Over the past month, I have had a few different SfB Server (On-Premises) customers report issues Federating with Skype Online (O365) customers. This includes customers who have SfB Hybrids and users homed online.
The On-Premises customers have O365 tenants for other services and I always tell non-hybrid Skype On-Prem customers to ensure they don’t assign any Skype Online licenses to users. If they assign an E3 or E5 they should un-check the “Skype Online” license box and for many years, this has worked fine.
Issues customers were seeing:
On-Prem user view Presence of Federated O365 user = OK
On-Prem user send IM to Federated O365 user = OK
At this point the O365 user can successfully see presence of the On-Prem user and reply to the IMs. Everything appears to work as expected. However, if the O365 user tries to initiate the communications:
O365 user view Presence of Federated On-Prem user = FAIL
O365 user send IM to Federated On-Prem user = FAIL
We verified customers federation was configured correctly On-Prem. (Get-CsExternalAccessPolicy, Get-CSHostingProvider, Get-CsAllowedDomain, Get-CsAccessEdgeConfiguration, Test-CsFederatedPartner + checked _sipfederationtls._tcp DNS resolution and certificates).
Microsoft Support did a trace on their O365 Front End pool and they could see the following error their side.
4033;reason=“To User not authorized for Federation”;processing-cluster=”sippoolAM30E30.infra.lync.com”;processing-frontend=”AM30E30FES12.infra.lync.com”;target-user-primary-pool=”sippoolAM30E30.infra.lync.com”;source=”AM30E30FES12.infra.lync.com”
Fix
When O365 user initiates communications to Federated On-Prem user, O365 thinks the user exists in Skype Online, even though the Skype Online license is disabled for all users in the tenant. Therefore O365 never attempts to send anything to the On-Prem Edge Server and completely ignores the _sipfederationtls._tcp record.
My assumption is this is related to Teams and potentially some back end work MS have done to O365. Teams under the hood is sharing a SIP Domain with Skype Online after all. The On-Premises customer has two options:
1) Microsoft support advise to run “Disable-CsOnlineSipDomain” on the SfB On-Prem customers O365 Tenant:
https://docs.microsoft.com/en-us/powershell/module/skype/disable-csonlinesipdomain?view=skype-ps
2) Implement a SfB Hybrid with O365, this will ensure Skype Online knows that it’s sharing a Sip Domain with an On-Premises system.
Ultimately, with Microsoft moving from Exchange Online UM to Cloud Voicemail and heavily pushing Teams, if customers have SfB On-Premises and an Office 365 Tenant, we’re at the stage where everyone needs a Hybrid. Even if they don’t intend to use Skype Online or Teams.
Technical Architect at Symity