SOLVED

Phone System Administrator Accounts

%3CLINGO-SUB%20id%3D%22lingo-sub-1558272%22%20slang%3D%22en-US%22%3EPhone%20System%20Administrator%20Accounts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1558272%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EGreetings%20all%2C%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EAs%20I%20further%20my%20evaluation%20of%20MS%20Teams%20use%20to%20augment%20or%20replace%20some%20or%20all%20of%20our%20PBX%2FCall%20Server%20functionality%2C%20I%20have%20questions%20about%20whether%20or%20not%20it%20is%20possible%20to%20limit%20those%20who%20administer%20it.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWe%20currently%20have%20over%20100%20locations%20with%20stand-alone%20telephone%20systems%20that%20each%20provide%20service%20with%20over%20300%20telephones.%20That%20may%20or%20may%20not%20be%20large%20in%20your%20world%2C%20and%20certainly%20doesn't%20fully%20and%20accurately%20describe%20our%20enterprise%2C%20but%20I%20mention%20it%20to%20point%20out%20that%20we%20currently%20have%20hundreds%20of%20administrators%20caring%20for%20these%20systems%20all%20over%20the%20world.%20I'll%20give%20an%20example%20of%20what%20I'd%20like%20to%20be%20able%20to%20do%2C%20first%20by%20setting%20the%20scene.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWe%20will%20likely%20use%20direct%20routing%20and%20will%20want%20users%20to%20dial%209%2BXXXXXXXXXX%20to%20dial%20off%20system.%20North%20American%20dialing%20will%20be%20easy%20to%20administer%2C%20but%20our%20overseas%20locations%20is%20where%20dialing%20restrictions%20or%20class%20of%20service%20will%20need%20to%20be%20managed%20closely.%20For%20example%2C%20I%20may%20want%20someone%20to%20have%20local%20dialing%20but%20not%20long-distance%20dialing%2C%20common%20in%20the%20PBX%20world%20and%20from%20what%20I%20can%20tell%20in%20MS%20Teams%20with%20the%20use%20of%20direct%20routing%2C%20easy%20enough%20to%20identify%20a%20digit%20string%20and%20point%20that%20to%20an%20SBC.%20I'm%20not%20looking%20for%20instructions%20on%20that%2C%20though%20if%20that%20is%20not%20possible%20please%20let%20me%20know.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E1)%20Can%20I%20have%20a%20person%20with%20limited%20administrator%20privileges%20that%20only%20allow%20them%20to%20administer%20a%20group%20of%20users%20(the%20ability%20to%20make%20changes%20only%20for%20persons%20assigned%20to%20one%20overseas%20office)%3F%20For%20example%2C%20I%20would%20want%20someone%20to%20have%20the%20ability%20to%20change%20users'%20ability%20to%20call%20long-distance%20or%20local%2C%20but%20only%20for%20persons%20who%20work%20at%20a%20particular%20office%20that%20the%20administrator%20supports.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E2)%20Can%20I%20limit%20the%20SBCs%20and%20administrator%20can%20configure%20calls%20to%20route%20to%3F%20For%20example%2C%20I%20may%20not%20want%20an%20administrator%20for%20users%20in%20London%20to%20be%20able%20to%20make%20changes%20that%20allow%20them%20to%20make%20calls%20off%20the%20Paris%20SBC.%20I%20will%20want%20those%20type%20of%20calls%20to%20be%20possible%2C%20but%20I%20may%20want%20to%20limit%20who%20can%20configure%20that%20type%20of%20routing.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20have%20a%20related%20question.%20Can%20a%20person%20have%20more%20than%20one%20CsOnlineVoiceRoutingPolicy%20assigned%20to%20them%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThank%20you%20very%20much!%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1558272%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdministrator%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Teams%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1558320%22%20slang%3D%22en-US%22%3ERe%3A%20Phone%20System%20Administrator%20Accounts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1558320%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F716608%22%20target%3D%22_blank%22%3E%40Mark_TV%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERe%20%231%20-%20Not%20really.%20There%20are%20RBAC%20roles%20which%20provide%20limited%20configuration%20capabilities%20based%20on%20role%20membership%2C%20but%20as%20far%20as%20I%20know%2C%20a%20single%20RBAC%20role%20does%20not%20support%20scoping%20of%20those%20permissions%20to%20a%20group%20of%20users%20(such%20as%20a%20remote%20office%20location).%20It's%20all%20or%20none.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2FMicrosoftTeams%2Fusing-admin-roles%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2FMicrosoftTeams%2Fusing-admin-roles%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERe%20%232%20-%20Once%20SBCs%20are%20input%20into%20Direct%20Routing%20they%20become%20available%20to%20be%20used%20globally%2C%20but%20usage%20in%20Outbound%20Routing%20is%20not%20active%20until%20someone%20adds%20the%20SBC%2FGateway%20into%20the%20proper%20routing%20configuration.%20From%20what%20I%20know%2C%20if%20you%20have%20a%20user%20that%20is%20able%20to%20manipulate%20the%20Voice%20Routing%20configuration%20via%20RBAC%2C%20that%20applies%20to%26nbsp%3B%3CEM%3Eall%26nbsp%3B%3C%2FEM%3Econfiguration%20in%20Direct%20Routing.%20Again%2C%20all%20or%20none.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERe%20VoiceRoutingPolicy%20-%20No.%20Users%20can%20only%20be%20assigned%20a%20single%20VoiceRoutingPolicy.%20That%20is%20why%20it%20is%20important%20to%20include%20all%20potential%20PSTN%20usages%20and%20voice%20routes%20(including%20class-of-service%20restrictions%20and%20primary%2Falternate%20routes%20for%20SBC%20failover)%20in%20that%20single%20usage.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERe%20External%20Access%20Prefix%20(9%20prefix)%20-%20This%20is%20supported.%20However%2C%20%3CEM%3Edo%20not%3C%2FEM%3E%26nbsp%3B%3CEM%3Enormalize%26nbsp%3B%3C%2FEM%3Ethe%20number%20such%20that%20the%209%20appears%20in%20the%20dialed%20digits.%20Configuration%20should%20support%20allowing%20users%20to%20continue%20that%20legacy-PBX-trunk-habit%2C%20but%20proper%20E.164%20routing%20configurations%20don't%20include%209%2B15555555555%20as%20the%20normalized%20number%20the%20client%20dials.%20Proper%20configurations%20always%20stick%20to%20E.164-proper%20for%20any%20dialed%20number%20(%2B15555555555)%20and%20then%20you%20add%2Fsubtract%20digits%20as%20required%20on%20the%20Direct%20Routing%20trunk%20via%20CsTeamsTranslationRules%20or%20on%20your%20SBCs%20directly.%20It's%20a%20very%20common%20attempted%20shortcut%20to%20not%20do%20this%2C%20but%20trust%20me%2C%20it%20makes%20voice%20routing%20(especially%20global)%20so%20much%20easier%20if%20you%20stick%20to%20proper%20E.164.%20This%20advice%20has%20been%20true%20for%20a%20long%20time%2C%20even%20all%20the%20way%20back%20to%20OCS%2FLync%2FSFB.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fskype%2Fnew-csteamstranslationrule%3Fview%3Dskype-ps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fskype%2Fnew-csteamstranslationrule%3Fview%3Dskype-ps%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fview.officeapps.live.com%2Fop%2Fview.aspx%3Fsrc%3Dhttp%253A%252F%252Fvideo.ch9.ms%252Fsessions%252Flync%252F2014%252FBEST301_Lasko.pptx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fview.officeapps.live.com%2Fop%2Fview.aspx%3Fsrc%3Dhttp%253A%252F%252Fvideo.ch9.ms%252Fsessions%252Flync%252F2014%252FBEST301_Lasko.pptx%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1559557%22%20slang%3D%22en-US%22%3ERe%3A%20Phone%20System%20Administrator%20Accounts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1559557%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F84875%22%20target%3D%22_blank%22%3E%40Trevor%20Miller%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGreat%20point%20on%20the%209%20%2B%20dialing.%20When%20you%20say%2C%20%22%3CEM%3Edo%20not%20normalize%3C%2FEM%3E%22%209%20dialing%2C%20do%20you%20mean%20we%20should%20have%20the%20E.164%20digit%20strings%20explicitly%20defined%20but%20also%20have%20a%20%26nbsp%3B9%20%2B%20option%20to%20catch%20those%20times%20when%20users%20dial%20that%20way%3F%20Is%20the%20expectation%20that%20users%20walking%20down%20the%20street%20in%20London%20or%20in%20the%20office%20using%20Teams%20on%20their%20mobile%20device%20or%20workstation%20should%20always%20dial%20the%20full%20E.164%20number%20to%20call%20a%20local%20business%2C%20as%20in%20%2B44%20XXXXXXXXXX%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOn%20the%20VoiceRoutingPolicy%2C%20that's%20good%20to%20know.%20This%20could%20lead%20to%20thousands%20of%20unique%20VoiceRoutingPolicy%20configurations%20that%20would%20likely%20be%20a%20heavy%20lift%20up%20front%20with%20minimal%20ongoing%20maintenance%20as%20changes%20to%20privileges%2Frestriction%20come%20up.%20Is%20that%20your%20experience%3F%20I%20can%20see%20that%20the%20naming%20convention%20must%20be%20important%20to%20have%20established%20at%20the%20beginning%20and%20strictly%20adhered%20to.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%2C%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1559669%22%20slang%3D%22en-US%22%3ERe%3A%20Phone%20System%20Administrator%20Accounts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1559669%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F716608%22%20target%3D%22_blank%22%3E%40Mark_TV%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERe%20Dialing%3A%3C%2FP%3E%3CP%3EYour%20Dial%20Plans%20will%20have%20normalization%20rules%20that%20outline%20dialing%20habits%20for%20each%20of%20your%20locales.%20Normalization%20rules%20can%20be%20structured%20such%20that%20you%20could%20support%20if%20a%20user%20dials%209%2C%20then%201%2C%20then%2010%20digits%20for%20US%20NANPA.%20Or%20perhaps%20they%20only%20dial%201%2C%20then%2010%20digits.%20Or%20perhaps%20they%20only%20dial%207%20digits%20where%20available%20for%20local%20calls.%20Or%20maybe%20they%20fully%20dial%20the%20E.164%20number%20(after%20all%2C%20most%20cell%20phones%20support%20this%20today).%20What%20types%20of%20dialing%20habits%20will%20depend%20on%20country%2C%20city%2C%20whether%20you%20need%20short-digit%20extension%2C%20etc.%20Effectively%20you%20can%20support%20any%20number%20of%20dialing%20habits%20but%20the%20end%20result%20of%20all%20those%20rules%20should%20always%20be%20an%20E.164%20number.%20In%20your%20example%20of%20a%20London%20number%2C%20no%20they%20do%20not%26nbsp%3B%3CEM%3Ehave%26nbsp%3B%3C%2FEM%3Eto%20dial%20E.164%20-%20you%20could%20have%20normalization%20rules%20set%20up%20to%20allow%20020%20%2B%203XXXXXXX%20and%20it%20gets%20turned%20into%20%2B44%2020%203XXXXXXX.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERe%20VoiceRouting%3A%3C%2FP%3E%3CP%3ECorrect.%20The%20bulk%20of%20your%20effort%20is%20the%20planning%20and%20design%20of%20all%20the%20different%20Locales%2C%20Class%20of%20Services%20and%20Various%20Routes%20your%20calls%20need%20to%20take.%20You%20can%20choose%20to%20implement%20this%20logic%20directly%20within%20Teams%20(in%20the%20form%20of%20voice%20routing%20policies%2C%20pstn%20usages%2C%20and%20voice%20routes)%2C%20or%20perhaps%20look%20at%20a%20solution%20from%20your%20Direct%20Routing%20SBC%20vendor.%20The%20SBC%20solutions%20offer%20capabilities%20around%20AD%20lookups%20or%20advanced%20dial%20plan%20functionality%20that%20may%20negate%20the%20need%20to%20have%20the%20control%20within%20Teams%20Routing%20configurations.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1559963%22%20slang%3D%22en-US%22%3ERe%3A%20Phone%20System%20Administrator%20Accounts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1559963%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F84875%22%20target%3D%22_blank%22%3E%40Trevor%20Miller%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGreat%20information%20that%20provides%20clarity%20to%20a%20number%20of%20uncertainties.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20very%20much!%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Greetings all,

 

As I further my evaluation of MS Teams use to augment or replace some or all of our PBX/Call Server functionality, I have questions about whether or not it is possible to limit those who administer it.

 

We currently have over 100 locations with stand-alone telephone systems that each provide service with over 300 telephones. That may or may not be large in your world, and certainly doesn't fully and accurately describe our enterprise, but I mention it to point out that we currently have hundreds of administrators caring for these systems all over the world. I'll give an example of what I'd like to be able to do, first by setting the scene.

 

We will likely use direct routing and will want users to dial 9+XXXXXXXXXX to dial off system. North American dialing will be easy to administer, but our overseas locations is where dialing restrictions or class of service will need to be managed closely. For example, I may want someone to have local dialing but not long-distance dialing, common in the PBX world and from what I can tell in MS Teams with the use of direct routing, easy enough to identify a digit string and point that to an SBC. I'm not looking for instructions on that, though if that is not possible please let me know.

 

1) Can I have a person with limited administrator privileges that only allow them to administer a group of users (the ability to make changes only for persons assigned to one overseas office)? For example, I would want someone to have the ability to change users' ability to call long-distance or local, but only for persons who work at a particular office that the administrator supports.

 

2) Can I limit the SBCs and administrator can configure calls to route to? For example, I may not want an administrator for users in London to be able to make changes that allow them to make calls off the Paris SBC. I will want those type of calls to be possible, but I may want to limit who can configure that type of routing.

 

I have a related question. Can a person have more than one CsOnlineVoiceRoutingPolicy assigned to them?

 

Thank you very much!

4 Replies
Highlighted
Best Response confirmed by ThereseSolimeno (Microsoft)
Solution

@Mark_TV 

 

Re #1 - Not really. There are RBAC roles which provide limited configuration capabilities based on role membership, but as far as I know, a single RBAC role does not support scoping of those permissions to a group of users (such as a remote office location). It's all or none.

https://docs.microsoft.com/en-us/MicrosoftTeams/using-admin-roles

 

Re #2 - Once SBCs are input into Direct Routing they become available to be used globally, but usage in Outbound Routing is not active until someone adds the SBC/Gateway into the proper routing configuration. From what I know, if you have a user that is able to manipulate the Voice Routing configuration via RBAC, that applies to all configuration in Direct Routing. Again, all or none.

 

Re VoiceRoutingPolicy - No. Users can only be assigned a single VoiceRoutingPolicy. That is why it is important to include all potential PSTN usages and voice routes (including class-of-service restrictions and primary/alternate routes for SBC failover) in that single usage.

 

Re External Access Prefix (9 prefix) - This is supported. However, do not normalize the number such that the 9 appears in the dialed digits. Configuration should support allowing users to continue that legacy-PBX-trunk-habit, but proper E.164 routing configurations don't include 9+15555555555 as the normalized number the client dials. Proper configurations always stick to E.164-proper for any dialed number (+15555555555) and then you add/subtract digits as required on the Direct Routing trunk via CsTeamsTranslationRules or on your SBCs directly. It's a very common attempted shortcut to not do this, but trust me, it makes voice routing (especially global) so much easier if you stick to proper E.164. This advice has been true for a long time, even all the way back to OCS/Lync/SFB.

https://docs.microsoft.com/en-us/powershell/module/skype/new-csteamstranslationrule?view=skype-ps

https://view.officeapps.live.com/op/view.aspx?src=http%3A%2F%2Fvideo.ch9.ms%2Fsessions%2Flync%2F2014...

 

Highlighted

@Trevor Miller 

 

Great point on the 9 + dialing. When you say, "do not normalize" 9 dialing, do you mean we should have the E.164 digit strings explicitly defined but also have a  9 + option to catch those times when users dial that way? Is the expectation that users walking down the street in London or in the office using Teams on their mobile device or workstation should always dial the full E.164 number to call a local business, as in +44 XXXXXXXXXX?

 

On the VoiceRoutingPolicy, that's good to know. This could lead to thousands of unique VoiceRoutingPolicy configurations that would likely be a heavy lift up front with minimal ongoing maintenance as changes to privileges/restriction come up. Is that your experience? I can see that the naming convention must be important to have established at the beginning and strictly adhered to.

 

Thank you,

Highlighted

@Mark_TV 

 

Re Dialing:

Your Dial Plans will have normalization rules that outline dialing habits for each of your locales. Normalization rules can be structured such that you could support if a user dials 9, then 1, then 10 digits for US NANPA. Or perhaps they only dial 1, then 10 digits. Or perhaps they only dial 7 digits where available for local calls. Or maybe they fully dial the E.164 number (after all, most cell phones support this today). What types of dialing habits will depend on country, city, whether you need short-digit extension, etc. Effectively you can support any number of dialing habits but the end result of all those rules should always be an E.164 number. In your example of a London number, no they do not have to dial E.164 - you could have normalization rules set up to allow 020 + 3XXXXXXX and it gets turned into +44 20 3XXXXXXX.

 

Re VoiceRouting:

Correct. The bulk of your effort is the planning and design of all the different Locales, Class of Services and Various Routes your calls need to take. You can choose to implement this logic directly within Teams (in the form of voice routing policies, pstn usages, and voice routes), or perhaps look at a solution from your Direct Routing SBC vendor. The SBC solutions offer capabilities around AD lookups or advanced dial plan functionality that may negate the need to have the control within Teams Routing configurations.

Highlighted

@Trevor Miller 

 

Great information that provides clarity to a number of uncertainties.

 

Thank you very much!