Based on the last Microsoft Fiscal Year earnings report, more organizations than ever before are using the Microsoft Teams Phone system. In some cases, Microsoft Teams Phone System is implemented from scratch, without an existing phone system. However, most organizations have had an existing phone system for decades and now need to look at how they can migrate their existing phone system to Microsoft Teams Phone System. As a result, they often face some challenges when it comes to legacy devices, such as door openers, DECT systems, or analog phones.
This article reviews the Microsoft Teams SIP gateway, an option to connect native SIP devices to the Microsoft Teams platform. It presents some basic information about this Teams service and how to configure and use it. I will also discuss some usage scenarios and show you how to troubleshoot devices if something does not work properly during a deployment.
Microsoft Teams SIP Gateway Overview
Microsoft introduced the public preview version of the Microsoft Teams SIP gateway in March 2021, with GA following in December 2021. Initially, Microsoft intended the SIP gateway to replace the service that Skype for Business Online (SfB)-certified IP phones used to register with Teams. This way, the Teams SIP Gateway would protect customer investment in Skype for Business-certified IP phones by allowing them to be used with Teams Phone. Compared to the SfB Online phone gateway, the Teams SIP gateway already supported a wider feature set by supporting Cisco native SIP phones for Teams. If a customer plans to migrate a Cisco environment to the Teams Phone System, the SIP Gateway can save costs.
A certified SIP device connected with the Teams SIP gateway supports general call features like placing a call, receiving a call, putting a call on hold and resuming a call, or changing the Teams presence state.
Following the release of the SIP Gateway, Microsoft enhanced it quickly by supporting further SIP devices. Today, the Teams SIP gateway supports the deployment of compatible devices like Skype for Business Online certified IP Phones with native SIP firmware, Cisco IP Phones, or SIP native devices from AudioCodes, Ascom, Alcatel-Lucent, Algo, Gigaset, Poly, Snom, Spectralink, or Yealink.
Usage Scenarios for the Teams SIP Gateway
There are various deployment scenarios for the Teams SIP Gateway when introducing the Microsoft Teams Phone System. Think of phones in public areas where you need an easy way to make an emergency call, even when there is no PC with Microsoft Teams Client available. In this scenario, we don’t need a full-blown Teams IP phone with access to an Exchange Online calendar and contacts, call history, or an option to join a Teams Meeting. In this scenario, we need a simple and cheap solution, monitored and managed in the Teams Admin Center.
Furthermore, there was no support from Microsoft for analog devices or DECT infrastructures when using Microsoft Calling Plans or Microsoft Operator Connect. There was simply no way to register these devices to the Teams platform.
Therefore, this was often an exclusion criterion for two of the three PSTN connectivity types and the customer only had the option to use Teams Direct Routing.
But there are also challenges when using Teams Direct Routing with a Session Border Controller (SBC). Even then it can be challenging to use a DECT system in parallel with the Microsoft Teams Phone System.
Both DECT and Teams are independent telephone systems and usually require a special configuration if both are to be used in parallel. For example, if the user makes a call from Teams, the DECT handset should also be busy for this user and vice versa.
These scenarios can now be implemented with the Teams SIP Gateway, regardless of whether Calling Plans, Operator Connect, or Direct Routing is in use. In the case of the DECT system, it is just another endpoint that registers with Teams alongside the desktop client or the mobile app on a cell phone. When a call comes in, Microsoft Teams knows all registered endpoints and lets them ring. It does not matter whether it is the Teams desktop client, the Teams mobile app, or a DECT handset registered with Teams.
Get SIP Devices Registered and Running with Microsoft Teams
We need to differentiate between the configuration tasks in the Teams platform and the tasks for SIP devices. The steps in Teams are very easy and straightforward.
First, you need a user with an assigned Teams Phone license and PSTN connectivity by using Microsoft Calling plans, Operator Connect, or Teams Direct Routing.
Next, you need to enable the Microsoft Teams SIP Gateway in your Calling Policy. Open the Teams Admin Center, go to the Voice category, and open Calling Policies. To enable the Teams SIP Gateway, open a policy and enable the parameter ‘SIP devices can be used for calls’ (figure 1). By default, this parameter is disabled.
Because in most cases this feature is required only for a targeted user group (see the usage scenario section in this post), I recommend creating a custom Calling policy and assigning it to user accounts instead of modifying the Global Calling policy. But this depends on your requirements and guidelines.
It can take up to 24 hours until the modified and assigned policy is propagated completely to a user in the Teams backend. When you attempt to register a SIP device soon after modifying the Calling policy, the device won’t complain about a missing Teams SIP gateway service. The logon process will complete successfully, but the device will not reboot or register with the service. Wait for at least 24 hours after enabling the Teams SIP gateway in the policy.
The next step is to add the SIP device’s MAC address in the Teams Admin Center for the device provisioning. Open SIP Devices in the Teams devices section. In the upper right corner, open the Actions menu and click on Provision devices. Add a new device by entering the IP Phone’s MAC address. When connecting an ATA device, the MAC address needs to be extended by the analog port.
When you complete these steps, you can begin configuring and registering the SIP device.
Configure and Register SIP Devices
This step depends on the chosen device and how the vendor implements the logon process. In most cases, you need to configure one of these deployment URLs on the device:
NOAM region: http://noam.ipp.sdg.teams.microsoft.com
EMEA region: http://emea.ipp.sdg.teams.microsoft.com
APAC region: http://apac.ipp.sdg.teams.microsoft.com
By default, the phone’s UI is English. If it should be localized, Microsoft provides up to five language-specific provisioning URLs. For example, the IP phone uses a German UI with the provisioning URL suffix “/lang_de”.
The SIP device downloads a configuration file from Microsoft during the provisioning process, configures itself for registering at the Microsoft Teams SIP Gateway, and reboots several times. The configuration file includes the basic parameters for the registration process at the Teams platform, as well as the TLS certificates required to establish a trusted and encrypted connection to Microsoft. The initial download is unencrypted.
After a reboot, all further communication is encrypted between both entities. To complete the provisioning process, open the Teams Admin Center, go to Teams Devices, SIP devices, Provision Devices. Here, select the previously added SIP device and click on Generate verification code (figure 2).
Microsoft generates a verification code, which is valid for 24 hours. The final step is to dial *55*<verification code> from the phone.
The device should now be configured correctly, and the user login process can be started.
For personal use, Microsoft provides a URL for the logon process. For common area phones, Microsoft provides a zero-touch deployment, which is described in the official Microsoft Learn article.
The logon process for a single user is quite simple: the user presses the Sign In button on the phone’s display. The device generates a logon URL (https://aka.ms/siplogin) and a device code. The user opens the URL on the PC and signs into the Microsoft 365 account. Then, the assistant asks for the device code from the phone’s display.
After the user has successfully entered the code and confirmed the login to this device, the phone reboots.
If all goes well, the user account logs into the phone automatically and the phone is ready to use.
Network and Conditional Access
Please verify and check your firewall rules and Conditional Access ruleset in advance.
The phone requires a direct connection to the Microsoft Teams backend and several ports need to be opened on the firewall.
The logon process for a user happens from a Microsoft datacenter and requires special exclusions depending on your Conditional Access ruleset.
Details about the network and Conditional Access requirements can be found in the official Microsoft Learn article.
Troubleshoot Connection Issues
If there are any issues using the Teams SIP Gateway, I recommend first checking the provisioning of the SIP device itself. If the IP phone provisioning was successful, the phone display shows a Microsoft Teams logo.
Also, most SIP devices offer a Management Web UI. Open the management interface and search for onboarding.org as SIP Line URI or obsbc-<regional Code>.sdg.teams.microsoft.com as SIP Server or SIP Registrar, for example, obsbc-euwe.sdg.teams.microsoft.com for Europe (Figure 4).
If the running configuration does not include such values, check if the device has issues downloading the config from Microsoft Teams and if the SIP device has been added successfully to the Teams Admin Center with the correct MAC address. Also, check if the time and date are correct and if the device can resolve external FQDNs.
Next, check if your firewall blocks traffic from the device IP to Teams or if HTTP requests route through a company proxy. If yes, fix this by opening the firewall and removing the web proxy for this device.
If everything checks out, validate that the Teams SIP Gateway service is enabled in the Teams Calling Policy and that the policy has been assigned to the user account.
If you encounter user sign-in issues, the Entra admin center is your friend. Check the user’s Sign-In logs. You should find entries for the Teams SIP gateway (Sip Gateway UserApp), which show, for example, whether a Conditional Access policy has blocked the sign-in.
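The sign-in log check described above can also be run over an exported log. The following is an added example, not part of the original article: it filters the records for the Sip Gateway UserApp entry and lists the Conditional Access policies that failed. It assumes records shaped like the Microsoft Graph signIn resource; the sample records, user names, and policy names are constructed.

```python
import json

# App name as it appears in the sign-in logs, per the article.
SIP_GATEWAY_APP = "sip gateway userapp"

# Constructed sample export. Field names follow the Microsoft Graph signIn
# resource (assumption: your export uses the same shape).
SAMPLE_EXPORT = """[
 {"createdDateTime": "2024-05-02T08:15:00Z", "userPrincipalName": "lobby@contoso.example",
  "appDisplayName": "Sip Gateway UserApp", "ipAddress": "203.0.113.10",
  "status": {"errorCode": 53003}, "conditionalAccessStatus": "failure",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require compliant device", "result": "failure"},
    {"displayName": "Block legacy authentication", "result": "notApplied"}]},
 {"createdDateTime": "2024-05-02T09:01:00Z", "userPrincipalName": "dect01@contoso.example",
  "appDisplayName": "Sip Gateway UserApp", "ipAddress": "203.0.113.11",
  "status": {"errorCode": 0}, "conditionalAccessStatus": "success",
  "appliedConditionalAccessPolicies": []},
 {"createdDateTime": "2024-05-02T09:30:00Z", "userPrincipalName": "lobby@contoso.example",
  "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.7",
  "status": {"errorCode": 53003}, "conditionalAccessStatus": "failure",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require compliant device", "result": "failure"}]}
]"""

def sip_gateway_signins(records):
    """Keep only sign-ins made through the Teams SIP gateway app."""
    return [r for r in records
            if (r.get("appDisplayName") or "").strip().lower() == SIP_GATEWAY_APP]

def blocked_by_conditional_access(records):
    """One finding per SIP gateway sign-in that Conditional Access failed."""
    findings = []
    for r in sip_gateway_signins(records):
        if r.get("conditionalAccessStatus") != "failure":
            continue
        policies = [p.get("displayName", "<unnamed>")
                    for p in r.get("appliedConditionalAccessPolicies") or []
                    if p.get("result") == "failure"]
        # Per the article, the logon happens from a Microsoft datacenter,
        # so "ip" is not the phone's own address.
        findings.append({"time": r.get("createdDateTime"), "user": r.get("userPrincipalName"),
                         "ip": r.get("ipAddress"), "error": (r.get("status") or {}).get("errorCode"),
                         "blocking_policies": policies})
    return findings

if __name__ == "__main__":
    for f in blocked_by_conditional_access(json.loads(SAMPLE_EXPORT)):
        print(f)
```

The blocking policy names returned here are the ones to review for the exclusions mentioned in the Network and Conditional Access section.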
Conclusion
The Teams SIP Gateway allows certified DECT systems, analog devices via an ATA device, paging systems, or even IP phones to be easily connected to the Teams platform. The SIP Gateway closes the gap so that legacy telephony devices can continue to be used when migrating to the Microsoft Teams Phone System and can prevent unnecessary new investments in hardware and infrastructure. Also, it is now possible to connect these devices to Microsoft Teams, no matter which PSTN connectivity is used.
In addition, the Teams SIP Gateway allows centralized management and control of call functions, as there is a Teams user behind each registered endpoint and this user can be managed with Teams policies.