Microsoft Teams Phone Meeting Policy

Creating a Common Area Phone for Microsoft Teams

Last Updated on June 1, 2021 by GrahamWalsh

I am getting many requests from customers that want to put a Microsoft Teams phone in a public place, so we need to create a common area phone for Microsoft Teams. Microsoft have a license especially for this known as a Common Area Phone and it’s $8 per device per month in my tenant. You can even start a free 30-day trial on this too. Once we have our license, we need to create a user. This can be done in the M365 Admin Portal or via PowerShell and then assign the license. I created this first user via the M365 Portal.

In the example below, I am using the Crestron UC-P10-C certified Microsoft Teams video phone. I am using Crestron XiO Cloud for remote viewing of the screen for screenshots.

Default Policy

However, once I sign into the device with the license and the standard policy, I see the following image.

Default User Sign In on Teams Phone

I want to disable all these to make the phone secure, so I must create a new policy. This is only available via Microsoft Teams PowerShell; it was in the Teams Admin Center for a few hours and then disappeared again. I’m sure it will come back. The standard policy looks like this when I run the command. A list of all the variables is on the Microsoft site here.

Get-CSTeamsIPPhonePolicy

Identity                       : Global
Description                    :
SignInMode                     : UserSignIn
SearchOnCommonAreaPhoneMode    : Enabled
AllowHomeScreen                : EnabledUserOverride
AllowBetterTogether            : Enabled
AllowHotDesking                : True
HotDeskingIdleTimeoutInMinutes : 120

Default Policy

Creating a Common Area Phone Policy

Obviously, this allows for too many issues when a phone is in a communal area such as access to directory, hot desking etc. So, we need a new policy. This must be done via PowerShell, but it is coming to Teams Admin Center at some point.

New-CsTeamsIPPhonePolicy -Identity 'CAP' -Description 'Common Area Phone Policy' -SignInMode CommonAreaPhoneSignIn -SearchOnCommonAreaPhoneMode Disabled -AllowHomeScreen Disabled -AllowBetterTogether Disabled -AllowHotDesking $FALSE

Now our table looks like this when we run Get-CSTeamsIPPhonePolicy

Identity                       : CAP
Description                    : Common Area Phone Policy
SignInMode                     : CommonAreaPhoneSignIn
SearchOnCommonAreaPhoneMode    : Disabled
AllowHomeScreen                : Disabled
AllowBetterTogether            : Disabled
AllowHotDesking                : False
HotDeskingIdleTimeoutInMinutes : 120

New CAP Policy

Once we have set this up, we now need to assign this to my user Interview Room 01. So, we run the command below. The full reference for this command is listed here.

Grant-CsTeamsIPPhonePolicy -Identity '[email protected]' -PolicyName 'CAP'

Common Area Phone Policy on a Device

Once that is done, we’ll sign out of our device and sign back in and let’s see the difference. I don’t have access to People or Voicemail or any Call history or lists. I just have a dial pad. Now if this device does not have a Calling Plan, it can’t dial out!!

Common Area Phone Sign In
Home Screen of Common Area Phone

If I try and make a call outbound, I get this error.

Blocked Calling Outbound
Menu Options when in Common Area Phone Mode
Settings Available to Common Area Phone users

Now the main thing missing here is a mailbox, which would give me single-click join to scheduled meetings. I can accept an incoming call, voice or video, as per below.

Incoming Call – Voice
Point to Point Call from a Microsoft Teams Rooms

When someone has created a meeting, they are able to make a call out to a device. There is not a native auto-answer on the devices just yet. That is available on Microsoft Teams Room on Android devices, so maybe it will come to this app.

Dialling out from a Teams Meeting
Incoming call on Teams Video Phone
Answered call on device. Camera is off by default
Camera enabled on Microsoft Teams Video Phone

However, one issue I can still see is the Directory Contacts. If I go to the People contact, I have access to add people/search the directory. This might be ok for some organisations, but not for others. I will follow up with a blog post if I find a solution.

Meeting Participants
Browsing the directory during a call

How do we get a calendar on the device?

The official method is to apply a Meeting Room license or equivalent. You could potentially use a Microsoft 365 Business Basic as that includes Exchange and Teams licensing. However, I’m not here to get into a licensing discussion 🙂

In the above example, we just created a standard user with the identity of Interview Room 01. We will need to create a resource mailbox and user enable that. This is the same process as setting up a Microsoft Teams Room, so I’ll set up another account and call this Interview Room 02. We will also need another IP Phone Policy as we need the SignInMode to be MeetingSignIn (so we can get the calendar on the home page). This is the PowerShell script to create the new Policy.

New-CsTeamsIPPhonePolicy -Identity "CAP-Calendar" -Description "Common Area Phone with Calendar Policy" -SignInMode MeetingSignIn -SearchOnCommonAreaPhoneMode Disabled -AllowHomeScreen Disabled -AllowBetterTogether Disabled -AllowHotDesking $false

To create the new resource mailbox for this, we can of course either do this in the M365 portal in Exchange or we can do it all via PowerShell. Here are the settings for PowerShell. First, I query what licenses I have available and I’m looking for my Common Area Phone one so I can add that to my variables. My Common Area Phone is gwalsh:MCOCAP

Get-MsolAccountSKU
Microsoft 365 Licenses Available

Now we are going to set some variables that will be used for the rest of the setup

### Meeting Room Variables
$newRoom="[email protected]"
$name="Interview Room 02"
# Single quotes so PowerShell does not expand $$ inside the string
$pwd='YourS3curePa$$word'
$license="gwalsh:MCOCAP"
$location="GB"

Once you have run your variables, we can now use them in the creation of the meeting room mailbox with the script below. I explain each step and what it is for. Some are useful for testing/lab setups and maybe not so when in production.

### Creating a new Account
New-Mailbox -MicrosoftOnlineServicesID $newRoom -Name $name -Room -RoomMailboxPassword (ConvertTo-SecureString -String $pwd -AsPlainText -Force) -EnableRoomMailboxAccount $true
### Wait one minute before configuring the new account
Start-Sleep -Seconds 60
Set-MsolUser -UserPrincipalName $newRoom -PasswordNeverExpires $true -UsageLocation $location
### Assigning a license to the room account
Set-MsolUserLicense -UserPrincipalName $newRoom -AddLicenses $license
### Setting a MailTip for the Room
Set-Mailbox -Identity $newRoom -MailTip "This room is public facing."
### Configures the account to process requests
Set-CalendarProcessing -Identity $newRoom -AutomateProcessing AutoAccept -AddOrganizerToSubject $false -RemovePrivateProperty $false -DeleteComments $false -DeleteSubject $false -AddAdditionalResponse $true -AdditionalResponse "This meeting has been scheduled in a public meeting room." 
#### Optional Configuration
### Getting Room Mailboxes ###
Get-Mailbox -RecipientTypeDetails RoomMailbox
### Finding and setting allowed external meeting invites from outside the domain.  Again, useful in a lab environment, not on a communal area device.
Get-Mailbox "*Interview*" | Get-CalendarProcessing | Select *external*
Get-Mailbox "*Interview*" | Set-CalendarProcessing -ProcessExternalMeetingMessages $true
### Allowing duplicate meeting invites - ideal for labs for testing
Set-CalendarProcessing -Identity "$newroom" -AllowConflicts $true
### Checking Room Settings
Get-Mailbox -Identity "$newroom" | fl
Get-CalendarProcessing -Identity "$newroom" | fl

Meeting Sign In Policy on a Microsoft Teams Phone

Once that is done, we can now log into the phone. You can of course do this remotely now too, which is great and super simple. However, do you notice the issue below? We have not assigned the IP Phone Policy to this account, so we can see the homepage, People and Voicemail, and we can sign out of the device. So we run the PowerShell code below to apply the policy.

Interview Room 02 Signed In
Grant-CsTeamsIPPhonePolicy -Identity "[email protected]" -PolicyName "CAP-Calendar"

If you want peace of mind, you can check your policies and what devices have been assigned a policy with the commands below.

Get-CSTeamsIPPhonePolicy
Get-CSOnlineUser | ft UserPrincipalName, TeamsIPPhonePolicy
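
The check above, taken one step further as an added example (not part of the original post): it resolves each account's effective IP phone policy and flags any setting that is more permissive than the CAP and CAP-Calendar policies created earlier, which catches the account that signed in before its policy was granted. The function name, the example.test accounts and the sample objects are constructed, and the shape of the live cmdlet output noted in the last comment is an assumption.

```powershell
# Constructed sample data, shaped like Get-CsTeamsIPPhonePolicy output and
# Get-CsOnlineUser | Select-Object UserPrincipalName, TeamsIPPhonePolicy
$policies = @(
    [pscustomobject]@{ Identity = 'Global'; SignInMode = 'UserSignIn'; SearchOnCommonAreaPhoneMode = 'Enabled'
                       AllowHomeScreen = 'EnabledUserOverride'; AllowBetterTogether = 'Enabled'; AllowHotDesking = $true }
    [pscustomobject]@{ Identity = 'Tag:CAP'; SignInMode = 'CommonAreaPhoneSignIn'; SearchOnCommonAreaPhoneMode = 'Disabled'
                       AllowHomeScreen = 'Disabled'; AllowBetterTogether = 'Disabled'; AllowHotDesking = $false }
)
$accounts = @(
    [pscustomobject]@{ UserPrincipalName = 'interview01@example.test'; TeamsIPPhonePolicy = 'CAP' }
    [pscustomobject]@{ UserPrincipalName = 'interview02@example.test'; TeamsIPPhonePolicy = $null }  # policy never granted
)

function Get-PhonePolicyFinding {   # hypothetical helper name
    param([object[]]$Policies, [object[]]$Accounts)

    # Values used by the hardened policies in this article
    $expected = [ordered]@{
        SearchOnCommonAreaPhoneMode = 'Disabled'
        AllowHomeScreen             = 'Disabled'
        AllowBetterTogether         = 'Disabled'
        AllowHotDesking             = $false
    }
    $allowedSignIn = 'CommonAreaPhoneSignIn', 'MeetingSignIn'

    # Index policies by name; custom policies may be reported as "Tag:<name>"
    $byName = @{}
    foreach ($p in $Policies) { $byName[($p.Identity -replace '^Tag:', '')] = $p }

    foreach ($a in $Accounts) {
        # An account with no explicit grant falls back to the Global policy
        $name   = if ($a.TeamsIPPhonePolicy) { "$($a.TeamsIPPhonePolicy)" } else { 'Global' }
        $policy = $byName[$name]
        $issues = @()
        if (-not $policy) {
            $issues += "policy '$name' not found"
        } else {
            if ($policy.SignInMode -notin $allowedSignIn) { $issues += "SignInMode=$($policy.SignInMode)" }
            foreach ($k in $expected.Keys) {
                if ($policy.$k -ne $expected[$k]) { $issues += "$k=$($policy.$k)" }
            }
        }
        [pscustomobject]@{ Account = $a.UserPrincipalName; EffectivePolicy = $name
                           Compliant = ($issues.Count -eq 0); Issues = ($issues -join '; ') }
    }
}

Get-PhonePolicyFinding -Policies $policies -Accounts $accounts | Format-Table -AutoSize
# Live tenant (assumption: TeamsIPPhonePolicy renders as the policy name):
#   -Policies (Get-CsTeamsIPPhonePolicy) -Accounts (Get-CsOnlineUser | Select-Object UserPrincipalName, TeamsIPPhonePolicy)
```

With the sample data, interview01 is reported compliant and interview02 is flagged with every Global setting that differs from the hardened policy.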

Once that is done, we can sign out and then remotely sign in again using https://www.microsoft.com/devicelogin. I usually open this in a private browser, so there will not be any issues.

Remote sign in details

Then when you sign into the device now, you will see it looks a little different. It will now show the calendar as the default page and even in the settings on the left hand side, you cannot sign out etc.

Meeting Sign In Policy

Now let’s send the device a few different invites: a normal meeting and a private meeting. Below I am using Outlook on the Web to schedule, and you can see right at the top that the Tool Tip has appeared, informing you that the identity you’re inviting is a public device. You could also use Room Finder and set that up so people can find rooms in different buildings/locations more easily. I have a post on that here.

Outlook on the Web – Schedule a Meeting

I have now sent the phone two different meeting invites, a standard one and another one marked as Private in Outlook. The Teams phone adheres to that setting. Now we have a single click to join any meeting in a public space.

Home Screen with Meetings

The other feature I have noticed in this mode is that when I press … More, I can see People. Now I am unable to search the directory which is good. What I could add here is a Favourite contact, which could be a helpdesk number possibly.

People screen when in MeetingSignIn Mode

Final Observations

It’s great that we have many options on how to configure the Teams Phones. However, there are some things I’d like to configure/see to make the device more secure when it is deployed in public spaces. These are:

  • Hide Meet Now when in MeetingSignIn mode
  • Hide the People button and the ability to add people to an on-going meeting in MeetingSignIn and CommonAreaPhoneSignIn modes.
  • Start video automatically on calls
  • Start the call unmuted
  • Auto Answer the device on incoming calls

Some of these might be able to be restricted via other policies within Microsoft 365. I shall investigate this and write another article when I do find out.

Feel free to add any comments below.


Also published on Medium.