Deploy and maintain a survivable branch appliance


A customer site that uses Direct Routing to connect to Teams Phone might experience an internet outage. Normally, with Teams Phone, loss of internet connectivity also means loss of PSTN phone capability.

This section of the module describes how to use a Survivable Branch Appliance (SBA) to enable Teams Phone to continue to make and receive Public Switched Telephone Network (PSTN) calls via a local PSTN connection in the case of an internet outage.

Prerequisites

The SBA is a combination of software provided by Microsoft to SBC vendors who then combine that software with their SBC to create a physical or virtual Survivable Branch Appliance. SBAs are only provided via certified third-party providers.

The following is required:

  • The SBC needs to be configured for Media Bypass to ensure that the Microsoft Teams client in the branch site can have media flowing directly with the SBC.

  • TLS 1.2 should be enabled on the SBA VM OS.

  • PSTN connectivity to the SBA that is local and independent of the internet connection.

Supported Teams clients

The SBA feature is supported on the following Microsoft Teams clients:

  • Microsoft Teams Windows desktop

  • Microsoft Teams macOS desktop

  • Teams for Mobile

  • Teams phones

How it works

During an internet outage, the Teams client should switch to the SBA automatically, and ongoing calls should continue with no interruptions. No action is required from the user. As soon as the Teams client detects that the internet is up and any outgoing calls are finished, the client falls back to normal operation mode and connects to other Teams services. The SBA uploads collected Call Data Records to the cloud, and call history is updated so that this information is available for review by the tenant administrator.

When the Microsoft Teams client is in offline mode, the following calling-related functionality is available:

  • Making PSTN calls via local SBA/SBC with media flowing through the SBC

  • Receiving PSTN calls via local SBA/SBC with media flowing through the SBC

  • Hold and Resume PSTN calls.

Configuration

For the SBA feature to work, the Teams client needs to know which SBAs are available in each branch site, and which SBAs are assigned to the users on that site.

To connect your SBA to Teams Phone, follow these steps:

  1. Create the SBAs.

  2. Create the Teams branch survivability policy.

  3. Assign the policy to users.

  4. Register an application for the SBA with Microsoft Entra ID.

All configuration is done by using Skype for Business Online PowerShell cmdlets. The Teams admin center doesn't yet support the Direct Routing SBA feature.

Refer to your vendor documentation to configure your SBC.

Create the SBAs

To create the SBAs, use the New-CsTeamsSurvivableBranchAppliance cmdlet from the Microsoft Teams PowerShell module.

This cmdlet has the following parameters:

  • Identity - The identity of the SBA

  • Fqdn - The FQDN of the SBA

  • Description - Free format text

    New-CsTeamsSurvivableBranchAppliance -Identity CPH -Fqdn sba1.contoso.com -Description "SBA 1"

Create the Teams Branch Survivability Policy

To create a policy, you use the New-CsTeamsSurvivableBranchAppliancePolicy cmdlet.

This cmdlet has the following parameters:

  • Identity - Identity of the policy

  • BranchApplianceFqdns - The FQDN of the SBA(s) in the site

Note

Note that the policy can contain one or more SBAs.

    New-CsTeamsSurvivableBranchAppliancePolicy -Identity CPH -BranchApplianceFqdns "sba1.contoso.com","sba2.contoso.com"

You can add or remove SBAs from a policy by using the Set-CsTeamsSurvivableBranchAppliancePolicy cmdlet. For example:

    Set-CsTeamsSurvivableBranchAppliancePolicy -Identity CPH -BranchApplianceFqdns @{remove="sba1.contoso.com"}

    Set-CsTeamsSurvivableBranchAppliancePolicy -Identity CPH -BranchApplianceFqdns @{add="sba1.contoso.com"}

Assign a policy to a user

To assign the policy to individual users, you'll use the Grant-CsTeamsSurvivableBranchAppliancePolicy cmdlet.

This cmdlet has the following parameters:

  • Identity - Identity of the user

  • PolicyName - The identity of the policy

    Grant-CsTeamsSurvivableBranchAppliancePolicy -PolicyName CPH -Identity user@contoso.com

You can remove a policy from a user by granting the $Null policy as shown in the next example:

    Grant-CsTeamsSurvivableBranchAppliancePolicy -PolicyName $Null -Identity user@contoso.com
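
The following is an added example, not part of the original module: a consistency check that compares the SBAs created in step 1 with the FQDNs referenced by the policies from step 2, so that a mistyped FQDN or an SBA left out of every policy is caught before an outage. The function name is hypothetical, and the property names Identity, Fqdn, and BranchApplianceFqdns are assumed to mirror the cmdlet parameters shown above.

```powershell
# Added example (not from the module). Assumes objects expose Identity, Fqdn and
# BranchApplianceFqdns, mirroring the parameter names used when they were created.
function Compare-SbaPolicyCoverage {
    param(
        [Parameter(Mandatory)] [object[]] $Appliances,
        [Parameter(Mandatory)] [object[]] $Policies
    )
    $known = @{}   # normalized FQDN -> SBA identity
    foreach ($a in $Appliances) { $known[$a.Fqdn.Trim().ToLowerInvariant()] = $a.Identity }

    $used = @{}    # normalized FQDNs referenced by at least one policy
    foreach ($p in $Policies) {
        if (-not $p.BranchApplianceFqdns) {
            [pscustomobject]@{ Issue = 'PolicyHasNoSba'; Policy = $p.Identity; Fqdn = $null }
        }
        foreach ($fqdn in $p.BranchApplianceFqdns) {
            $key = $fqdn.Trim().ToLowerInvariant()
            $used[$key] = $true
            if (-not $known.ContainsKey($key)) {
                [pscustomobject]@{ Issue = 'PolicyReferencesUndefinedSba'; Policy = $p.Identity; Fqdn = $fqdn }
            }
        }
    }
    foreach ($key in $known.Keys) {
        if (-not $used.ContainsKey($key)) {
            [pscustomobject]@{ Issue = 'SbaNotInAnyPolicy'; Policy = $null; Fqdn = $key }
        }
    }
}

# Constructed sample data (not real tenant output).
$sbas = @(
    [pscustomobject]@{ Identity = 'CPH';  Fqdn = 'sba1.contoso.com' }
    [pscustomobject]@{ Identity = 'CPH2'; Fqdn = 'sba2.contoso.com' }
    [pscustomobject]@{ Identity = 'AAR';  Fqdn = 'sba3.contoso.com' }
)
$policies = @(
    [pscustomobject]@{ Identity = 'CPH'; BranchApplianceFqdns = @('SBA1.contoso.com', 'sba2.contso.com') }
    [pscustomobject]@{ Identity = 'AAR'; BranchApplianceFqdns = @() }
)
Compare-SbaPolicyCoverage -Appliances $sbas -Policies $policies | Format-Table -AutoSize

# Live use, after Connect-MicrosoftTeams:
# Compare-SbaPolicyCoverage -Appliances (Get-CsTeamsSurvivableBranchAppliance) `
#                           -Policies (Get-CsTeamsSurvivableBranchAppliancePolicy)
```

With the constructed data, the check reports the mistyped `sba2.contso.com`, the empty AAR policy, and the two SBAs (`sba2.contoso.com`, `sba3.contoso.com`) that no policy references.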

Register an application for the SBA with Microsoft Entra ID

To allow different SBAs used within your tenant to read required data from Microsoft 365, you need to register an application for the SBA with Microsoft Entra ID.

You only need to register one application for use by all the SBAs in your tenant.

For the SBA registration, you need the following values created by the registration:

  • Application (client) ID

  • Client secret

For the SBA application, keep the following in mind:

  • The name can be whatever you decide.

  • Supported account types = Account in this organizational directory only.

  • The Web Redirect Uri is https://login.microsoftonline.com/common/oauth2/nativeclient.

  • Implicit grant tokens = Access tokens and ID tokens.

  • API permissions = Skype and Teams Tenant Admin Access -> Application permissions -> application_access_custom_sba_appliance.

  • Client secret: you can use any description and expiration.

  • Remember to copy the client secret immediately after creating it.

  • The Application (client) ID is shown on the Overview tab.

To register the SBA application with Microsoft Entra ID, follow these steps:

  • Register the application.

  • Set the implicit grant tokens.

  • Set the API permissions.

  • Create the client secret.
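
The following is an added example, not part of the original module: an audit function that checks an app registration against the settings listed above and flags client secrets that have expired or are close to expiring, since one registration and its secret are shared by all SBAs in the tenant. The function name and the 30-day warning threshold are hypothetical; the input is assumed to have the shape returned by `Get-MgApplication` in Microsoft Graph PowerShell.

```powershell
# Added example (not from the module). Input is shaped like Get-MgApplication output.
function Test-SbaAppRegistration {
    param(
        [Parameter(Mandatory)] $App,
        [int] $WarnDays = 30,   # hypothetical early-warning threshold
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    $uri = 'https://login.microsoftonline.com/common/oauth2/nativeclient'
    $findings = @()
    if ($App.SignInAudience -ne 'AzureADMyOrg') {
        $findings += "Sign-in audience '$($App.SignInAudience)' is not single-tenant (AzureADMyOrg)."
    }
    if ($App.Web.RedirectUris -notcontains $uri) {
        $findings += "Redirect URI $uri is missing."
    }
    foreach ($u in $App.Web.RedirectUris | Where-Object { $_ -ne $uri }) {
        $findings += "Unexpected redirect URI: $u"
    }
    $grant = $App.Web.ImplicitGrantSettings
    if (-not ($grant.EnableAccessTokenIssuance -and $grant.EnableIdTokenIssuance)) {
        $findings += 'Implicit grant must issue both access tokens and ID tokens.'
    }
    $live = @($App.PasswordCredentials | Where-Object { $_.EndDateTime -gt $Now })
    if ($live.Count -eq 0) { $findings += 'No unexpired client secret is present.' }
    foreach ($s in $App.PasswordCredentials) {
        $days = [math]::Floor(($s.EndDateTime - $Now).TotalDays)
        if ($days -lt 0) { $findings += "Secret '$($s.DisplayName)' has expired; remove it." }
        elseif ($days -lt $WarnDays) { $findings += "Secret '$($s.DisplayName)' expires in $days day(s); plan rotation." }
    }
    $findings
}

# Constructed sample object (not real tenant data).
$now = [datetime]'2025-06-01'
$sample = [pscustomobject]@{
    SignInAudience      = 'AzureADMultipleOrgs'
    Web                 = [pscustomobject]@{
        RedirectUris          = @('https://login.microsoftonline.com/common/oauth2/nativeclient')
        ImplicitGrantSettings = [pscustomobject]@{ EnableAccessTokenIssuance = $true; EnableIdTokenIssuance = $false }
    }
    PasswordCredentials = @(
        [pscustomobject]@{ DisplayName = 'sba-2024'; EndDateTime = [datetime]'2025-05-01' }
        [pscustomobject]@{ DisplayName = 'sba-2025'; EndDateTime = [datetime]'2025-06-10' }
    )
}
Test-SbaAppRegistration -App $sample -Now $now
# Live use: Test-SbaAppRegistration -App (Get-MgApplication -Filter "appId eq '<application-client-id>'")
```

For the constructed object, the function reports the multi-tenant sign-in audience, the incomplete implicit grant setting, the expired `sba-2024` secret, and the `sba-2025` secret expiring in 9 days.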

Known issues and considerations

  • Because the SBA relies on authentication tokens that are valid for 24 hours and are renewed daily, the SBA can currently support outages for up to 24 hours from the last authentication. This means that if an outage occurs 20 hours after the last authentication token renewal, the SBA will be operational only for the remaining 4 hours.

  • Reverse number lookup against Microsoft Entra ID contacts isn't performed.

  • The SBA doesn't support call forwarding settings.

  • Making an emergency call to an emergency number configured for dynamic emergency calling (E911) isn't supported.