In Part 5 we will migrate our Skype for Business onPrem user to Skype for Business Online and Teams. This Blog Post Series consists of 6 parts. So if you missed one check them out as follows..


This post is split into multiple parts due to the complexitiy of a migration from Exchange and Skype for Business onPremise to Office 365 resp. Exchange Online and Teams.

Part 1 will cover the prerequisites like synchronize your onPrem users to Office 365 with Azure AD Connect.

Part 2 will cover migration from Exchange onPrem to Exchange Online and here especially Exchange Hybrid classic full.

Part 3 will cover moving user mailboxes from onPrem to Exchange Online.

Part 4 … will cover troubleshooting Exchange Hybrid

Part 5 … will cover migration from Skype for Business onPrem users to Skype for Business Online and Teams.

Part 6 … coming soon … will cover routing your onPrem SIP Trunk to Teams.


Migration from Skype for Business onPrem to Office 365 Skype for Business Online and Teams


We should first update our onPrem Skype for Business environment with the latest cumulative update.

After that before jumping into the migration, I would suggest to read the following documentation from Microsoft.


Plan hybrid connectivity between Skype for Business Server and Microsoft 365 or Office 365
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/plan-hybrid-connectivity?toc=/SkypeForBusiness/toc.json&bc=/SkypeForBusiness/breadcrumb/toc.json



Also keep in mind


Skype for Business Online will be retired on July 31, 2021 after which the service will no longer be accessible. In addition, PSTN connectivity between your on-premises environment whether through Skype for Business Server or Cloud Connector Edition and Skype for Business Online will no longer be supported. Learn how to connect your on-premises telephony network to Teams using Direct Routing.



About Shared SIP Address Space functionality

https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/plan-hybrid-connectivity?toc=/SkypeForBusiness/toc.json&bc=/SkypeForBusiness/breadcrumb/toc.json#about-shared-sip-address-space-functionality

With hybrid connectivity set up between an on-premises deployment of Skype for Business Server and Teams or Skype for Business Online, you can have some users homed on-premises and some users homed online.

This type of configuration relies on shared SIP address space functionality, and is sometimes referred to as “split domain”–meaning users of a domain, such as contoso.com, are split between using Skype for Business Server on premises and Teams or Skype for Business Online, as shown in the following diagram:



When shared SIP address space is configured:

  • Azure Active Directory Connect is used to synchronize your on-premises directory with Microsoft 365 or Office 365.
  • Users who are homed on premises interact with on-premises Skype for Business servers.
  • Users who are homed online may interact with Skype for Business Online or Teams services.
  • Users from both environments can communicate with each other.
  • The on-premises Active Directory is authoritative. All users should be created in the on-premises Active Directory first, and then synchronized to Azure AD. Even if you intend for the user to be homed online, you must first create the user in the on-premises environment, and then move the user to online to ensure the user is discoverable by on-premises users.


Before a user can be moved online, the user must be assigned a Skype for Business Online (Plan 2) license. If the user will be using Teams, the user must also be assigned a Teams license (and the Skype for Business license must remain enabled). If your users want to take advantage of additional online features, such as Audio Conferencing or Phone System, you need to assign them the appropriate license in Microsoft 365 or Office 365.



Configure Skype for Business hybrid

Let’s start with the hybrid configuration. You can use here the Hybrid setup wizard from the Skype for Business Control Panel, normally, you will see below that this is not true in my case πŸ™‚ .








The Hybrid Setup wizard tells me that Federation with Office 365 and Shared SIP address space is not configured.

Further he kindly tells us, that if we select Next, he will configure our Skype for Business Server and Office 365 tenant with these required setting, so click on Next.



Hmmm, obviously he’s not so kind as I thought πŸ™ . The Federation with Office 365 was not configured by the wizard.

You will find hints in the web, that the reason for this error will result from entries in the CSAllowedDomains or CSBlockedDomains list. In my case I didn’t configured any allowed or blocked domains and there were no entries in my environment, on-premise and online.

Under the following Federation requirements, they say that the Blocked domains and Allowed domains list in the on-premise deployment must exactly match with the online tenant.


Federation requirements
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/plan-hybrid-connectivity?toc=/SkypeForBusiness/toc.json&bc=/SkypeForBusiness/breadcrumb/toc.json#federation-requirements


So what’s the reason in my case? I suppose this is a bug in the Hybrid setup wizard and the used cumulative update version.

You will see below why I suppose this is a bug.

I installed as mentioned at the beginning the latest CU KB4470124 which is available right now at writing this post, for Skype for Business Server 2019.


You can also configure the Hybrid configuration and Federation with Office 365 from your on-premise Skype for Business Server Management Shell instead with the Hybrid Setup wizard. You only need to run the following 4 Cmdlets.


Configure Skype for Business hybrid
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/configure-federation-with-skype-for-business-online#configure-your-on-premises-environment-to-enable-shared-sip-address-space-with-microsoft-365-or-office-365

Configure your on-premises Edge service to federate with Microsoft 365 or Office 365

Set-CSAccessEdgeConfiguration -AllowOutsideUsers $True -AllowFederatedUsers $True -EnablePartnerDiscovery $True -UseDnsSrvRouting


Configure your on-premises environment to enable shared SIP address space with Microsoft 365 or Office 365

Get-CsHostingProvider | ?{ $_.ProxyFqdn -eq “sipfed.online.lync.com” } | Remove-CsHostingProvider
New-CsHostingProvider -Identity Office365 -ProxyFqdn “sipfed.online.lync.com” -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root


Enable shared SIP address space in your organization

Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true




Now coming to the point, why I suppose the Hybrid Setup wizard in my version is on the fritz πŸ™‚ .

After finishing the Hybrid configuration with the above PowerShell Cmdlets, you will get the following entries for the Hosting Provider.

After running the Hybrid Setup wizard again, I get the same error with Federation with Office 365 was not configured by the wizard.

Further after checking it again with the Skype for Business Server Management Shell and the Get-CSHostingProvider Cmdlet, I will get the following output.


The Hybrid Setup wizard is setting IsLocal to False and deletes the AutodiscoverUrl.

So finally I configured Skype for Business hybrid with the PowerShell Cmdlets above and it works fine.


Trying to run the Hybrid Setup wizard the next day will run fine without the Federation with Office 365 was not configured error message.



Further I thought the Hybrid Setup wizard in my version is setting a different new AutodiscoveryUrl for the Hosting Provider as in the actual documentation from Microsoft under https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/configure-federation-with-skype-for-business-online, what was not right!

You will see below that also the Skype for Business Online admin center is now under this new FQDN https://webdired4.online.lync.com/LSCP.


The reason for this different Autodiscover URL is not the version of the Hybrid setup wizard, instead this URL is tenant specific!

So for my tenant the Audiscover URL is

https://webdired4.online.lync.com/Autodiscover/AutodiscoverService.svc/root

and the Hybrid Setup wizard can determine this specific URL at logon to the Office 365 tenant.

You will see later how to determine this tenant specific URLs.



So no clue why the Hybrid Setup wizard now runs without issues. I suppose this was due to some Office 365 synchronisation delays.




Move users between on-premises and cloud

Now we can start to move/migrate users to Office 365 resp. Skype for Business Online or directly to Teams, as Skype for Business Online will be retired on July 31, 2021 after which the service will no longer be accessible.


Move users between on-premises and cloud
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-between-on-premises-and-cloud

Teams users inherently have a Skype for Business home, whether they use Skype for Business or not

If you have on-premises Skype for Business users that are also using Teams (side by side), those users are homed on premises. Teams users with Skype for Business on premises do not have the ability to interoperate with Skype for Business users from their Teams client, nor can they communicate from Teams with users in a federated organization. Such functionality is only available after the user is moved from Skype for Business on premises to online. When you move a user to online, you can either allow them to use Skype for Business Online (and, optionally, Teams) or you can make them Teams Only. If your organization is already using Teams, it’s strongly recommended that you move them to Teams Only mode, which will ensure that routing of all incoming chats and calls lands in their Teams client.

For more details, see Teams coexistence with Skype for Business and Migration and interoperability guidance for organizations using Teams together with Skype for Business.


Prerequisites to move the user to Office 365

The user must be assigned a license for Skype for Business Online (Plan 2), and if they will be using Teams, they must also have a Teams license.

If the user is enabled for dial-in conferencing in on premises, by default the user must also have an Audio Conferencing license assigned in Microsoft 365 or Office 365 before you run move the user online. Once migrated to the cloud, the user will be provisioned for audio conferencing in the cloud. If for some reason you want to move a user to the cloud, but not use audio conferencing functionality, you can override this check by specifying the BypassAudioConferencingCheck parameter in Move-CsUser.

If the user is enabled for Enterprise Voice in on premises, by default the user must have a Phone System license assigned in Microsoft 365 or Office 365 before you move the user online. Once Migrated to the cloud, the user will be provisioned for Phone System in the cloud. If for some reason you want to move a user to the cloud but not use Phone System functionality, you can override this check by specifying the BypassEnterpriseVoiceCheck parameter in Move-CsUser.


As you can see, you can move users either to Teams or Skype for Business Online. Further you have the choice to move the users as follows with the Skype for Business Admin Control Panel or with the Move-CsUser cmdlet from the Skype for Business Server Management Shell onPrem.



Move users with Skype for Business Admin Control Panel

So I will move my first user John Doe from onPrem to Skype for Business Online with the Skype for Business Admin Control Panel.






Finally you can see, that the user John Doe is now homed in Office 365 resp. Skype for Business Online.



Further you will see the moved user in the Skype for Business Online admin center. This is the same behaviour as with Exchange, with the onPrem admin centers of Exchange and Skype for Business, you will see all users homed onPrem and Online in contrast to the online admin centers where you can only see the users homed in Office 365.



In contrast to Skype for Business Online admin center, the Microsoft Teams admin center will show all users homed onPrem or Office 365.



From now on you can only manage the SIP address and Line URI inside the onPrem Skype for Business admin center for users homed in Office 365.



What is changed after moving the user from on-premise to the cloud?

https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-between-on-premises-and-cloud#moving-users

The user starts using Skype for Business Online services in the cloud for any Skype for Business functionality.

Teams users become enabled for interoperability with Skype for Business users, and they can also federate with other organizations.

Contacts from on premises are moved to the cloud (either Skype for Business or Teams).

Existing meetings they organized that are scheduled in the future are migrated to online: If users are moved directly to TeamsOnly (see below), meetings are converted to Teams meetings, otherwise meetings remain Skype for Business but will be migrated so they are hosted online instead of on-premises. Migration of meetings happens asynchronously and begins approximately 90 minutes after moving the user. To determine status of meeting migration, you can use Get-csMeetingMigrationStatus. Note that any content that was uploaded in advance of the meeting is not moved.




Move users with Move-CsUser


https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-from-on-premises-to-skype-for-business-online#move-users-with-move-csuser

Move-CsUser is available from an on-premises Skype for Business Management Shell PowerShell window. You must have sufficient privileges in both the on-premises environment as well as in the Microsoft 365/Office 365 organization as described in Required administrative credentials. You can either use a single account that has privileges in both environments, or you can start an on-premises Skype for Business Server Management Shell window with on-premises credentials, and use the -Credential parameter to specify credentials for a Microsoft 365 or Office 365 account with the necessary administrative role.



The following cmdlet sequence can be used to move a user to Skype for Business Online. It assumes the Microsoft 365 or Office 365 credential is a separate account and supplied as input for the Get-Credential prompt.


$cred=Get-Credential
$url=”https://admin1a.online.lync.com/HostedMigration/hostedmigrationService.svc”

Move-CsUser -Identity username@contoso.com -Target sipfed.online.lync.com -Credential $cred -HostedMigrationOverrideUrl $url


So in my case the first try to move a user with the Move-CsUser cmdlet ends as follows πŸ™ .


Error Message
Move-CsUser : HostedMigration fault: Error=(201), Description=(Cannot find user in Active Directory with the following SIP URI: β€œsip:John.Nokes@braintesting.net”)


This error normally occurs if the msRTCSIP Active Directory attribute was not synchronized to your Azure AD. So if this was the issue, you can force the synchronization with the following two powershell cmdlets from your Azure AD Connect server:


To trigger a delta sync run

Start-ADSyncSyncCycle -PolicyType Delta


or to trigger a full (initial) sync run

Start-ADSyncSyncCycle -PolicyType Initial


But in my case the users Active Directory attributes was still correct synced with my Azure AD as you can see below.

To check that all attributes synced correctly run the follwing cmdlets:


Connect-AzureAD
Get-AzureADUser -ObjectId <UserPrincipalName> | fl


Get-AzureADUser -ObjectId jnokes@braintesting.de | fl ObjectID,ObjectType,AccountEnabled,DirSyncEnabled,DisplayName,LastDirSyncTime,Mail,SipProxyAddress,
UserPrincipalName





In my case I used the wrong Hosted Migration Service URL which was documented as follows


https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-from-on-premises-to-skype-for-business-online#move-users-with-move-csuser

$cred=Get-Credential
$url=”https://admin1a.online.lync.com/HostedMigration/hostedmigrationService.svc”
Move-CsUser -Identity username@contoso.com -Target sipfed.online.lync.com -Credential $cred -HostedMigrationOverrideUrl $url


Under https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-between-on-premises-and-cloud you will find the following important note and reason why I run into this error.


The value of the hosted migration override URL is a variant of the following URL:
https://adminXX.online.lync.com/HostedMigration/hostedmigrationService.svc

In the above URL, replace the XX with either two or three characters, determined as follows:

In a Skype for Business Online PowerShell session, run the following cmdlet:

Get-CsTenant | fl identity

The resulting value will be in the following format:

OU=,OU=OCS Tenants,DC=lyncXX001,DC=local

The two- or three-digit code is the XX contained in the section, DC=lyncXX001. If it’s a two-character code, it will be a digit followed by a number (such as 0a). If it’s a three-character code, it will be two letters followed by a digit (such as jp1). In all cases, you’ll see 001 immediately after the XX code.


So finally I changed the hosted migration override URL to my tenant specific URL and it works.






Move users with Move-CsUser directly to Teams


Moving users from onPrem directly to Teams with the Skype for Business Admin Control Panel is self-explaining, you can select this point directly in the action menu of the specific user like perviously to move to Skype for Business online.



Moving the user with the Move-CsUser cmdlet directly to Teams is also not much different from moving to Skype for Business online.


The only difference is to specify the

MoveToTeams

switch.


https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-from-on-premises-to-teams#move-to-teams-using-move-csuser

$cred=Get-Credential
$url=”https://admin1a.online.lync.com/HostedMigration/hostedmigrationService.svc”
Move-CsUser -Identity username@contoso.com -Target sipfed.online.lync.com -MoveToTeams -Credential $cred -HostedMigrationOverrideUrl $url


But this time we won’t run into the same issue with the wrong hosted migration override URL as previously πŸ™‚ .

So first determine if not already done, your tenant specific hosted migration override URL with the

Get-CsTenant | fl identity

cmdlet as described above for moving the user to Skype for Business online.



To test it with the same user John Nokes as above, I moved him back to on-premise.

Damn πŸ™‚ The user has an Office 365 E5 without Audio Conferencing Lincence assigned and is enabled for dial-in conferencing on-premises.


So I am only wondering why I doesn’t get this error above when moving the same user to Skype for Business online with the Move-CsUser cmdlet.

Regarding the prerequisites (whether to Skype for Business Only or Teams Only mode)

https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-between-on-premises-and-cloud#prerequisites

you will need for both, Teams and Skype for Business online an Audio Conferencing licence.


So another try after purchasing the Audio Conferencing Lincence for my test users.


Now it works, looks like everywhere the same, pay money and it runs πŸ™‚ .


Even if we dont’t get an error message at moving enabled dial-in conferencing users to Skype for Business online, without having an Audio Conferencing Licence for this users, they still not able to join audio conferences and you will see in the Microsoft Teams admin center that Audio conferencing is off.


Here you can see that after purchasing the Audio Conference Licence it is set to On for the moved users. Above after moving the first time you will see a screenshot, where the same moved online users are off before purchasing the licences.


Also in the Skype for Business online admin center you can see, that the user is enabled for Audio Conferencing.





Moving users back to on-premises


Moving the users back to on-premise is as easy as moving them into the cloud.


https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-from-the-cloud-to-on-premises


With the Skype for Business Server Control Panel you only need to click on the Action menu for the specific user and select Move selected users to on-premises … as follows.



With the Move-CsUser cmdlet it is not really much catchier.


https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-from-the-cloud-to-on-premises#move-users-with-move-csuser

$cred=Get-Credential
$url=”https://admin1a.online.lync.com/HostedMigration/hostedmigrationService.svc”
Move-CsUser -Identity username@contoso.com -Target pool.corp.contoso.com -Credential $cred -HostedMigrationOverrideUrl $url



Still remember that the famous hosted migration override URL is tenant specific πŸ™‚

Specify the -Target parameter with the fully qualified domain name of the desired on-premises pool that will host the user.



Finally is back at home on-premise and much cheaper as in the cloud πŸ™‚





Links


Manage external access in Microsoft Teams

https://docs.microsoft.com/en-us/microsoftteams/manage-external-access

Currently, to federate within the Microsoft Teams app to an external user outside of your organization who’s not currently a guest of your Azure Active Directory (Azure AD) or tenant, you must be correctly set up for hybrid and moved to Skype for Business Online. As of February 25, 2019, Teams doesn’t support native federation without the user of the SIP profile being homed in Skype for Business Online. For more on setting up your account for hybrid and then moving to Teams, see Upgrade Skype for Business hybrid deployment to Teams


Hybrid modern authentication overview and prerequisites for using it with on-premises Skype for Business and Exchange servers

https://docs.microsoft.com/en-us/office365/enterprise/hybrid-modern-auth-overview

(evoSTS is a Security token service (STS) , which is used by Azure AD)

https://en.wikipedia.org/wiki/Security_token_service



In Part 6 … which is coming soon, we will cover the routing from an onPrem SIP Trunk to Teams.