Introduction
This guide is intended to help the customer implement the LoopUp DDI configuration reporting script either in Azure Automation or on an on-premises Windows device.
What is the DDI configuration reporting script?
The DDI configuration reporting script is a customer-hosted solution that enables accurate cloud telephony billing when external access to the loopup.service account is not possible. By default, the script runs daily to report platform usage. None of the data exported from your tenant to LoopUp is PII (personally identifiable information), and it is kept internally by LoopUp.
What is happening?
From a high level the script functions as follows:
- Your tenant's Entra ID display name and tenant ID are discovered so that the incoming data can be attributed to your tenant
- A Get-CsOnlineUser command is run with Select-Object filters applied so that only non-PII properties are kept (the collected properties are listed below):
  - LineURI
  - OnlineVoiceRoutingPolicy
- The data is then converted to JSON and sent over HTTPS to the API endpoint hosted in LoopUp's tenant
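The following PowerShell is an added example, not the LoopUp script itself. It shows the shape of the collection step described above: only LineURI and OnlineVoiceRoutingPolicy leave the tenant, the optional OnlineVoiceRoutingPolicy prefix filter is applied, and the payload is checked for PII property names before it would be posted. The sample user objects are constructed so the example runs offline; the function name, the payload field names and the endpoint URL are assumptions, while Get-CsTenant, Get-CsOnlineUser and Invoke-RestMethod are real cmdlets.

```powershell
# Added example (not the LoopUp script). Builds the non-PII payload from Get-CsOnlineUser-style objects.
function Get-DdiReportPayload {
    param(
        [Parameter(Mandatory)] [object[]] $Users,       # objects exposing LineURI / OnlineVoiceRoutingPolicy
        [Parameter(Mandatory)] [string]   $TenantName,  # Entra ID tenant display name
        [Parameter(Mandatory)] [string]   $TenantId,    # Entra ID tenant ID
        [string] $FilterOVRP                            # optional policy name prefix, e.g. "LoopUp"
    )
    # Only two properties are selected; DisplayName, UPN, mail etc. are dropped here and never serialised.
    $selected = $Users |
        Where-Object { $_.LineURI } |                   # users without a DDI are not billable, skip them
        Select-Object LineURI,
            @{ Name = 'OnlineVoiceRoutingPolicy'; Expression = { [string]$_.OnlineVoiceRoutingPolicy } }
    if ($FilterOVRP) {
        # -filterOVRP behaviour: keep only users whose routing policy starts with the given prefix
        $selected = $selected | Where-Object { $_.OnlineVoiceRoutingPolicy -like "$FilterOVRP*" }
    }
    [pscustomobject]@{
        tenantName  = $TenantName                       # field names are assumptions
        tenantId    = $TenantId
        collectedAt = (Get-Date).ToUniversalTime().ToString('o')
        users       = @($selected)
    }
}

# Guard run before sending: refuse the body if any PII-bearing property or an address leaked in.
function Test-PayloadHasNoPii {
    param([Parameter(Mandatory)] [string] $Json)
    -not ($Json -match 'UserPrincipalName|DisplayName|Mail|@')
}

# Constructed sample input standing in for Get-CsOnlineUser output (offline demonstration only).
$sample = @(
    [pscustomobject]@{ DisplayName = 'Alice Example'; UserPrincipalName = 'alice@contoso.example'; LineURI = 'tel:+442071234567'; OnlineVoiceRoutingPolicy = 'LoopUp-UK' }
    [pscustomobject]@{ DisplayName = 'Bob Example';   UserPrincipalName = 'bob@contoso.example';   LineURI = 'tel:+442071234568'; OnlineVoiceRoutingPolicy = 'OtherCarrier' }
    [pscustomobject]@{ DisplayName = 'Carol Example'; UserPrincipalName = 'carol@contoso.example'; LineURI = $null;               OnlineVoiceRoutingPolicy = 'LoopUp-UK' }
)
$payload = Get-DdiReportPayload -Users $sample -TenantName 'Contoso' -TenantId '00000000-0000-0000-0000-000000000000' -FilterOVRP 'LoopUp'
$json    = $payload | ConvertTo-Json -Depth 3
if (-not (Test-PayloadHasNoPii -Json $json)) { throw 'Payload contains PII properties; refusing to send.' }
$json    # with the sample above only Alice's LineURI/policy pair remains: Bob is filtered out, Carol has no DDI

# Live use against a tenant (after Connect-MicrosoftTeams); the endpoint URL is a placeholder:
# $tenant  = Get-CsTenant
# $payload = Get-DdiReportPayload -Users (Get-CsOnlineUser -ResultSize Unlimited) `
#                -TenantName $tenant.DisplayName -TenantId $tenant.TenantId -FilterOVRP 'LoopUp'
# Invoke-RestMethod -Method Post -Uri 'https://<loopup-api-endpoint>' -ContentType 'application/json' `
#                   -Body ($payload | ConvertTo-Json -Depth 3)
```

The PII check is deliberately a property-name match on the serialised body rather than on the objects: it catches a later edit to the Select-Object list as well as a stray property, which is the failure mode that matters for the "non-PII" claim made above.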
Prerequisites
Option 1: Azure Automation
The following requirements need to be met to allow the script to be deployed into the customer's Azure tenant.
- Access to an account holding the Azure Owner role for the subscription to use for the "Deploy to Azure" process
- The LoopUp Service account created, and roles configured as per design in the signed proposal (account will not be accessed externally from the customer environment)
- LoopUp provided Client ID, Client Secret and Customer ID
Option 2: On-premises Task Scheduler
The following requirements need to be met to allow the billing script to be run on a Windows device using Task Scheduler.
- A customer provided Windows device
- Internet connectivity is required
- Microsoft Teams PowerShell Module
- Microsoft Secret Store PowerShell Module
- User account used for script configuration
  - This user account will own the SecretVault that contains the password for the LoopUp Service Account
- "Allow log on locally" local security policy configured to allow that user account
- The LoopUp Service account created, and roles configured as per the design in the signed proposal (the account will not be accessed externally from the customer environment)
- LoopUp provided Client ID, Client Secret and Customer ID
Deployment
Option 1: Azure Automation
The "Deploy to Azure" button below can be used to automatically provision the following components into the customer tenant:
- Automation Account
- Microsoft Teams PowerShell Module
- Credentials
- Schedule
- Runbook
Deploy to Azure
- Click the "Deploy to Azure" button and log in to the customer's Azure tenant using an account with the required Azure Owner role
- Input the following information:
  - Subscription
  - Resource Group
  - Automation Account Region
  - LoopUp Service Account Username
  - LoopUp Service Account Password (the password is encrypted at runtime and in the automation assets)
  - LoopUp Client Id (provided by LoopUp)
  - LoopUp Client Secret (provided by LoopUp)
  - LoopUp Customer Id (provided by LoopUp)
If only certain users need to be exported, the filter feature can be configured. To configure it, enter the prefix of an OnlineVoiceRoutingPolicy, e.g. LoopUp (policies are listed in your Teams Admin Center).
- Click "Review & create"
- Click "Create"
- Click "Go to resource group"
- Click on the runbook
- Click "Start" at the top of the page
Option 2: On-premises Task Scheduler
- Create a folder named LoopUpHostedBillingScript on your C:\ drive
- Take a copy of all the files from the GitHub repository and save them in the above folder
- Import the Microsoft Teams and Microsoft Secret Store PowerShell modules
- Create a SecretVault to store the LoopUp Service Account password via PowerShell:
    Register-SecretVault -Name LoopUpHostedBillingScript.vault -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault
- Verify that the secret vault has been created:
    Get-SecretVault
- Create a secret for the LoopUp Service Account password:
    Set-Secret -Name LoopUpHostedBillingScript.connection -Secret <LoopUp Service Account Password>
- A "create password" prompt for the SecretVault may be displayed; enter a password (you will need it to disable SecretStore authentication below)
- Disable SecretStore password authentication:
    Set-SecretStoreConfiguration -Authentication None
- Import the task into Task Scheduler (taskschd.msc) using the "LoopUpHostedBillingScript_Task.xml" file
- Select the account that will execute the task (make sure this is the same account used to create the SecretVault and secret above)
- Press "OK" and re-enter the user account password when prompted
- Edit the Scheduled Task action and include the following:
  - the loopup.service account username after "-luServiceAccountUsername"
  - the Client ID after "-luClientID" (provided by LoopUp)
  - the Client Secret after "-luClientSecret" (provided by LoopUp)
  - the Customer ID after "-luCustomerID" (provided by LoopUp)
- If required, add the argument "-filterOVRP" and specify the OnlineVoiceRoutingPolicy, e.g. LoopUp, to output only LoopUp Cloud Telephony users
- Test that the task runs correctly by clicking "Run" on the task in Task Scheduler
- If there are any issues, please contact LoopUp support and attach the "ddi_[timestamp].log" file
Why disable authentication on SecretVault?
The script executes on a schedule with no opportunity for user input, so the process could not be automated if any vault authentication were in place.
This means the vault is protected solely by the Windows authentication of the user account under which the secret is stored (the SecretStore is per-user). It is therefore important that this account has limited permissions: by following the principle of least privilege, you minimise the scope and impact of a compromise of that account.
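The following PowerShell is an added example, not part of the LoopUp script or the guide's own commands. It performs the SecretVault steps from the on-premises deployment section in one non-interactive pass, verifies the resulting configuration, and shows how a scheduled script would read the secret back as a PSCredential without any prompt, which is the reason authentication is disabled. The vault and secret names are the ones used in this guide; the service account UPN and the Task Scheduler task name are placeholders, and the cmdlet parameters (`-Interaction None`, `-Password`, `-Confirm:$false`) are real SecretStore parameters.

```powershell
# Added example (not the LoopUp script). Run once, interactively, as the Windows account
# that will execute the scheduled task, because a SecretStore vault is only readable by that user.
Import-Module Microsoft.PowerShell.SecretManagement
Import-Module Microsoft.PowerShell.SecretStore

$vaultName  = 'LoopUpHostedBillingScript.vault'        # names from this guide
$secretName = 'LoopUpHostedBillingScript.connection'

# 1. Register the vault (skipped if it already exists, so the script can be re-run safely).
if (-not (Get-SecretVault -Name $vaultName -ErrorAction SilentlyContinue)) {
    Register-SecretVault -Name $vaultName -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault
}

# 2. Store the service-account password. Read-Host -AsSecureString keeps it out of console history
#    and out of the process command line, unlike passing it as a literal argument.
$servicePw = Read-Host -Prompt 'LoopUp service account password' -AsSecureString
Set-Secret -Name $secretName -Secret $servicePw -Vault $vaultName   # first use may prompt to create a vault password

# 3. Turn off vault authentication and prompts so the task can run unattended.
#    -Password is the vault password chosen at that first prompt; it is required to change the setting.
$vaultPw = Read-Host -Prompt 'Current SecretStore vault password' -AsSecureString
Set-SecretStoreConfiguration -Authentication None -Interaction None -Password $vaultPw -Confirm:$false

# 4. Verify the configuration is actually non-interactive before relying on the schedule.
$cfg = Get-SecretStoreConfiguration
if ($cfg.Authentication -ne 'None' -or $cfg.Interaction -ne 'None') {
    throw "SecretStore still requires interaction: Authentication=$($cfg.Authentication) Interaction=$($cfg.Interaction)"
}

# 5. What the scheduled script does at run time: read the secret back as a PSCredential.
#    Get-Secret returns a SecureString for string secrets, so the plaintext is never held in a variable.
function Get-LoopUpServiceCredential {
    param([Parameter(Mandatory)] [string] $Username)
    $secure = Get-Secret -Name $secretName -Vault $vaultName -ErrorAction Stop
    [pscredential]::new($Username, $secure)
}
$cred = Get-LoopUpServiceCredential -Username 'loopup.service@contoso.example'   # placeholder UPN
# Connect-MicrosoftTeams -Credential $cred   # credential sign-in; an MFA or Conditional Access requirement on the account will make this fail (see Troubleshooting)

# 6. Confirm the imported task runs under the same account that owns the vault.
#    The task name is assumed from the XML file name in this guide; adjust if yours differs.
$task = Get-ScheduledTask -TaskName 'LoopUpHostedBillingScript' -ErrorAction SilentlyContinue
if ($task) {
    "Task runs as: $($task.Principal.UserId)"
    "Arguments:    $($task.Actions.Arguments)"
    if ($task.Principal.UserId -notlike "*$env:USERNAME") { Write-Warning 'Task principal differs from the vault owner; Get-Secret will fail at run time.' }
}
```

Step 4 is the check worth keeping: a vault that still has `Interaction` set to `Prompt` will hang the scheduled task waiting for input rather than fail visibly, and the `ddi_[timestamp].log` file will simply stop being produced.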
Troubleshooting
Below are some troubleshooting steps if issues arise when deploying the DDI configuration reporting script.
Azure Automation Account Runbook Status = Failed
- Does the LoopUp Service account have any restrictions applied? For example:
  - MFA (Multi-Factor Authentication)
  - Conditional Access
- Make sure the loopup.service account has been logged into at least once via portal.office.com to fully activate the account
LoopUp Service Account Credential Expiration
To stop the account password from expiring in Azure Active Directory (Entra ID) for a specific user, you can run the following PowerShell command after installing the AzureAD PowerShell module and authenticating with Connect-AzureAD:
    Set-AzureADUser -ObjectId <user ID or UPN> -PasswordPolicies DisablePasswordExpiration
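As an added example (not part of the guide), the same check and change can be made with the Microsoft Graph PowerShell SDK, which is the supported replacement for the AzureAD module. It first reports the account's current policy and last password change so you can confirm the setting took effect; the UPN is a placeholder, and Get-MgUser, Update-MgUser and the PasswordPolicies value are real.

```powershell
# Added example (not from the guide): Graph SDK equivalent of the Set-AzureADUser command above.
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

$upn  = 'loopup.service@contoso.example'   # placeholder UPN of the LoopUp service account
$user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, PasswordPolicies, LastPasswordChangeDateTime

# Report the current state before changing anything.
[pscustomobject]@{
    User               = $user.UserPrincipalName
    PasswordPolicies   = $user.PasswordPolicies          # $null means the tenant default applies
    LastPasswordChange = $user.LastPasswordChangeDateTime
}

# Only update when the policy is not already set; the change shows up as an "Update user" entry in the Entra audit log.
if ($user.PasswordPolicies -notmatch 'DisablePasswordExpiration') {
    Update-MgUser -UserId $user.Id -PasswordPolicies 'DisablePasswordExpiration'
    (Get-MgUser -UserId $user.Id -Property PasswordPolicies).PasswordPolicies   # re-read to confirm
}
```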