The wait is finally over! Listen to our industry experts review the CMMC Proposed Rule, what it means for you, and what changes or surprises are in store. Our team here at Kieri, under the guidance of Amira Armond, spent the holiday sifting through the rule to give you a detailed synopsis of what we think you need to know. This release will have such a meaningful impact on the DIB that we are not going to wait until the new year to discuss it. Tune in and our assessment team will give you their thoughts and observations so you can better understand and plan for how CMMC will affect you.
Kieri Solutions offers a licensable set of 800-171, DFARS 252.204-7012, and CMMC compliance templates called the Kieri Compliance Documentation (KCD). This is a holistic and user-friendly cybersecurity program which is designed for small and medium networks (less than 1000 users).
Check our main KCD page for FAQ, business justifications, customer testimonials, price, and more!
The below video has a demo of the real KCD documents so you can see exactly how the program works. It is also good standalone training for what a nice System Security Plan, record keeping, and policies look like.
I am hearing that Microsoft Defender ate everyone’s Outlook shortcut this morning if they had enhanced security enabled (Attack Surface Reduction rules in Microsoft 365 / Intune).
To quickly resolve, re-create the shortcut from the original Outlook.exe file
To do this:
1. Open Windows Explorer
2. In the search bar, search for “Outlook.exe”
3. Right-click OUTLOOK.EXE and “Send to” >> “Desktop (create shortcut)”
Now you should be able to open Outlook using the file on your desktop.
4. You can right-click the file on your desktop and “Pin to Taskbar” or “Pin to Start” to make it more convenient.
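The same fix as a PowerShell script, added here as an example and not part of the original post: it finds OUTLOOK.EXE through the App Paths registration that Office writes, refuses to create a shortcut unless the binary still carries a valid Microsoft signature (so you are not pinning a shortcut to something else that landed in the Office directory), and writes the desktop shortcut with the WScript.Shell COM object. The fallback search roots and the shortcut name are assumptions; run it as the affected user.

```powershell
# Added example (not from the original post): rebuild the Outlook desktop
# shortcut after Defender removed it. Assumes a local Outlook install that is
# registered under App Paths; the fallback search roots are assumptions.

function Get-OutlookPath {
    # Office registers its executables under App Paths, which avoids guessing
    # whether this is a Click-to-Run or MSI install directory.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE'
    $exe = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if (-not $exe) {
        # Fallback: search the usual Office install roots.
        $roots = @("$env:ProgramFiles\Microsoft Office", "${env:ProgramFiles(x86)}\Microsoft Office")
        $exe = Get-ChildItem -Path $roots -Filter OUTLOOK.EXE -Recurse -ErrorAction SilentlyContinue |
               Select-Object -First 1 -ExpandProperty FullName
    }
    if (-not $exe -or -not (Test-Path $exe)) { throw 'OUTLOOK.EXE not found' }
    return $exe
}

function New-OutlookShortcut {
    param(
        [string]$Target   = (Get-OutlookPath),
        [string]$LinkPath = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Outlook.lnk')
    )
    # Only point a shortcut at a binary that still verifies as Microsoft-signed.
    $sig = Get-AuthenticodeSignature -FilePath $Target
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
        throw "Refusing to create shortcut: $Target signature status is $($sig.Status)"
    }
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($LinkPath)
    $lnk.TargetPath       = $Target
    $lnk.WorkingDirectory = Split-Path -Path $Target
    $lnk.IconLocation     = "$Target,0"
    $lnk.Save()
    return $LinkPath
}

New-OutlookShortcut
```

Pinning the new shortcut to the taskbar or Start is still a manual right-click, as in step 4 above.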
Kieri Solutions LLC has included the NIST SP 800-171 DoD Assessment methodology in our compliance programs since the DCMA started publishing it in early 2020.
The just-published DFARS Interim Rule requires self-assessments to be submitted to the DoD as a pre-requisite for contract award.
For full details and links to sources, please see this article on CMMCaudit.org, written by Amira Armond (President of Kieri Solutions):
As a DoD contractor, you need to take action immediately in order to continue winning contracts
Note: All of these actions should be performed by a senior-level cybersecurity expert, either on-staff or consultant.
Have a System Security Plan which describes your environment and addresses all 110 requirements in the NIST SP 800-171. This plan is normally 100+ pages for a business with >50 employees.
Have a Plan of Action & Milestones which describes a full plan to achieve 100% compliance with NIST SP 800-171 and DFARS 252.204-7012
Perform a self-assessment using the NIST SP 800-171 DoD Assessment Methodology
Submit these documents and your self-assessment score to the DoD prior to your next contact award. (Ideally a few weeks ahead, so they can process it)
Kieri Solutions program for NIST SP 800-171 and DFARS 252.204-7012
Our cybersecurity compliance program is designed to help organizations become DFARS 252.204-7012 / NIST SP 800-171 compliant.
Our first priority is DFARS 252.204-7012 and NIST SP 800-171 self-assessment
Our overall program is designed to get you CMMC compliant
These two sets of compliance regulations are complementary, with a straightforward progression from one to the next.
Kieri Solution’s standard compliance program includes these major deliverables:
Perform gap analysis and create an action plan to get your organization started on implementation projects as soon as possible.
Write the System Security Plan and Plan of Action & Milestones
Conduct a DoD self-assessment and help you report it to the DoD
Train and guide your IT leadership (CISO, CIO, Compliance Officer) to represent your company during an audit, and to support internal processes demonstrating cybersecurity maturity.
Provide customized policies, procedures, and user agreements which address all CMMC Level 2 “Advanced” and NIST SP 800-171 requirements
NIST SP 800-171 compliance is complex
Many companies don’t have the cybersecurity expertise in-house to fully understand what is required by NIST SP 800-171.
They don’t have a real system security plan, or the person assigned to create it only addressed a small portion of the in-scope environment.
Submitting a false claim is punishable
The False Claims Act provides for treble damages (reduced to double damages for a defendant that self-discloses and cooperates) plus a civil penalty for each false claim, and the Department of Justice pursues these cases. The DoD has repeatedly said that falsely attesting to DFARS 252.204-7012 compliance is punishable under the False Claims Act.
Next steps: Schedule a free 30 minute consultation
Our president, Amira Armond, is making herself available for 30 minute consultations with DoD contractors that are concerned about cybersecurity compliance.
Symptom: You start seeing the alarm “vSphere Health detected new issues in your environment” and it won’t go away.
I wrote about this alarm with one cause: Memory Exhaustion with a Tiny deployment in my other blog. If you navigate to your vCenter appliance website (https://vcenter.company.com:5480) and see memory warnings, check the fix in that blog first.
Symptom: You recently upgraded to vCenter or vSphere ESXi 6.7 U2 (Update 2, April 2019, May 2019)
Symptom: Warning in event logs “Alarm ‘vSphere Health detected new issues in your environment’ on Datacenters changed from Green to Yellow”
Symptom: Warning in event logs: “event.vsphere.online.health.alarm.event.fullFormat (vsphere.online.health.alarm.event)”
Symptom: You don’t see anything to explain the issue in the logs. Looks like a false positive?
Symptom: When you navigate to vCenter > Monitor > Health, there is no health tab.
This is the main symptom for this particular issue. Read on!
Root Cause #1: You are still using the Flash vSphere client from version 6.0 and 6.5.
You need to change the URL you are using for vSphere and vCenter: https://vCenter.company.com/ui
You can find this URL from scratch by navigating directly to your vCenter: https://vCenter.company.com and clicking the HTML5 button
You can also find it right at the top of your vSphere website – Look for a button that says “Launch vSphere Client (HTML5)”
Now that you’ve launched the HTML5 site, you will notice that it looks way different!
Root Cause #2: The latest updates for vCenter and vSphere include new checks for common issues.
The April 2019 and May 2019 release of 6.7 Update 2 include new health checks. Your vCenter will now warn you about things like problematic drivers and known memory leaks.
These checks are only visible in the HTML5 client. This is why you couldn’t find the cause of the alert before. Read on for how to find them.
These online checks work through the Customer Experience Improvement Program (VMware CEIP): the checks that compare your environment against VMware's known-issue database only run when CEIP is enabled, and CEIP sends configuration and usage data from vCenter to VMware over an outbound HTTPS connection. For a typical business (not at high risk from cyber-attack) that is an acceptable trade-off and CEIP is highly recommended. If you are at higher risk or have strict egress rules, you can still use it by routing the connection through a proxy (the vCenter appliance management interface has a proxy setting) and limiting vCenter's outbound access to VMware's endpoints, rather than giving vCenter general Internet access.
How to troubleshoot the cause of vSphere Health detected new issue in VMware 6.7
Using the instructions above, open your HTML5 vSphere client by navigating to https://vcenter.company.com/ui
Select your vCenter object in Hosts & Clusters view. (This is the top level object in your tree)
Click the Monitor button from the middle menu.
Click the Health button from the middle-middle menu.
Identify warnings that have yellow exclamation marks next to them. These are causing your health alarm.
You can click each item to view information about them. If you select the Info tab for that problem, you will see a button for “Ask VMware” which gives additional help.
Click the RETEST button on the top-right of the window to see if the issue still exists.
How do I enable CEIP for VMware?
From the vSphere HTML5 Client, click the Menu drop-down button
Navigate to Deployment > Customer Experience Improvement Program
Click Join…
This VMware blog has a nice video of how to click through and enable CEIP if you are having trouble.
How do I fix “Enable SCAv2 for optimal hyperthreading performance”?
This is part of the “L1 Terminal Fault” (L1TF, also called Foreshadow) issue, a speculative-execution flaw in the same family as the SPECTRE/MELTDOWN news you have heard about, though a separate bug. The “Concurrent-context attack vector” section below explains it.
WARNING: VMware default settings are for highest performance. If you make changes to increase security against L1TF, your performance may be impacted significantly! In other words, if your virtual environment is using more than 20% CPU at any given time, you should probably NOT enable these changes without a lot of research.
You probably have already applied the fix for previous versions of vSphere. The fix was to edit Advanced System Settings for each host and change the value of VMkernel.Boot.hyperthreadingMitigation = true
In 6.7 Update 2 and later, VMware added VMkernel.Boot.hyperthreadingMitigationIntraVM which defaults to true.
To enable SCAv2, you would verify that VMkernel.Boot.hyperthreadingMitigation = true and change the VMkernel.Boot.hyperthreadingMitigationIntraVM = false and reboot each host.
This setting can be reached by opening vSphere Client website (https://vcenter.company.com/ui) then select Hosts & Clusters view, then select a host. Click the Configure tab and select Advanced System Settings from the middle menu. Repeat for each host.
How do I fix “ESXi with a problematic driver for Gigabit network adapter”?
Follow the Ask VMware link on the alert to find specific information about your problematic network card.
It will open a VMware KB article and probably recommend installing an updated driver.
To update to a new driver, here are the basic steps… please use caution and common sense!
Download the VIB file from VMware, and verify its checksum against the one shown on the download page before you upload it to a host; a VIB installs into the hypervisor itself, so it is worth making sure you have the genuine file.
While you are at it, download the README and review it. If it has instructions, follow those.
If it is in a .zip format, unzip it and find the .vib file
Move your VMs to a different host if possible.
Put your ESXi host into maintenance mode (this procedure could cause impact to any running VMs)
Back up your ESXi host configuration (for example with vim-cmd hostsvc/firmware/backup_config from the ESXi shell) unless you could afford to rebuild the host from scratch if something goes wrong.
Start SSH service in your host > Configuration > Security Profile menu.
Using WinSCP or another reliable SCP client, connect to your host using IP and root / (root password)
Navigate to the /tmp/ directory and upload the VIB file to that directory.
Using Putty or another reliable SSH / console client, connect to your host using IP and root / (root password)
If the download is a single .vib file, type esxcli software vib update -v /tmp/NameOfVIBFile.vib (ESXi paths use forward slashes; give the full path or the command will not find the file)
If the download is an “offline bundle”, you can instead upload the whole .zip and type esxcli software vib update -d /tmp/NameOfVIBFile-offline_bundle.zip (the -d option takes the bundle, not the .vib inside it)
Read the results.
If the result says “Reboot required: true”, then type reboot (this will reboot your host)
When the host is back, stop the SSH service again (it should not stay enabled), and test the host with a non-critical VM before moving important VMs back to it.
How do I fix “Concurrent-context attack vector vulnerability in Intel processors”?
This alarm refers to the “L1 Terminal Fault” (L1TF, also called Foreshadow), a speculative-execution flaw in the same family as SPECTRE / MELTDOWN rather than the same bug.
Basically, most Intel Core and Xeon processors (at least those sold up to late 2018) have a flaw that lets code running on one hyperthread read data that the sibling hyperthread on the same core has in its L1 data cache. In a virtualized environment that means a malicious VM can read memory belonging to another VM, or to the hypervisor, that happens to be scheduled on the other hyperthread. This is a critical vulnerability for cloud hosts or any servers that run code on behalf of untrusted users.
L1 Terminal Fault is a major concern for cloud hosting companies, much less so for on-premises companies
For example, if you have an account on AWS, your virtual servers are running on the same physical hardware as other people's virtual servers. If this vulnerability isn't mitigated, then you could potentially write code to steal data from the other customers, or vice-versa.
To my knowledge, the vulnerability cannot be exploited without running code on the affected host, either a process inside a guest or a VM of its own, and most of the people who run processes on servers have no need to snoop on the CPU. In other words, if all the VMs on your hosts are yours and all the admins work at your company, you should be fine. The caveat is that a compromised VM counts as an untrusted tenant: a host that carries an Internet-facing workload next to a sensitive one is a weaker case for skipping the mitigation.
What is the fix?
For now, while the physical processors have this flaw, the fix is to stop the ESXi scheduler from placing vCPUs from different VMs (or hypervisor code) on the two hyperthreads of the same core, so one context cannot snoop on the other's L1 cache. In practice this removes roughly 5-20% of the performance capacity of the CPU (VMware's own figure for the strict SCAv1 mode is up to 30%).
If your VMware environment isn’t really using the CPU (peak CPU on your hosts is less than 30%), go ahead and implement the fix!
If your servers ARE using the CPU intensively (peak CPU is greater than 30%), then think hard before making a change.
To implement this fix, edit Advanced System Settings for each host and change the value of VMkernel.Boot.hyperthreadingMitigation = true , then reboot the host. Since you are already at 6.7 Update 2, your health alarm will probably change to “Enable SCAv2 for optimal hyperthreading performance” which is addressed a few sections above this one.
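The two settings discussed here and in the SCAv2 section above can be audited and changed across all hosts from PowerCLI instead of clicking through Advanced System Settings on each one. The script below is an added example, not something from the original post or from VMware; it assumes the VMware.PowerCLI module is installed and you have already run Connect-VIServer, and it uses VMware's SCAv1/SCAv2 names for the two combinations the post describes. The host name at the end is a placeholder.

```powershell
# Added example (not from the original post): audit and set the L1TF
# hyperthreading mitigation settings on every host. Assumes PowerCLI is loaded
# and Connect-VIServer has been run. Host names are placeholders.

function Get-L1tfMitigationState {
    # One row per host: both settings and the resulting scheduler mode.
    # SCAv1 = no hyperthread sharing at all; SCAv2 = siblings shared only
    # between vCPUs of the same VM (6.7 U2 and later).
    foreach ($h in Get-VMHost) {
        $s1 = Get-AdvancedSetting -Entity $h -Name 'VMkernel.Boot.hyperthreadingMitigation'
        $s2 = Get-AdvancedSetting -Entity $h -Name 'VMkernel.Boot.hyperthreadingMitigationIntraVM' -ErrorAction SilentlyContinue
        $mitigated = ($s1.Value -eq $true)            # handles both [bool] and "true"/"false"
        $intraVm   = if ($s2) { ($s2.Value -eq $true) } else { $null }
        $mode = if (-not $mitigated) { 'Unmitigated (concurrent-context open)' } elseif ($intraVm -eq $false) { 'SCAv2' } else { 'SCAv1' }
        [pscustomobject]@{
            Host       = $h.Name
            Version    = $h.Version
            Mitigation = $mitigated
            IntraVM    = if ($null -ne $intraVm) { $intraVm } else { 'n/a (pre-6.7 U2)' }
            Mode       = $mode
        }
    }
}

function Set-L1tfMitigation {
    # Both modes need a host reboot to take effect; put the host in maintenance
    # mode first so running VMs are migrated away.
    param(
        [Parameter(Mandatory)][ValidateSet('SCAv1', 'SCAv2')][string]$Mode,
        [Parameter(Mandatory)][string[]]$HostName
    )
    foreach ($h in Get-VMHost -Name $HostName) {
        Get-AdvancedSetting -Entity $h -Name 'VMkernel.Boot.hyperthreadingMitigation' |
            Set-AdvancedSetting -Value $true -Confirm:$false | Out-Null
        $s2 = Get-AdvancedSetting -Entity $h -Name 'VMkernel.Boot.hyperthreadingMitigationIntraVM' -ErrorAction SilentlyContinue
        if ($s2) {
            # SCAv1 keeps IntraVM = true (default); SCAv2 sets it to false.
            $s2 | Set-AdvancedSetting -Value ($Mode -eq 'SCAv1') -Confirm:$false | Out-Null
        } elseif ($Mode -eq 'SCAv2') {
            Write-Warning "$($h.Name): SCAv2 needs 6.7 U2 or later; SCAv1 applied instead"
        }
        Write-Output "$($h.Name): $Mode configured, reboot required"
    }
}

Get-L1tfMitigationState | Format-Table -AutoSize
# Set-L1tfMitigation -Mode SCAv2 -HostName 'esx01.company.com'
```

Run the audit first and check peak CPU on each host (the 20-30% guidance above) before uncommenting the change; a host that is already running hot will feel the loss of hyperthreading immediately.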
What if I don’t want to fix concurrent context?
Some environments cannot afford to lose the CPU performance. For example, I have a client that runs a lab environment with extremely high processing requirements. The hosts are running 70%+ CPU constantly.
So how can you remove the vSphere health warning about concurrent-context attack vector?
How do I fix “External Platform Services Controller” deprecated?
Check our other article about this recent (July 2020) issue, which seems to be a false positive.
Event: “Alarm ‘vSphere Health detected new issues in your environment’ on Datacenters changed from Green to Yellow
Even on healthy vCenters, you will see this event appear about once a week. In my environments it lasts for about one hour (green to yellow, then yellow to green). It doesn’t appear to be an actual issue.
Selfish plug time – Need help?
I am a consultant in the Maryland/DC area in the USA. My specialties are Windows migrations (to 2016 and to Office 365 / Azure), VMware migrations, Netapp and SAN, and high availability / disaster recovery planning. If you would like help with your complex project, training, or would like a architectural review to improve your availability, please reach out! More information and contact can be found on the About page. – Amira Armond
I’m starting to see vSphere health warnings complaining about the “Deprecation of the external Platform Services Controller deployment model”
This is very confusing because my vCenter servers were built using the Embedded Platform Services Controller option. Yet vSphere health is saying that there is a problem?
Symptoms:
vSphere health warning for external platform services controller
The Skyline Health description text reads:
“Starting with vSphere 6.7, VMware announced a simplified vCenter Single Sign-On domain architecture by enabling vCenter Enhanced Linked Mode support for vCenter Server Appliance installations with an embedded Platform Services Controller. You can use the vCenter Server converge utility to change the deployment topology from an external Platform Services Controller to an embedded Platform Services Controller with support for vCenter Enhanced Linked Mode. As of this release, the external Platform Services Controller architecture is deprecated and will not be available in future releases. Click the Ask VMware link above for more details and a resolution.”
vSphere health alert for Upgrading Load Balanced PSCs
The Skyline Health description text reads:
“Special steps need to be taken when upgrading a vSphere 6.7 environment that has external, load-balanced Platform Services Controllers to vCenter Server 7.0. Click the Ask VMware link above for more details and a resolution.”
How do I tell if my vCenter uses an external or internal PSC?
Navigate to your vCenter appliance management website:
https://vCenteraddress:5480
You should be able to log on with your normal vSphere credentials (typically username@vsphere.local)
Navigate to the Summary page. In the top middle area, you will see “Type: vCenter Server with an embedded Platform Services Controller”
If your server uses an external PSC, it will say that here as well.
Synology SA3400 SAN connected to VMware vSphere ESXi 6.7 using iSCSI
This is a new install. The issues have been occurring since you started using the Synology for VMware datastores
Event: Device or filesystem with identifier x has entered the All Paths Down state. Warning
Event: Lost connectivity to storage device . Path vmhba64:C0:T1:L1 is down. Affected datastores: Synology_Datastore1. Error
Event: Lost access to volume due to connectivity issues. Recovery attempt is in progress and outcome will be reported shortly. Information
Event: Alarm ‘Cannot connect to storage’ on 10.41.89.34 triggered an action Information
Event: Alarm ‘Cannot connect to storage’ on 10.41.89.34 triggered by event 615108 ‘Lost connectivity to storage device naa.6001405de561547da144d4199dac86d6. Path vmhba64:C0:T1:L1 is down. Affected datastores: Synology_Datastore1.’ Error
VMware performance monitor shows regular extreme disk latency spikes (500ms, 20,000ms) every few minutes.
Occasional vCenter alarms will display showing that a host has lost connectivity to storage. Normally only one host and one iSCSI datastore LUN at a time.
On the Synology side, the Resource view shows no latency spikes.
Root cause
In my experience, this is caused by ESXi using ATS (Atomic Test and Set, a SCSI compare-and-write primitive) for the VMFS datastore heartbeat against the Synology, which does not handle it reliably.
This issue may also affect EMC and IBM storage.
Starting with ESXi 5.5 Update 2, VMFS5 datastores use ATS for the datastore heartbeat by default instead of plain SCSI reservations, which offloads the heartbeat to the storage array. The ESXi advanced option that controls this is VMFS3.UseATSForHBOnVMFS5 (1 = on). According to the VMware KB linked below,
“This optimization results in a significant increase in the volume of ATS commands the ESXi kernel issues to the storage system and resulting increased load on the storage system. Under certain circumstances, VMFS heartbeat using ATS may fail with false ATS miscompare which causes the ESXi kernel to again verify its access to VMFS datastores. This leads to the Lost access to datastore messages.”
Storage providers such as EMC and IBM already ask their users to disable this feature on VMFS5 datastores because of the problems encountered:
Refer to the instructions in the VMware Knowledge Base in the following link to disable the ATS Heartbeat:
When I performed this change, it took about 5 minutes, did not need a host reboot, did not cause any impact. The latency spikes and storage disconnects stopped immediately.
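The same change from PowerCLI, added here as an example (not from the original post, the Synology documentation, or the VMware KB): it reads VMFS3.UseATSForHBOnVMFS5 on every host and sets it to 0 on the hosts you name, which is the advanced option the KB has you change with esxcli. It assumes PowerCLI is loaded and Connect-VIServer has been run; host names are placeholders.

```powershell
# Added example (not from the original post): check and disable the ATS
# heartbeat on VMFS5 datastores across hosts. Equivalent ESXi shell command:
#   esxcli system settings advanced set -i 0 -o /VMFS3/UseATSForHBOnVMFS5
# Assumes PowerCLI is loaded and Connect-VIServer has been run.

function Get-AtsHeartbeatState {
    # 1 = ATS heartbeat on (default since ESXi 5.5 U2), 0 = SCSI-reservation heartbeat
    foreach ($h in Get-VMHost) {
        $s = Get-AdvancedSetting -Entity $h -Name 'VMFS3.UseATSForHBOnVMFS5'
        [pscustomobject]@{
            Host               = $h.Name
            UseATSForHBOnVMFS5 = [int]$s.Value
        }
    }
}

function Disable-AtsHeartbeat {
    # Takes effect immediately; no reboot and no maintenance mode required.
    param([Parameter(Mandatory)][string[]]$HostName)
    foreach ($h in Get-VMHost -Name $HostName) {
        $s = Get-AdvancedSetting -Entity $h -Name 'VMFS3.UseATSForHBOnVMFS5'
        if ([int]$s.Value -eq 0) {
            Write-Output "$($h.Name): ATS heartbeat already disabled"
            continue
        }
        $s | Set-AdvancedSetting -Value 0 -Confirm:$false | Out-Null
        Write-Output "$($h.Name): ATS heartbeat disabled"
    }
}

Get-AtsHeartbeatState | Format-Table -AutoSize
# Disable-AtsHeartbeat -HostName 'esx01.company.com', 'esx02.company.com'
```

Apply it to every host that mounts the affected datastores, not just the one that raised the alarm, otherwise the hosts still using ATS will keep hitting the false miscompares.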
This is a solution by Greg Baharoff, the owner of MTBW Services Inc. in Mount Airy, Maryland.
Symptom: During maintenance, the Windows Server became stuck in recovery mode.
Symptom: The following “regular” solutions did not work, such as bootrec /rebuildBCD , sfc /scannow , and dism.exe /cleanup-image.
Symptom: Datto driver / agent was installed on the server before it went into recovery mode.
Root cause for Windows Recovery Mode after Datto install:
It looks like the Datto agent installed on the server was unsigned, or had an invalid signing certificate, which made Windows crash into recovery mode.
Here are the regular solutions for this problem, that normally work. At the bottom of this article are the steps to fix the Datto agent issue.
bootrec /rebuildBCD
Booting with a Windows 2008 R2 recovery DVD, the following steps allow the machine to boot normally.
Put the Windows Server 2008 R2 installation disc in the disc drive, and then start the computer.
Press any key when the message indicating “Press any key to boot from CD or DVD …”. appears.
Select a language, time, currency, and a keyboard or another input method. Then click Next.
Click Repair your computer.
Click the operating system that you want to repair, and then click Next.
In the System Recovery Options dialog box, click Command Prompt, then run bootrec /rebuildBCD (and the other commands listed above) from that prompt.
How to fix the driver signing issue causing Windows recovery mode, related to Datto Agent
It has to do with driver signing. In my case I had installed a new driver, the Datto Agent. I restarted and BOOM! Recovery, recovery, recovery, recovery…
Fix: Boot up the server, hit the F8 key a few times to get the Windows boot options. Then choose “Disable Driver Signature Enforcement”.
That got me into Windows….
The Datto Agent started and is working at this point. I didn’t do anything to “fix” the system after I was finally able to login after Disable Driver Signature Enforcement.
The long-term solution is to get a build of the Datto agent whose kernel driver carries a signature the system trusts, then re-enable driver signature enforcement; installing a different version may be necessary. Do not make the workaround permanent with bcdedit (testsigning or nointegritychecks): an untrusted kernel driver is exactly what signature enforcement exists to keep out, and a server that boots with it off will load whatever driver an attacker drops in.
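To find out which driver is the one that will not verify before you turn enforcement back on, the following added example (not from the original post or from Datto) checks the Authenticode signature of every .sys file in the drivers directory and lists the ones that do not verify. Point -DriverDir at an offline Windows volume if you are running it from a recovery console. One caveat: Windows inbox drivers are catalog-signed rather than carrying an embedded signature, and on older systems such as Server 2008 R2 Get-AuthenticodeSignature may report those as NotSigned, so treat the list as candidates to examine, not verdicts; a third-party driver like the agent's should show a valid signature from the vendor.

```powershell
# Added example (not from the original post): list kernel drivers whose
# Authenticode signature does not verify. Assumes a Windows host; -DriverDir
# can point at an offline volume (e.g. D:\Windows\System32\drivers).

function Get-UnverifiedDrivers {
    param([string]$DriverDir = "$env:SystemRoot\System32\drivers")
    Get-ChildItem -Path $DriverDir -Filter *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Driver = $_.Name
                Status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '' }
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

# HashMismatch is the one to worry about: the file was signed but has changed
# since. NotSigned on a third-party driver is the Datto-style case above.
Get-UnverifiedDrivers | Sort-Object Status, Driver | Format-Table -AutoSize
```

A driver that shows HashMismatch deserves more attention than one that is merely unsigned: it means the file no longer matches what the vendor signed.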
Symptoms for missing Multi Factor Authentication (MFA) app password in O365:
You enabled Multi-factor Authentication (MFA) on Office 365 (O365) portal or Microsoft 365
MFA works, and your user(s) are able to log on to the office.com website using it.
You don’t see the “app password” listed anywhere, and the Account Settings view seems to be missing that section.
You set up a conditional access policy for Multi Factor, per the Microsoft how-to article.
What are app passwords in office 365 or Azure?
App passwords are long, randomly generated passwords that let legacy software authenticate to Office 365 with a single factor.
The primary use case is older Outlook versions such as Outlook 2010, or an Outlook 2016 build from a standalone deployment made before Office 365 was adopted. These older versions of Office may not know how to handle a multi-factor prompt. Because an app password bypasses MFA for whatever uses it, treat each one as an exception to be kept to a minimum and revoked once the client is upgraded.
If your organization uses Office 365, I recommend installing the latest version of Office 365 from office.com. The latest versions support modern authentication, handle the multi-factor prompt, and don't need app passwords.
Most users don't use app passwords.
What does missing app password look like?
You should be able to view or create app passwords from the user’s account settings in Office 365.
If you are having this issue, the area for app passwords is blank. The picture above shows a missing app password area. It should be right under Contact Preferences.
Root cause for missing multi-factor app password:
The Office 365 admin portal has two separate ways to enable MFA for users. One way is the per-user setting under Admin > Users > Multi-factor Authentication. The second way is to set up a Conditional Access Policy. Microsoft articles say to use the Conditional Access Policy, but there is a problem with that.
App passwords are a feature of the legacy per-user MFA service, so a user whose MFA comes only from a Conditional Access Policy never gets the app password section. This is by design rather than a bug, but the effect is the same: the option is simply missing.
To fix the problem, you need to enable multi-factor for that user using the Users menu as well, not only conditional access policies.
The good news is that you don’t need to abandon your conditional access policy entirely. Just use this fix for individuals who need an app password, not everyone.
How to fix missing multi-factor authentication app password in Office 365
To enable application passwords in O365, you need to use the Multi-factor authentication page in admin center.
Navigate to Office 365, log on with your admin account
Click Admin from the menu
Click Users > Active Users from the menu
In the center, you will see a link to “Multi-factor authentication”. Click this link.
Your users list will display. You can filter for individual users here.
Pick the user that needs an app password and click “Enable”.
Enable the user here even if you have already set up a conditional access policy for MFA that includes the user.
For most organizations, you should be fixed now. When I tested, this took effect immediately and I created my app password as the user within 30 seconds.
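The per-user MFA page in the admin center is driven by the same setting that the MSOnline PowerShell module exposes, so the fix above can also be applied and verified from a script. The block below is an added example, not from the original post or from Microsoft's documentation: it shows the user's current per-user MFA state and registered methods, then enables per-user MFA for that one user. It assumes the MSOnline module (which Microsoft has since deprecated in favour of Microsoft Graph, but which is what this era's admin center maps to) and a Global Administrator sign-in; the user principal name is a placeholder.

```powershell
# Added example (not from the original post): inspect and enable per-user
# ("legacy") MFA with the MSOnline module. Assumes Import-Module MSOnline works
# and Connect-MsolService is run as a Global Administrator. UPN is a placeholder.
Import-Module MSOnline
Connect-MsolService

function Get-PerUserMfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $u   = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $req = $u.StrongAuthenticationRequirements | Select-Object -First 1
    [pscustomobject]@{
        User    = $u.UserPrincipalName
        State   = if ($req) { $req.State } else { 'Disabled' }   # Disabled / Enabled / Enforced
        Methods = ($u.StrongAuthenticationMethods | ForEach-Object MethodType) -join ','
    }
}

function Enable-PerUserMfa {
    # 'Enabled' prompts the user to register at next sign-in; 'Enforced' requires
    # MFA immediately and is the state in which app passwords can be created.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [ValidateSet('Enabled', 'Enforced')][string]$State = 'Enabled'
    )
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State        = $State
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
    Get-PerUserMfaState -UserPrincipalName $UserPrincipalName
}

Get-PerUserMfaState -UserPrincipalName 'user@company.com'
Enable-PerUserMfa   -UserPrincipalName 'user@company.com'
```

Do this only for the individuals who genuinely need an app password, exactly as the section above says; leaving the rest of the tenant on Conditional Access keeps the number of MFA-bypassing credentials small.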
Recently (May 2020 and later), we are seeing more complex issues that are not resolved by enabling MFA in the users area. Read on for information about fixing those issues.
Modern Authentication fix for missing O365 app password
Thanks to Rob Ryan for sending me these fix steps. Cheers!
Symptoms:
The App Password is missing no matter if we enable or disable MFA from Admin Center > Users.
Disabling MFA did not remove the requirement for multi-factor when we log on with an incognito browser.
We could not find any conditional access policies, and no one had set up any.
Tested email connectivity using testconnectivity.microsoft.com (Outlook test). This failed with an error saying that a conditional access policy denied access.
His account definitely had conditional access policies applied but they were hidden, possibly because his O365 license didn’t have Active Directory Premium 2 rights.
We eventually put in a ticket to Microsoft support, and they pointed us in the correct direction.
The issue was a setting in the Office 365 Admin Panel. There is a tenant-wide setting for “Modern Authentication” that needs to be turned off for some apps that use a different or older Exchange authentication process.
(Admin center > Settings > Org Settings > Services tab > Modern Authentication)
This setting can be found in the Admin Panel by clicking “Settings” in the left-hand menu and then “Org Settings” under the drop-down menu. Then click “Modern Authentication” in the list of settings. Toggle it to “off” and wait 2-3 hours. Be aware of what this does: the toggle applies to the whole tenant, and turning it off sends every client back to basic username/password authentication, which is exactly what MFA is meant to protect against (and which Microsoft has since disabled in Exchange Online). Treat it as a temporary diagnostic step, not a permanent fix.
Then, to set an App Password, go to the user's My Account > “Security & privacy” > “Additional security verification” > “Create and manage app passwords”. In older versions of Office 365 the App Password option was in the title banner of the page, in larger font next to “Security Info”. It is now found by clicking the “+ Add method” button, when available.
Links for O365 Modern Authentication articles by Microsoft:
Thanks to Jim Hill for sending these alternate fix steps which worked for him. You can see his original message in the comments. Cheers!
I figured out a solution! I am not sure if these are the exact steps I did. But the root cause was previously having a conditional access policy applied to that user.
- Make sure the CA policy for MFA is not enabled. Mine was the legacy rule, “Baseline policy: Require MFA for admins (Preview)”.
- Disable the MFA for that user in the Office 365 Admin. https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?BrandContextID=O365
- Create a new CA policy in Azure AD. Have it grant access and require MFA, and apply it only to that user.
- Go back to the Office 365 MFA admin and enable then disable the MFA requirement for that user a few times. I did it four times. Leave it disabled.
- Return to Azure and remove that user from the CA policy requiring MFA. Leave it enabled but just not applied to any users.
- Return to Office 365 admin and enable MFA for that user.
- Initiate a screen-sharing session with that user. Have them log into their MFA setup screen. https://aka.ms/MFASetup They will then see and be able to create a new app password.
This took me a month to figure out, and my exact steps may not have been exactly as I said above. Hopefully the whole community can figure out the best way.
Where can I manage Office 365 app passwords for multi factor?
Log on to office.com with the user account that needs an app password
Click on your account icon at the top right corner (normally shows your initials)
I recently went through the steps to set up conference call bridges on Microsoft Teams for my own organization. Specifically, this means dial-in phone numbers that I or people outside my organization can use for a conference line. Here is how I did it, with tips and information to save you time.
This article is for you if:
You are an Office 365 Admin for your organization
You have at least one user with Office 365 E3 or E5, Education, or Government plans. Note: Looks like Office 365 “Business” does not include Teams. Office 365 E5 includes the “Audio Conferencing” license for each user, which will save you some money.
You want your user to be able to host conference calls with a phone number that non-teams people can dial.
I’m excited about using Teams for conference calling. I’ve used many other services such as Webex, Zoom, GoToMeeting over the years but it is annoying that they don’t automatically synchronize with Outlook. Microsoft Teams has a major advantage in that you can see availability, invite people, and reserve your calendar and room all in one place. It is also a great price at $4 per month per conference leader. And it is really easy to set up and use!
The Microsoft documentation for Teams is terrible (sorry, Microsoft, I love you, but seriously!), which is why I wrote this article. I read through all of it and still ended up contacting support several times. It doesn’t have to be that hard. Read through my article to easily set up Microsoft Teams conference calling. Note: It will take about 24 hours for the feature to enable itself.
How much does a conference line for O365 Teams cost?
At the time of this writing (Oct 2019), there are two license options.
“Audio Conferencing” costs $4 per user per month. This “Enables users to dial-in a number to join meetings, or dial-out to bring participants into the meeting”. Per Microsoft support, this is the correct license for our purposes here. This should enable basic conference call ability, very similar to WebEx or Zoom. This license is only needed for conference hosts (people who organize the meeting). Participants do not need an audio conferencing license. Per Microsoft, a conference number can support up to 250 callers.
“Phone system” costs $8 per user per month. This is “for organizations that need call management capabilities (make, receive and transfer calls in the cloud…” I haven’t tested this license fully yet. I think it is for users who need their own phone number for make calls (similar to having a phone at their desk). Update: You do not need this license to host a conference bridge with phone number. But if you get it, it will also handle the conference calling.
If you want to test this out without spending any money, get a trial subscription to “Office 365 E5” – this includes the Office prerequisite and the Audio Conferencing license.
Choose “Add-ons” – this is a link at the bottom of the page.
I selected “Audio Conferencing” and for my purposes, a monthly commitment. Unchecked “automatically assign to all of your users with no licenses” since I only need a conference line for one person right now.
I followed the purchase license wizard. Success.
I went back to the Admin center > Users
Select the user I want to host conference calls.
In the user management window that appears, I selected the Licenses and Apps menu item. This brings up a list of available licenses.
I add a check to the “Audio Conferencing” license and save changes.
You user needs an Office 365 license (Enterprise, Government, or School since these include Teams) and the Audio Conferencing license.
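The license assignment above can also be done from PowerShell, which is handy when you need to repeat it for more than one host. The block below is an added example, not from the original post or from Microsoft: it finds the tenant's Audio Conferencing subscription (Microsoft's SKU part number for it is MCOMEETADV), checks that a seat is free and that the user already has a base license, and then assigns the add-on. It assumes the MSOnline module and an admin sign-in; the user principal name is a placeholder.

```powershell
# Added example (not from the original post): assign the Audio Conferencing
# add-on to one user with MSOnline. Assumes Import-Module MSOnline works and
# Connect-MsolService is run as an admin. The UPN is a placeholder.
Import-Module MSOnline
Connect-MsolService

function Get-AudioConferencingSku {
    # MCOMEETADV is the SKU part number for Audio Conferencing.
    $sku = Get-MsolAccountSku | Where-Object { $_.SkuPartNumber -eq 'MCOMEETADV' }
    if (-not $sku) { throw 'No Audio Conferencing (MCOMEETADV) subscription in this tenant' }
    [pscustomobject]@{
        AccountSkuId = $sku.AccountSkuId            # e.g. tenantname:MCOMEETADV
        FreeSeats    = $sku.ActiveUnits - $sku.ConsumedUnits
    }
}

function Add-AudioConferencing {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $sku = Get-AudioConferencingSku
    if ($sku.FreeSeats -lt 1) { throw 'No free Audio Conferencing seats; buy more before assigning' }
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName
    # The add-on rides on a base Office/Teams license; refuse if there is none.
    if (-not $u.IsLicensed) { throw "$UserPrincipalName has no base Office 365 license" }
    if ($u.Licenses.AccountSkuId -contains $sku.AccountSkuId) {
        return "$UserPrincipalName already has Audio Conferencing"
    }
    Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -AddLicenses $sku.AccountSkuId
    return "$UserPrincipalName: Audio Conferencing assigned; allow up to 24 hours for the bridge to appear"
}

Add-AudioConferencing -UserPrincipalName 'host@company.com'
```

The 24-hour wait in the next step applies just the same whether the license came from the wizard or from the script.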
2. Wait for 24 hours for the audio conferencing license to synchronize
If this is the first time you’ve activated an audio conferencing license, it can take several (up to 24) hours for Microsoft to enable the bridge ID / conference line functionality. When I didn’t wait, I encountered lots of errors on the Teams Admin site. I don’t know if the setup time applies to future audio conference licenses as well (please comment if you know).
Symptoms of pending Microsoft Teams synchronization:
Your O365 user has NOT gotten an email about their audio conference yet.
From Teams Admin, go to Legacy Portal (Skype for Business admin center) and select “audio conferencing” , then select “users” from the top menu… when I select my user, it shows the message “Microsoft audio conferencing license status Pending: 1”
From Teams Admin, go to Legacy Portal and select Audio > Phone numbers. Select a phone number and edit it. The Name field is blank. It will give an error if you try to assign it.
From Teams Admin, go to Users. Select a user that is licensed for audio conferencing and O365. At the bottom of the page, you will see “audio conferencing”. When you try to edit this option, you cannot enable it.
3. Your user will get an email with conferencing dial-in for Teams or Skype
Within 24 hours (it took 20 hours for me), your user will get an email from Microsoft
This email will tell the user that they have Audio Conferencing for Microsoft Teams
It will give them their conference phone number
It will provide the conference leader PIN (used if you are leading the meeting without the Teams app)
If you open O365 Admin > Teams Admin > Voice > Phone Numbers, you will see a new phone number appear here. It will be “assigned”.
Your Microsoft Conference Calling should work now!
If you use Outlook to schedule a Meeting, you will see an icon in the top menu that says “Teams Meeting” or “New Teams Meeting”. Use the “Teams Meeting” option to automatically include dial-in and online meeting information in your Outlook invite.
If you don’t see this option, make sure that your user is logged into their Office 365 account with their Office products. This should already be working if they are using the email address that is registered in Office 365.
Creating your first audio conference (with phone #) meeting in Teams App
Once your user has gotten the Audio Conferencing welcome email, you can try it out!
Have your user close and reopen Microsoft Teams (this may be an extra step, but just in case…).
In Teams app, go to Calendar
Click the + New Meeting button
Fill out the meeting details (name, start date and time). Invite some people – in my case, I invited someone who doesn’t use Teams. Click Schedule.
Don’t worry that the audio conference information isn’t displayed. It will appear on the next step.
You will see the meeting confirmation and options. Right now, your invitees are getting emails and your O365 outlook calendar will update with the meeting.
The dial-in phone number and conference ID for teams will display. Note that the Conference ID should change for each meeting.
On this screen, you can change the Meeting options. I recommend modifying the “Who can bypass the lobby” option to “everyone”, especially if you will be hosting the call from your phone.
Outlook audio conference (with phone #) Teams meeting
You can also create a conference-call enabled Teams meeting directly from Outlook’s Calendar.
Schedule a normal meeting in Outlook, but before you send it out, click the “Teams Meeting” button. This adds the conference to it (you will see the conference information in the meeting body).
You can also open existing Outlook meetings and click the Teams Meeting button to add conference calling to them.
Teams automatically synchronizes with your Outlook Calendar. This is the meeting information as viewed by the host. From here you can forward to additional invitees (the dial-in information is included) or change other settings.
Again, automatic synchronization with Outlook. It will remind you to start your Teams meeting.
This is what a Teams conference invite looks like to people outside your organization (who don’t have teams). The audio dial-in number is listed in the invite.
When your meeting starts, remember that by default, dial-in participants will be stuck in the lobby; the lobby is what keeps an unexpected phone caller from joining unannounced. You can admit them to the meeting from the Teams app.
If you will be dialing in to your own meeting, I recommend setting the meeting options to allow Everyone to bypass the lobby.
About assigning phone numbers and meeting IDs in Teams
When you set up your first conference phone number in Teams, it looks like all licensed users will use that phone number by default. This may change if you are a large organization with more users. If you know how this works with more users, please leave a comment below!
Different meetings on that phone line will be split out using the Meeting ID, which is a different (dynamically assigned) number for each meeting. So potentially your meeting host could run two different meetings simultaneously.
This is the same way that conferences work on WebEx or Zoom. Many meetings can use a single dial-in phone number at the same time. Each meeting uses a different Conference ID.
If you read through the Microsoft KB articles on this process, the steps to create a new phone number show up everywhere. From what I can tell, reserving a phone number doesn’t cost anything. However, there doesn’t seem to be any advantage to having more than one phone number (for small/med business audio conferences). You can’t use the phone numbers without licensing your user(s). For basic conference setup, you only need one phone number which should get created automatically and assigned by Microsoft when you assign the “audio conferencing” license to the user.
On the left menu, click … Show All to see the other admin centers. Pick the Teams admin center.
On the left menu, click Users.
Select the user you want to host dial-in meetings.
At the bottom of the user view, you will see an area for Audio Conferencing. You can click the Edit button to change your settings.
You may need to enable Audio Conferencing for the user. In my case, this area updated automatically 20 hours after I assigned the Audio Conferencing license to my user.
2. Reset Teams User PIN and Conference ID, re-send welcome email
If your user loses their audio conference information, particularly the leader code / PIN, you can reset it from the Teams admin center.
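As an added example that is not part of the original post, the “pending synchronization” check from the symptoms list above and the PIN reset described in this step, done from PowerShell with the MicrosoftTeams module. The cmdlet names and parameters are assumed from that module’s documentation (verify them against your installed version), and the user address is a placeholder.

```powershell
# Added example, not from the original post. Assumes the MicrosoftTeams module
# is installed and that Get-/Set-CsOnlineDialInConferencingUser exist in your
# module version. Requires a Teams administrator account.
Connect-MicrosoftTeams

$User = 'host@example.com'   # placeholder: the licensed meeting host

# Part 1: status check. A user whose Audio Conferencing license is still
# synchronizing has no conference ID or service number yet, which is the
# PowerShell view of the "license status Pending" symptom in the portal.
$conf = Get-CsOnlineDialInConferencingUser -Identity $User -ErrorAction SilentlyContinue
if (-not $conf -or -not $conf.ConferenceId) {
    Write-Warning "$User has no dial-in conferencing settings yet (license not assigned or still syncing)."
} else {
    [pscustomobject]@{
        User          = $User
        ConferenceId  = $conf.ConferenceId          # static ID for ad-hoc dial-in
        ServiceNumber = $conf.ServiceNumber         # the shared toll dial-in number
        TollFree      = $conf.TollFreeServiceNumber # blank unless toll-free is set up
    } | Format-List
}

# Part 2: reset. Issues a new leader PIN (the old PIN stops working, which is
# what you want if the old one was lost or shared) and re-sends the welcome
# email with the current dial-in number, conference ID and new PIN.
if ($conf) {
    Set-CsOnlineDialInConferencingUser -Identity $User -ResetLeaderPin -SendEmail
}
```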
On the left menu, click … Show All to see the other admin centers. Pick the Teams admin center.
On the left menu, click Voice then Phone numbers
Click the + Add button to request phone numbers
The wizard will start.
Country or region: (I picked United States)
Number type: I picked Dedicated Conference Bridge (Toll). Toll normally means that the caller has to pay long-distance charges (not an issue for my clients). Toll-free means that my organization would pay long-distance charges for the caller, which could result in an unexpected expense, so I avoid it.
Location: I needed to Add a location, an option that appeared when I selected the drop-down. In my case, I typed my office address in and it auto-resolved the rest. You can drag and drop the map locator to identify your precise coordinates. This is important for the “Emergency Location” identity, which is automatically provided to emergency services if someone uses that number to call for help (9-1-1 in the USA).
Area code: I picked my preferred area code (from a list of codes that match my location)
Quantity: I picked 1 for this exercise.
Order Name: I typed “001” for the name and “testing teams conference call phone order” for the description at the top of the page.
Next…
A progress circle displays “Thanks for your patience, but we are making sure we reserve the right numbers for you.”
Get numbers displays: You get 10 minutes to confirm your order. It displays the phone number you will get if you place the order. I clicked Next…
Success message. The website says that the phone numbers will appear in the list as soon as they are available. Finish.
The phone number displays in the list.
Error requesting Teams phone number
When I first tried this Teams wizard, I got an error: “We can’t get the list of available countries or regions.”
The second time I tried the Teams wizard, I got further, but then failed again at the last step (to reserve the phone number).
The support link sent me to PTN@microsoft.com. I emailed them with my woes and they responded immediately. I eventually completed the phone number registration process via email. However, I’m including the normal steps below in case you don’t see an error. The wizard has worked fine for me since then.
4. Not needed – use Teams / Skype Legacy Portal to assign a phone number
According to the Microsoft KB articles, you need to assign the phone number using Legacy portal to enable the conference bridge. In my experience, this was NOT necessary. Once my user got the welcome email, everything worked. Microsoft automatically generated a new phone number and assigned it to the user.
This setup may be needed once you have dozens of licensed audio conference users. Or if you don’t want to use the automatically assigned phone number for your organization.
On the left menu, click … Show All to see the other admin centers. Pick the Teams admin center.
On the left menu, click Legacy Portal (this takes you to the Skype for Business admin center).
On the left menu, select Voice > Phone Numbers
Select a phone number. You will see an option appear to “assign” the number. Click Assign.
This brings up an Assign dialogue. If synchronization is complete, you will see “Name: Conference bridge” listed.
If you assign here, your users will have that phone number assigned to them for their conference line. The meetings will be created individually using the Conference ID (just like WebEx and Zoom, you can have many different meetings with one phone number).
5. Not needed – Assign phone number to user in Teams Admin
This step appears to be used for the “phone system” license only (phone numbers assigned to users to replace their desk phones). Currently, the conference bridge assign functionality works better from the Teams Admin > Legacy Portal.
On the left menu, click … Show All to see the other admin centers. Pick the Teams admin center.
On the left menu, click Voice > Phone Numbers.
Select a phone number. Click the Edit button.
Error: “You need to buy a Phone System license and make sure it’s been assigned to the user” (this is what I see when I don’t have a Phone System license).
If you have a Phone System license, you will see a drop-down option for “Assigned to”.
You will have several options to pick from. The first option is a user line, which I think is appropriate for the Phone System license.
6. Not needed – Set up communications credits for international calls
Several Microsoft KB articles say to set up communications credits, and that they are “free”. I have not needed to do this yet. I believe this is used for toll-free calling, which is not necessary for most users. Please leave a comment if you know more!
I hope this article has been helpful to you. I am very excited about using Teams and Office 365 for official conference calls. It is the best value that I’ve seen out of the various competitors, and automatic synchronization with Outlook calendar is a time saving benefit.
Please comment if this helped you or if you can share your lessons learned with setting up Microsoft Teams for conference calls!
I am a consultant in the Maryland/DC area in the USA. My specialties are Windows enterprises (upgrades to 2016 and to Office 365 / Azure), VMware migrations, Netapp and SAN, and high availability / disaster recovery planning. If you would like help with your complex project, training, or would like an architectural review to improve your availability, please reach out! More information and contact can be found on the About page. – Amira Armond