on top of IT team requirements.
  3. Optimize the number of policies, even complex business generally requires up to five per modality.
  4. Questions or comments? Discuss with us in the Community.

 

 

3 Comments
Senior Member

Great to see more information about custom policies and some of the limitations. Why is an admin unable to set custom BW policies for video, appshare, and file transfer? Often the default policies that only limit video BW do not meet all needs. It would be great to limit some of the other modalities for sites with BW limitation concerns.

Microsoft

I’d like you input on minimum values for these policies that ensure a reasonable quality experience for end users. We would basically only let tenants set these values that low.


 

Senior Member

I think 1000 as a minimum value would be fine, it would just be nice to be able to configure video and app sharing bandwidth in a custom policy, especially for a remote site with limited bandwidth. I understand wanting to ensure reasonable quality experience but allowing an admin more control over the policies makes the service more flexible (and adoptable).