Microsoft Teams Blog
DanielaChocron
Microsoft
Jun 18, 2024
Microsoft Teams Phone is a cloud-based phone system that enables smart communication and effortless collaboration for Teams users. To enable Teams Phone features such as auto attendants and call queues, resource accounts are required. These resource accounts are associated with these features and are not intended for actual users.
We are committed to providing secure and compliant services to our customers and users. As part of this commitment, we continuously identify areas of improvement for our security privileges for administrative roles in Microsoft 365.
Currently, Teams administrators can create and manage resource accounts without requiring any user management permissions in Microsoft 365. As part of our commitment to deliver secure solutions that meet the highest standards, we are implementing changes to the management of resource accounts. Going forward, Teams administrators will need to have user management permissions in Microsoft 365 to create and manage resource accounts. This change will take effect in the 3rd quarter of 2024.
This change will impact the Teams administrative experiences and workflows, as well as the Teams end-user features that depend on resource accounts. To prepare for this change, we have created the guidance below for Teams administrators:
- Ensure you have the appropriate user management permissions in Microsoft 365 to create and manage resource accounts. These permissions include User Administrator, Global Administrator, or custom roles that include the User Management permission. To assign these permissions, use the Microsoft 365 admin center or the Azure Active Directory PowerShell for Graph.
- Review the existing resource accounts in your tenant and make sure that they are configured correctly and assigned to the relevant Teams Phone features. Resource accounts can be viewed and managed in the Teams Admin Center or using PowerShell cmdlets.
- Update your processes and documentation to reflect the new requirements and best practices for creating and managing resource accounts. Resource accounts should have a clear naming convention and description that indicate their purpose and association with the Teams Phone features. Resource accounts should also have a valid license assigned to them, such as Microsoft Teams Phone Resource Account.
- Communicate the change and its implications to the relevant stakeholders and end-users in your organization. End-users may experience service disruptions or feature unavailability if the resource accounts are not created or managed properly by the Teams Phone administrators. For example, if a resource account is deleted or disabled, the associated auto attendant or call queue will stop working. If a resource account is not licensed or assigned to a phone number, the associated voicemail or conference bridge will not function.
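
The review step in the guidance above, as an added example that is not part of the original post or of Microsoft's documentation: a PowerShell check that flags resource accounts that are disabled, unlicensed, not assigned to a feature, missing a phone number, or off-convention. The inventory records, their property names, and the `RA-AA-`/`RA-CQ-` naming pattern are assumptions made for this example.

```powershell
# Added example: audit a resource-account inventory against the conditions the post lists.
# The records are constructed sample data and the property names are this example's own.
# In a tenant, build the same shape from Get-CsOnlineApplicationInstance (MicrosoftTeams
# module) joined with account-enabled and license state from your directory.
$inventory = @(
    [pscustomobject]@{ Upn = 'ra-aa-main@contoso.example';  DisplayName = 'RA-AA-Main Line'
                       Enabled = $true;  Licensed = $true;  PhoneNumber = '+15550100'; Feature = 'AutoAttendant' }
    [pscustomobject]@{ Upn = 'ra-cq-sales@contoso.example'; DisplayName = 'RA-CQ-Sales'
                       Enabled = $false; Licensed = $true;  PhoneNumber = '+15550101'; Feature = 'CallQueue' }
    [pscustomobject]@{ Upn = 'helpdesk2@contoso.example';   DisplayName = 'helpdesk 2'
                       Enabled = $true;  Licensed = $false; PhoneNumber = $null;       Feature = $null }
)

# Hypothetical naming convention: RA-AA-<name> for auto attendants, RA-CQ-<name> for call queues.
$namePattern = '^RA-(AA|CQ)-.+'

function Test-ResourceAccount {
    param(
        [Parameter(Mandatory)] $Account,
        [Parameter(Mandatory)] [string] $NamePattern
    )
    $findings = @()
    if (-not $Account.Enabled)     { $findings += 'account disabled' }
    if (-not $Account.Licensed)    { $findings += 'no license assigned' }
    if (-not $Account.Feature)     { $findings += 'not assigned to a Teams Phone feature' }
    if (-not $Account.PhoneNumber) { $findings += 'no phone number assigned' }
    if ($Account.DisplayName -notmatch $NamePattern) {
        $findings += 'display name does not follow the naming convention'
    }
    [pscustomobject]@{
        Upn       = $Account.Upn
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Evaluate every account and list only the ones that need attention.
$report = foreach ($account in $inventory) {
    Test-ResourceAccount -Account $account -NamePattern $namePattern
}
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    '{0}: {1}' -f $_.Upn, ($_.Findings -join '; ')
}
```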
Possible paths forward
To streamline the creation and management of resource accounts, Teams Phone administrators can consider the following options:
- Use split provisioning to divide the tasks of creating and configuring resource accounts between user administrators and Teams administrators. Split provisioning is a process that allows user administrators to create resource accounts using the Microsoft 365 Admin Center or PowerShell, and then assign them to Teams administrators who can configure them using the Teams Admin Center or PowerShell.
- Use staged resource accounts to pre-create a set of resource accounts in bulk and then assign them to the Teams Phone features as needed. Staged resource accounts are resource accounts that are assigned a license and a phone number
- Use Privileged Access Management (PAM) to delegate the permissions and roles needed to create and manage resource accounts. PAM is a feature of Microsoft 365 that allows you to control who can perform certain administrative actions and when. With PAM, you can create policies that grant access to specific tasks or cmdlets for a limited time period and require approval from designated approvers. For example, you can create a policy that allows a Teams administrator to run the New-CsOnlineApplicationInstance cmdlet to create a resource account, but only after getting approval from a global administrator. To learn more about PAM and how to use it, see Privileged Access Management in Microsoft 365.
- Use Power Platform to create a custom solution that automates the creation and management of resource accounts. Power Platform allows you to build low-code apps that connect to various data sources and services. With Power Apps or Microsoft Forms, you can create a user interface that collects the required information for creating a resource account, such as the name, description, phone number, and license. Then, you can use Power Automate to trigger a workflow that validates the input, creates the resource account using Entra ID Connectors or Graph API, and sends a notification to the Teams Phone administrator. The created resource account will appear in the Teams Admin Center and can be managed from there. To learn more about Power Apps and how to use it, see What is Power Apps? and Create an app from scratch.
- Organizations may also decide to add Teams administrators to the User Administrator group.
We appreciate your understanding and cooperation as we work to enhance the security and compliance of Microsoft 365 services. For more information and guidance on this change, please refer to the Teams documentation.
Updated Jun 19, 2024
Version 2.0