Set up Auto Attendant for Teams After Hours Call Forwarding

You may need to set up an Auto Attendant for Teams after-hours call forwarding. An example is a department that provides support after business hours, with an on-call person who answers the call and a secondary person who answers if the first one cannot. In this post I will show you how to set up an auto attendant to do this.
So read on and I will show you step by step how to achieve this.
Prerequisites to Set up Auto Attendant for Teams
You will need the following elements before you get started.
- A resource account (With Teams Resource Account license) and a Telephone number assigned for the Auto Attendant.
- A Telephone number for each Teams Account for each option in the Auto Attendant (i.e. #1, #2) with a Microsoft Teams Phone Standard license.
- The phone numbers of the on-call users who will be answering requests. It is usually their mobile numbers.
Step one – Set up Auto Attendant
For this, you will need to go into Microsoft Teams administration and go to Voice / Auto Attendants. Click Add:

It will start a wizard and all you need to do is go through the steps:

- Name your Attendant. It is not staffed by a person, so I have chosen no operator. I have also set the time zone and the language. Voice input is disabled. Click “Next”.

In the next section you set the call flow. Here we specify the initial greeting and then specify the options the attendant offers to the user:
- Further down the screen, we specify how each option is routed by assigning dial keys to a user. Click “Assign a Dial key” and assign it to a “person in the organization”. Note: the user(s) picked MUST HAVE A TELEPHONE NUMBER ASSIGNED TO THEM! The telephone won’t be used but Teams admin needs it in order to use the forwarding feature on the account:

Click “Next”
- In the next step you can assign hours for the queue and set up an after-hours queue so effectively you would have another section like the previous step. However, for this illustration the first queue is set up to be running 24 hours, so we only have one:

- There are no holidays for the Auto Attendant, so we just click Next:

- Also, we just click next for the dial scope:

- In this step you need to add a resource account. Search for the Resource Account you created as part of the prerequisites above, and then click Add:

- Click “next” and finally Submit:

You now have an Auto Attendant set up! But before you can test it you need to set up the forwarding options for the dial key options you set up in step #3.
Step Two – Set up the Forwarding Option for Assigned Dial Keys
To properly Set up Auto Attendant for Teams After Hours Call Forwarding, you need to go through each user you assign a dial key to and set up forwarding options in their individual account.
For this, you need to go to Users in Teams Admin, search for the user and then change the following options:

The options are “ring the account’s devices”, also “allow simultaneous ring” on 15555551212 (primary number), and “if unanswered” for 20 seconds, forward to 15555551213 (secondary).
If you would rather use PowerShell to accomplish this, issue the following commands:
Connect-MicrosoftTeams
Set-CsUserCallingSettings -Identity userid@domain.com -IsForwardingEnabled $true -ForwardingType Simultaneous -ForwardingTargetType SingleTarget -ForwardingTarget "15555551212"
Set-CsUserCallingSettings -Identity userid@domain.com -IsUnansweredEnabled $true -UnansweredDelay 00:00:20 -UnansweredTargetType SingleTarget -UnansweredTarget "15555551213"
Expected Behavior for Set up Auto Attendant for Teams
All right, we now have everything set up, so it is time to test. When you test, you should get the following behavior:
- A call is received by the Auto Attendant.
- You are greeted and, in this case, presented with 2 options (press #1 for Tech Support, #2 for Billing).
- Whichever one you pick goes to the Teams account assigned that dial key.
- The account has forwarding set up to ring the first forwarder and, if not picked up in 20 seconds, it will then ring the second forwarder.
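The Step Two forwarding settings can be applied to every dial-key account in one pass and read back before you place a test call; rerunning the read-back later also confirms the targets still point at the current on-call numbers. This is an added example, not part of the original post: the account names and the second pair of numbers are constructed placeholders, and the comparison assumes Get-CsUserCallingSettings returns the delay in the same hh:mm:ss form it was set with.

```powershell
# Added example. Accounts and numbers are constructed placeholders; replace with your own.
$dialKeyAccounts = @(
    @{ Identity = 'techsupport@domain.com'; Primary = '15555551212'; Secondary = '15555551213' }
    @{ Identity = 'billing@domain.com';     Primary = '15555551214'; Secondary = '15555551215' }
)

function Test-ForwardingSettings {
    # Compares the object returned by Get-CsUserCallingSettings with the expected targets.
    param(
        [Parameter(Mandatory)] $Settings,
        [Parameter(Mandatory)] [string] $Primary,
        [Parameter(Mandatory)] [string] $Secondary
    )
    $problems = @()
    if (-not $Settings.IsForwardingEnabled)                     { $problems += 'forwarding is disabled' }
    if ($Settings.ForwardingType -ne 'Simultaneous')            { $problems += "forwarding type is '$($Settings.ForwardingType)'" }
    # -like "*number" tolerates a prefix such as "+" or "tel:" on the stored value
    if ("$($Settings.ForwardingTarget)" -notlike "*$Primary")   { $problems += "primary target is '$($Settings.ForwardingTarget)'" }
    if (-not $Settings.IsUnansweredEnabled)                     { $problems += 'unanswered forwarding is disabled' }
    if ("$($Settings.UnansweredTarget)" -notlike "*$Secondary") { $problems += "secondary target is '$($Settings.UnansweredTarget)'" }
    if ("$($Settings.UnansweredDelay)" -ne '00:00:20')          { $problems += "unanswered delay is '$($Settings.UnansweredDelay)'" }
    return ,$problems
}

Connect-MicrosoftTeams

$report = foreach ($account in $dialKeyAccounts) {
    # Same two commands as in Step Two, once per dial-key account
    Set-CsUserCallingSettings -Identity $account.Identity -IsForwardingEnabled $true `
        -ForwardingType Simultaneous -ForwardingTargetType SingleTarget -ForwardingTarget $account.Primary
    Set-CsUserCallingSettings -Identity $account.Identity -IsUnansweredEnabled $true `
        -UnansweredDelay 00:00:20 -UnansweredTargetType SingleTarget -UnansweredTarget $account.Secondary

    # Read the settings back and compare them with what was intended
    $current  = Get-CsUserCallingSettings -Identity $account.Identity
    $problems = Test-ForwardingSettings -Settings $current -Primary $account.Primary -Secondary $account.Secondary

    [pscustomobject]@{
        Identity = $account.Identity
        Status   = if ($problems.Count) { 'MISMATCH' } else { 'OK' }
        Problems = $problems -join '; '
    }
}

$report | Format-Table -AutoSize -Wrap
```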
There you have it. This is how to set up an Auto Attendant for Teams after-hours call forwarding. If you are an organization with a capable IT department, this could be an option to go with instead of a third-party service.
Reset MFA for a User

Sometimes you need to reset MFA for a user. It may be because they have switched to a new mobile device, lost or damaged a previous mobile device, or switched from text to number matching as their preferred method of MFA. Either way, it is a simple process.
Steps to reset MFA for a user – Admin
On the admin side, log into https://admin.microsoft.com
Click on Identity / Users / All Users / Per-user MFA
Search for the user you need to reset.
Once you find the user, check the check box next to them and click User MFA Settings just above.
You will see the following display:

Make sure you check “Require selected users to provide contact methods again”.
Steps to reset MFA for a user – User
When the user logs in to any M365 app they will get this prompt:

Make sure the user has the Microsoft Authenticator app installed on their phone. Click on “Next”.
Click Next

Click Next
Open your Authenticator App and Click the “+” button to add an account.


In this case it is a business account we are setting up. Choose Work or School Account

Choose Scan QR Code

Go back to your computer screen. You will see the code to scan:

Use your phone to Scan the QR Code:

The computer screen will display a two-digit number as a test code. Enter that number into the waiting prompt on your mobile screen.

The test number will have succeeded. Click Next.
You can set up an App password if you want. In this example, we are not.
If you have followed these steps to reset MFA for a user, you will have it done in no time. It is a much more secure way to authenticate a user. I would suggest you always use this way unless you have no other option!
Translate Documents in Word in Two Steps

You can do so much with Office 365. For example, you can easily translate documents in Word. Most documents will more than likely come in one of two formats: either a PDF or a Word document. These steps will help you translate a document from another language (e.g. French) to English without it having to leave the security of our organization.
There are Translation Services out there but if you don’t want the added cost this is a good way to go.
If you receive the resume in PDF format you will need to do it in two steps. In the case of a Word document, you will only need the second step.
Step One – Open the PDF file using Word
- Open Word to Translate Documents in Word.
- Click “Open” in Word.
- Click “Browse” to navigate to the PDF document.
- From the drop-down box, choose “PDF”:

- Choose the PDF file you want to open in Word.
- You will be asked if you want to convert to Word:

- Click OK and the PDF will be converted to Word.
- You will need to save the document before you can translate it.
- Save it as a Word document:

Step Two – Translate Document in Word
- Once the document is saved, go to the Review tab and choose “Translate Document”:

- It should auto-detect the language, but if you want, you can choose the language the document is in. The “To” language should be set to “English”:

- Click Translate.
- The translation will open in a new document:

- From here you can save it to anywhere on the server.
Note: The translation and formatting won’t be perfect, but it will do most of the heavy lifting!
Remove Sign-In List from MS Teams

We have all had shared computers in our organization. Such a computer probably has a Sign-In List from MS Teams on it if you use Teams (you probably do). What if you would like to clear that list so subsequent users who sign into the computer do not see a large list of names when they sign into Teams?
I can show you how to do this quickly.
Steps to Remove Sign-In List From MS Teams
It is quite simple really. Just hit Win+R and type %LocalAppData%.
Delete the following folders:
%LocalAppData%\Packages\MSTeams_8wekyb3d8bbwe
%LocalAppData%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
%LocalAppData%\Microsoft\OneAuth
%LocalAppData%\Microsoft\TokenBroker
%LocalAppData%\Microsoft\IdentityCache
Once that is done, restart the computer. And voila! Your sign-in list will be empty the next time you start MS Teams! It would be good to do this from time to time as general housekeeping on a shared computer. This is one of many ways to keep your shared computers running smoothly with Teams. In my experience, it can be a bit of a chore but if you keep on top of it, it is not so bad.
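For regular housekeeping, the same five folders can be removed with a short script run in the affected user's session. This is an added example, not part of the original post; the $Preview switch is an assumption of the example and lists what would be deleted without touching anything.

```powershell
# Added example: removes the folders listed above from the current user's profile.
# Run it as the user whose sign-in list should be cleared, with Teams and Office apps closed.
param(
    [switch] $Preview   # hypothetical switch for this example: report only, delete nothing
)

$folders = @(
    'Packages\MSTeams_8wekyb3d8bbwe'
    'Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy'
    'Microsoft\OneAuth'
    'Microsoft\TokenBroker'
    'Microsoft\IdentityCache'
)

$results = foreach ($relative in $folders) {
    $path = Join-Path $env:LOCALAPPDATA $relative

    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Folder = $path; Status = 'not present' }
        continue
    }

    if ($Preview) {
        [pscustomobject]@{ Folder = $path; Status = 'would remove' }
        continue
    }

    try {
        # -ErrorAction Stop turns a locked file into a catchable error
        Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction Stop
        [pscustomobject]@{ Folder = $path; Status = 'removed' }
    }
    catch {
        [pscustomobject]@{ Folder = $path; Status = "failed: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize -Wrap

if ($results.Status -like 'failed*') {
    Write-Warning 'Some folders could not be removed. Close Teams and other Microsoft 365 apps, then run the script again.'
}
else {
    Write-Host 'Done. Restart the computer to finish.'
}
```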
Using Remote Help on Android Devices

Sometimes you have a scenario where you need to get M365 devices to stay logged in with Conditional Access. One such case is a multiuser device that is enrolled in Intune but can’t use MFA. Using Remote Help when the device eventually logs out will be extremely helpful.
You need to get that device to stay logged in. Having it logged out would not be good since you might have to tell the user (one of many) what the password is to log back in. A password that could be easily shared. Not the best for security.
Using Remote Help
Using Remote Help on the Android device is good because it enables you to remote into the device and help the user with configuring or troubleshooting programs. There is no need to walk them through instructions over the phone or have them hold up the phone over a webcam (like in Teams) so you can see the screen as you help them. In this case, it also saves you from telling them a password that you don’t want them to know!
What is Remote Help
Remote Help is an application that is available in any of the app stores. We are going to focus on Android devices. As an administrator of Intune, you probably have a company Google Play store for enrolled devices. Just add the app to your store like you would normally do for any other app.
Configure Using Remote Help
** Note ** – this is EXTREMELY important! If you plan on using this feature with enrolled devices, there is only one enrollment profile that works with the Remote Help app!
When using Remote Help, this is a problem. The profile is Corporate Owned Dedicated Devices. It works with unenrolled devices, but you need to enable that in Intune. I think Microsoft needs to do better. There are devices that use different profiles (e.g., Corporate Owned With Work Profile) that could benefit from using Remote Help. But here is how you set it up.
Configure Remote Help on the Tenant
Task 1: Enable Remote Help
Sign in to Microsoft Intune admin center and go to Tenant administration > Remote Help.
- On the Settings tab:
  - Set Enable Remote Help to Enabled to allow the use of remote help. By default, this setting is Disabled.
  - Set Allow Remote Help to unenrolled devices to Enabled if you want to allow this option. By default, this setting is Disabled.
  - Set Disable chat to Yes to remove the chat functionality in the Remote Help app. By default, chat is enabled and this setting is set to No.
  - Select Save.
- Note: When you purchase licenses or start a trial, it could take a while to become active (anywhere between 30 minutes to 8 hours). When you try to create a Remote Help session you may continue to see messages indicating that Remote Help isn’t enabled for the tenant even if you enabled Remote Help in the tenant after activation.
Task 2: Configure permissions for Remote Help
Remote Help uses Intune role-based access controls (RBAC) to set the level of access a helper is allowed. Through RBAC, you determine which users can provide help and the level of help they can provide.
To protect the privacy of users who may be using the sharer device, helpers should use the minimum level of privilege required to remotely assist the device. Only request an Unattended session if you know that there’s no user at the sharer device to accept the remote help session.
The following Intune RBAC permissions manage the use of the Remote Help app. Set each to Yes to grant the permission:
- Category: Remote Help app
- Permissions:
  - Elevation: Yes/No
  - View screen: Yes/No
  - Take full control: Yes/No
  - Unattended control: Yes/No
Note
If the Take full control permission is set to Yes, then by default, the user will have additional permission to View screen, even if the user’s View screen permission is set to No. If the Elevation permission is set to Yes, then by default, the user will have additional permission to View screen and Take full control, even if the user’s View screen and Take full control permissions are set to No. If the Unattended control permission is set to Yes, then, by default, the user will have additional permission to View screen, Take full control, and Elevation, even if the user’s View screen, Take full control, and Elevation permissions are set to No.
- Category: Remote tasks
- Permissions:
  - Offer remote assistance: Yes/No
By default, the built-in Help Desk Operator role sets all these permissions to Yes. You can use the built-in role or create custom roles to grant only the remote tasks and Remote Help app permissions that you want different groups of users to have. For more information on using Intune RBAC, see Role-based access control.
Task 3: Assign user to roles
After creating the custom roles that you can use to provide different users with Remote Help permissions, proceed to assign users to those roles.
- Sign into Microsoft Intune admin center and go to Tenant administration > Roles > and select a role that grants Remote Help app permissions.
- Select Assignments > Assign to open Add Role Assignment.
- On the Basics page, enter an Assignment name and optional Assignment description, and then choose Next.
- On the Admin Groups page, select the group that contains the user you want to give the permissions to. Choose Next.
- On the Scope (Groups) page, choose a group containing the users/devices that a member is allowed to manage. You also can choose all users or all devices. Choose Next to continue.
Important
If a sharer or a sharer’s device isn’t in the scope of a helper, that helper cannot aid.
On the Review + Create page, when you’re done, choose Create. The new assignment is displayed in the list of assignments.
Configure Using Remote Help for the User
Prerequisites for Remote Help on Android
For general prerequisites, go to Prerequisites for Remote Help
- Set up Managed Google Play for your tenant. For more information, go to Connect your Intune account to your Managed Google Play account
- Install the Intune app on devices with a version higher than 5.0.5541.0
- Devices must NOT have device configuration policy set to block Screen capture
- The helper must be licensed to use the Remote Help add-on. For more details on licensing, go to Use Intune Suite add-on capabilities – Microsoft Intune
- The helper must have appropriate RBAC permissions to use Remote Help on Android:
  - Category: Remote Help app
  - Permissions:
    - Take full control: Yes (required for control)
    - View screen: Yes (required for screen share)
    - Unattended control: Yes (required for unattended control)
- If the user doesn’t have the correct RBAC permissions for a particular mode, the corresponding options are disabled when attempting to start a Remote Help session.
Setting up Remote Help for Android
To set up Remote Help for Android, you need to complete the following steps:
- Deploy the Remote Help app.
- Grant permissions.
- Configure camera permissions.
- Configure permission setup for Samsung devices.
Deploy Remote Help app
- Using Managed Google Play, add the Remote Help app from Microsoft.
- On devices that you want to use Remote Help, assign the app as Required. This setting allows automatic installation of the app on those devices.
Grant permissions
To protect user privacy on the device, both the Android OS and device OEMs require certain permissions to be granted to the Remote Help app.
Camera
The Remote Help app requires Camera permissions.
Note: Remote Help does not store camera input. These permissions are only used to initiate a remote help session between the device and the Intune service.
You can auto-grant them through app configuration policy:
- Go to Apps > App Configuration Policies > Add a new policy for Managed devices.
- Create the policy for Android Enterprise with type Fully managed, Dedicated, and Corporate-Owned Work Profile Only. Target the policy to the Remote Help app that you approved earlier.
- Under Permissions, add CAMERA permissions. Then, set the permission state to Auto grant.
- Assign the profile to the devices on which you want to use Remote Help.
Using Remote Help for Android
1. In the admin console, navigate to the device you would like to remotely assist.
2. On the device actions toolbar, select New remote assistance session, then select the session mode.
3. On the device, the user sees a prompt displaying a request to grant screen share or control of the device.
   - If starting an attended screen sharing or full control session, the user must select Accept to allow the session to begin. If the user doesn’t accept within 5 minutes, the session times out.
   - If starting an unattended control session, the session will begin automatically after 30 seconds.
4. During the session, the sharer device displays a floating End Session button. This button can be repositioned on the screen. Tap the button to end the session from the sharer device.
5. During a control session, use the buttons on the menu bar, keyboard or mouse input to interact with the sharer device. You can also long-press on the Power button in the menu bar to simulate a long press. This can be useful, for example, to open the power options menu on some devices.
6. At the end of the session, select Leave to end the session from the admin console.
Note: On Android 13 devices, the device unlock UI (the PIN entry pad, or the pattern dot grid) cannot be displayed remotely. To unlock the device, you can still use keyboard input to enter a passcode. This is a security measure added by Android, not Remote Help, to protect the end user from a passcode or unlock pattern being captured if the device is unlocked while screen sharing.
Hopefully this will help you with using Remote Help on Android. Once you realize that for enrolled devices you can only use the Corporate Owned Dedicated Devices profile, you will be well on your way. Or you can spend several hours trying to get it to work before you find out and have to write a blog article about it!
Get M365 Devices to Stay Logged in with Conditional Access

Sometimes you have a scenario where you need to Get M365 Devices to Stay Logged in with Conditional Access. I can give you an example. Say you have a dedicated multiuser device that is enrolled in Intune but can’t use MFA.
You need to get that device to stay logged in. Having it logged out would not be good since you might have to tell the user (one of many) what the password is to log back in. A password that could be easily shared. Not the best for security.
Use Conditional Access for Device to Stay Logged in
One way that could help is to use Conditional Access. It allows you to target the users and devices that have multiuser access and allow them to stay logged in. If you are worried about security in this setup, you can add another Conditional Access policy to enhance security.
More importantly, for this article, we are going to configure browser persistence.
What is Browser Persistence
A persistent browser session allows the end-user to remain signed in after closing and reopening their browser window. The default configuration for browser session persistence allows the end-user on a personal device to choose whether to persist the session by showing a “Stay signed in?” prompt after successful authentication.
This is helpful for the multi-user devices we mentioned above that need to stay logged in as long as possible.
Configure Conditional Access for Device to Stay Logged in
1. Go to Conditional Access in Microsoft Entra and click the “plus sign” to add a new policy
2. Add the Users / Groups you want to include in this policy
3. Under target resources, choose All cloud apps:

4. Choose persistent browser session, choose always persistent from the dropdown menu and click Select:

5. Run the policy in “Report-Only” and click Create:

It is good to run the policy in report-only mode and make sure it operates as expected before you enable the policy.
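The same policy can be created with the Microsoft Graph PowerShell SDK, which makes it easy to confirm that it really is in report-only mode and scoped to the intended group. This is an added example, not part of the original post; the display name and the group object ID are placeholders you must replace.

```powershell
# Added example. Requires the Microsoft.Graph.Identity.SignIns module.
# The display name and group ID below are placeholders, not values from the article.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$displayName = 'Shared devices - always persistent browser session'
$groupId     = '<object-id-of-the-shared-device-users-group>'

$policy = @{
    displayName = $displayName
    # Report-only, as in step 5: evaluated and logged, but not enforced
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        users          = @{ includeGroups = @($groupId) }                # step 2
        applications   = @{ includeApplications = @('All') }             # step 3: all cloud apps
    }
    sessionControls = @{
        persistentBrowser = @{ isEnabled = $true; mode = 'always' }      # step 4
    }
}

# Avoid creating a second copy if the script is run twice
$existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$displayName'"
if ($existing) {
    Write-Warning "A policy named '$displayName' already exists; nothing was created."
    $policyId = @($existing)[0].Id
}
else {
    $policyId = (New-MgIdentityConditionalAccessPolicy -BodyParameter $policy).Id
}

# Read the policy back and show the settings that matter for this scenario
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId
[pscustomobject]@{
    DisplayName           = $check.DisplayName
    State                 = $check.State
    IncludedGroups        = $check.Conditions.Users.IncludeGroups -join ', '
    IncludedApplications  = $check.Conditions.Applications.IncludeApplications -join ', '
    PersistentBrowserMode = $check.SessionControls.PersistentBrowser.Mode
} | Format-List
```

Keeping the policy scoped to a dedicated group rather than all users limits the always-persistent session to the shared devices it is meant for.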
This policy should help to keep those devices logged in as long as possible. In my next article, I will show you a way to get the above-mentioned devices logged in again after they eventually log out, without the user having to be told the password!
Teams We’ve Run into an Issue Error

We have all had the Teams We’ve Run into an Issue Error. Something worked one day and then the next…it doesn’t. How frustrating! Most times, it happens with something as simple as logging in but there are other cases where you might get this error.
I will give you an example…
Accessing an External Team You Have Been Invited To
You may get the Teams We’ve Run into an Issue. In this case, the user was receiving errors trying to get into an external team he had been part of for a while. It showed the error message from the picture above. At first only the Teams web app worked, then nothing worked.
What Teams We’ve Run into an Issue Might have been…
First, I thought it was a mismatch between Teams policy settings between the user’s company and the external company. The policy to allow only Teams 2.0 clients was enabled on the user’s side in the Teams admin portal. We had moved to the new Teams client permanently as MS stopped supporting Teams Classic on July 1st.
If the external company’s MS Teams policy was set to “Microsoft-controlled”, which allows the use of Teams Classic until next year, it could cause a conflict.
It was verified that the external organization was using the New Teams Policy, so it wasn’t that…
What it was and What fixed It
It turns out it was 2 things. One, the user had recently got a new mobile device and the external organization needed to reset his MFA. And two, his Teams Cache needed to be reset.
I have written a great post on how to delete Teams Cache (Classic and New) Here.
Android System Apps and Intune Enrolled Mobiles

You have just enrolled an Android mobile phone in Intune (Corporate Owned With Work Profile or Dedicated Work Profile) and the Android system apps behave differently. Like, they don’t work. They seem to have disappeared or are asking for administrative permission to operate.
I will show you a simple trick that in two steps, you will have your user(s) up and running in no time.
Android System Apps and Intune use Package Manager
First you need to get a similar phone and install Package Manager on it. What’s really cool about this app is that it gives the exact name of every single package that resides on your Android phone, even the system apps.

As you can see from the illustration above, all the applications start with “com.”. You can also use the search at the top to search by the package friendly name (e.g. Android Audio). You will need to take note of the “com.” package name and the friendly name. You will need them for the next step.
Publish System App in Company Play Store
I have written some great articles on enrolling Android Devices here (Part1 and Part2).
If you are not familiar with a company Google Store and linking it to Intune, please check this video out. It shows you how to set one up.
Once you have that done, you can go into Intune and the Android Apps section here.

Click on “+ Add” to begin adding an Android app.


From the dropdown box, select “Android Enterprise System App” and click Select.

On the next screen I have given an example of what you should put. You can get this information from the Package Manager app in the previous step. Then click Next.


In this section, click on Add group and pick which user group you would like to assign this application to. You probably already have one set up for your mobile users. It can be assigned, dynamic user or dynamic device. The choice is up to you.


The last screen shows you the options you chose in the previous screen. Click Create to finish.
It won’t show up as an app available to download in your corporate Google Play Store, but it will allow the system app to run now. The device just has to synchronize its Intune policies the next time it checks in.
There you have it. A way to make sure Android system apps and Intune work properly, especially if you use Corporate Owned With Work Profile or Dedicated Work Profile. If your users complain of an app not being visible or requiring admin permission, this is probably why.
