top of page
  • Writer's picturesamanthaeasterday

What is right for your organization? Direct Routing, Microsoft Calling Plans or maybe Both?

Let's look at Direct Routing first. There are seven steps of planning Direct Routing.

Self-deployed vs. Hosted

Should you do a self deployed SBC (session border controller) or partner hosted SBC?

Self Deployed SBC

Benefits: You have full control over your SBC and you'll be able to use your existing PBX.

Disadvantages: You are responsible to configure your SBC and you'll need to purchase, maintain and host the device.

Partner Hosted SBC (basically the opposite of everything above)

Benefits: You won't need to purchase, maintain or host the SBC

Disadvantages: You don't have control over your SBC configuration and the support model could be more complex.

Understand the initial costs and if you have the technical support and expertise in house.

Licensing and Endpoints

To use Direct Routing with Teams, you will need a Microsoft Phone System License. If included in your plan, the Microsoft Teams plus Skype for Business Plan 2. It's important to note, even if you are in Teams Only mode, do not remove the MS Teams+SfB Plan2 license. Because even in Teams Only mode, some SfB components are being used.

Another license to consider is the Audio Conferencing License. This is not mandatory for Direct Routing, however this license gives users the ability to have a Dial-In number for their Microsoft Teams meetings.

Direct Routing supports endpoints on any Teams client, Common area phones and Skype for Business third-party IP Phones.


An SBC is needed to be the interface between Microsoft Phone System and Teams, and PSTN or legacy PBXs.

An SBC has 3 main functions: Connectivity, Security and Media Services.

An SBC can be a certified physical hardware device or software deployed in the cloud, such as Azure or AWS. To find a certified SBC for Direct Routing. Check this link out.

This diagram shows how the SBC connects to Teams and Phone System to legacy PBX and PSTN systems.

The SBC must have a fully qualified domain name (FQDN)

Some requirements to think about when assigning a name:

You can't use the default domain name of your Microsoft tenant.

You must have at least one domain name to your Microsoft tenant. That way you can assign a valid name to the SBC.

A sub-domain name is not valid name unless you have registered the domain.

See the examples below.


MTLS is used to communicate with SBCs, so you need to assign a digital certificate from a supported certification authority to each SBC device. This will be easy if you only have one SBC. Obviously, you will buy one certificate and assign it. A private certificate is the most secure. If you have more than one SBC, you can use a wildcard certificate and assign it to all devices. Its the most cost effective way, but almost the most non-secure way to do it. You could purchase a separate certificate for each SBC. But my recommendation would be to purchase one certificate and use it for all of your SBC. This is a trade-off between cost and security.

IP ranges and ports must be set correctly so the SBC can communicate with the Phone System being used.

This is best described as a visual.

Voice Routing. If you thought SBCs were fun...just you wait! Voice Time!!

There is a lot to cover when configurating voice to allow users to place calls.

There are three objects that work together to specify the class of service and calls of restriction for calls.

Voice routing policy

PSTN usage record

Voice route

A PSTN usage record specifies a class of call (internal, local, or international). The PSTN record is assigned to both a Voice Routing Policy and a Voice Route. A Voice Routing Policy is assigned to a group of users and a PSTN usage record. If a valid PSTN usage record can't be found the user or a voice routing policy be found, the call will fail. It is important to remember the PSTN usage records need to be in the correct order. If a number matches the first record, it will stop there. If it doesn't match, it will go in order of the records, until it finds one that matches. This is the same configuration of Skype for Business, so there shouldn't be any surprises for you. And of course, if it can't find a record that matches, the call fails.

In the Teams admin center, you'll find these settings in Voice->Voice routing policies->Teams Voice Route.

You will have remembered Dial Plans from Skype as well. A dial plan translates a shortened version of a number into one that adheres to E.164. The benefit of a dial plan is you can migrate to Teams without interruptions to your users habits (good or bad). There is a maximum of 1,000 dial plans per tenant and 500 normalization rules per dial plan. There are three types of dial plans:

Service dial plan->this can't be changed and is the same for everyone per country. For some companies the service dial plan will cover all their dial plan needs. (lucky dogs you).

Tenant global dial plan->this can be customized and it will affect all your users.

Tenant user dial plan->this can be customized as well, but you can assign user dial plans for specific users.

Take the below planning steps into consideration:

A couple of extra notes for Voice. Evaluate the volume of calls you currently have. You need to decide if you need multiple SBCs. To manage high loads, you can group multiple SBCs in a single voice route. For HA consider configuring voice routes so they are assigned a priority level. And of course Disaster Recovery. Voice routing policies can be configured to allow certain users to use specific routes. So if an SBC is the US aren't available, users could be routed to the SBCs in Europe.

Let's talk Media Bypass. Media bypass enables you to shorten the path of the media to go directly between the end user and the SBC, instead of sending it via the MS Phone System. Sounds great!! Right!? Well, it does come with limitations. This will only work if the SBC and client are in the same location or network. For media bypass to work, it must be enabled on the SBC. The Teams user must have access to the public IP address of the SBC, whether or not they're on the same network, unless you're using Local Media Optimization (next section).

See below for call flows with and without Media Bypass.

When media bypass is implemented, users inside the network need access to the public IP address of the SBC. The administrator has to configure a "hairpin", with the connection going out from the Teams client and back into the SBCs public IP address. You must also configure media processors and assign IP addresses for them. SBCs need to communicate with transport relays. Check below for the IP address requirements.

Local Media Optimization controls how media traffic flows between the Teams client and the SBCs. If you are not able to configure a "hairpin" (discussed above), you will need to configure local media optimization. When this is configured, the internal IP address of the SBC is used, rather than the external IP address. This means the SBCs can be behind a firewall and not necessarily seen by Teams.

So to finish up the Voice section of Teams. Here is a high-level of Direct Routing:

89 views0 comments

Updated: Mar 11, 2021

Let me start first with an assumption...

Since in my last post was stage 1 and ensuring hybrid connectivity. I will assume you have your users synced to your Teams environment.

SO let's get into designing your Teams settings!

Like I said in my last post, getting the settings figured out sets your users up for SUCCESS! Nail these settings down and be aligned with your business and most importantly Security (governance anyone?)

Step one: Teams

Teams Policies

Teams ad channel policies are used to control what settings or features are available to users when they are using teams and channels.

This one is pretty simple...literally one option

Create private channels = On or Off

Not too exciting...

Could this have been put somewhere else...Yes

Did it need it's own section...Not even close to Yes

But hey, there you go.

Step two: Meetings

Meeting Policies

This will be used to control what features are available to users when they join MS Teams meetings. The default is for all users to be in the Global config. But they do include additional policies. Pretty simple right?? WRONG! Well, not really. But there is a lot to consider with this one. I made a few mistakes when I was settings this because I didn't fully understand what turning on or off an option would do. So do your homework.

Above are the default settings. A lot going on here. But I'll break it down..

General settings-> Leave it alone. Done.

Audio & video-> Leave it alone. Bam.

Content sharing-> Leave it alone. Now you're thinking...WOW I'm really good at this policy setting thing!

Participants & guests-> Leave it alone. KIDDING!! Seriously, review this section carefully. Let's go through it:

Let anonymous people start a meeting-> this is off by default. My recommendation keep it this way. What happens when you turn it on? Participants calling into the meeting can start the meeting. When they do that, the call will drop after 4 hours. You might think this will not happen to you, but what if it does...during an all day board meeting with your CEO, COO, CFO, CIO and any other three letter acronym that starts with Chief you want to add there...because it did. To me. Super fun.

Roles that have presenter rights in meetings->Talk to your business lead on this one. But keep in mind, users can change this per their personal meeting options.

  • EveryoneUserOverride: All meeting participants can be presenters. This is the default value. This parameter corresponds to the Everyone setting in Teams.

  • EveryoneInCompanyUserOverride: Authenticated users in the organization, including guest users, can be presenters. This parameter corresponds to the People in my organization setting in Teams.

  • OrganizerOnlyUserOverride: Only the meeting organizer can be a presenter and all meeting participants are designated as attendees. This parameter corresponds to the Only me setting in Teams.

Automatically admit people-> You can turn on or off if people that are anonymous are automatically joined to a meeting. Do you want them to sit in the lobby? We changed this to Everyone in our organization. Why you might ask? Great question. That leads me to the next part...

Allow dial-in users to bypass the lobby-> We turned this off. Because, we turned on Automatically admit people. This can be set when 'Automatically admit people' isn't set to Everyone. We didn't want dial in users to start meetings. Once they dial in, they will sit in the lobby, however once the organizer joins, they automatically join. Otherwise the organizer will have sit and click 'admit' on every users dialing in. This could result in 20, 30, 50 'admit' clicks...yes...that has happened.

The last 2 options are 'keep default'.

You can create custom policies. Usually you are pretty safe to keep the Global policy for all users. I did create a custom policy to Restrict users to record meetings. I had a user who didn't want to risk anyone being able to record the meetings he schedules. So I created a policy and added him to it. Bam. Done.

Meeting settings

Control whether anonymous people can join Teams meetings, what is included in the meeting invitations, and if you want, you can enable QoS and set ports for real-time traffic.

These settings are pretty important.

Work with your business to decide if you want Anonymous users to join a meeting and if so, do you want them to be able to interact with apps in meetings? These options are more about security. They are turned on by default. If you turn them off, will you get support questions? Will your users not understand why some people can join their meetings and others can't? YES and YES. So maybe just leave these be.

You can also set the URLs for Logo, Legal, and Help. Make sure these links are open to the public, as anyone you invite to your meeting will see these.

Network - QoS

Setting QoS is important. This will help tell the network that these packets should be prioritized. These are the default settings. But running the Network Planner, will help you understand if you need more ports for any service.

Step three: Messaging policies

Used to control what chat and channel messaging features are available to users in Teams. By default there is one Global policy. You can create custom ones and assign users.

These are the default settings. Carefully review each section with your business and make sure they understand these settings.

Even though these are default settings, you can still change many of these options in the channel itself. But that is something you will need to teach your users to do.

Step four: Teams apps

Permission policies

Policies to control what apps you want to make available to Teams users in your organization. By default there is on Global policy. You can create custom policies and assign to individual users.

This isn't too complicated. If you want to lock down what apps your users can install, go for it. It's not a bad idea, until you've done your research on what apps are out there. But these are the default settings.

Step five: Org-wide settings

External access

Lets your Teams and SfB users communicate with other users that are outside your organization.

By default these settings are turned on. There isn't any reason really to turn them off. Be careful though, if you add anyone to the Allow list, it automatically Blocks everyone else...

Guest access

Lets people outside your organization access to teams ad channels. This is an all or nothing settings. This is pretty straight forward. No real GOTCHAS to worry about. One thing to keep in mind however, you can't create custom policies for your users. You can however change a lot of these settings in the Channel itself. Another thing to add to your training checklist! Microsoft's checklist for prereqs might help

Team settings

Lets you set up your teams for features such as email integration, cloud storage options and device set up. These settings will be applied to all of the teams in your organization.

You can most likely keep the default settings on this. Unless you want to turn off file sharing from other cloud storage solutions. Can we say BYE BYE Google Drive!?! Okay, probably not.

Go to Stage 3 VOICE!! Voice gets it's own section. Why?! Because it is just that dang special!

19 views0 comments
  • Writer's picturesamanthaeasterday

Updated: Mar 11, 2021

Say what?!! Yes! It is true. It took me long enough (I'm not going to tell you how long) to find a solution to this problem. Personally, it came from being in Islands mode in Teams and the problem of presence not syncing between the two. I finally found an awesome blog by Stale. His links were outdated, so I kindly asked for them to be updated. I wanted this script!!

  1. Download the script from

  2. Change the default custom presence to the ones of your choosing

    1. Keep in mind, you can only have 4

    2. You can only use Busy, Available and DND. You cannot use Away. If you do, it will break the whole dang thing.

  3. From PowerShell admin run the below from the directory you saved the script

    1. .\Set-CsCustomPresence.ps1 (or whatever you named the script)

  4. You need to sign out of Skype and back in for the changes to take effect

  5. Bam!

402 views0 comments
  • Twitter
bottom of page