Purpose
This blog is designed to show you how to apply rules to users or groups and how to confirm the policies were actually applied to the users.
Pre-requisites
There are some pre-requisites that will be required for part of this testing. Listed below is what you will need before testing:
- Windows PowerShell 3.0 (see http://www.microsoft.com/en-us/download/details.aspx?id=34595 for download details)
- Skype for Business Online, Windows PowerShell Module (see https://www.microsoft.com/en-us/download/details.aspx?id=39366 for download details)
- PowerShell’s execution policy set to Remote Signed
  - Run the following in PowerShell without the quotes: “Set-ExecutionPolicy RemoteSigned”
- An On Demand account
  - If you already have a Quest Support account, you can use this to log in. If not, you can click “Sign up for a new account” at http://quest-on-demand.com
- A tenant that is already set up and added to the On Demand portal
- The Policy Management for Skype for Business Online module set up
Creating Rules
Creating a rule is a straightforward process, but it gets a little more complex with each rule you add. It is important to note that rules are prioritized: the top rule is the most restrictive (and highest priority), and rules further down the list become less granular and more global.
To visualize this, imagine we have 3 accounts as follows:
- John Doe -> Contractor
- Jane Doe -> End User
- Joe Doe -> Manager
We can say that Contractors are temporary employees of your company and generally do not require full access to Skype for Business Online, whereas Managers and End Users would have more access in the environment.
With this example, we can limit our contractors through a Rule for contractors to do something like disabling federation and their display picture as well as allowing them to do External Calling from their mobile device.
Let’s go ahead and create the first rule. To do this try the following:
- Log into http://quest-on-demand.com and click on the Policy Management link
- Click Go under the Skype for Business Online module
- Click Select Tenant on the tenant you wish to set up the rules on
- Click Add Rule
- Provide a name for the rule. For example, “Contractors – No Federation Or Picture”
  - Note: You should be descriptive about your target users and what the rule is going to do to those users.
- Enter your users or groups. Once you enter the user/group name it will do a lookup to Azure AD. Once they display, click the Add button
- Select the policies you wish this set of users/groups to have. In this example, we will choose:
  - The External Policy called “NoFederationAndPIC”, which will disable federation and the photo of federated users.
  - The Mobility Policy called “MobilityEnableOutsideVoice”, which will allow them to make external calls from their mobile devices.
- At this point we have two options:
  - We can click the Enable checkbox and the rule will run right away once we click Save
  - We can leave the rule Disabled and just click Save to use it at a later time
- Let’s choose to click Enable, then click Save. This will start running the rule in about 10 seconds.
Depending on the number of users in your group (or selected manually), this can take some time to complete. Once it is completed you will see a green checkmark on the rule.
After the rule completes, we send the command to the Skype for Business Online service, which then processes the request to clients. The time it takes to apply the rule settings varies per tenant and per rule you created. We have seen it take as little as 30 seconds and as long as 10 or more minutes. The client will also need to be logged out and back in before the change takes effect for that user.
Confirming the policy was applied
Now that we know it can take some time for the policy to apply, how do we know for sure that it applied?
We can use remote PowerShell and the Skype for Business Online Module to check this. Look back to the pre-requisite section and make sure you have completed steps 1 through 3 before moving forward or you may run into some unexpected errors.
Let’s confirm our changes took effect by doing the following:
- Open the PowerShell console where you have the Skype for Business Online module installed
- Next we will run the following commands in PowerShell to set up a connection to your tenant:

    # Import the Skype module
    Import-Module SkypeOnlineConnector
    # Set your global admin account (this will prompt for the credentials)
    $cred = Get-Credential
    # Create a session
    $sfboSession = New-CsOnlineSession -Credential $cred -Verbose
    # Start the session
    Import-PSSession $sfboSession

- Once this is completed and you are successfully connected you should see a message that states "Initializing remote session" followed by "Success".
- Now we are ready to look up a user that this policy was applied to and check the policies that are currently assigned to them. We can do that with this PowerShell command:

    Get-CsOnlineUser -Identity "sip uri" | Select UserPrincipalName,ClientPolicy,ConferencingPolicy,VoicePolicy,ExternalAccessPolicy,MobilityPolicy
    # Where "sip uri" identifies the user, for example the display name "FirstName LastName"

- Once this is run you should see that our policy did apply. If it did not apply, you may need to give it some time to propagate and check again later.
- In our case we can focus on the External Access Policy, as that is where we set the NoFederationAndPIC policy, and on the Mobility Policy, which was set to MobilityEnableOutsideVoice.
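Because the assignment can take anywhere from seconds to several minutes to propagate, a one-off `Get-CsOnlineUser` call may show the old value. The script below is an added example (not code from the original post or from Quest On Demand) that connects exactly as above, then polls a set of users until the External Access and Mobility policies match what the rule was supposed to set. The user principal names and the retry interval are assumptions; the policy names are the ones used in the rule above.

```powershell
# Added example: verify that a rule's policies have reached the target users,
# retrying while the change propagates through Skype for Business Online.
Import-Module SkypeOnlineConnector

$cred = Get-Credential
$sfboSession = New-CsOnlineSession -Credential $cred
Import-PSSession $sfboSession -AllowClobber | Out-Null

# Users the rule targets, with the policy values we expect for each (assumed UPNs).
$expected = @{
    'john.doe@contoso.com' = @{
        ExternalAccessPolicy = 'NoFederationAndPIC'
        MobilityPolicy       = 'MobilityEnableOutsideVoice'
    }
}

function Test-ExpectedPolicies {
    param(
        [Parameter(Mandatory)][hashtable]$Expected,
        [int]$MaxAttempts = 10,     # assumed: 10 attempts x 60 s covers the "10 or more minutes" worst case
        [int]$DelaySeconds = 60
    )

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        $pending = @()
        foreach ($upn in $Expected.Keys) {
            $user = Get-CsOnlineUser -Identity $upn |
                Select-Object UserPrincipalName, ExternalAccessPolicy, MobilityPolicy

            foreach ($policy in $Expected[$upn].Keys) {
                # The service returns a policy reference that renders as "Tag:<PolicyName>"
                # (or nothing when the tenant default applies); normalize to the bare name.
                $actual = "$($user.$policy)" -replace '^Tag:', ''
                if ($actual -ne $Expected[$upn][$policy]) {
                    $pending += [pscustomobject]@{
                        User     = $upn
                        Policy   = $policy
                        Expected = $Expected[$upn][$policy]
                        Actual   = if ($actual) { $actual } else { '(tenant default)' }
                    }
                }
            }
        }

        if ($pending.Count -eq 0) {
            Write-Host "All expected policies are applied (attempt $attempt)."
            return $true
        }

        Write-Host "Attempt ${attempt}: $($pending.Count) policy assignment(s) still pending."
        $pending | Format-Table -AutoSize | Out-String | Write-Host
        if ($attempt -lt $MaxAttempts) { Start-Sleep -Seconds $DelaySeconds }
    }
    return $false
}

# Returns $true once every listed user shows the expected policies, $false if we time out.
Test-ExpectedPolicies -Expected $expected
```

Add more users to `$expected` to check a whole group at once; a `$false` result after the final attempt is your cue to look at the rule for a failed run rather than simply waiting longer.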
Another way to test this would be to log into the Skype for Business client as one of the impacted users and look up someone who is federated to your company. They should not be able to message them or see their display photo.
And that’s it! Now you should feel comfortable applying a single rule and confirming it is in fact on the user.
Multiple Rules
Now that we are pros at setting up a single rule, how do you set up a second rule? The great news is that it is exactly the same as creating the first rule. However, now we need to think about how this rule is going to impact the users involved.
Sticking with our example, we have restricted our contractors to internal messaging only but allowed them to make external calls from their mobile device. Now we would like to limit our internal users so that External Calling is not allowed on their mobile devices.
We have to think about how this rule will affect our internal users and contractors as we have one rule already.
Let’s think about what we have configured in the first rule. This rule is restricted to just the contractors, so it should not affect our internal users. However, if our contractors are in any of the groups we add to the second rule, this policy could then impact them. We want to disable users’ mobile calling, yet we have allowed the contractors to do this.
Rule priority now plays a part in where we place the second rule. As we described earlier, the first rule is the highest priority, the second rule will only apply to those not in the first rule, the third rule is even more global than the second rule, and so on.
If we place this new internal users rule first, then we will actually restrict the contractors’ mobile calling if they fall into the scope of this rule. We do not want that to happen. If we place the contractors rule first, it will have the highest priority and take precedence over all the other rules, which means the settings in the first rule win over the second rule.
This sounds more like what we want to do. Let’s go ahead and create our second rule with the Mobility policy set to “MobilityDisableOutsideVoice”. Give it a proper name, set your users/groups and Save the rule.
Notice that this time we did not enable the rule first? This is to make sure we do not accidentally apply the rule to users before confirming our rule priority is correct. If the rule priority is correct, you can select the internal users rule, click Enable and Save. If the rule priority is not correct, you can grab the dotted section to the left of the rule name and drag the rules into the right order, then Enable and Save the rule to activate it.
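The "first matching rule wins" behaviour described above is easy to get wrong once a user belongs to several groups. The following is an added example, not code from the original post or the Quest On Demand product: a small local model of that priority logic that you can run before enabling a new rule to see which rule each user would land in and which policies they would end up with. The rule names, members and policy values are constructed to match the blog's scenario; the real product evaluates rules server-side, so this only mirrors the precedence rule the post explains.

```powershell
# Added example: model "highest-priority matching rule wins" for a set of users.
function Get-EffectivePolicy {
    param(
        [Parameter(Mandatory)][object[]]$Rules,   # ordered: index 0 is the highest priority
        [Parameter(Mandatory)][string[]]$Users
    )
    foreach ($user in $Users) {
        $effective = [ordered]@{
            User                 = $user
            MatchedRule          = '(none)'
            ExternalAccessPolicy = '(tenant default)'
            MobilityPolicy       = '(tenant default)'
        }
        foreach ($rule in $Rules) {
            if (-not $rule.Enabled) { continue }           # disabled rules are skipped entirely
            if ($rule.Members -contains $user) {
                $effective.MatchedRule = $rule.Name
                foreach ($p in $rule.Policies.Keys) { $effective[$p] = $rule.Policies[$p] }
                break                                      # lower-priority rules are never consulted
            }
        }
        [pscustomobject]$effective
    }
}

# Constructed rules mirroring the post: John is a contractor who is ALSO in the
# internal-users group the second rule targets.
$contractorRule = @{
    Name     = 'Contractors - No Federation Or Picture'
    Enabled  = $true
    Members  = @('john.doe@contoso.com')
    Policies = @{ ExternalAccessPolicy = 'NoFederationAndPIC'; MobilityPolicy = 'MobilityEnableOutsideVoice' }
}
$internalRule = @{
    Name     = 'Internal Users - No Outside Voice'
    Enabled  = $true
    Members  = @('john.doe@contoso.com', 'jane.doe@contoso.com', 'joe.doe@contoso.com')
    Policies = @{ MobilityPolicy = 'MobilityDisableOutsideVoice' }
}
$users = 'john.doe@contoso.com', 'jane.doe@contoso.com', 'joe.doe@contoso.com'

"Contractor rule first (the intended order): John keeps outside voice."
Get-EffectivePolicy -Rules @($contractorRule, $internalRule) -Users $users | Format-Table -AutoSize

"Internal rule first (the wrong order): John loses outside voice and federation is no longer restricted."
Get-EffectivePolicy -Rules @($internalRule, $contractorRule) -Users $users | Format-Table -AutoSize
```

Note that in the wrong order John not only loses outside voice but also never reaches the contractor rule at all, so the NoFederationAndPIC restriction is silently dropped for him as well; that is the reason the post recommends saving the new rule disabled, checking the order, and only then enabling it.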
Conclusion
Congratulations! You should now be able to set up multiple rules and manage their priority to ensure they apply in the correct order. You are also now armed with a PowerShell command to list the policies for any user to confirm they are applying properly.