Migration from onPremise to Office 365 – Step by Step – Part 5 – Skype for Business onPrem to Skype for Business Online and Teams
In Part 5 we will migrate our Skype for Business onPrem user to Skype for Business Online and Teams. This Blog Post Series consists of 6 parts. So if you missed one, check them out as follows.
This post is split into multiple parts
Part 1 … will cover the prerequisites like synchronize your onPrem users to Office 365 with Azure AD Connect.
Part 2 … will cover migration from Exchange onPrem to Exchange Online and here especially Exchange Hybrid classic full.
Part 3 … will cover moving user mailboxes from onPrem to Exchange Online.
Part 4 … will cover troubleshooting Exchange Hybrid
Part 5 … will cover migration from Skype for Business onPrem users to Skype for Business Online and Teams.
Part 6 … will cover Skype for Business Hybrid Connectivity and Teams Direct Routing
Part 7 … will cover troubleshooting Skype for Business Hybrid
- Migration from Skype for Business onPrem to Office 365 Skype for Business Online and Teams
- Configure Skype for Business hybrid using the wizard from the Control Panel
- Configure Skype for Business hybrid using PowerShell
- DNS settings for hybrid deployments
- Upgrade users from Skype for Business Online to Teams-only users
- Migration from scheduled on-premises Skype for Business Meetings to Teams
- Links
Migration from Skype for Business onPrem to Office 365 Skype for Business Online and Teams
We should first update our onPrem Skype for Business environment with the latest cumulative update.
After that, before jumping into the migration, I suggest reading the following documentation from Microsoft.
Plan hybrid connectivity between Skype for Business Server and Microsoft 365 or Office 365
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/plan-hybrid-connectivity?toc=/SkypeForBusiness/toc.json&bc=/SkypeForBusiness/breadcrumb/toc.json
When creating DNS records for hybrid deployments, all Skype for Business external DNS records should point to the on-premises infrastructure. For details on required DNS records, please refer to DNS requirements for Skype for Business Server.
Also keep in mind
Skype for Business Online will be retired on July 31, 2021 after which the service will no longer be accessible. In addition, PSTN connectivity between your on-premises environment whether through Skype for Business Server or Cloud Connector Edition and Skype for Business Online will no longer be supported. Learn how to connect your on-premises telephony network to Teams using Direct Routing.
About Shared SIP Address Space functionality
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/plan-hybrid-connectivity?toc=/SkypeForBusiness/toc.json&bc=/SkypeForBusiness/breadcrumb/toc.json#about-shared-sip-address-space-functionality
With hybrid connectivity set up between an on-premises deployment of Skype for Business Server and Teams or Skype for Business Online, you can have some users homed on-premises and some users homed online.
This type of configuration relies on shared SIP address space functionality, and is sometimes referred to as split domain, meaning users of a domain, such as contoso.com, are split between using Skype for Business Server on premises and Teams or Skype for Business Online, as shown in the following diagram:
When shared SIP address space is configured:
- Azure Active Directory Connect is used to synchronize your on-premises directory with Microsoft 365 or Office 365.
- Users who are homed on premises interact with on-premises Skype for Business servers.
- Users who are homed online may interact with Skype for Business Online or Teams services.
- Users from both environments can communicate with each other.
- The on-premises Active Directory is authoritative. All users should be created in the on-premises Active Directory first, and then synchronized to Azure AD. Even if you intend for the user to be homed online, you must first create the user in the on-premises environment, and then move the user to online to ensure the user is discoverable by on-premises users.
Before a user can be moved online, the user must be assigned a Skype for Business Online (Plan 2) license. If the user will be using Teams, the user must also be assigned a Teams license (and the Skype for Business license must remain enabled). If your users want to take advantage of additional online features, such as Audio Conferencing or Phone System, you need to assign them the appropriate license in Microsoft 365 or Office 365.
Configure Skype for Business hybrid using the wizard from the Control Panel
Let’s start with the hybrid configuration. To configure Skype for Business hybrid you can use the Hybrid setup wizard from the Skype for Business Server Control Panel or PowerShell with the Skype for Business Server Management Shell.
Before you configure Skype for Business Hybrid, check that the following prerequisites are fulfilled.
Sign in to Office 365 with your tenant administrator.
The Hybrid Setup wizard tells me that Federation with Office 365 and Shared SIP address space is not configured.
It also kindly tells us that if we select Next, it will configure our Skype for Business Server and Office 365 tenant with these required settings, so click on Next.
And finish, from now on you will be able to move users to Skype for Business Online or Teams.
Configure Skype for Business hybrid using PowerShell
You can also configure the Hybrid configuration and Federation with Office 365 from your on-premises Skype for Business Server Management Shell instead of using the Hybrid Setup wizard. You only need to run the following 4 cmdlets.
Configure Skype for Business hybrid
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/configure-federation-with-skype-for-business-online#configure-your-on-premises-environment-to-enable-shared-sip-address-space-with-microsoft-365-or-office-365
Configure your on-premises Edge service to federate with Microsoft 365 or Office 365
Set-CSAccessEdgeConfiguration -AllowOutsideUsers $True -AllowFederatedUsers $True -EnablePartnerDiscovery $True -UseDnsSrvRouting
Configure your on-premises environment to enable shared SIP address space with Microsoft 365 or Office 365
Get-CsHostingProvider | ?{ $_.ProxyFqdn -eq "sipfed.online.lync.com" } | Remove-CsHostingProvider
New-CsHostingProvider -Identity Office365 -ProxyFqdn "sipfed.online.lync.com" -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root
Enable shared SIP address space in your organization
You’ll need to make the corresponding change in your Microsoft 365 or Office 365 organization. This setting can take several minutes to kick in in Office 365.
Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true
Note!
The SharedSipAddressSpace attribute needs to remain “True” until moving to online is final, and no users remain on-premises.
DNS settings for hybrid deployments
When creating DNS records for hybrid deployments, all Skype for Business external DNS records should point to the on-premises infrastructure. For details on required DNS records, please refer to DNS requirements for Skype for Business Server.
Additionally, you need to ensure that the DNS resolution described in the following table works in your on-premises deployment. (If you already configured federation for on-premises, then you most likely already have these.)
Source: https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/plan-hybrid-connectivity?toc=/SkypeForBusiness/toc.json&bc=/SkypeForBusiness/breadcrumb/toc.json&redirectedfrom=MSDN#dns-settings-for-hybrid-deployments
Depending on how DNS is configured in your organization, you may need to add these records to the internal hosted DNS zone for the corresponding SIP domain(s) to provide internal DNS resolution to these records.
See also the following post about troubleshooting Skype for Business Hybrid and the part with Skype for Business Hybrid configuration will break Open Federation. Here the reason was related to exactly this missing DNS SRV Record which was not resolvable by the Edge Server in the perimeter network.
Move users between on-premises and cloud
Now we can start to move/migrate users to Office 365 resp. Skype for Business Online or directly to Teams, as Skype for Business Online will be retired on July 31, 2021 after which the service will no longer be accessible.
Move users between on-premises and cloud
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-between-on-premises-and-cloud
Teams users inherently have a Skype for Business home, whether they use Skype for Business or not.
If you have on-premises Skype for Business users that are also using Teams (side by side), those users are homed on premises. Teams users with Skype for Business on premises do not have the ability to interoperate with Skype for Business users from their Teams client, nor can they communicate from Teams with users in a federated organization. Such functionality is only available after the user is moved from Skype for Business on premises to online. When you move a user to online, you can either allow them to use Skype for Business Online (and, optionally, Teams) or you can make them Teams Only. If your organization is already using Teams, it’s strongly recommended that you move them to Teams Only mode, which will ensure that routing of all incoming chats and calls lands in their Teams client.
For more details, see Teams coexistence with Skype for Business and Migration and interoperability guidance for organizations using Teams together with Skype for Business.
Prerequisites to move the user to Office 365
The user must be assigned a license for Skype for Business Online (Plan 2), and if they will be using Teams, they must also have a Teams license.
If the user is enabled for dial-in conferencing on premises, by default the user must also have an Audio Conferencing license assigned in Microsoft 365 or Office 365 before you move the user online. Once migrated to the cloud, the user will be provisioned for audio conferencing in the cloud. If for some reason you want to move a user to the cloud, but not use audio conferencing functionality, you can override this check by specifying the BypassAudioConferencingCheck parameter in Move-CsUser.
If the user is enabled for Enterprise Voice on premises, by default the user must have a Phone System license assigned in Microsoft 365 or Office 365 before you move the user online. Once migrated to the cloud, the user will be provisioned for Phone System in the cloud. If for some reason you want to move a user to the cloud but not use Phone System functionality, you can override this check by specifying the BypassEnterpriseVoiceCheck parameter in Move-CsUser.
As you can see, you can move users either to Teams or Skype for Business Online. Further you have the choice to move the users as follows with the Skype for Business Admin Control Panel or with the Move-CsUser cmdlet from the Skype for Business Server Management Shell onPrem.
Move users with Skype for Business Admin Control Panel
So I will move my first user John Doe from onPrem to Skype for Business Online with the Skype for Business Admin Control Panel.
Finally you can see, that the user John Doe is now homed in Office 365 resp. Skype for Business Online.
Further you will see the moved user in the Skype for Business Online admin center. This is the same behaviour as with Exchange, with the onPrem admin centers of Exchange and Skype for Business, you will see all users homed onPrem and Online in contrast to the online admin centers where you can only see the users homed in Office 365.
In contrast to Skype for Business Online admin center, the Microsoft Teams admin center will show all users homed onPrem or Office 365.
From now on you can only manage the SIP address and Line URI inside the onPrem Skype for Business admin center for users homed in Office 365.
What is changed after moving the user from on-premise to the cloud?
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-between-on-premises-and-cloud#moving-users
The user starts using Skype for Business Online services in the cloud for any Skype for Business functionality.
Teams users become enabled for interoperability with Skype for Business users, and they can also federate with other organizations.
Contacts from on premises are moved to the cloud (either Skype for Business or Teams).
Existing meetings they organized that are scheduled in the future are migrated to online: If users are moved directly to TeamsOnly (see below), meetings are converted to Teams meetings, otherwise meetings remain Skype for Business but will be migrated so they are hosted online instead of on-premises. Migration of meetings happens asynchronously and begins approximately 90 minutes after moving the user. To determine status of meeting migration, you can use Get-csMeetingMigrationStatus. Note that any content that was uploaded in advance of the meeting is not moved.
Move users with Move-CsUser
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-from-on-premises-to-skype-for-business-online#move-users-with-move-csuser
Move-CsUser is available from an on-premises Skype for Business Management Shell PowerShell window. You must have sufficient privileges in both the on-premises environment as well as in the Microsoft 365/Office 365 organization as described in Required administrative credentials. You can either use a single account that has privileges in both environments, or you can start an on-premises Skype for Business Server Management Shell window with on-premises credentials, and use the -Credential parameter to specify credentials for a Microsoft 365 or Office 365 account with the necessary administrative role.
The following cmdlet sequence can be used to move a user to Skype for Business Online. It assumes the Microsoft 365 or Office 365 credential is a separate account and supplied as input for the Get-Credential prompt.
$cred=Get-Credential
$url="https://admin1a.online.lync.com/HostedMigration/hostedmigrationService.svc"
Move-CsUser -Identity username@contoso.com -Target sipfed.online.lync.com -Credential $cred -HostedMigrationOverrideUrl $url
So in my case the first try to move a user with the Move-CsUser cmdlet ends as follows 🙁 .
Error Message
Move-CsUser : HostedMigration fault: Error=(201), Description=(Cannot find user in Active Directory with the following SIP URI: “sip:John.Nokes@braintesting.net”)
This error normally occurs if the msRTCSIP-PrimaryUserAddress Active Directory attribute was not synchronized to your Azure AD, where it is shown as the SipProxyAddress parameter as below. So if this was the issue, you can force the synchronization with the following two PowerShell cmdlets from your Azure AD Connect server:
To trigger a delta sync run
Start-ADSyncSyncCycle -PolicyType Delta
or to trigger a full (initial) sync run
Start-ADSyncSyncCycle -PolicyType Initial
You can also check with the Synchronization Service Manager from AD Connect if this attribute will be synchronized with Office 365.
Synchronization Service Manager -> Connectors -> your Active Directory Domain Services Connector.
But in my case the user's Active Directory attributes were still correctly synced with my Azure AD, as you can see below.
To check that all attributes synced correctly, run the following cmdlets:
$credential = Get-Credential
Connect-AzureAD -Credential $credential
Get-AzureADUser -ObjectId <UserPrincipalName> | fl
Get-AzureADUser -ObjectId jnokes@braintesting.de | fl ObjectID, ObjectType,AccountEnabled,DirSyncEnabled, DisplayName,LastDirSyncTime, Mail, SipProxyAddress, UserPrincipalName
In my case I used the wrong Hosted Migration Service URL which was documented as follows
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-from-on-premises-to-skype-for-business-online#move-users-with-move-csuser
$cred=Get-Credential
$url="https://admin1a.online.lync.com/HostedMigration/hostedmigrationService.svc"
Move-CsUser -Identity username@contoso.com -Target sipfed.online.lync.com -Credential $cred -HostedMigrationOverrideUrl $url
Under https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-between-on-premises-and-cloud you will find the following important note and the reason why I ran into this error.
The value of the hosted migration override URL is a variant of the following URL:
https://adminXX.online.lync.com/HostedMigration/hostedmigrationService.svc
In the above URL, replace the XX with either two or three characters, determined as follows:
Connect to a Skype for Business Online PowerShell session, run the following cmdlet:
$credential = Get-Credential
$sfboSession = New-CsOnlineSession -Credential $credential
Import-PSSession $sfboSession
Skype for Business Online Connector connections will be rejected starting May 17, 2021. Please contact Microsoft Support for help and support for migrating to Teams PowerShell Module.
If you’re using the latest Teams PowerShell public preview release, you don’t need to install the Skype for Business Online Connector!
Import-Module MicrosoftTeams
$credential = Get-Credential
Connect-MicrosoftTeams -Credential $credential
Get-CsTenant | fl identity
The resulting value will be in the following format:
OU=,OU=OCS Tenants,DC=lyncXX001,DC=local
The two- or three-digit code is the XX contained in the section, DC=lyncXX001. If it’s a two-character code, it will be a digit followed by a letter (such as 0a). If it’s a three-character code, it will be two letters followed by a digit (such as jp1). In all cases, you’ll see 001 immediately after the XX code.
So finally I changed the hosted migration override URL to my tenant specific URL and it works.
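As an added example (not from the original post or from Microsoft's documentation), the following PowerShell function derives the override URL from the identity string that Get-CsTenant returns and rejects any code that does not have one of the two documented shapes, so the credential given to Move-CsUser is only ever pointed at a host under online.lync.com. The function name Get-HostedMigrationOverrideUrl and the sample identities with placeholder GUIDs are assumptions constructed for illustration.

```powershell
# Added example: derive the tenant-specific hosted migration override URL
# from the Identity value shown by "Get-CsTenant | fl identity".
# Get-HostedMigrationOverrideUrl is a hypothetical helper, not a Microsoft cmdlet.
function Get-HostedMigrationOverrideUrl {
    [CmdletBinding()]
    [OutputType([string])]
    param(
        # Distinguished name in the form OU=...,OU=OCS Tenants,DC=lyncXX001,DC=local
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$TenantIdentity
    )
    process {
        # Find the DC=lyncXX001 component; XX is captured without the trailing 001.
        $dcPattern = '(?:^|,)\s*DC=lync(?<code>[0-9a-z]{2,3})001\s*(?:,|$)'
        if ($TenantIdentity -notmatch $dcPattern) {
            throw "No DC=lyncXX001 component found in '$TenantIdentity'."
        }
        $code = $Matches['code'].ToLowerInvariant()

        # Accept only the two shapes the documentation describes:
        # a digit plus a letter (0a) or two letters plus a digit (jp1).
        if ($code -notmatch '^(?:[0-9][a-z]|[a-z]{2}[0-9])$') {
            throw "Unexpected code '$code' in '$TenantIdentity'."
        }

        # The host is always built from the fixed template, never taken from input.
        "https://admin$code.online.lync.com/HostedMigration/hostedmigrationService.svc"
    }
}

# Constructed sample identities (placeholder GUIDs, not real tenants).
$samples = @(
    'OU=00000000-0000-0000-0000-000000000000,OU=OCS Tenants,DC=lync0a001,DC=local',
    'OU=11111111-1111-1111-1111-111111111111,OU=OCS Tenants,DC=lyncjp1001,DC=local',
    'OU=22222222-2222-2222-2222-222222222222,OU=OCS Tenants,DC=example,DC=local'
)

foreach ($dn in $samples) {
    try {
        $dn | Get-HostedMigrationOverrideUrl
    }
    catch {
        # The third sample has no lyncXX001 component and ends up here.
        Write-Warning $_.Exception.Message
    }
}

# In a connected session the result can feed Move-CsUser directly
# (assumes Get-CsTenant returns a single tenant object):
# $url = [string](Get-CsTenant).Identity | Get-HostedMigrationOverrideUrl
```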
Move users with Move-CsUser directly to Teams
Moving users from onPrem directly to Teams with the Skype for Business Admin Control Panel is self-explanatory: you can select this option directly in the action menu of the specific user, as previously when moving to Skype for Business Online.
Moving the user with the Move-CsUser cmdlet directly to Teams is also not much different from moving to Skype for Business online.
The only difference is that you specify the MoveToTeams switch.
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-from-on-premises-to-teams#move-to-teams-using-move-csuser
$cred=Get-Credential
$url="https://admin1a.online.lync.com/HostedMigration/hostedmigrationService.svc"
Move-CsUser -Identity username@contoso.com -Target sipfed.online.lync.com -MoveToTeams -Credential $cred -HostedMigrationOverrideUrl $url
But this time we won’t run into the same issue with the wrong hosted migration override URL as previously 🙂 .
So first determine, if not already done, your tenant-specific hosted migration override URL with the Get-CsTenant | fl identity cmdlet as described above for moving the user to Skype for Business Online.
To test it with the same user John Nokes as above, I moved him back to on-premise.
Damn! 🙂 The user has an Office 365 E5 without an Audio Conferencing licence assigned and is enabled for dial-in conferencing on-premises.
So I am only wondering why I didn’t get this error above when moving the same user to Skype for Business Online with the Move-CsUser cmdlet.
Regarding the prerequisites (whether to Skype for Business Only or Teams Only mode)
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-between-on-premises-and-cloud#prerequisites
you will need an Audio Conferencing licence for both Teams and Skype for Business Online.
So another try after purchasing the Audio Conferencing licence for my test users.
Now it works, looks like everywhere the same procedure, take out credit card and it runs 🙂 .
Even though you don’t get an error message when moving users enabled for dial-in conferencing to Skype for Business Online without an Audio Conferencing licence for these users, they are still not able to join audio conferences, and you will see in the Microsoft Teams admin center that Audio Conferencing is off.
Here you can see that after purchasing the Audio Conference Licence it is set to On for the moved users. Above after moving the first time you will see a screenshot, where the same moved online users are off before purchasing the licences.
Also in the Skype for Business online admin center you can see, that the user is enabled for Audio Conferencing.
Moving users back to on-premises
Moving the users back to on-premise is as easy as moving them into the cloud.
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-from-the-cloud-to-on-premises
With the Skype for Business Server Control Panel you only need to click on the Action menu for the specific user and select Move selected users to on-premises … as follows.
With the Move-CsUser cmdlet it is not really much catchier.
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-from-the-cloud-to-on-premises#move-users-with-move-csuser
$cred=Get-Credential
$url="https://admin1a.online.lync.com/HostedMigration/hostedmigrationService.svc"
Move-CsUser -Identity username@contoso.com -Target pool.corp.contoso.com -Credential $cred -HostedMigrationOverrideUrl $url
Still remember that the famous hosted migration override URL is tenant specific 🙂
Specify the -Target parameter with the fully qualified domain name of the desired on-premises pool that will host the user.
Finally back at home on-premises and much cheaper than in the cloud 🙂
Upgrade users from Skype for Business Online to Teams-only users
First we want to determine the actual state of the user we want to upgrade to Teams-only as follows:
Get-CsOnlineUser -Identity jdoe@braintesting.de | fl InterpretedUserType
After the upgrade the InterpretedUserType should be HybridOnlineTeamsOnlyUser.
The upgrade is done as follows:
Grant-CsTeamsUpgradePolicy -PolicyName UpgradeToTeams -Identity jdoe@braintesting.de
We can also use the Microsoft Teams admin center: edit the Teams upgrade settings for the user and switch to Teams only.
Migration from scheduled on-premises Skype for Business Meetings to Teams
Using the Meeting Migration Service (MMS)
https://docs.microsoft.com/en-us/skypeforbusiness/audio-conferencing-in-office-365/setting-up-the-meeting-migration-service-mms
Links
Manage external access in Microsoft Teams
https://docs.microsoft.com/en-us/microsoftteams/manage-external-access
Currently, to federate within the Microsoft Teams app to an external user outside of your organization who’s not currently a guest of your Azure Active Directory (Azure AD) or tenant, you must be correctly set up for hybrid and moved to Skype for Business Online. As of February 25, 2019, Teams doesn’t support native federation without the user of the SIP profile being homed in Skype for Business Online. For more on setting up your account for hybrid and then moving to Teams, see Upgrade Skype for Business hybrid deployment to Teams
Hybrid modern authentication overview and prerequisites for using it with on-premises Skype for Business and Exchange servers
https://docs.microsoft.com/en-us/office365/enterprise/hybrid-modern-auth-overview
DNS requirements for Skype for Business Server
https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/network-requirements/dns
(evoSTS is a Security token service (STS), which is used by Azure AD)
https://en.wikipedia.org/wiki/Security_token_service
In Part 6 … we will cover the routing from our on-premises SIP Trunk aka Enterprise Voice to Skype for Business Online Hybrid Voice and Microsoft Teams Direct Routing, both known as Microsoft Phone System.