09-02-2019 04:00 AM - edited 09-04-2019 12:00 AM
09-02-2019 04:00 AM - edited 09-04-2019 12:00 AM
As title says we have issues with external connectivity for Azure AD users.
Some time ago we switched to MS Teams, and to make user life a bit easier we integrated on-prem AD with O365, so users can use same password everywhere.
The issue is that accounts made in Active Directory are unable to IM external users (message, add, call basically anything). Those users also does not show up in Teams admin center, only users made in O365 (how long we should wait for the accounts to propogate?). Search user externally dont show up when searching external users.
O365 accounts dont have that issue and connectivity is fully functional. Both types use MS Teams commercial cloud licenses. We tried to manage licenses from Azure (take off Teams license from O365 and add it from Azure). Can anyone advise?
Any additional information can be provided if needed.
EDIT: We created few test onprem accounts that were synced to AzureAD. They are working, for some reason it looks like only fresh accounts work (and show up in Teams admin center). Older dont.
Also we are using onpremise Exhange server.
09-02-2019 04:59 AM
09-02-2019 05:04 AM - edited 09-02-2019 05:05 AM
Hello @Rob Ellis , thank you for the reply.
Synced users show up with onmicrosoft.com. After they show up we changed the suffix and add the licenses.
We made a test account on whom we left the default suffix, it does not work aswell.
09-02-2019 05:08 AM
@Rob Ellis Suffix on our AD is .local, we left it like that. Should that be changed aswell?
09-02-2019 02:09 PM
09-02-2019 11:36 PM - edited 09-02-2019 11:46 PM
Hello @Chris Webb , thank you for your reply.
External connectivity is enabled and Coexistence to Islands but we are testing connectivity with external Teams users.
As per @Rob Ellis suggestion we created a new AD user and set the routable logon suffix (not .local like it was before) and external connectivity started to work (a few hours later). We changed the logon suffix for some users but for now only the first account is working, so we are waiting for the External connectivity to appear if thats the case (due propagation).
I have a question - why on-prem domain logon suffix fixed connectivity for the first account?
Other thing - when we set routable suffix to other users they still dont appear in the users list in Teams Admin center. First account showed up with status DirSyncTeamsUser.
09-03-2019 12:19 AM
09-03-2019 12:30 AM
@Rob Ellis, Looks like that is not the case, we tried one of out company.onmicrosoft.com accounts. External connectivity works on it.
For now I guess we should wait for users with changed suffixes to show up (hopefully). If they dont then it looks like only new on-prem AD accounts show up for some reason.
09-03-2019 05:25 AM
09-03-2019 07:42 AM
It looks like the policy is not fully pushed.
Yesterday we made 2 test accounts in on-prem AD. One with .local suffix which was changed to company.onmicrosoft.com and .com suffix which remained like that after Azure AD sync.
Both accounts can IM external Teams users. Coexistence mode is set to Org-wide which is Islands. Very strange because these are only accounts that can IM external users (theres actually third account that we made for our new user). So it looks like it only works for the new users (these users also show up Teams admin center). Old onprem AD accounts dont work.
Accounts with changed logon name .com still dont work. And we test using external O365 Teams user who also integrated Onprem AD with O365.
09-03-2019 07:56 AM
09-03-2019 11:28 PM - edited 09-04-2019 12:01 AM
Hello @Chris Webb, changed it to Teams only yesterday. Still is not working.
Also we are using on premise Exchange, when making those 2 test accounts we didnt create an email box for them. Could Exchange interfiere with the setup?
09-05-2019 11:18 AM
09-05-2019 11:21 PM - edited 09-06-2019 01:19 AM
@Chris Webb Thanks for the answer, I will look into it.
Account logon suffix has been changed from .local to .com. Any idea why new accounts work without SFB online licenses? We only have MS Teams Commercial cloud licenses.
One other thing - before teams there was a SFB 2019 in our domain from which we first removed SIP accounts and then deleted the servers. Could that interfiere with old AD accounts and external connectivity?
09-06-2019 04:20 AM
09-06-2019 04:26 AM
Hello @Chris Webb . It looks like that is the case. In order to enable them in teams we need to migrate accounts from SFB to Teams. Im having some issues with that but I will try to solve it.
09-06-2019 07:28 AMSolution
Hello and thanks to everyone that contributed to this post.
I managed to find the issue. It was indeed related to previously used Skype for Business. When a SFB user is created, a certain attributes are added. And those stay until they change (for example if user migration are used ((didnt work for us since SFB servers were deleted)) or until they are removed.
What happened was there was a conflict with those attributes. Teams "thought" that we still use SFB due to these previous SFB msRTC attributes. Once removed after a while External connectivity appeared.