What you will need
An online admin account. I don't recommend ever using an account that is federated with on-premises AD through directory sync for these kinds of tasks. It doesn't cost anything to have a separate, cloud-only admin account. It will need Org Admin, Exchange Org Admin and Skype for Business Org Admin to accomplish this.
Microsoft Online Services Sign-In Assistant for IT Pros
https://www.microsoft.com/en-us/download/details.aspx?id=41950
http://go.microsoft.com/fwlink/p/?linkid=236297
Skype for Business Online PowerShell
http://www.microsoft.com/en-us/download/details.aspx?id=39366
Skype for Business, Lync 2013 or Lync 2010 PowerShell (I'm not sure whether this works with 2010; I have not tried it). You can just download the eval and install only the admin tools.
http://www.microsoft.com/en-us/evalcenter/evaluate-skype-for-business-server
Known issues
- When you renew or replace your OAuth certificate, you have to make sure you also update Office 365 with the new certificate (repeat the assignment steps below); the trust is tied to the registered certificate.
Notes
- I have not tried this against a site that has multiple web services. However, I would assume that you would just add another ExternalWebServices entry, assuming the certificate has the same thumbprint. If not, you would just import another cert.
- You can run all of this from your Front End Server, as long as you don't have issues installing the MSOnline PowerShell modules. It would simplify the process, but all it saves you is copying an exported certificate and re-importing it.
- This process was modified from https://technet.microsoft.com/en-us/library/jj204990.aspx. I found the documentation to be missing some information and wanted it all spelled out.
- You can find more details on how to connect to Office 365 here: https://technet.microsoft.com/library/dn975125.aspx
The Install Process
- Get the OAuth cert from your Front End Server
$cert = (Get-CsCertificate | Where-Object {$_.Use -like "OAuthTokenIssuer"}).Thumbprint
- Export the certificate (public part only, as a .cer file)
Export-Certificate -Cert (Get-ChildItem -Path cert:\LocalMachine\My\$cert) -FilePath C:\Source\oauth.cer -Type CERT
- You will need to know your external web services name
$ExternalWebServices = (Get-CsService -WebServer).ExternalFqdn
- Login to Lync Online
Import-Module SkypeOnlineConnector
$cred = Get-Credential   # use the domain.onmicrosoft.com account
$sfbonline = New-CsOnlineSession -Credential $cred -OverrideAdminDomain "<yourtenant>.onmicrosoft.com"
Import-PSSession $sfbonline -AllowClobber
- Create the following script and execute it. This assumes you have only one tenant. If you have more, set $tenantDisplayName to that tenant's display name string. Make sure to run it from an elevated prompt, and run Set-ExecutionPolicy -ExecutionPolicy Unrestricted first.
<CODE>
Write-Host "Retrieving TenantID" -ForegroundColor Magenta
## If you have more than one tenant, set $tenantDisplayName to that tenant's display name string instead
$tenantDisplayName = (Get-CsTenant).DisplayName
## Nothing else should require changing
$TenantID = (Get-CsTenant -Filter {DisplayName -like $tenantDisplayName}).TenantId
Write-Host $TenantID -ForegroundColor Cyan

Write-Host "Checking STS" -ForegroundColor Magenta
$sts = Get-CsOAuthServer Microsoft.sts -ErrorAction SilentlyContinue
Write-Host $sts -ForegroundColor Green
if ($sts -eq $null)
{
    ## No STS entry yet: point Skype for Business at this tenant's metadata document
    Write-Host "Setting New CsOAuthServer" -ForegroundColor Cyan
    $newcsoauthserver = New-CsOAuthServer Microsoft.sts -MetadataUrl "https://accounts.accesscontrol.windows.net/$TenantID/metadata/json/1"
    Write-Host $newcsoauthserver -ForegroundColor Green
}
elseif ($sts.MetadataUrl -ne "https://accounts.accesscontrol.windows.net/$TenantID/metadata/json/1")
{
    ## Existing entry points at a different tenant: recreate it
    Write-Host "Resetting CsOAuthServer" -ForegroundColor Cyan
    Remove-CsOAuthServer Microsoft.sts
    $newcsoauthserver = New-CsOAuthServer Microsoft.sts -MetadataUrl "https://accounts.accesscontrol.windows.net/$TenantID/metadata/json/1"
    Write-Host $newcsoauthserver -ForegroundColor Green
}
else
{
    Write-Host "No changes to STS required" -ForegroundColor Green
}

Write-Host "Retrieving Exchange Partner Application" -ForegroundColor Magenta
$exch = Get-CsPartnerApplication microsoft.exchange -ErrorAction SilentlyContinue
Write-Host $exch -ForegroundColor Cyan
if ($exch -eq $null)
{
    Write-Host "Setting New Exchange Partner Application" -ForegroundColor Cyan
    $exchpartner = New-CsPartnerApplication -Identity microsoft.exchange -ApplicationIdentifier 00000002-0000-0ff1-ce00-000000000000 -ApplicationTrustLevel Full -UseOAuthServer
    Write-Host $exchpartner -ForegroundColor Green
}
elseif ($exch.ApplicationIdentifier -ne "00000002-0000-0ff1-ce00-000000000000")
{
    ## Wrong application identifier: recreate the partner application
    Write-Host "Resetting Exchange Partner" -ForegroundColor Cyan
    Remove-CsPartnerApplication microsoft.exchange
    $newexchpartner = New-CsPartnerApplication -Identity microsoft.exchange -ApplicationIdentifier 00000002-0000-0ff1-ce00-000000000000 -ApplicationTrustLevel Full -UseOAuthServer
    Write-Host $newexchpartner -ForegroundColor Green
}
else
{
    ## Identifier already correct: make sure trust level and OAuth server use are set
    Write-Host "Updating Exchange Partner Application" -ForegroundColor Cyan
    $newexchpartner = Set-CsPartnerApplication -Identity microsoft.exchange -ApplicationTrustLevel Full -UseOAuthServer
    Write-Host $newexchpartner -ForegroundColor Green
}

Write-Host "Setting OAuth Configuration for Lync/Skype" -ForegroundColor Cyan
$oauthconfig = Set-CsOAuthConfiguration -ServiceName 00000004-0000-0ff1-ce00-000000000000
Write-Host $oauthconfig -ForegroundColor Green
</CODE>
- Login to O365 online
Import-Module MSOnline
Import-Module MSOnlineExtended
$cred = Get-Credential username@tenant.onmicrosoft.com   # if you are doing this in the same PowerShell session, you can skip this step
Connect-MsolService -Credential $cred
- Get the Lync/SfB Online AppPrincipalId
Get-MsolServicePrincipal | Where-Object {$_.DisplayName -like "*lync*"}
That should return something like the following. The key is the AppPrincipalId, which in almost all cases looks like the example here, for any tenant:
ExtensionData : System.Runtime.Serialization.ExtensionDataObject
AccountEnabled : True
Addresses : {}
AppPrincipalId : 00000004-0000-0ff1-ce00-000000000000
DisplayName : Microsoft.Lync
ObjectId : e4ab67b9-8343-4af2-9b27-fe7e94ffad0e
ServicePrincipalNames : {00000004-0000-0ff1-ce00-000000000000/*.infra.lync.com,00000004-0000-0ff1-ce00-000000000000/*.online.lync.com, 00000004-0000-0ff1-ce00-000000000000,Microsoft.Lync}
TrustedForDelegation : True
If it does not, try changing the name from lync to skype. If it returns a DisplayName of SkypeForBusinessRemotePowershell and only that, then you most likely do not have Skype for Business Online available.
Now store the AppPrincipalId in a variable so you don't have to remember it:
$lynconline = (Get-MsolServicePrincipal | Where-Object {$_.DisplayName -like "Microsoft.Lync"}).AppPrincipalId
- Get the Exchange Online AppPrincipalId
Get-MsolServicePrincipal | Where-Object {$_.DisplayName -like "*exchange*"}
That should return something like the following. The key is the AppPrincipalId, which in almost all cases looks like the example here, for any tenant:
ExtensionData : System.Runtime.Serialization.ExtensionDataObject
AccountEnabled : True
Addresses : {}
AppPrincipalId : 00000002-0000-0ff1-ce00-000000000000
DisplayName : Microsoft.Exchange
ObjectId : f36ca527-2c7a-478e-b2b7-d47fffffcfd6
ServicePrincipalNames : {00000002-0000-0ff1-ce00-000000000000/outlook.office365.com,
00000002-0000-0ff1-ce00-000000000000/mail.office365.com,
00000002-0000-0ff1-ce00-000000000000/outlook.com,
00000002-0000-0ff1-ce00-000000000000/*.outlook.com…}
TrustedForDelegation : True
If nothing is returned, check the filter; the entry you want has the DisplayName Microsoft.Exchange.
Now store the AppPrincipalId in a variable so you don't have to remember it:
$exchangeonline = (Get-MsolServicePrincipal | Where-Object {$_.DisplayName -like "Microsoft.Exchange"}).AppPrincipalId
- Now you will need to Base64-encode the certificate you exported above
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$certificate.Import("C:\Source\oauth.cer")
$binaryValue = $certificate.GetRawCertData()
$credentialsValue = [System.Convert]::ToBase64String($binaryValue)
- At this point you will need the start and end date of the certificate. You can get these by opening the certificate and reading the Valid from / Valid to dates, or through PowerShell.
Assuming you are not running these commands on your Front End Server, you can import the certificate as follows:
Set-Location -Path cert:\LocalMachine\My
$cert = Import-Certificate -FilePath C:\Source\oauth.cer
- Set the start date of the certificate
$notbefore = $cert.NotBefore
- Set the end date of the certificate
$notafter = $cert.NotAfter
- Assign the certificate to Lync/Skype Online
New-MsolServicePrincipalCredential -AppPrincipalId $lynconline -Type Asymmetric -Usage Verify -Value $credentialsValue -StartDate $notbefore -EndDate $notafter
- Assign the certificate to Exchange Online
New-MsolServicePrincipalCredential -AppPrincipalId $exchangeonline -Type Asymmetric -Usage Verify -Value $credentialsValue -StartDate $notbefore -EndDate $notafter
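Once both assignments are done it is worth confirming that what Office 365 now holds for each service principal really is the on-premises OAuth certificate, and keeping an eye on its expiry, since the known issue above (renewing on-prem without re-registering) is exactly what this catches. The check below is an added example and is not part of the original post or of Microsoft's documentation. It assumes an active Connect-MsolService session, the C:\Source\oauth.cer exported earlier, and the two well-known AppPrincipalIds shown above; the property names it reads (Type, Value, KeyId, EndDate) are those returned by Get-MsolServicePrincipalCredential -ReturnKeyValues $true.

```powershell
# Added example (not from the original post): verify the registered OAuth certificate
# against the exported on-prem certificate and flag mismatches or upcoming expiry.
function Test-OAuthCertRegistration {
    param(
        [string]$CerPath  = 'C:\Source\oauth.cer',   # exported on-prem OAuthTokenIssuer cert
        [int]$WarnDays    = 30                        # warn when fewer days than this remain
    )

    # Well-known service principal ids (assumption: same in every tenant, as the post shows)
    $appIds = @{
        'Lync/Skype Online' = '00000004-0000-0ff1-ce00-000000000000'
        'Exchange Online'   = '00000002-0000-0ff1-ce00-000000000000'
    }

    $onPrem  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    $results = @()

    foreach ($name in $appIds.Keys) {
        $creds = @(Get-MsolServicePrincipalCredential -AppPrincipalId $appIds[$name] -ReturnKeyValues $true |
                   Where-Object { $_.Type -eq 'Asymmetric' })

        if ($creds.Count -eq 0) {
            Write-Warning "$name : no Asymmetric credential registered; tokens signed on-prem cannot be verified"
            $results += [pscustomobject]@{ Service = $name; Status = 'Missing'; KeyId = $null; DaysLeft = $null }
            continue
        }

        foreach ($c in $creds) {
            # -ReturnKeyValues hands back the DER certificate as Base64; rebuild it to compare thumbprints
            $bytes      = [Convert]::FromBase64String($c.Value)
            $registered = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
            $daysLeft   = [int]($c.EndDate - (Get-Date)).TotalDays

            if ($registered.Thumbprint -ne $onPrem.Thumbprint) {
                # A stale key from a previous certificate, or a different cert altogether
                $status = if ($daysLeft -lt 0) { 'StaleExpired' } else { 'Mismatch' }
                Write-Warning "$name : KeyId $($c.KeyId) has thumbprint $($registered.Thumbprint); on-prem is $($onPrem.Thumbprint) ($status)"
            } elseif ($daysLeft -le $WarnDays) {
                $status = 'ExpiringSoon'
                Write-Warning "$name : matching certificate expires in $daysLeft days; renew on-prem and repeat the assignment steps"
            } else {
                $status = 'OK'
                Write-Host "$name : registered certificate matches on-prem, $daysLeft days left" -ForegroundColor Green
            }
            $results += [pscustomobject]@{ Service = $name; Status = $status; KeyId = $c.KeyId; DaysLeft = $daysLeft }
        }
    }
    return $results
}

Test-OAuthCertRegistration | Format-Table -AutoSize
```

A StaleExpired row is the KeyId you would hand to Remove-MsolServicePrincipalCredential in the removal section further down; a Mismatch row with a future end date means somebody registered a different certificate than the one the Front End is signing with, which is worth investigating before removing anything.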
- Enable the Exchange Online service principal, and register your on-premises Skype for Business Server 2015 external web services on the Lync/Skype Online service principal
Set-MsolServicePrincipal -AppPrincipalId $exchangeonline -AccountEnabled $true
$LyncOnlineSP = Get-MsolServicePrincipal -AppPrincipalId $lynconline
$ExternalWebServices holds the value from Step 3 (getting the external web services); if you are in a different PowerShell session, set it to that FQDN first. In theory you would just repeat the Add line for each web services FQDN you have, then go to the next step.
$LyncOnlineSP.ServicePrincipalNames.Add("$lynconline/$ExternalWebServices")
Set-MsolServicePrincipal -AppPrincipalId $lynconline -ServicePrincipalNames $LyncOnlineSP.ServicePrincipalNames
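For a deployment with more than one web services FQDN (the untested case mentioned in the Notes), and for the "I changed web front ends" case handled next, the step above is easier to get right as a function that adds or removes only the SPNs that actually differ and then reads the result back. This is an added example, not code from the original post. It assumes an active Connect-MsolService session and the well-known Lync/Skype Online AppPrincipalId from the post; the default for -Fqdn calls Get-CsService, which needs the Skype for Business management shell, so pass -Fqdn explicitly when running elsewhere. The FQDN in the commented-out removal call is a constructed sample.

```powershell
# Added example (not from the original post): keep the on-prem web services SPNs on the
# Lync/Skype Online service principal in sync, adding or removing only what changed.
function Sync-SfbExternalWebSpn {
    param(
        # Default: every external web services FQDN the on-prem topology knows about
        [string[]]$Fqdn = @((Get-CsService -WebServer).ExternalFqdn | Sort-Object -Unique),
        [string]$AppPrincipalId = '00000004-0000-0ff1-ce00-000000000000',
        [switch]$Remove
    )

    $sp    = Get-MsolServicePrincipal -AppPrincipalId $AppPrincipalId
    $names = $sp.ServicePrincipalNames        # the same live list the post's .Add() call uses
    $changed = @()

    foreach ($f in $Fqdn) {
        $spn = "$AppPrincipalId/$f"
        # -eq on strings is case-insensitive, so a differently cased existing entry still counts
        $existing = @($names | Where-Object { $_ -eq $spn })

        if ($Remove -and $existing.Count -gt 0) {
            foreach ($e in $existing) { [void]$names.Remove($e) }
            $changed += $spn
        } elseif (-not $Remove -and $existing.Count -eq 0) {
            $names.Add($spn)
            $changed += $spn
        }
    }

    if ($changed.Count -eq 0) {
        Write-Host "No SPN changes needed for $AppPrincipalId" -ForegroundColor Green
        return @()
    }

    # One write with the complete list: Set-MsolServicePrincipal replaces the whole set
    Set-MsolServicePrincipal -AppPrincipalId $AppPrincipalId -ServicePrincipalNames $names

    # Read back and confirm each change landed
    $after = (Get-MsolServicePrincipal -AppPrincipalId $AppPrincipalId).ServicePrincipalNames
    foreach ($spn in $changed) {
        $state = if ($after -contains $spn) { 'present' } else { 'absent' }
        Write-Host "$spn is now $state" -ForegroundColor Cyan
    }
    return $changed
}

# Register every external web services FQDN found in the on-prem topology
Sync-SfbExternalWebSpn

# When a pool is retired, drop just its FQDN (constructed sample name):
# Sync-SfbExternalWebSpn -Fqdn 'webext-old.example.com' -Remove
```

Because the whole list is written back in one Set-MsolServicePrincipal call, the function never touches the Microsoft-owned entries (the *.infra.lync.com and *.online.lync.com names in the output above); it only adds or removes the AppPrincipalId/FQDN entries you asked for.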
To remove these settings, for example if you change web front ends or need to add additional front ends later
- Just like above, you will need to get the AppPrincipalId for Lync
$lynconline = (Get-MsolServicePrincipal | Where-Object {$_.DisplayName -like "Microsoft.Lync"}).AppPrincipalId
- Make sure you have the right certificate. There should be only one listed with Type Asymmetric
Get-MsolServicePrincipalCredential -AppPrincipalId $lynconline -ReturnKeyValues $true
- Remove the certificate for Lync/Skype
$keyid = (Get-MsolServicePrincipalCredential -AppPrincipalId $lynconline -ReturnKeyValues $true).KeyId
Remove-MsolServicePrincipalCredential -AppPrincipalId $lynconline -KeyId $keyid
- Remove the Exchange key
$keyid = (Get-MsolServicePrincipalCredential -AppPrincipalId $exchangeonline -ReturnKeyValues $true).KeyId
Remove-MsolServicePrincipalCredential -AppPrincipalId $exchangeonline -KeyId $keyid
https://technet.microsoft.com/en-us/library/jj204990.aspx