12 minutes of reading · August 29, 2022
Today we're going to take a detailed look at Teams resource accounts.
Resource accounts are special Azure AD objects (or Microsoft 365 user accounts if you prefer) that can only be created in the Teams admin center (TAC) or using Teams PowerShell. These accounts cannot be created in M365 Admin or Azure AD. The funny thing is, they can only be removed from M365 Admin or AAD, not from the Teams admin center or Teams PowerShell.
Fundamentals
There are currently two different types of Microsoft resource accounts: call queue and auto attendant. These accounts are then associated with the appropriate types of voice applications, which are call queues or auto attendants.
Each resource account can only be associated with a single voice app, but multiple resource accounts can be associated with a voice app. As with Teams users, each resource account can only have one assigned phone number. For example, you might have an auto attendant assigned to several resource accounts, with each resource account having a phone number from a different country. That way, you can have an auto attendant serving customers in multiple countries, but each customer will be able to call a local number.
How to create a resource account
You can create new resource accounts within the TAC. They are under Voice > Resource accounts.
There are a few things to consider here. The first is the name. If you have a complex call flow, you likely have multiple answering machines, call queues, and resource accounts. I always use the prefix and suffix system.
The display name ends with the suffix "AA" or "CQ". This will help you to identify the correct resource account when associating it with the voice application. The username starts with the prefix "ra_aa_" or "ra_cq_" so the accounts can be easily filtered in AAD. This is just a suggestion, of course; you can call them whatever you like.
I typically use the tenant name *.onmicrosoft.com as the domain suffix. External users won't be able to interact with these accounts, so it doesn't matter if you don't use the default custom domain name.
Here are the equivalent PowerShell commands to create resource accounts.
Auto attendant:
# Auto Attendant Application ID: ce933385-9390-45d1-9512-c8d228074e07
New-CsOnlineApplicationInstance -UserPrincipalName "ra_aa_example_ps@domain.com" -ApplicationId "ce933385-9390-45d1-9512-c8d228074e07" -DisplayName "AAPS"
Call queue:
# Call Queue Application ID: 11cd3e2e-fccb-42ad-ad00-878b93575e07
New-CsOnlineApplicationInstance -UserPrincipalName "ra_cq_example_ps@domain.com" -ApplicationId "11cd3e2e-fccb-42ad-ad00-878b93575e07" -DisplayName "Przykładowe PS CQ"
Search resource accounts
If you want to return all resource accounts from PowerShell, the MicrosoftTeams 4.6.0 module now supports a parameter to return resource accounts only: Get-CsOnlineUser -AccountType ResourceAccount. If we did not use the prefix or suffix, it is currently impossible to tell from this output whether the returned objects are call queues or auto attendants.
For that we have to use Get-CsOnlineApplicationInstance. This will return a list of basic information such as display name, UPN, phone number and application ID.
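The lookup described above can be scripted. The following is an added example, not code from the original post: it maps the two application IDs listed earlier to a type and checks each account against the ra_aa_/ra_cq_ naming convention. The function name, the output columns and the sample records are assumptions made for illustration.

```powershell
# Application IDs as given in the article.
$AppTypes = @{
    'ce933385-9390-45d1-9512-c8d228074e07' = 'AutoAttendant'
    '11cd3e2e-fccb-42ad-ad00-878b93575e07' = 'CallQueue'
}
# The article's naming convention: UPN prefix and display-name suffix per type.
$Convention = @{
    AutoAttendant = @{ Prefix = 'ra_aa_'; Suffix = 'AA' }
    CallQueue     = @{ Prefix = 'ra_cq_'; Suffix = 'CQ' }
}

# Hypothetical helper (not a Teams cmdlet): one inventory row per resource account.
function Get-ResourceAccountInventory {
    param([Parameter(Mandatory)][object[]] $Instance)
    foreach ($i in $Instance) {
        $type = $AppTypes[[string]$i.ApplicationId]
        if (-not $type) { $type = 'Other' }    # e.g. a third-party application ID
        $rule = $Convention[$type]
        $nameOk = $null                         # no convention defined for 'Other'
        if ($rule) {
            $nameOk = $i.UserPrincipalName.StartsWith($rule.Prefix, [StringComparison]::OrdinalIgnoreCase) -and
                      $i.DisplayName.TrimEnd().EndsWith(" $($rule.Suffix)", [StringComparison]::OrdinalIgnoreCase)
        }
        [pscustomobject]@{
            DisplayName   = $i.DisplayName
            UPN           = $i.UserPrincipalName
            Type          = $type
            HasNumber     = -not [string]::IsNullOrEmpty($i.PhoneNumber)
            FollowsNaming = $nameOk
        }
    }
}

# Constructed sample records shaped like Get-CsOnlineApplicationInstance output
# (all values are placeholders). Live: $instances = Get-CsOnlineApplicationInstance
$instances = @(
    [pscustomobject]@{ DisplayName='Example PS AA'; UserPrincipalName='ra_aa_example_ps@domain.com'; ApplicationId='ce933385-9390-45d1-9512-c8d228074e07'; PhoneNumber='tel:+10000000001' }
    [pscustomobject]@{ DisplayName='Example PS CQ'; UserPrincipalName='ra_cq_example_ps@domain.com'; ApplicationId='11cd3e2e-fccb-42ad-ad00-878b93575e07'; PhoneNumber=$null }
    [pscustomobject]@{ DisplayName='Reception';     UserPrincipalName='reception@domain.com';        ApplicationId='11cd3e2e-fccb-42ad-ad00-878b93575e07'; PhoneNumber=$null }
    [pscustomobject]@{ DisplayName='Console Bot';   UserPrincipalName='console@domain.com';          ApplicationId='00000000-0000-0000-0000-000000000000'; PhoneNumber=$null }
)

Get-ResourceAccountInventory -Instance $instances | Format-Table -AutoSize
```

Rows with Type 'Other' or FollowsNaming False are the ones that cannot be identified by name alone and are worth reviewing.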
Resource account licensing
A resource account must be licensed in the following cases:
- If you want to assign it a phone number
- If resource accounts need to forward calls to external numbers
Update 01/29/2023
Microsoft has updated its documentation. From now on, all resource accounts must be licensed regardless of whether a phone number is assigned or not. You can find more information here.
An easy way to ensure that each resource account in a group has the appropriate license is to use an Azure AD dynamic user group that automatically assigns a license. The easiest way to do this is to filter by the Department attribute.
(user.department -eq "Microsoft Communication Application Instance")
If you need step-by-step instructions on how to create an Azure AD group with a dynamic query, see this article and just replace the query with the one above.
/Update
Update 02/06/2023
Thanks to the reader comment, I remembered that Volume Licensing actually requires an Azure AD Premium P1 license for each user using the feature. It is documented here.
I don't know if the resource account qualifies as "user" because it is a resource account and the connection is blocked. If you want to be absolutely sure, I recommend having a P1 license for each resource account, or contacting your Microsoft account administrator and asking about it.
/Update
Licensing cannot be done through the TAC. We need to use AAD or M365 Admin. As we can see, the "Example AA" account has now been created in AAD.
Because it is a special type of account, login is blocked. This means that the account does not support interactive login.
Another important piece of information is that these accounts have "Microsoft Communication Application Instance" set as the department. Just leave it as it is and don't change anything.
However, in my experience, changing the display name or base username is not a problem.
If you want to assign a phone number to a resource account, you must assign a license to the resource account. Microsoft has recently renamed the former “Microsoft Teams Phone – Virtual User” license to “Microsoft Teams Phone Resource Account”.
What's really cool about these licenses is that they're free, at least to some extent. If you have at least one Teams Phone license, you get 25 Teams Phone Resource Account licenses for free. You will then receive 1 resource account license for every 10 Teams Phone licenses. The "PowerShell name", or rather the AccountSkuId for this license, is still called "TenantName:PHONESYSTEM_VIRTUALUSER". Unlike Teams Phone, which requires a “basic license” such as Business Premium or Enterprise E3, resource account licenses can be assigned as standalone licenses.
How to assign phone numbers to resource accounts
After assigning a license to a resource account, you can use TAC or PowerShell to assign a phone number to the account.
For PowerShell, you can use the same command as for a normal user. You may find outdated articles that mention the following command.
Set-CsOnlineApplicationInstance -Identity "ra_aa_example_ps@domain.com" -OnPremPhoneNumber +4144512xxxx
The current command is:
Set-CsPhoneNumberAssignment -Identity "ra_aa_example_ps@domain.com" -PhoneNumber +4144512xxxx -PhoneNumberType DirectRouting
Although a phone number has been assigned to the resource account, the phone number will not be active until the resource account is associated with the voice application. We'll talk about that later.
Assigning a Voice Routing Policy to a Resource Account
If the resource account should be able to forward calls to external PSTN numbers using Direct Routing, we must also assign it a voice routing policy. This can also be done in the TAC. Select a resource account and click Edit. Now select the desired voice routing policy and click Save.
Doing this with PowerShell is again the same as if it were a normal user.
Grant-CsOnlineVoiceRoutingPolicy -Identity "ra_aa_example_ps@domain.com" -PolicyName "Test"
How to change resource account type
In the same Edit Resource Account window, you can also change the resource account type. You can also do this in PowerShell. Just use the Set-CsOnlineApplicationInstance cmdlet and include the -Identity and -ApplicationId parameters. While this should work in theory, I haven't tried it myself as I suggest recreating them if necessary. Also, be careful when using accounts for third-party features such as the Operator Console or Contact Center. The TAC only supports custom application IDs and does not allow you to save your changes without selecting a resource account type. Use PowerShell if you want to assign online voice routing policies to a third-party resource account.
Associating a Resource Account with a Voice Application
In most cases, one resource account per call queue or auto attendant is sufficient. Let's digress for a moment and talk about naming again. To avoid confusion, I always make sure the queue/auto attendant display name and the resource account display name are the same. If a voice app requires multiple resource accounts, use numbering in the resource account names. Note that the resource account display name is the name that the recipient of a forwarded call from an auto attendant or queue will see in the Teams toast notification.
Here we see that this call queue is called "MS Test CQ", but the associated resource account is called "Team Green CQ".
Since the toast will show the resource account's display name, it will say that there is a call to "Team Green CQ" and not "MS Test CQ".
I talked about the meaning of the AA/CQ suffix at the beginning of this post. Microsoft has improved the TAC and now it displays the assigned phone numbers in a drop down list if we are looking for a voice app redirection target.
But let's assume that none of these accounts had a phone number, nor did we use a suffix. Good luck figuring out which is the auto attendant and which is the call queue.
Enterprise Voice
This is interesting. As far as I know, resource accounts created at least a few months ago still support Enterprise Voice, even if they haven't been assigned the Teams Phone Resource Account license.
Here is an example of such a relic. This resource account supports Enterprise Voice even if it doesn't have a LineURI or FeatureType. FeatureTypes is a relatively new property returned by Get-CsOnlineUser.
DisplayName: AA Support Number Business Hours
EnterpriseVoiceEnabled: True
LineUri:
FeatureTypes: {}
For reference, here is a screenshot of the M365 admin portal.
If we check the "AA Support Number" (licensed) in PowerShell using the query below, we will see that it contains "VoiceApp" in FeatureTypes.
Get-CsOnlineUser -Identity ra_aa_support_number@mozzism.ch | FL DisplayName, EnterpriseVoiceEnabled, LineURI, FeatureTypes
Output:
DisplayName: AA Support Number
EnterpriseVoiceEnabled: True
LineUri: tel:+4144xxxxxxx
FeatureTypes: {VoiceApp}
If we check a normal Teams user account, we will see that it contains “PhoneSystem” and “Teams” in its FeatureTypes.
DisplayName: Ben Kim
EnterpriseVoiceEnabled: True
FeatureTypes: {PhoneSystem, Teams}
Note, however, that a user can also enable the "PhoneSystem" feature type without actually having Enterprise Voice enabled. (In this case, the user has a Teams phone license but is not yet configured for EV.)
DisplayName: Bill Stearns
EnterpriseVoiceEnabled: False
FeatureTypes: {PhoneSystem, Teams}
I couldn't recreate this scenario. When I created a new resource account and didn't assign a license, Enterprise Voice enabled was always set to False.
DisplayName: Example PS AA
EnterpriseVoiceEnabled: False
FeatureTypes: {}
Let's see how it looks after adding the Microsoft Teams Phone Resource Account license to Example PS AA. After a few minutes, the feature type will be added and EV will be set to True. I spammed the Get-CsOnlineUser query so much that I was able to get the result before and after the change.
Here we see that the "VoiceApp" feature type was added, but the Enterprise Voice feature was still disabled.
DisplayName: Example PS AA
EnterpriseVoiceEnabled: False
FeatureTypes: {VoiceApp}
Literally a few seconds later I rebooted and now Enterprise Voice is on.
DisplayName: Example PS AA
EnterpriseVoiceEnabled: True
FeatureTypes: {VoiceApp}
Assigning the license will automatically set Enterprise Voice to True. This is different from normal user accounts. They will remain False until we assign them a number via the TAC or use Set-CsPhoneNumberAssignment -EnterpriseVoiceEnabled $true.
If the license is removed from the resource account, EV will be disabled again.
External PSTN transfers from resource accounts
You can find the official documentation of the technical requirements for external PSTN transfers here. In this article, I only discuss Direct Routing scenarios.
All resource accounts associated with the voice app must meet these requirements. For example, if you have two resource accounts with phone numbers assigned to one auto attendant and it transfers calls to an external number outside of business hours, both resource accounts must have a valid voice routing policy assigned to them. The TAC will not display a warning or error message even if none of the associated resource accounts have an online voice routing policy assigned to them. In other words, if a call is placed to a resource account that has not been assigned a voice routing policy, the transfer of the call will fail.
And the take? While I don't think this is officially documented, I've found that only the top-level resource account, i.e. the one with the number being called, needs to be set up correctly.
Let's see how to configure the resource accounts used in this scenario.
Apparently the call queue "Test EV Enabled CQ", not "Test EV Enabled AA", is doing the PSTN transfer. However, only Auto Attendant is configured for outgoing PSTN calls. Call forwarding works in this scenario.
DisplayName: Test EV Enabled AA
EnterpriseVoiceEnabled: True
FeatureTypes: {VoiceApp}
OnlineVoiceRoutingPolicy: FirstTrunk
DisplayName: Test EV Enabled CQ
EnterpriseVoiceEnabled: False
FeatureTypes: {}
OnlineVoiceRoutingPolicy:
In the PSTN and SMS usage report (preview) in the TAC, we see that it is the originally called resource account, not the one associated with the call queue, that is making the outbound call. Direct outgoing calls from voice apps are tagged as "dr_out_bot".
To be absolutely sure, I created another configuration. This time it's the other way around. The top-level auto attendant does not have an online voice routing policy, but the nested call queue does.
When I called the auto attendant number, the PSTN call queue transfer was not working even though the queue was set up for outgoing calls. When I called the queue number directly, the transfer to PSTN worked perfectly.
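Because the TAC shows no warning for these gaps, a scripted check helps. The following is an added example, not code from the original post: it flags resource accounts that lack the VoiceApp feature type, Enterprise Voice or a voice routing policy, and ranks accounts that own a phone number first, following the behaviour observed in the two test setups above. The function name, the Priority labels and the sample records are assumptions.

```powershell
# Hypothetical helper (not a Teams cmdlet): lists what each resource account is
# missing for external PSTN transfers via Direct Routing.
function Test-PstnTransferReadiness {
    param([Parameter(Mandatory)][object[]] $Account)
    foreach ($a in $Account) {
        $gaps = @()
        if ($a.FeatureTypes -notcontains 'VoiceApp') { $gaps += 'no VoiceApp feature type (unlicensed?)' }
        if (-not $a.EnterpriseVoiceEnabled)          { $gaps += 'Enterprise Voice disabled' }
        # Assumption: the policy value stringifies to the policy name, empty if unset.
        if ([string]::IsNullOrWhiteSpace([string]$a.OnlineVoiceRoutingPolicy)) {
            $gaps += 'no voice routing policy'
        }
        # An account with a LineUri can be called directly, so it can be the
        # top-level account whose settings decide whether the transfer works.
        $entry = -not [string]::IsNullOrEmpty($a.LineUri)
        $priority = if ($gaps.Count -eq 0) { 'ok' } elseif ($entry) { 'fix first' } else { 'review' }
        [pscustomobject]@{
            DisplayName = $a.DisplayName
            EntryPoint  = $entry
            Priority    = $priority
            Gaps        = $gaps -join '; '
        }
    }
}

# Constructed sample records mirroring the two test setups (placeholder names
# and numbers). Live: $accounts = Get-CsOnlineUser -AccountType ResourceAccount
$accounts = @(
    [pscustomobject]@{ DisplayName='Setup 1 AA (called number)'; LineUri='tel:+10000000001'; EnterpriseVoiceEnabled=$true;  FeatureTypes=@('VoiceApp'); OnlineVoiceRoutingPolicy='FirstTrunk' }
    [pscustomobject]@{ DisplayName='Setup 1 CQ (nested)';        LineUri=$null;              EnterpriseVoiceEnabled=$false; FeatureTypes=@();           OnlineVoiceRoutingPolicy=$null }
    [pscustomobject]@{ DisplayName='Setup 2 AA (called number)'; LineUri='tel:+10000000002'; EnterpriseVoiceEnabled=$true;  FeatureTypes=@('VoiceApp'); OnlineVoiceRoutingPolicy=$null }
    [pscustomobject]@{ DisplayName='Setup 2 CQ (nested)';        LineUri='tel:+10000000003'; EnterpriseVoiceEnabled=$true;  FeatureTypes=@('VoiceApp'); OnlineVoiceRoutingPolicy='FirstTrunk' }
)

Test-PstnTransferReadiness -Account $accounts | Format-Table -AutoSize -Wrap
```

Accounts marked 'review' should still be brought in line, since the official requirement applies to every resource account associated with the voice app.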
P.S. In case you're wondering how I created this flowchart and didn't get an advance notice, in addition to being a blogger, I'm also the creator of this PowerShell tool, which allows anyone to automatically render these beautiful graphics for free.
Find auto attendants and call queues in Teams
If you can't find all your auto attendants and call queues when you search for them in Teams, you should definitely take a look at this article.
One last thing
Although many things can be done in the TAC now, such as assigning online voice routing policies or phone numbers, there are still some things missing from the TAC. For example, you won't find resource accounts in Manage Users. However, you can replace the user's object ID in the URL with the resource account's object ID. This will allow you to view some data like recent calls.
If you are too lazy to get the object ID, you can also click on the resource account display name in PSTN and SMS usage report (preview).
This will result in an error message stating that the TAC cannot get the policy for this account. However, you will still be able to view your call history in the Meetings & Calls tab.
I hope this article helps you better understand how resource accounts work in Teams Phone. Please don't hesitate to contact us if you have any questions.