Exchange Mailbox requirements for MS Teams and Troubleshooting
Exchange Mailbox Location
The ideal state is for all Skype Teams users to have their mailboxes homed on Exchange Online.
The minimum state for users to use Skype Teams is Exchange mailboxes on-premises with their identities synchronized to Office 365. For these Exchange hybrid customers, note that Meetings, Changing Profile Photo, and Connectors are not available if the user's mailbox is hosted on-premises or in legacy Dedicated online (Azure ADSync required), and there are no current plans to fix this. The root cause is that it is not yet possible to connect to the user's mailbox using Exchange APIs.
However, as long as one IT Pro / user can add Connectors for a given team, the rest of the team members can have Exchange mailboxes homed on-premises with their identities synchronized to Office 365. An enabled Exchange mailbox ('online' or 'on-premises + directory sync') is required.
Actions supported:

| User's mailbox is hosted in | Create teams | Join teams | Create channels | Create and view meetings | Modify User Profile Picture | Add and configure connectors | Add and configure tabs | Add and configure bots |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Exchange Online | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Exchange Online Dedicated vNext | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Exchange Online Dedicated – Legacy (Sync to Azure AD required) | Yes | Yes | Yes | No | No | No | Yes | Yes |
| Exchange on-premises (Sync to Azure AD required) | Yes | Yes | Yes | No | No | No | Yes | Yes |
Group Creation Enablement
Group Creation needs to be enabled as a feature under Exchange (it is on by default for everyone) so that groups can be created by anyone. Administrators can limit which users can create groups by updating MSOL settings in PowerShell to narrow creation down to a specific security group.
Azure Active Directory Connect for Hybrid Users
All O365 subscribers are assigned a free license by default for Azure Active Directory. In the case where a tenant has users' mailboxes homed on-premises, they must go through O365 directory synchronization to either:
- Synchronize Identities
Synchronize on-premises directory objects with Office 365 and manage your users on-premises. You can also synchronize passwords so that the users have the same password on-premises and in the cloud, but they will have to sign in again to use Office 365.
- Federate Identities
Synchronize on-premises directory objects with Office 365 and manage your users on-premises. The users have the same password on-premises and in the cloud, and they do not have to sign in again to use Office 365. This is often referred to as single sign-on.
We have a FAQ for that topic which you can find on this Admin support page.
Troubleshooting
How to collect Web app and Desktop logs?
- Windows
  - Web logs
    - Press Ctrl+Alt+Shift+1 in the client to download logs
    - %downloads%\MSTeams Diagnostics Log <timestamp>.txt
    - Best logs to start with
    - Contains almost all client activity
  - Desktop logs
    - %appdata%\Microsoft\Teams\logs.txt
    - Contains framework and bootstrapping info:
      - App Bootstrap process
      - Plugin initialization
      - Update Management
      - Some SSO info when using SSO builds (Desktop Auth)
- Mac
  - Web logs
    - Press Command+Option+Shift+1 in the client to download logs
    - Downloads\MSTeams Diagnostics Log <timestamp>.txt
    - Best logs to start with
    - Contains almost all client activity
  - Desktop logs
    - ~/Library/Application Support/Microsoft/Teams/logs.txt
    - Contains framework and bootstrapping info:
      - App Bootstrap process
      - Plugin initialization
      - Update Management
      - Some SSO info when using SSO builds (Desktop Auth)
How to collect logs from the Exchange side?
- The Unified Audit Log feature in the Security and Compliance Center can be used to search audit logs for Microsoft Teams. Please note that it may take up to 24 hours before the activity is seen in the Unified Audit Log.
- Using PowerShell, you can use the Search-UnifiedAuditLog cmdlet and specify the -RecordType as MicrosoftTeams.
- The following article lists the audited activities supported for Microsoft Teams: Search the audit log in the Office 365 Security & Compliance Center
- There isn't any special audit setting that needs to be turned on at the mailbox level for this activity. Mailbox auditing is only supported for mailboxes of type UserMailbox.
- Please note that even though there is a mailbox for the team, it is the same as a modern group mailbox, meaning the user associated with the mailbox is a group object (not a user object). Following is an example:
PS C:\Temp> Get-Mailbox -GroupMailbox MSContoso_abc |fl DisplayName,RecipientType*,Audit*
DisplayName : MSContoso
RecipientType : MailUniversalDistributionGroup
RecipientTypeDetails : GroupMailbox
AuditEnabled : False
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditDelegate : {Update, SoftDelete, HardDelete, SendAs...}
AuditOwner : {}
- By design, you cannot run cmdlets such as the following. It will simply error out.
Get-Mailbox -GroupMailbox MSContoso_abc | Set-Mailbox -AuditEnabled $true
The Set-Mailbox cmdlet does not work against this type of mailbox, and hence the AuditLogAgeLimit cannot be increased.
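
The Search-UnifiedAuditLog approach described above, as an added example that is not part of the original article: it pages through every MicrosoftTeams record in a date window, flattens the AuditData JSON, and summarizes activity per operation. It assumes an already connected Exchange Online PowerShell session with audit search permission; the seven-day window, session name and CSV path are constructed values, and TeamName is filled only for records whose AuditData carries it.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already
# connected and the account is allowed to search the unified audit log.
$end       = Get-Date
$start     = $end.AddDays(-7)                      # constructed search window
$sessionId = "TeamsAudit-" + [guid]::NewGuid()     # constructed session name

# ReturnLargeSet pages through the result set; repeat the same call with the
# same SessionId until a page comes back empty.
$records = @()
do {
    $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                -RecordType MicrosoftTeams `
                -SessionId $sessionId -SessionCommand ReturnLargeSet `
                -ResultSize 5000)
    $records += $page
} while ($page.Count -gt 0)

if ($records.Count -eq 0) {
    # Activity can take up to 24 hours to appear in the Unified Audit Log.
    Write-Warning "No MicrosoftTeams audit records between $start and $end."
    return
}

# AuditData is a JSON string; parse it to reach the Teams-specific fields.
# ReturnLargeSet returns unsorted pages, so sort after flattening.
$events = $records | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        CreationDate = $_.CreationDate
        User         = $_.UserIds
        Operation    = $_.Operations
        TeamName     = $data.TeamName   # empty when the record has no team
    }
} | Sort-Object CreationDate

# Which Teams operations occurred, and how often.
$events | Group-Object Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Keep a copy that outlives the audit log retention period.
$events | Export-Csv -Path .\TeamsAudit.csv -NoTypeInformation
```

Because Set-Mailbox cannot extend AuditLogAgeLimit on the group mailbox, a scheduled export like this is one way to retain Teams activity for longer than the service keeps it.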