
Microsoft Teams Phone and Microsoft Exchange Address Book Policy


Last Updated on June 8, 2021 by GrahamWalsh

I was handed the task of deploying a Microsoft Teams Phone and locking down the directory on it. As you will see in another post, the directory can be hidden from the main user interface, but it is still reachable from inside a meeting. After a bit of research I found that an Exchange Address Book Policy (ABP) does the job. A colleague at Microsoft was also investigating Information Barriers, but those require an E5 licence, so it became a race to find the best solution.

People Icon in a Meeting or Call

When I press that icon during a call, I can search for people.

Searching for a user in a call prior to a policy being set

Address Book Policy Overview

There is an official overview of what an Address Book Policy is on the Microsoft Docs site here. In summary, it lets you segment your Global Address List (GAL) into multiple GALs and assign users and resources to each one, so that a recipient only sees the address book its policy points at. A good example is a school with teachers and students, where each group only sees its own address book. In my use case, I have the secure enterprise directory on one side and the public-facing meeting room devices on the other.

Creating an ABP takes several steps in PowerShell; it cannot be done from the Exchange Admin Center. It also requires the Address Lists role, which is not granted to Organization Management by default.

Step One – Assigning the Address List Role

This step looks straightforward, right? Just head into Exchange Admin Center > Roles > Admin roles, select Organization Management and add Address Lists to the role group? Not quite: that does not work in the new Exchange Admin Center, only in the old one 🤦‍♂️

Exchange Address List Roles

Thankfully the old Admin Center is still available. You can reach it from the link in the left-hand navigation of the new one, or use this link.

Classic Exchange Admin Center

Once in the Classic Admin Center, head to Permissions, select Organization Management and click the Edit pencil. In the pop-up, click the ➕ icon under Roles, add Address Lists, then click OK and Save. You are now able to create address lists and policies in PowerShell.

Adding the Address List role in the Classic Exchange Admin Center

Step Two – Teams Admin Center Config

I recommend doing this step first, as it takes a while to replicate. In the Teams Admin Center > Org-wide settings > Teams settings we need to enable Search by name. This is off by default, so switch the toggle to On. With it on, Teams directory search honours the Exchange address book policy assigned to the signed-in account; with it off, Teams searches the whole tenant directory regardless of any ABP.

Teams Admin Center > Org Wide Settings > Teams settings

Step Three – Exchange PowerShell Commands

There are several commands to run, and I have listed them all below in the order they should be run. The variables are set at the top so that you only need to change a name there and run the commands again for the next resource account.

### Setting the Exchange Address Book Policy ###

### Variables ###
$GALName="CAP GAL"
$AddressListName="CAP Devices"
$OfflineOAB="CAP OAB"
$CustomAtt02="CAPDevice"
$AddressBookPolicy="Common Area Phones"
$Resource="Interview Room 02"

### Enable Address Book Policy Routing (tenant-wide; recipients in different GALs then resolve as external to each other)
Set-TransportConfig -AddressBookPolicyRoutingEnabled $true

### Check that it is enabled
Get-TransportConfig | Format-List AddressBookPolicyRoutingEnabled

### Assign a custom attribute to a Mailbox
Set-Mailbox -Identity $Resource -CustomAttribute2 $CustomAtt02

### Create a new Global Address List
### The filter is passed as a string so the variable is expanded locally before the filter reaches Exchange
New-GlobalAddressList -Name $GALName -RecipientFilter "CustomAttribute2 -eq '$CustomAtt02'"

### Create a New Address List for CAP (wildcards need -like; -eq would look for the literal string "*Interview*")
New-AddressList -Name $AddressListName -RecipientFilter "(CustomAttribute2 -eq '$CustomAtt02') -and (DisplayName -like '*Interview*')"

### Create a new Offline Address Book for CAP
New-OfflineAddressBook -Name $OfflineOAB -AddressLists $AddressListName

### Create an Address Book Policy that exposes only the CAP lists
New-AddressBookPolicy -Name $AddressBookPolicy -GlobalAddressList $GALName -AddressLists $AddressListName -OfflineAddressBook $OfflineOAB -RoomList $AddressListName

### Apply an Address Book Policy to a User/Device/Resource
Set-Mailbox -Identity $Resource -AddressBookPolicy $AddressBookPolicy

### If you want to remove it all as you were testing
### (unassign the policy first; a GAL, OAB or address list that is still referenced cannot be removed)
Set-Mailbox -Identity $Resource -AddressBookPolicy $null
Remove-AddressBookPolicy -Identity $AddressBookPolicy
Remove-OfflineAddressBook -Identity $OfflineOAB
Remove-AddressList -Identity $AddressListName
Remove-GlobalAddressList -Identity $GALName
Set-TransportConfig -AddressBookPolicyRoutingEnabled $false

### Now check to ensure it has all been removed
Get-AddressBookPolicy
Get-Mailbox -Identity $Resource | Format-List AddressBookPolicy, CustomAttribute2
Get-OfflineAddressBook
Get-AddressList
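The block below is an added example, not code from the original post: it scales the per-device commands above to every common area phone in one pass and then verifies what the policy actually exposes, which is the check I would want before trusting it on a public-facing device. It assumes the GAL, address list, OAB and policy from the post already exist, that the device accounts share a display-name prefix ("Interview Room", a hypothetical naming convention), and uses a hypothetical ordinary user (alice@contoso.com) as a control that must stay hidden from the devices. Run it in an Exchange Online PowerShell session with the Address Lists role.

```powershell
# Added example (not from the original post). Assumes the objects created in
# Step Three already exist. $DevicePrefix and $ControlUser are hypothetical.
$GALName           = "CAP GAL"
$CustomAtt02       = "CAPDevice"
$AddressBookPolicy = "Common Area Phones"
$DevicePrefix      = "Interview Room"        # hypothetical device naming convention
$ControlUser       = "alice@contoso.com"     # hypothetical ordinary user who must NOT be visible

# 1. Stamp the attribute and the policy on every matching resource mailbox in one pass.
#    -Filter is evaluated server side, so only the device accounts come back.
$devices = Get-Mailbox -ResultSize Unlimited -Filter "DisplayName -like '$DevicePrefix*'"
foreach ($device in $devices) {
    Set-Mailbox -Identity $device.Identity -CustomAttribute2 $CustomAtt02 -AddressBookPolicy $AddressBookPolicy
}

# 2. Preview who the device GAL resolves to. -RecipientPreviewFilter evaluates the
#    stored OPATH filter directly, so this is exactly the directory a device will
#    search from inside a call once the Teams "Search by name" setting is on.
$gal        = Get-GlobalAddressList -Identity $GALName
$galMembers = Get-Recipient -ResultSize Unlimited -RecipientPreviewFilter $gal.RecipientFilter
$galMembers | Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails | Format-Table -AutoSize

# 3. The control user must not be in the device GAL. If they are, the recipient
#    filter is wider than intended (for example a stray CustomAttribute2 value).
$leak = $galMembers | Where-Object { "$($_.PrimarySmtpAddress)" -eq $ControlUser }
if ($leak) {
    Write-Warning "$ControlUser is visible to the devices; tighten the recipient filter."
} else {
    Write-Host "OK: $ControlUser is hidden from the device GAL."
}

# 4. Confirm every device carries the policy. Re-read each mailbox rather than
#    trusting the cached objects; replication can lag, so re-run until clean.
$current = $devices | ForEach-Object { Get-Mailbox -Identity $_.Identity }
$current | Select-Object DisplayName, CustomAttribute2, AddressBookPolicy | Format-Table -AutoSize
$missing = $current | Where-Object { "$($_.AddressBookPolicy)" -ne $AddressBookPolicy }
if ($missing) {
    Write-Warning "Policy not yet applied to: $($missing.DisplayName -join ', ')"
}

# 5. ABP routing must be on, otherwise recipients in other GALs are still resolved
#    normally when the device addresses them.
Get-TransportConfig | Select-Object AddressBookPolicyRoutingEnabled
```

Step 3 is the important one: an ABP only changes what directory search returns, it does not stop a device from reaching a recipient whose full address it already has, so the thing to test is that the filter itself is as narrow as you believe it is.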

Step Four – Invite the device to a meeting

Once all the settings have taken effect, I can send the device a meeting request. Notice below that my account is in a different GAL from the Interview Room 02 device, so I do not see it when adding it to a meeting and must type its full address instead. That is expected: an ABP filters what directory search returns, it does not block addressing a recipient whose full address you already know. A small price to pay for good security.

Adding a user in a different GAL to a Microsoft Teams meeting

Once the device receives the invite, let's join this test meeting and see who I can see. The image below is an animated GIF, so you might have to open it in a new window to play it. In summary, when I now search for anyone else in the tenant from the device, I cannot see them unless they are in the GAL assigned to the device.

Demo of a Teams Video Phone with an Address Book Policy in place

There we go, challenge accepted and completed. Let me know if you have any questions below.


Also published on Medium.
