Configure Microsoft Entra Connect for Teams and Skype for Business
Skype for Business Online operated by 21Vianet in China will be retired on October 1, 2023. If you haven't upgraded your Skype for Business Online users yet, they will be automatically scheduled for an assisted upgrade. If you want to upgrade your organization to Teams yourself, we strongly recommend that you begin planning your upgrade path today. Remember that a successful upgrade aligns technical and user readiness, so be sure to leverage our upgrade guidance as you navigate your journey to Teams.
Skype for Business Online, excluding the service operated by 21Vianet in China, was retired on July 31, 2021.
To use Teams, organizations with an on-premises deployment of Skype for Business Server or Lync Server 2013 must configure Microsoft Entra Connect to synchronize their on-premises directory with Microsoft 365. Organizations with Skype for Business Server on-premises must ensure that the proper msRTCSIP attributes are synchronized into Microsoft Entra ID. In this article, any reference to "Skype for Business Server" also applies to Lync Server 2013.
- To get full functionality, such as the ability to interoperate with Skype for Business users and to communicate with users in federated organizations, existing Teams users who also have Skype for Business on-premises will need to have their Skype for Business on-premises account moved to the cloud. If the on-premises user will only be using Teams, you must still move the user to the cloud to provide full Teams functionality as a TeamsOnly user. For this migration to take place, you must configure Microsoft Entra Connect so that you can enable hybrid.
- If you are not planning to move users from on-premises to the cloud any time soon, you must still configure Microsoft Entra Connect so that the Teams and the Skype for Business Server accounts co-exist.
Microsoft Entra Connect keeps your on-premises Active Directory continuously synchronized with Microsoft 365. Your on-premises directory remains the authoritative source of identity, while changes from your on-premises environment are synchronized into Microsoft Entra ID. For more information, see Microsoft Entra Connect Sync. Users in your organization will be represented in both your on-premises and online directories. All users who use Teams or Skype for Business on-premises must be synchronized from on-premises into Microsoft Entra ID to ensure coexistence of these accounts. In addition, you may facilitate communication between on-premises and online users via Skype for Business hybrid connectivity, which also requires configuration of Microsoft Entra Connect.
Configuring Microsoft Entra ID when you have Skype for Business Server
For an on-premises deployment of Skype for Business Server to co-exist with Teams, certain Active Directory attributes from the on-premises deployment must be synchronized into Microsoft Entra ID using Microsoft Entra Connect. Setup for Microsoft Entra Connect automatically configures the required attributes to be synchronized by default when it detects the presence of Skype for Business Server in your on-premises environment. These attributes include general identity attributes, such as user principal name, as well as attributes prefaced with "msRTCSIP," which are specific to Skype for Business Server. The full set of attributes is listed at Microsoft Entra Connect Sync: Attributes synchronized to Microsoft Entra ID.
If you choose to customize the synchronization settings in Microsoft Entra Connect, you must ensure that the following attributes are synchronized for user objects:
- The user's SIP address in the on-premises environment
- Indicates if the user is homed on-premises or in the cloud
- Whether the user is enabled for SIP functionality
- The user's phone number
- Indicates if the user is enabled for voice functionality
- Used to identify hybrid application endpoints
It is the customer’s responsibility to ensure proper configuration for populating the attributes into Microsoft Entra ID. Keep the following in mind:
- Using a non-standard configuration for synchronizing to Microsoft Entra ID is risky. Nonstandard configurations could cause data corruption in your online directory.
- As products evolve, Microsoft will continue to verify standard synchronization configurations in which all relevant forests are synchronized. Customers with custom synchronization configurations are responsible for ensuring their configurations deliver the correct attributes and values into Microsoft Entra ID.
Whether you have one on-premises Active Directory forest or multiple forests, Microsoft Entra Connect can be used in a variety of supported topologies, as described in Topologies for Microsoft Entra Connect. From the perspective of Skype for Business Server, there are three variations:
- A single forest, which contains authoritative user identities and hosts Skype for Business Server.
- Multiple forests, only one of which hosts Skype for Business Server, as well as one or more other forests that contain authoritative user identities (the account forests).
- Multiple deployments of Skype for Business Server in multiple forests. Provided certain requirements are met, organizations can consolidate these multiple deployments into a single Microsoft 365 organization.
If user accounts and Skype for Business are all hosted in a single forest, you must ensure that Microsoft Entra Connect is configured to synchronize users from this forest into Microsoft Entra ID. By default, the appropriate attributes will automatically be synchronized into Microsoft Entra ID. Customers are advised against modifying the built-in synchronization rules and/or connectors that manage the configuration (which is not possible from the installation wizard).
Multiple forests with one Skype for Business deployment
This scenario is often referred to as a resource forest topology. Users’ authoritative identities are hosted in one or more account forests, and Skype for Business is deployed in a separate resource forest (which itself may also host authoritative user identities). In general, Skype for Business users’ authoritative identities can be in the same forest as Skype for Business Server and/or in another forest, provided:
- Users with authoritative identities from the account forest(s) are represented in the resource forest (where Skype for Business Server is deployed) as disabled user objects. The msRTCSIP-OriginatorSID attribute in the resource forest must match the SID in the account forest. For more details, see Configure a multi-forest environment for hybrid Skype for Business.
- The resource forest hosting Skype for Business Server trusts the account forest(s).
- All relevant user objects and attributes for both identity (from account forests) and Skype for Business (from resource forest) are synchronized into Microsoft Entra ID with the correct values through Microsoft Entra Connect.
To achieve proper object and attribute synchronization into Microsoft Entra ID in a multi-forest on-premises scenario, Microsoft strongly recommends using Microsoft Entra Connect to synchronize all forests that have enabled user accounts and the forest that contains Skype for Business. Assuming you synchronize from all forests, you must then configure Microsoft Entra Connect to merge these identities and synchronize to Microsoft Entra ID. Microsoft Entra Connect is designed to handle this scenario, and provides a built-in option in the installation wizard to set this up, including setting up anchors to join identities. Choose the following: User identities exist across multiple directories, and Match using --> ObjectSID and msExchangeMasterAccountSID attributes.
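An offline audit of the resource-forest conditions listed above (disabled placeholder objects whose msRTCSIP-OriginatorSID matches an account-forest SID), written as an added PowerShell example that is not part of the original article or of Microsoft's tooling. The function name, the record property names (`OriginatorSid`, `ObjectSid`) and all sample users and SIDs are constructed assumptions, and the resource-forest input is assumed to contain only Skype for Business-enabled users.

```powershell
# Added example, not Microsoft's code. Records are constructed; SIDs and names are placeholders.
# Against live forests, collect the same fields with Get-ADUser (ActiveDirectory module),
# requesting the extra property 'msRTCSIP-OriginatorSID' in the resource forest.

function Test-OriginatorSidMatch {
    param(
        [Parameter(Mandatory)] [object[]] $ResourceUsers,  # users in the Skype for Business forest
        [Parameter(Mandatory)] [object[]] $AccountUsers    # users in the account forest(s)
    )
    # Index account-forest users by SID string.
    $bySid = @{}
    foreach ($a in $AccountUsers) { $bySid[[string]$a.ObjectSid] = $a }

    foreach ($r in $ResourceUsers) {
        $sid = [string]$r.OriginatorSid
        # Enabled and unlinked: the identity is authoritative in the resource forest itself.
        if (-not $sid -and $r.Enabled) { continue }

        $issue = if (-not $sid) {
            'disabled object is not linked to any account-forest identity'
        } elseif (-not $bySid.ContainsKey($sid)) {
            'msRTCSIP-OriginatorSID matches no account-forest SID'
        } elseif ($r.Enabled) {
            'linked object is enabled; expected a disabled user object'
        } else { $null }

        if ($issue) {
            [pscustomobject]@{ User = $r.SamAccountName; OriginatorSid = $sid; Issue = $issue }
        }
    }
}

$dom = 'S-1-5-21-1000000001-1000000002-1000000003'   # constructed account-forest domain SID
$account = @(
    [pscustomobject]@{ SamAccountName = 'alice'; Enabled = $true; ObjectSid = "${dom}-1104" }
    [pscustomobject]@{ SamAccountName = 'bob';   Enabled = $true; ObjectSid = "${dom}-1105" }
)
$resource = @(
    [pscustomobject]@{ SamAccountName = 'alice'; Enabled = $false; OriginatorSid = "${dom}-1104" }  # correct
    [pscustomobject]@{ SamAccountName = 'bob';   Enabled = $true;  OriginatorSid = "${dom}-1105" }  # should be disabled
    [pscustomobject]@{ SamAccountName = 'carol'; Enabled = $false; OriginatorSid = "${dom}-1999" }  # stale SID
    [pscustomobject]@{ SamAccountName = 'dave';  Enabled = $false; OriginatorSid = $null }          # unlinked
    [pscustomobject]@{ SamAccountName = 'erin';  Enabled = $true;  OriginatorSid = $null }          # local identity
)
Test-OriginatorSidMatch -ResourceUsers $resource -AccountUsers $account | Format-Table -AutoSize
```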
Multiple Skype for Business Server deployments in multiple forests
In this scenario, there are multiple forests, each containing Skype for Business Server, and a single Microsoft 365 organization. Each forest containing Skype for Business Server can be synchronized into Microsoft Entra ID for that organization using Microsoft Entra Connect. Only one forest can be configured for Skype for Business hybrid at a given time. Before enabling hybrid in a forest, all SIP domains from all other forests must be disabled using Disable-CsOnlineSipDomain. For more information, see Cloud consolidation for Teams and Skype for Business.