Getting your environment ready to deploy Surface Hubs and Teams Meeting Room devices, especially when your environment is mostly Azure but still in a hybrid state, can be a pain in the neck.
I recently had the opportunity to work through the above and came up with the following analogy:
If you can do it all in Azure, then do it all in Azure
The reason I say this is that many hybrid environments still use their on-premises AD as the source of truth, or don't have any form of writeback enabled, so when a room resource is created on premises it won't exist in the cloud until AAD sync has run. Furthermore, what if the primary domain used for these accounts requires third-party MFA? Or there are issues with the attributes used, or the primary SMTP address policy interferes with your script?
I was having major issues making the above work, mostly because every device, once joined to the domain, then had to be given an M365 account that originated on premises. This is fine for users, but for a device that needs adding to the domain, also needs a room account in M365 synced up from on-premises AD, then has to wait for the registrar pool to become active, and then also needs the account to authenticate with a third-party MFA before it can contact Azure, it just seemed really cumbersome.
I found the Microsoft article on how to do this a little misleading in some points. Additionally, the user performing the task needs to use PowerShell commands that only exist in Azure AD, Exchange Online and Microsoft Teams. Microsoft also wrote their own provisioning script for customers to use, but I don't know about you, I never run a script without reading and understanding it line by line, and this one just seemed overcomplicated for what was essentially a room mailbox, an attached user account, a Teams Rooms license and a SIP address against the room email address, so…
So, why can't we just provision everything in Azure, using the onmicrosoft.com domain!?
I don't claim to be the best PowerShell scripter out there, and I'm pretty sure you can do better and neater, but having a script that does all the work in Azure/M365 makes much more sense, and when it's easily run with local admin rights on your chosen Windows device it's easy enough to crack on and get those devices provisioned!
Turn on basic authentication and install the modules as needed, while also setting a few variables:
Once you have imported the modules you can get on with creating the mailbox and giving it the right settings. The password is stored in plain text here, but for the moment we just want to create a Teams Room!
Next on the list is to connect to Azure AD, set the password policy, update the primary SMTP address we want to use, and apply a license via a user pop-up screen.
Licenses can be applied through the GUI or PowerShell.
If this were a Surface Hub we'd be setting it to rotate the password every 7 days. I've also added some deliberate waiting time to ensure that once the Teams Rooms license is applied there's sufficient time for the account to receive a registrar pool.
Next we just need to finish up and display some final information, and also add the Teams Meeting Room to a room list that you might have pre-populated for your Outlook GAL.
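The cloud-only flow described above, written out as an added example that is not the author's script: it creates the room mailbox in Exchange Online, fixes the password policy and assigns a licence in Azure AD via a pop-up picker, polls Teams until a registrar pool appears, and optionally adds the room to a room list. The parameter names, the `Wait-Until` helper and the `contoso.onmicrosoft.com` UPN are assumptions, the password is prompted for rather than kept in the script, and the Surface Hub password rotation is left to the device's own settings.

```powershell
param(
    [Parameter(Mandatory)][string]$RoomName,   # display name, e.g. "Boardroom"
    [Parameter(Mandatory)][string]$Upn,        # e.g. boardroom@contoso.onmicrosoft.com (assumed tenant)
    [Parameter(Mandatory)][string]$AdminUpn,   # the admin account running this script
    [string]$UsageLocation = 'GB',             # Azure AD requires this before a licence can be assigned
    [string]$RoomList                          # optional pre-created room list (a -RoomList distribution group)
)
# Prompt for the room password so it is never stored in the script as plain text.
$Password = Read-Host -Prompt "Password for $Upn" -AsSecureString

# Poll a condition until it returns a value or the timeout expires; cloud provisioning is not instant.
function Wait-Until([scriptblock]$Test, [int]$TimeoutSec = 900, [int]$EverySec = 30) {
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $result = & $Test
        if ($result) { return $result }
        Start-Sleep -Seconds $EverySec
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for: $Test"
}

# 1. Exchange Online: room mailbox with a sign-in capable account and auto-accept calendar processing.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn
New-Mailbox -MicrosoftOnlineServicesID $Upn -Name $RoomName -Room `
    -EnableRoomMailboxAccount $true -RoomMailboxPassword $Password
Set-CalendarProcessing -Identity $Upn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false `
    -DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false

# 2. Azure AD: wait for the account to show up, stop password expiry, then pick and assign a licence.
Connect-AzureAD
$user = Wait-Until { Get-AzureADUser -ObjectId $Upn -ErrorAction SilentlyContinue }
Set-AzureADUser -ObjectId $user.ObjectId -PasswordPolicies 'DisablePasswordExpiration' -UsageLocation $UsageLocation
$sku = Get-AzureADSubscribedSku | Select-Object SkuPartNumber, SkuId, ConsumedUnits |
    Out-GridView -Title 'Select the Teams Rooms licence' -PassThru
$lic  = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$lic.SkuId = $sku.SkuId
$lics = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$lics.AddLicenses = $lic
Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $lics

# 3. Teams: the licence has to provision before the account is given a registrar pool.
Connect-MicrosoftTeams
$pool = Wait-Until { (Get-CsOnlineUser -Identity $Upn -ErrorAction SilentlyContinue).RegistrarPool }

# 4. Optional: add the room to an existing room list so it appears in Outlook's Room Finder.
if ($RoomList) { Add-DistributionGroupMember -Identity $RoomList -Member $Upn }
[pscustomobject]@{ Room = $RoomName; Upn = $Upn; Licence = $sku.SkuPartNumber; RegistrarPool = $pool }
```

Run it from a Windows PowerShell session with the ExchangeOnlineManagement, AzureAD and MicrosoftTeams modules installed; the final object is the summary the post refers to.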
by Robbie Jackson