Last Updated on June 1, 2021 by GrahamWalsh
I am getting many requests from customers that want to put a Microsoft Teams phone in a public place, so we need to create a common area phone for Microsoft Teams. Microsoft have a license especially for this known as a Common Area Phone and it’s $8 per device per month in my tenant. You can even start a free 30-day trial on this too. Once we have our license, we need to create a user. This can be done in the M365 Admin Portal or via PowerShell and then assign the license. I created this first user via the M365 Portal.
In the example below, I am using the Crestron UC-P10-C certified Microsoft Teams video phone. I am using Crestron XiO Cloud for remote viewing of the screen for screenshots.
However, once I sign into the device with the license and the started policy, I see the follow image.
I want to disable all these to make the phone secure, so I must create a new policy. This is only available via Microsoft Teams PowerShell, it was in the Teams Admin Center for a few hours and then disappeared again. I’m sure it will come back. The standard policy looks like this when I run the command. To see a list of all the variables, these are listed on the Microsoft site here.
Creating a Common Area Phone Policy
Obviously, this allows for too many issues when a phone is in a communal area such as access to directory, hot desking etc. So, we need a new policy. This must be done via PowerShell, but it is coming to Teams Admin Center at some point.
New-CsTeamsIPPhonePolicy -Identity 'CAP '-Description 'Common Area Phone Policy' -SignInMode CommonAreaPhoneSignIn -SearchOnCommonAreaPhoneMode Disabled -AllowHomeScreen Disabled -AllowBetterTogether Disabled -AllowHotDesking $FALSE
Now our table looks like this when we run Get-CSTeamsIPPhonePolicy
|Description||Common Area Phone Policy|
Once we have set this up, we now need assign this to my user Interview Room 01. So, we run this command below. For full reference on this command, they are listed here.
Grant-CsTeamsIPPhonePolicy -Identity 'InterviewRoom01@graham-walsh.com' -PolicyName 'CAP'
Common Area Phone Policy on a Device
Once that is done, we’ll sign out of our device and sign back in and let’s see the difference. I don’t have access to People or Voicemail or any Call history or lists. I just have a dial pad. Now if this device does not have a Calling Plan, it can’t dial out!!
If I try and make a call outbound, I get this error.
Now the main thing missing here is a mailbox, so I have single click join to scheduled meetings. I can accept an incoming call, voice or video as per below.
When someone has created a meeting, they are able to make a call out to a device. There is not a native auto-answer on the devices just yet. That is available on Microsoft Teams Room on Android devices, so maybe it will come this this app.
However, one issue is that I can still see is that the Directory Contacts. If I go to the People contact, I have access to add people/search the directory. This might be ok for some organisations, but not for others. I will follow up with a blog post if I find a solution.
How do we get a calendar on the device?
The official method is to apply a Meeting Room license or equivalent. You could potentially use a Microsoft 365 Business Basic as that includes Exchange and Teams licensing. However, I’m not here to get into a licensing discussion 🙂
In the above example, we just created a standard user with the identity of Interview Room 01. We will need to create a resource mailbox and user enable that. This is the same process for setting up a Microsoft Teams Room, so I’ll setup another account and call this Interview Room 02. We will also need another IP Phone Policy as we need the SignInMode to be MeetingSignIn (so we can get the calendar on the home page). This is the PowerShell script to create the new Policy.
New-CsTeamsIPPhonePolicy -Identity “CAP-Calendar” -Description “Common Area Phone with Calendar Policy” -SignInMode MeetingSignIn -SearchOnCommonAreaPhoneMode Disabled -AllowHomeScreen Disabled -AllowBetterTogether Disabled -AllowHotDesking $false
To create the new resource mailbox for this, we can of course either do some in the M365 portal in Exchange or we can do it all via PowerShell. Here are the settings for PowerShell. First, I query what licenses I have available and I’m looking for my Common Area Phone one so I can add that to my variables. My Common Area Phone is gwalsh:MCOCAP
Now we are going to set some variables that will be used for the rest of the setup
### Meeting Room Variables $newRoom="email@example.com" $name="Interview Room 02" $pwd="YourS3curePa$$word" $license="gwalsh:MCOCAP" $location="GB"
Once you have run your variables, we can now use them in the creation of the meeting room mailbox with the script below. I explain each step and what it is for. Some are useful for testing/lab setups and maybe not so when in production.
### Creating a new Account New-Mailbox -MicrosoftOnlineServicesID $newRoom -Name $name -Room -RoomMailboxPassword (ConvertTo-SecureString -String $pwd -AsPlainText -Force) -EnableRoomMailboxAccount $true ### Wait one minute before configuring the new account Set-MsolUser -UserPrincipalName $newRoom -PasswordNeverExpires $true -UsageLocation $location ### Assigning a license to the room account Set-MsolUserLicense -UserPrincipalName $newRoom -AddLicenses $license ### Setting a MailTip for the Room Set-Mailbox -Identity $newRoom -MailTip "This room is public facing." ### Configs the account to process requests Set-CalendarProcessing -Identity $newRoom -AutomateProcessing AutoAccept -AddOrganizerToSubject $false -RemovePrivateProperty $false -DeleteComments $false -DeleteSubject $false -AddAdditionalResponse $true -AdditionalResponse "This meeting has been scheduled in a public meeting room." #### Option Configuration ### Getting Room Mailboxes ### Get-Mailbox -RecipientTypeDetails RoomMailbox ### Finding and setting allowed external meeting invites from outside the domain. Again, useful in a lab environment, not on a communal area device. Get-Mailbox "*Interview*" | Get-CalendarProcessing | Select *external* Get-Mailbox "*Interview*" | Set-CalendarProcessing -ProcessExternalMeetingMessages $true ### Allowing duplicate meeting invites - ideal for labs for testing Set-CalendarProcessing -Identity "$newroom" -AllowConflicts $true ### Checking Room Settings Get-Mailbox -Identity "$newroom" | fl Get-CalendarProcessing -Identity "$newroom" | fl
Meeting Sign In Policy on a Microsoft Teams Phone
Once that is done, we can now log into the phone. You can of course do this remotely now too which is great and super simple. However, do you notice the issue below? Well, we have not assigned the IP Phone Policy to this account as we can see the homepage, people, voicemail, we can sign out of the device etc, so we run the PowerShell code below to apply the policy.
Grant-CsTeamsIPPhonePolicy -Identity “firstname.lastname@example.org” -PolicyName “CAP-Calendar”
If you want peace of mind, you can check your policies and what devices have been assigned a policy with the commands below.
Get-CSTeamsIPPhonePolicy Get-CSOnlineUser | ft UserPrincipalName, TeamsIPPhonePolicy
Once that is done, we can sign out and then remotely sign in again using https://www.microsoft.com/devicelogin. I usually open this in a private browser, so there will not be any issues.
Then when you sign into the device now, you will see it a little different. It will now show the calendar as the default page and even in the settings on the left hand side, you cannot sign out etc.
Now let’s send the device a few different invites, a normal meeting, a private meeting. Below I am using Outlook on the Web to schedule, and you can see right at the top, the Tool Tip has appeared, informing that this is identity you’re inviting is a public device. You could also use Room Finder and set that up so people can find rooms in different buildings/locations easier. I have a post on that here.
I have now sent the phone two different meeting invites, a standard one and another one marked as Private in Outlook. The Teams phone adheres to that setting. Now we have a single click to join any meeting in a public space.
The other feature I have noticed in this mode is that when I press … More, I can see People. Now I am unable to search the directory which is good. What I could add here is a Favourite contact, which could be a helpdesk number possibly.
It’s great that we have many options on how to configure the Teams Phones. However, there are some things I’d like to configure/see to make the device more secure when it is deployed in public spaces. These are:
- Hide Meet Now when in MeetingSignIn mode
- Hide the People button and the ability to add people to an on-going meeting in MeetingSignIn and CommonAreaSignIn modes.
- Start video automatically on calls
- Start the call unmuted
- Auto Answer the device on incoming calls
Some of these might be able to be restricted via other policies within Microsoft 365. I shall investigate this and write another article when I do find out.
Feel free to add any comments below.
Also published on Medium.