A discussion on deploying TEAMS first, or running TEAMS without Exchange integration.
Terminology Framework Note: For the discussion below, it is important that we establish a common terminology framework. Discussions around the Microsoft Teams product line can become confusing. Here is the manner in which the term “teams” is used throughout this discussion:
- TEAMS all upper-case: This is the TEAMS Software-as-a-Service.
- Teams with “T” upper-case: This is either the Desktop or the Web Client.
- teams/team all lower-case: This is a team, or the collection of personnel and resources which represents an organizational working group. These often are groups of people working in the same office with a shared set of resources such as a file share or a mailbox.
I would strongly recommend that if your organization has not adopted a standard terminology framework within the TEAMS product line, you consider doing so at your earliest convenience. This will assist with reducing the probability of miscommunication and misunderstandings, not to mention simply maintaining some sense of order within meetings.
Teams First – Points of Consideration
Recently I have been working a great deal with a number of organizations which have Exchange on premises and are looking to take advantage of Microsoft 365’s TEAMS. This is very understandable given the number of service improvements and advantages which TEAMS offers over Skype for Business.
Now with this established we need to consider whether this is actually a good idea. The preferred method to adopt TEAMS is actually an Exchange First model where the user’s active mailbox is located within Exchange Online prior to activating TEAMS for the user.
By considering the information provided by Microsoft within How Exchange and Microsoft Teams Interact, it becomes evident that there are some distinct service dependencies which TEAMS requires Exchange to facilitate.
Now, this brings forward a few additional questions we should consider:
- What if the organization does not have the option to move to Exchange Online first?
- Can TEAMS integrate with Exchange on premises?
- What if the organization is not on a supported version of Exchange?
- What must be configured to support TEAMS without Exchange integration?
- What are the apparent limitations with a TEAMS first approach without integration with an Exchange mailbox?
Fortunately, there is a path forward to leverage TEAMS without moving to Exchange Online first. As previously stated, it is recommended to migrate/enable users for Exchange Online first as this is a cornerstone of the TEAMS service (the others rooted deeply in SharePoint + OneDrive). However, let’s look at a couple of scenarios in which Exchange Online is not yet an option.
Scenario 1: Migrating All On-Premises Users to Exchange Online Is Not Possible
This is a bit of a giveaway regarding Question 2, can TEAMS integrate with Exchange on premises?
Yes. TEAMS can.
Scenario 2: The organization intends to run in an Exchange Hybrid deployment with mailboxes located on premises as well as in the cloud.
Fortunately, the same is true in that TEAMS can integrate with Exchange on premises.
Scenario 3: The organization does not plan to run in an Exchange Hybrid deployment. TEAMS will not integrate with Exchange directly.
This is a unique scenario, one which can be configured. It has some unique service limitations. It requires an administrator to manually configure Azure Active Directory Connect (AADC) to replicate specific attributes. This scenario is further addressed in Question 4, Path 2.
As we previously established, the answer to this is yes. However, TEAMS cannot integrate with just any version of Exchange on premises, and there are further authentication considerations. Let’s look at each of these individually:
Exchange Version Requirements
As outlined in How Exchange and Microsoft Teams Interact, Exchange 2016 CU3 or newer must be installed.
Note: Microsoft only officially supports the most recent two CU versions of Exchange. That is to say, the support model for Exchange is N – 1 (N minus one): if the most recent Exchange CU is CU20, then Microsoft officially only supports CU20 and CU19. Upon release of CU21, CU19 is no longer supported.
Always use the Exchange Server Supportability Matrix when planning your organization’s Exchange environment.
Note: Now, a valid question would be why even discuss this if Microsoft only supports certain versions of Exchange? The reason is that many organizations are not running supported versions of Exchange Server on-premises. They simply do not have the staff to keep Exchange up-to-date, or they have other business processes that prevent them from upgrading their Exchange environment.
TEAMS can still be enabled. And many features within TEAMS can be leveraged. There are some unique limitations associated with enabling TEAMS without also integrating Exchange with the service. More information is provided below on how to enable TEAMS without fully integrating with Exchange.
Within this scenario, I’m going to outline how to enable the TEAMS service for users without integrating with Exchange Online or Exchange On-Premises.
There are two paths forward regarding this:
Path One: Enable Azure Active Directory Connect (AADC) and replicate to Azure AD all user identities which need to be enabled for TEAMS – be sure to configure AADC for Exchange Hybrid. Configure Exchange On-Premises Hybrid using the Exchange Hybrid Configuration Wizard (HCW). This will ensure that all the necessary Exchange attributes from on-premises are replicated – during the HCW setup, ensure that the HCW updates AADC to replicate the following user Exchange attributes:
- msExchMailboxGuid (user)
- msExchMailboxGuid (group)
Note: Lab testing indicates that these attributes are replicated when AADC is configured with its default settings. Reviewing the Synchronization Rules indicates these attributes are already included and may not require manual configuration.
- On-Premises user objects replicated to Azure AD via Azure Active Directory Connect replication – all users who will be enabled for TEAMS.
- Replication of the attributes outlined above.
- Microsoft 365 licenses for both TEAMS and Exchange Online.
- Replicate all user objects and attributes.
- The msExchMailboxGuid attributes must be replicated.
- If configuring Exchange in Hybrid with the HCW, these attributes are included.
- If these attributes for a user are not replicated, and then the user is assigned an Exchange Online license, the user will provision a standard user mailbox.
- Once the user identities have been replicated to Azure AD, enable all the user identities for TEAMS and Exchange Online by assigning licenses.
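Before (or after) assigning licenses, it is worth verifying that msExchMailboxGuid actually made it to the cloud for every on-premises mailbox user, because the failure mode described above (a standard cloud mailbox being provisioned) is silent. The following PowerShell is an added example, not code from the original post; it assumes the ActiveDirectory and ExchangeOnlineManagement modules are installed, that Connect-ExchangeOnline has already been run, and that the OU path is a placeholder you replace with your own.

```powershell
# Added example (not from the original post): compare each on-premises user's
# msExchMailboxGuid with the ExchangeGuid of the synced Exchange Online object.
# A MailUser with a matching GUID is the expected state for this scenario;
# a UserMailbox means licensing created a standard cloud mailbox.
# Assumes: ActiveDirectory + ExchangeOnlineManagement modules, an existing
# Connect-ExchangeOnline session, and a placeholder OU path.

Import-Module ActiveDirectory

$searchBase = 'OU=Staff,DC=contoso,DC=local'   # placeholder OU; adjust to your forest

$report = foreach ($user in Get-ADUser -SearchBase $searchBase -Filter 'mail -like "*"' `
                                       -Properties mail, msExchMailboxGuid) {

    # msExchMailboxGuid is stored as an octet string; convert the byte[] to a GUID
    $onPremGuid = if ($user.msExchMailboxGuid) {
        [guid]::new([byte[]]$user.msExchMailboxGuid)
    }

    # Look up the synced object in Exchange Online by UPN
    $cloudObj = Get-Recipient -Identity $user.UserPrincipalName -ErrorAction SilentlyContinue

    $status = if (-not $onPremGuid) {
        'ATTR-MISSING: no msExchMailboxGuid on-premises; an EXO license will create a cloud mailbox'
    } elseif (-not $cloudObj) {
        'NOT-SYNCED: no matching recipient in Exchange Online yet'
    } elseif ($cloudObj.RecipientTypeDetails -eq 'UserMailbox') {
        'CONFLICT: a standard cloud mailbox exists despite the on-premises mailbox'
    } elseif ([guid]$cloudObj.ExchangeGuid -ne $onPremGuid) {
        'MISMATCH: ExchangeGuid in EXO differs from on-premises msExchMailboxGuid'
    } else {
        'OK: MailUser with matching ExchangeGuid'
    }

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        OnPremGuid        = $onPremGuid
        CloudType         = $cloudObj.RecipientTypeDetails
        CloudGuid         = $cloudObj.ExchangeGuid
        Status            = $status
    }
}

# Anything other than OK needs attention before the user is licensed for TEAMS/EXO
$report | Where-Object { $_.Status -notlike 'OK*' } | Format-Table -AutoSize
```

Run it against a pilot OU first; a CONFLICT row for an already-licensed user means the cloud mailbox has to be dealt with before that user's on-premises mailbox can be treated as authoritative.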
Why assign Exchange Online license to a user who will not use Exchange Online?
When the msExchMailboxGuid attribute is replicated to Azure AD for a user who has an on-premises Exchange mailbox, this will allow administrators to assign an Exchange Online license. When the user is then assigned a TEAMS license, a shadow mailbox is provisioned for the user. This mailbox is used for retention of specific TEAMS data. This becomes very important when administrators must perform eDiscovery searches for content within the organization. Without this shadow mailbox, the data is not retained. This could introduce certain legal liabilities regarding records management.
Is it required to assign Exchange Online licenses?
No. However, as previously mentioned, there are specific limitations which are imposed if the user is not assigned an Exchange Online license. Specifically:
- eDiscovery Search: User IMs and data stored within the ExO Mailbox are not discoverable. While the data will appear in the TEAMS client, that is data reflected from the TEAMS Cosmos database. eDiscovery does not search this location. Instead, the substrate service within M365 places a copy in the ExO mailbox for the user, which is indexed and discoverable.
- Legal Hold: TEAMS data within the ExO mailbox can be placed on legal hold. Without an ExO mailbox this is not possible.
- Retention of TEAMS Chat History: The user’s chat history is stored within the user’s ExO mailbox. This allows administrators to apply retention policies against the data.
What if I’m already using Skype for Business Online?
Hopefully, this is not the case. However, if you are, and the user mailboxes are not within Exchange Online, then it will not be possible to copy the established meetings to the TEAMS service. If this is a concern for your organization, you should strongly consider migrating all users to Exchange Online or configure Hybrid Modern Authentication between the TEAMS service and the on-premises Exchange organization. That is out of scope of this document. See this article for more technical details.
However, fundamentally, if you configure Hybrid Modern Authentication, then it becomes possible to establish a shadow mailbox for even the on-premises mailboxes. This then allows data to be stored within the shadow mailbox.
Limitation 1 – Scheduling TEAMS Meetings: Users will not have access to the Calendar app within the Teams desktop or web client. Since the TEAMS service will be unable to authenticate to Exchange on-premises, it will be unable to access the user’s calendar within the mailbox. As a result, users must leverage the Outlook desktop client to schedule TEAMS meetings.
In addition to this, users will be required to install the Teams desktop client and authenticate to the TEAMS service using modern authentication. This will then enable the Teams plug-in for Outlook, which then allows users to schedule TEAMS meetings.
They must also then join TEAMS meetings from within the Outlook meeting invite, or they must have the link to the meeting available to them via another means, such as a meeting participant sharing the link with them via Chat.
See the images below: [Image: Teams Client without Calendar App] [Image: Teams Client with Calendar App]
Limitation 2 – Meet Now Unavailable: Users will not have access to the Calendar app within the Teams desktop or web client. As a result, users will be unable to leverage the Meet Now functionality within the Teams desktop or web client.
[Image: Teams Client without Calendar App] [Image: Teams Client with Calendar App]
Limitation 3 – No Access to Availability: Users will not have access to the Calendar app within the Teams desktop or web client. As a result, users will be unable to view availability information of other users. This is rooted in two facts. First, the TEAMS service is unable to access the user’s mailbox. Second, the Teams client must be able to perform web calls to Exchange to access mailbox calendar data. As there is no authentication configured between the TEAMS service and Exchange, the client is unable to obtain this data.
[Image: Teams Client without Calendar App] [Image: Teams Client with Calendar App & Availability]
Limitation 4 – Delegates Unable to Schedule Meetings On-Behalf-Of: Mailbox delegates are unable to create meetings on behalf of another user. This too is rooted in the fact that the TEAMS service is unable to authenticate with the Exchange service. When a delegate attempts to create a meeting on behalf of another user, they will receive the following error within Outlook:
Limitation 5 – Access to Voicemail Unavailable: The TEAMS service leverages the user’s mailbox to store voicemail. As the TEAMS service will be unable to access the user’s mailbox, it will be unable to retrieve the voicemail.
[Image: Teams Client without Voicemail Access] [Image: Teams Client with Voicemail Access]
Limitation 6 – Users Unable to Change Profile Picture: The user profile picture is stored within the user’s mailbox. As detailed before, the Teams client is unable to access the user’s mailbox and is therefore unable to update the profile picture. This can also result in the Teams client being unable to display the user’s image.
Microsoft Guide: Change Your Profile Picture in Teams
[Image: Teams Client without Access to Profile Picture in Mailbox]
Limitation 7 – Outlook Application within Microsoft 365 User Portal – 500 Error: When users log in to the Microsoft 365 Portal, they will see the Outlook application icon. This application is present because the user has been assigned an Exchange Online license and a shadow mailbox has been provisioned. However, if the user attempts to open Outlook, they will receive a 500 Error.
[Image: Microsoft 365 Portal] [Image: 500 Error Message]