Microsoft Teams Direct Routing GA

Today Microsoft Teams Direct Routing was announced as generally available. Direct Routing is the way to bring your own SIP trunk to Microsoft Teams using only a standard Session Border Controller (SBC). Today AudioCodes and Ribbon have certified SBCs for Direct Routing, and more are in the works. There are three flavors of Direct Routing:

Hosted in Azure!

Yes, you read that correctly. AudioCodes has a certified SBC that is now supported in Azure, which means you can run your Direct Routing SBC in Azure as a virtual appliance.


Installed in your datacenter connected to your PBX or SIP trunk

With Direct Routing you do not need any Skype for Business or Teams components installed in your datacenter to provide voice for your Teams users. All you need is a certified SBC, a public IP address and a certificate from a public CA, since the SBC talks to Microsoft with SIP over TLS and the media is encrypted with SRTP. Read my blog post on infrastructure requirements for setting up Direct Routing in your datacenter.
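As an added example (not from the original post), this is how the SBC described above is paired with the tenant and put into a voice route using the Skype for Business Online / Teams PowerShell cmdlets. The SBC FQDN sbc.contoso.com, the signaling port 5067, the user and the phone number are placeholders I made up; the domain part of the FQDN must be a verified domain in the tenant, and the SBC certificate must cover that FQDN and chain to a public CA.

```powershell
# Added example, not from the original post. Placeholders: sbc.contoso.com, port 5067,
# user@contoso.com and +15551234567. Requires an admin session with the Skype for Business
# Online (today: MicrosoftTeams) PowerShell module.

# 1. Pair the SBC with the tenant. Direct Routing only speaks SIP over TLS to the SBC,
#    so the FQDN must match the SBC certificate and be in a domain verified in the tenant.
New-CsOnlinePSTNGateway -Fqdn 'sbc.contoso.com' -SipSignalingPort 5067 `
    -MaxConcurrentSessions 100 -ForwardCallHistory $true -Enabled $true

# 2. Routing: a PSTN usage, a route that sends E.164 numbers to the SBC, and a
#    voice routing policy that bundles the usage so it can be assigned to users.
Set-CsOnlinePstnUsage -Identity Global -Usage @{Add = 'Unrestricted'}
New-CsOnlineVoiceRoute -Identity 'AllCalls' -NumberPattern '^\+\d+$' `
    -OnlinePstnGatewayList 'sbc.contoso.com' -OnlinePstnUsages 'Unrestricted' -Priority 1
New-CsOnlineVoiceRoutingPolicy -Identity 'DirectRouting' -OnlinePstnUsages 'Unrestricted'

# 3. Enable a user for Enterprise Voice, give them a DID and assign the routing policy.
Set-CsUser -Identity 'user@contoso.com' -EnterpriseVoiceEnabled $true `
    -HostedVoiceMail $true -OnPremLineURI 'tel:+15551234567'
Grant-CsOnlineVoiceRoutingPolicy -Identity 'user@contoso.com' -PolicyName 'DirectRouting'

# 4. Check that the pairing and the route are in place before making a test call.
Get-CsOnlinePSTNGateway -Identity 'sbc.contoso.com' | Format-List Fqdn, SipSignalingPort, Enabled
Get-CsOnlineVoiceRoute -Identity 'AllCalls' | Format-List NumberPattern, OnlinePstnGatewayList, OnlinePstnUsages
```

The number pattern above routes every E.164 number to the one SBC; in a real deployment you would normally split this into several routes and usages (local, national, international) so that who may dial what is controlled by the policy assigned to the user.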


Hosted by a partner

One SBC can connect to multiple Office 365 tenants, which makes this scenario scalable. This means you can consume native Microsoft Teams services from your own tenant while a service provider hosts your voice connectivity.


Thoughts

I think Direct Routing will make Cloud Voice mainstream, and it can be combined with Calling Plans where available, which means that you can freely choose how to consume voice. Being able to install the SBC in Azure means that anyone can now host and connect their own SIP trunk to Office 365. With the ability to either have this hosted or set it up with next to no on-premises infrastructure, you have a solution that can be consumed by most customer types, from SMB to Enterprise.

Office 365 Multi-Factor Authentication requirements explained

Short version

Multi-Factor Authentication (MFA) in Office 365 depends on Modern Authentication, which is OAuth 2.0 token-based authentication implemented in the clients through ADAL and performed against Azure AD.

Longer version with links to deep dives

  • What is MFA?
    • Multi-Factor Authentication (MFA) in Office 365 requires Modern Authentication (OAuth 2.0 + ADAL) to be enabled for the clients and services that are going to use MFA; legacy basic authentication has no way to carry a second factor
    • MFA, also called two-step verification, is a method of authentication that requires more than one verification method: the password combined with the Azure Authenticator app (now Microsoft Authenticator), an SMS code or a phone call
    • Read more here
  • What is Modern Authentication?
    • Modern Authentication is OAuth 2.0 used via ADAL to let newer applications (Outlook, Word, OneNote, Skype for Business and other Office applications) authenticate to services such as Skype for Business, Exchange and SharePoint
    • Office 2013 supports Modern Authentication from the March 2015 update onwards (it has to be switched on), and in Office 2016 it is enabled by default; the client uses an in-application browser control to render the Azure AD sign-in experience
    • Read more here
  • What is oAuth?
    • OAuth 2.0 (Open Authorization) is an authorization framework, not an authentication protocol in itself; ADAL uses it to run the web-based authorization flow that gets the client an access token for the service it wants to reach
    • Read more here
  • What is ADAL?
    • Microsoft Azure Active Directory Authentication Library (ADAL) is a client library (for .NET and other platforms) that lets applications acquire tokens from Azure AD for Office 365 and other resources; it has since been superseded by the Microsoft Authentication Library (MSAL)
    • Read more here
  • Two options are available for SSO against on-premises AD; both require Modern Authentication
    • Pass-through Authentication (PTA)
      • Works with Office 365 (Azure AD) sign-ins only
      • Enabled in the latest Azure AD Connect (AADC); the authentication agents only need outbound connectivity, so no server in the DMZ
      • Install several authentication agents and sign-in requests are distributed between them automatically, which gives high availability at low operational cost
      • Does not store the password (hash) in Azure AD; the user is authenticated against on-premises AD first, and MFA is prompted afterwards if enabled
      • In combination with password hash sync you are not dependent on the agents being up, since you can fall back to password hash sync
      • Read more here and here
    • ADFS 3.0 (Windows Server 2012 R2)
      • Used for hybrid Skype for Business and Exchange environments
        • Skype for Business Server hybrid supports Modern Authentication, but does NTLM authentication to on-premises AD and shows the MFA prompt when authenticating to Exchange Online; read more here
        • I recommend Pointsharp MFA for on-premises and hybrid Skype for Business deployments
        • Exchange Server hybrid requires Azure MFA Server; read more here
        • For the best Azure MFA experience, an online-only deployment is recommended
      • ADFS is best suited for larger organizations
      • More complex: requires Web Application Proxy servers in the DMZ with a public IP address and a publicly trusted certificate
      • Requires a load balancer for high availability
      • Required when doing MFA with smart cards, third-party tokens or certificate-based authentication
      • Read more here
  • You can now use Microsoft Intune to control MFA options and turn off MFA for certain subnets and conditions; read more here
  • Read about conditional access, MFA with Intune Hybrid and SCCM
  • Use Azure AD Premium with automated password roll-over for business social media profiles, protected by an MFA-enabled identity with centrally controlled delegation; read more here
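As an added example (not from the original post), the PowerShell below does the two things the list above says MFA depends on: switching Modern Authentication on for the Exchange Online and Skype for Business Online services, and enabling ADAL in an Office 2013 client. It then shows a check I find useful once MFA is turned on: decoding the OAuth 2.0 token a Modern Authentication client receives and looking at its `amr` (authentication methods) claim, which Azure AD populates with `mfa` only when a second factor was actually completed. The tenant, user and the sample token are constructed placeholders; the decoder does not verify the token signature, so it is for inspection only.

```powershell
# Added example, not from the original post. Assumes remote PowerShell sessions to
# Exchange Online and Skype for Business Online are already open. Names are placeholders.

# --- Service side: enable Modern Authentication (OAuth 2.0 via ADAL) per service ---
# Exchange Online
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Get-OrganizationConfig | Format-List OAuth2ClientProfileEnabled

# Skype for Business Online (SharePoint Online has Modern Authentication on by default)
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
Get-CsOAuthConfiguration | Format-List ClientAdalAuthOverride

# --- Client side: Office 2013 (15.0) needs these keys; Office 2016 has ADAL on by default ---
$identity = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'
New-Item -Path $identity -Force | Out-Null
Set-ItemProperty -Path $identity -Name EnableADAL -Value 1 -Type DWord
Set-ItemProperty -Path $identity -Name Version   -Value 1 -Type DWord

# --- Check: did the sign-in really include a second factor? ---
# Azure AD tokens carry an 'amr' claim listing the authentication methods used, e.g.
# ["pwd"] for password only and ["pwd","mfa"] when MFA was completed. This decodes the
# JWT payload WITHOUT verifying the signature: fine for troubleshooting, never for authz.
function Test-MfaClaim {
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = ($Jwt -split '\.')[1]
    # JWTs use base64url without padding; convert back to standard base64 for .NET.
    $payload = $payload.Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json   = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    $claims = $json | ConvertFrom-Json
    return [bool]($claims.amr -contains 'mfa')
}

# Constructed sample token (header.payload.signature) for a user who did password + MFA.
# This is NOT a real Azure AD token; the signature part is a dummy string.
$hdr = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('{"alg":"RS256","typ":"JWT"}')).TrimEnd('=')
$pl  = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('{"upn":"user@contoso.com","amr":["pwd","mfa"]}')).TrimEnd('=')
$sampleToken = "$hdr.$pl.dummysignature"

Test-MfaClaim -Jwt $sampleToken
```

In practice you get the token to inspect from a Modern Authentication client trace or the Azure AD sign-in logs; a token whose `amr` only contains `pwd` for a user you believe is MFA-enabled is the quickest sign that the client in question is still using legacy authentication or that a conditional access exclusion applies.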
