While Teams may have its own PowerShell module, many of the management tasks still reside in legacy Skype for Business Online PowerShell. To connect to this service, you need to download and install the latest SkypeOnlineConnector module and create a remote PowerShell session to the service.

However, when I was recently working on my PluralSight course, I created a tenant for recording the course demos. I had some issues connecting to the service with a user using the <tenant name>.onmicrosoft.com domain suffix. The solution for this also assisted a fellow consultant on Twitter who had issues connecting due to a different error. This blog post is going to cover each scenario and the workaround.

Update
Microsoft is retiring the Skype for Business Online PowerShell module on February 15, 2021. The module will no longer be available for download. The Skype for Business Online PowerShell module will continue to function until July 31, 2021.

Instead, please install the MicrosoftTeams PowerShell module from the PowerShell Gallery, which includes the New-CsOnlineSession cmdlet to connect to Skype for Business Online. PowerShell scripts should be updated to import the MicrosoftTeams PowerShell module instead of the retired Skype for Business Online module.

To learn more about using the MicrosoftTeams PowerShell module to connect to Skype for Business Online, check out my other article, Exploring New Functionality in the Microsoft Teams PowerShell Module.

Error in XML Document

I was using the following code to create a session out to Skype Online with a user account using the default .onmicrosoft.com domain (replace <tenant name> with your tenant name):

$skypeSession = New-CsOnlineSession -UserName skypeadmin@<tenant name>.onmicrosoft.com -Verbose

Without a prompt for a password, this was the result:

Get-CsOnlinePowerShellEndpoint : There is an error in XML document (1, 123).

Error creating CsOnlineSession

Important!
The New-CsOnlineSession cmdlet in the Microsoft Teams module does not use the -UserName parameter. Instead, create a PSCredential object using the Get-Credential cmdlet and assign it to the -Credential parameter.

Looking at the details of the error, it is having an issue running this command found in the SkypeOnlineConnectorStartup.psm1 file with the $adminDomain being the UPN of the user trying to sign in:

$targetUri = Get-CsOnlinePowerShellEndpoint -TargetDomain $adminDomain

Unfortunately, you cannot view the contents of the Get-CsOnlinePowerShellEndpoint command, and the command is not defined in the module’s PSM1 file. The command is likely imported from a DLL in the module, so I’m unable to see what this command is doing. Running this command individually with -Verbose does not yield any more information.

I searched for a solution and came across this option. When creating the online session, use the -OverridePowerShellUri parameter and input a specific URL. In my case, it is:

https://admin4a.online.lync.com/OcsPowerShellLiveId

However, the 4a portion might be different for you, as I believe this indicates which forest your Skype for Business Online tenant is located in. To locate yours, you’ll need to log into the legacy Skype for Business Online admin center by going to the Teams admin center and selecting Legacy portal:

Navigating to legacy portal

From here, take a look at your URL and take note of what is after webdir:

Finding Skype for Business Online forest information

Important!
With the retirement of the Skype for Business center, here is another method for finding your datacenter identifier.

In a Skype for Business Online PowerShell session (if you are able to connect another way), run the following command:

Get-CsTenant | ft Identity

This will display information on your OCS tenant location, like this:

OU=<guid>,OU=OCS Tenants,DC=lyncXX001,DC=local

The two- or three-digit code to use is in the section DC=lyncXX001 where the code is in the XX section. You can find more information in this section in Microsoft Docs.

At this point, my new connection command looks like this and now successfully creates the session:

$skypeSession = New-CsOnlineSession -UserName skypeadmin@<tenant name>.onmicrosoft.com -OverridePowerShellUri "https://admin4a.online.lync.com/OcsPowerShellLiveId" -Verbose

Connecting using OverridePowerShellUri parameter

You’ll notice the third line in the output is a warning message that it converted my URI to a different OAuth URI and asks to use it in the future. I tried the command again using the new URI of https://admin4a.online.lync.com/OcsPowershellOAuth and was also able to successfully connect:

$skypeSession = New-CsOnlineSession -UserName skypeadmin@<tenant name>.onmicrosoft.com -OverridePowerShellUri "https://admin4a.online.lync.com/OcsPowershellOAuth" -Verbose

Connecting using converted OAuth URI

What’s interesting is that this seems specific to this tenant, created in February 2020. I have a several-year-old tenant that I can connect to using the .onmicrosoft.com tenant domain name just fine. I'm not sure if there is an issue in provisioning, but I have tried multiple accounts in this tenant with varying admin permissions without luck.

LyncDiscover Remote Name Could Not Be Resolved

I recently came across Eric Marsi (@EricMarsi) on Twitter, who was having issues creating a Skype for Business Online PowerShell session.

When trying to create his session, he was getting the error:

Get-CsOnlinePowerShellEndpoint : The remote name could not be resolved: ‘lyncdiscover.<tenant name>.onmicrosoft.com’

He was also trying to log in with a user using the .onmicrosoft.com default domain name, and the lyncdiscover record for it was missing. He was able to connect after making a peer-to-peer (P2P) call inside of Teams, and this seemed to finish some lingering automated provisioning issues (looking at other comments, this seems to be a common “solution” to tenant issues).

However, in the reply thread fellow consultant Trevor Miller (@TrevorAMiller) was having the same issue with his fairly new tenant also missing the lyncdiscover.<tenant name>.onmicrosoft.com DNS record. Despite trying the P2P call trick and waiting several days, the record still did not exist. I suggested he try the fix above for specifying the -OverridePowerShellUri to create his PowerShell session and this worked for him.

If you have a new tenant and the lyncdiscover URL is missing (even after making a P2P call), try using that parameter with your tenant-specific admin URL to work around the issue. If that does not work, you should open a ticket with Microsoft and work through support to find out why the DNS record for your tenant isn’t being created.
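
The two workarounds above (deriving the admin URL from the Get-CsTenant Identity value, and falling back to -OverridePowerShellUri when lyncdiscover is missing) can be combined as follows. This is an added example, not code from the SkypeOnlineConnector or MicrosoftTeams modules. The function names are hypothetical, the sample Identity string is constructed, and it assumes the admin<code>.online.lync.com pattern described above holds for your tenant.

```powershell
# Added example. Function names are hypothetical; the sample DN is constructed.

function Test-SfbOverrideUri {
    # Accept only HTTPS endpoints under online.lync.com, so a mistyped or pasted
    # URI cannot send the admin sign-in to an unrelated host.
    param([Parameter(Mandatory)][string]$Uri)
    $parsed = $null
    [uri]::TryCreate($Uri, [System.UriKind]::Absolute, [ref]$parsed) -and
        $parsed.Scheme -eq 'https' -and
        $parsed.Host -match '^admin[0-9a-z]{2,3}\.online\.lync\.com$'
}

function Get-SfbOverrideUri {
    # Build the admin endpoint from the Identity value shown by Get-CsTenant,
    # e.g. OU=<guid>,OU=OCS Tenants,DC=lyncXX001,DC=local
    param([Parameter(Mandatory)][string]$TenantIdentity)
    if ($TenantIdentity -match 'DC=lync([0-9a-z]{2,3})001(,|$)') {
        $code = $Matches[1].ToLower()
        return "https://admin$code.online.lync.com/OcsPowershellOAuth"
    }
    throw "No DC=lyncXX001 component in '$TenantIdentity'"
}

function New-SfbSessionWithFallback {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$TenantDomain,
        [Parameter(Mandatory)][string]$OverrideUri
    )
    # Try normal endpoint discovery only if the lyncdiscover record exists.
    if (Resolve-DnsName "lyncdiscover.$TenantDomain" -ErrorAction SilentlyContinue) {
        $session = New-CsOnlineSession -Credential $Credential -ErrorAction SilentlyContinue
        if ($session) { return $session }
    }
    # Discovery failed (missing DNS record or the XML error): use the override.
    if (-not (Test-SfbOverrideUri -Uri $OverrideUri)) {
        throw "Refusing override URI '$OverrideUri'"
    }
    New-CsOnlineSession -Credential $Credential -OverridePowerShellUri $OverrideUri
}

# Constructed sample Identity value (placeholder GUID, forest code 4a).
$sampleIdentity = 'OU=00000000-0000-0000-0000-000000000000,OU=OCS Tenants,DC=lync4a001,DC=local'
$uri = Get-SfbOverrideUri -TenantIdentity $sampleIdentity
"$uri valid: $(Test-SfbOverrideUri -Uri $uri)"

# To connect (requires the module that provides New-CsOnlineSession):
# $session = New-SfbSessionWithFallback -Credential (Get-Credential) -TenantDomain 'contoso.onmicrosoft.com' -OverrideUri $uri
```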

Questions or comments? If so, drop me a note below or find me on Twitter or LinkedIn to discuss further.
