The Nimbus "Tenant" view allows to assign security groups and change tenant details

Access Tenant details

As administrator you can use the " Edit " button for each tenant to access and change details.

Tenant Information

Within here you can check on details for your tenant, change or access the billing address and / or technical contacts. 

View differences

The Tenant administration may look different for single- and multi-tenant admins. 

Access to configuration elements is determined by Roles and Permissions. For instance, single tenant admin permissions may restrict you to only edit non-technical information such as: 

  • Company Name / Division 
  • Billing Address
  • Technical Contact

(lightbulb) Note: Depending on Roles and Permissions, certain fields described below may not be shown or protected against change. If you need to change restricted fields or have questions, get in touch with with customer support.

SectionOption / ElementDescription
Tenant InformationName

Name as displayed in the tenant list

O365 Domain

The first or sub-level domain that the tenant is under.

Tenant ID

The tenant ID of the group as defined in Microsoft Azure Portal.

Company NameClear name field for the Company behind that tenant.

Partner Administration Security Group (GUID)

Azure Security Group GUID for which corresponds to the " Partner Admin of a Tenant " permission set. In most scenarios this group will usually have access to some tenants under that partner domain.

(info) See info below for details

Tenant Administration Security Group (GUID)

Azure Security Group GUID for which corresponds to the " Tenant Admin " permission set. In most scenarios this group will usually have access to one tenants under that partner domain.

(info) See info below for details

About Security Group permissions

If fields are greyed-out they are managed by a higher permission level. Refer to Roles and Permissions for details.

(lightbulb) You can retrieve the Security Group GUID from Microsoft Azure Portal > Groups > <Your Security Group Name> > Overview > Object ID

(lightbulb) Upon entering the ID Nimbus will check if permissions and if the ID is valid. If so, the "Details" button for the security group becomes enabled and you can inspect the group members.

CRM IDID for your Customer Relationship Management tool.
Billing Address

Billing Address

  • Street Address 1 & 2
  • Zip Code
  • City
  • Country

Address of the partner to which the bill for this tenant should be sent to.

(lightbulb) Note that the country / address is just for billing purposes and does not reflect or change the Nimbus tenant data storage location.

Technical Contact

Technical Contact

  • Name
  • Email
  • Phone Number, E 164 Format
  • SIP Address

Support contact for this partner tenant.


Assigns a Partner to this tenant.

(info) Settings in this section may be visible/restricted to Luware and Partner administrators. Visit our website to learn more about the → Luware Partner program .

MS Graph Filter

Option / Element


Global Contact Search MS Graph Filter

Uses the MS Graph REST API to filter1 users according to your tenant admin account permissions. This filter will be applied to the O365 like Attendant Console to provide internal Nimbus users a narrowed-down pool of search results. (lightbulb) By default this filter (textbox) is empty, allowing users to perform a search on your entire tenant.

 1 See:

(warning) Please note that this field requires only parameters for the "filter" field of a MS graph query, not the whole API request URL. Keep this in mind when using MS Graph Explorer to test, copy & paste your updated filter parameters.

(lightbulb) End-users will not see this filter in the frontend UI, but will have search results narrowed down accordingly.

(info) Refer to our Use Case - Filtering Attendant contact search via MS Graph.

Example filter for users within domain and preferred language:

endsWith(userPrincipalName,'') and preferredLanguage eq 'en-GB'

Notes and known limitations

KNOWN LIMITATION The filter will be applied to all O365 accounts, including those of Nimbus Services! Overly strict filters may limit the Nimbus users' capability to forward calls via search.

  • This text field does not perform validity checks for correct syntax. → Please refer to the official MS Graph REST API documentation for details.
  • Nimbus combines both visible and backend filters with an 'AND' clause. When a frontend user (e.g. via Attendant Console) searches within the same fields as defined in your query there can be a clash. 
  • Depending on the field(s), on which the filter is applied, additional permissions might be required for Nimbus to make a query on your behalf. Without these permissions, search functions in Attendant Console might not work at all.
  • If the filter query is broken for any reason (e.g. missing permissions, typos, syntax) the search in any Frontend may not show any results at all.

Data Privacy

(info) Settings in this section may be visible/restricted to Luware and Partner administrators. Visit our website to learn more about the → Luware Partner program .

Option / Element


Allow Partner to see User Identifiers

Determines if the partner is able to see Nimbus user (team member) clear names.

  • When enabled, the full user names are shown.
  • When disabled, Nimbus users will be shown anonymized with asterisk * placeholders.

Allow Partner to see Customer Identifiers

Determines if the partner is able to see Nimbus calling customer identifiers.

  • When enabled, the full customer identifiers are shown.
  • When disabled, Nimbus calling customers will be shown anonymized with asterisk * placeholders.

Track User States

Contact Center This feature can be enabled Tenant-wide, but mainly makes use of Contact Center service features for reporting.

With this feature active, extended User States are tracked and added as part of the Nimbus Reporting Model , and exposed via the Nimbus OData interface.

  • When enabled, data becomes visible in Power BI reports (User State Tab). (tick) You require a "User Supervisor" role to query these extended user details.
  • When disabled, existing User Presence State reports will be closed and no further entries are generated. (lightbulb) Already existing data is not affected by this.

(question) When to enable this? Tracking presence states can generate considerable amounts of personal user data. Aside from Power BI query performance considerations on a large userbase you need to consider privacy and EU GDPR compliance before enabling this feature.

(question) What data is being tracked? User, User ID, Organization Unit, Responsibility Profiles (User State), MS Teams Presence Status and all related event changes with timestamps and durations.

For its Reporting Model Nimbus distinguishes sessions by various user presence states (call, task, duty, presence) - or just user states for short. Whether or not a user is in – or can transition into – a certain state is determined by the following factors:

FactorDefinition / ConditionNimbus-Tracked User State

Call Status

Reserved and blocked for a Nimbus task.
Not Available Reason
Shown as User changes MS Teams presence (manually or idle).
RONA (Redirect on No Answer)
User flag after not responding to a task, blocked for the next tasks.

User reserved for new task, but has not accepted yet

User accepted task, is blocked by it
ACW (After Call Work)
User has an fixed (optionally extensible) time to complete work after a call.

Task Selectability

Available for a Nimbus task.
Set to " Active " in any Teams-Based Nimbus service

This includes Busy/Selectable and Away/Selectable
Not Selectable
User not available due to the presence state OR set "inactive" for all Nimbus teams

Duty State

Has an active Nimbus responsibility profile selected.
The profile is contains fitting skills and responsible skill-based services.

"OffDuty" responsibility profile
Any "Duty" type responsibility profile selected by the user.

Presence in MS Teams

Online (includes Busy/Selectable and Away/Selectable) as defined per Service-individual distribution Service Settings.OfflineOnline

Can either be selectable or not (determined per Service Settings)

Interact and Assistant

Optional Features

This section allows you to enable and configure Interact and Assistant, both optional features of Nimbus. If you want to learn more head over to our Luware Solutions page.

For detailed setup steps, refer to:

Option / Element


Interact enabled

The global setting which activates Interact for Nimbus

  • When enabled, the calls in Interact will reach an agent in Teams.
  • When disabled, the calls in Interact will not reach an agent, even if the tenant is configured for Interact calls.
ACS connection string

Connection string for Azure Communication Services. Required for both Interact and Assistant.

(info) Learn how to generate this string via the Microsoft Documentation .

(tick) "Check"- performs a check if it's possible to create a token for the user using this string. If the connection fails (with a correct string) it most likely means there are insufficient permissions.

O365 UserIDID of the user on behalf of whom meetings on the backend will be created.
Widget Key

Random guide generated for the Tenant. The key is sent with each request to the backend and checks the validity of the widget, depending on which it either allows or rejects the request for the backend.

  • "Copy" - copies the guide value for (future) use in a web client.
  • "Refresh" - updates the guide with a new one.
Session recovery timeout in seconds

Time in seconds before a closed session is ended permanently. 

Default: 20; Min: 5; Max: 60.


Determine if a session requires further authentication:

  • None (default) - when set, the token is not verified. 
  • Verify Token - when set, verifies the validity of the token. The error will occur if the token is expired or invalid.
  • Verify Token & Tenant - when set, verifies the validity of the token and that it belongs to a certain tenant.

Steps below refer directly on the Daemon application MSFT help article and the subchapters. 

Create an Azure Application

  • Add a new app under app registrations in the Azure Portal
  • Preferably a single tenant application
  • No reply-URL needed for the client-credential flow (standard OAuth 2.0 client credentials grant)

(info) Refer to:

Generate Secret / Certificate

  • Generate a secret or certificate which will be used as the applications credentials

(info) From

To add credentials to your confidential client application's app registration, follow the steps in Quickstart: Register an application with the Microsoft identity platform for the type of credential you want to add:

Create own Daemon App with .NET/Java/Node/Python

  • Based on the language instantiate the confidential client application with the client secret or the certificate

(info) Refer to the table on

Acquire a token and pass it to the SDK

  • Based on the language instantiate the confidential client application with the client secret or the certificate

(info) Refer to:

Presence Tracking

(tick) "Presence Tracking" allows Nimbus to make smarter routing decisions by determining if your users are already in a Teams call (non-Nimbus). Please note that a few steps are required on your Microsoft Tenant for this feature to work. Read the instructions below carefully and contact Support in case you need assistance. 

Track Presence over Guest Accounts

Allows you to use two Luware-provided guest accounts which enable Nimbus to poll the extended presence status on all users within your Tenant.

(info) Also see related Microsoft Documentation: User Presence States in Teams.

(question) Why is this necessary?

  • Without a guest presence account, Nimbus can only retrieve a simplified presence status such as "Busy" "Away" or "Available" for your users.
  • For extended status presence such as "Busy → In a Call" or "Busy → In a Conference" these presence accounts are required to improve call routing. When activating the presence tracking feature, call handling is handled according to the MS Teams status as follows:
Calls are delivered whileCalls are NOT delivered while
  • Available

  • Busy*

  • Busy in a Meeting*

  • Away*
  • Busy in a call
  • in DND (Do Not Disturb)
  • Offline

*Only when Distribution Service Settings are set accordingly within the individual Service.

With extended presence enabled, Nimbus can now distinguish a "Busy" status and plan/avoid call distribution accordingly.

KNOWN LIMITATION For "Away" and "BRB" states the "In a Call" extended status is not returned by Microsoft. W hen any of these status were manually set by users, Nimbus doesn't have additional information whether or the user is already in a call and will follow the plain "Away" status as defined in Distribution Service Settings to route the calls. → As this is a Microsoft-limitation we cannot provide a fix or workaround for this at the moment.

Grant Permission (Copy to Clipboard)
(tick) An auto-generated link that you (as Tenant Admin) need to paste into your browser. → Grants the delegated permissions listed below to the Nimbus App. The Azure guest accounts use these to read presence on all users on your tenant.
(lightbulb) You can do this step regardless of the Presence Account 1&2 field contents. The permissions will remain even if the guest users change.
Extended permissions are:
  • Presence.Read.All
  • User.Read
  • User.ReadBasic.All

(question) What are these Permissions used for? Nimbus uses these extended permissions to enable presence-based features, primarily for targeted call distribution and updating availability in the frontend UI. Also read → Track Presence over Guest Accounts above.

(tick) T o test these permissions y ou need to invite at least one presence account. → See "Presence Account 1&2" and → "Test UPN" below for further details.

Presence Account 1&2

Used for extended presence status tracking on your tenant. Account 2 acts as (temporary) fallback when account 1 does not work for any reason.

(info) These guest accounts require extended permissions → see "Grant Permission" above.

In this Use Case we explain how to track extended user presence. For this you need to invite Nimbus Guest Users to your tenant.


  • Nimbus Installation is complete and at least one Service is provisioned on your tenant.
  • In extension you should know about the Distribution Service Settings, accessible to you if you are Team Owner or Tenant Admin. (lightbulb)These settings define when service calls are distributed to the users (team members) based on their MS Teams status (Away, DND, etc). More on this will explained below.
  • You require Tenant Administrators rights to access the Nimbus Tenant Administration > "Presence Tracking" section.
    • You also need Tenant Admin credentials to invite guest users within your Azure Portal.

(question) What is extended user presence and why guest accounts?

For an extended status presence such as "Busy → In a Call" or "Busy → In a Conference" these presence accounts are required to improve call routing. Without having guest users on your Tenant as means to check, Nimbus cannot see any extended user presence status.

(question) What happens after this setting is active?

When activating the presence tracking feature, call handling is handled according to the MS Teams status as follows:

Calls are delivered whileCalls are NOT delivered while
  • Available

  • Busy*

  • Busy in a Meeting*

  • Away*
  • Busy in a call
  • in DND (Do Not Disturb)
  • Offline

(lightbulb) Note that Nimbus will adhere to Distribution Service Settings, so ensure to check there if your calls are not delivered as expected.

(info) Also refer to the related Microsoft Documentation: User Presence States in Teams.

Guest user details

(tick) Before you can use the extended presence feature you need to invite two guests users to your tenant. The steps are described below.

  1. Within the Nimbus UI > Tenant Administration > head to the "Presence Tracking" section
  2. Take note and mouse over the "Presence Account 1 & 2" user mail addresses to see their details.
    (lightbulb) These accounts are individual to your Nimbus cluster. Examples below have been blurred to prevent mistakes.
  3. Make sure to copy your individual presence account name, including the @ domain ending. The account details will be used in a step below.

Screenshot showing two individual presence accounts

Invite Guest Users

  1. As Tenant Admin, log into your Azure Portal.
  2. Go to Users and select Add a new "Guest User".

  3. Invite both guest user 1&2 on your tenant.
    Add each of the previously copied Email-addresses and click "Invite" → A standard Azure invite mail will be send out to Luware.
  4. (warning) Note that MFA (Multi Factor Authentication) needs to be disabled for these users. Otherwise this feature will not work as the guest users cannot sign into your tenant.
  5. Let your Customer Success Specialist know that the Guest users have been invited.
  6. Please wait while steps are done in the background:
    1. Luware cloud operations team must accept the guest invitations. Please allow for some time for this to happen.
    2. Once successful → The "Account is not added as guest" message should disappear from your side in the Nimbus admin UI.
    3. If this is not the case, please get in contact with support.

Grant delegated permissions

(lightbulb) This step can be done in parallel to the previous steps. Once granted, either of the presence accounts will make use of these permissions and no further actions are required on your side.

Copy & paste URL from the "Grant Permissions" area into your browser. This link must be opened by logged-in a Tenant Administrator in order to work.

(question) Which permissions are granted to these users? Refer to Nimbus Required Permissions > "Presence Tracking"


  • Once granted, the "Permission is not granted" note should disappear in the admin UI.
  • You can now enable the "Track Presence Over Guest account" feature and test the status tracking via the "Test UPN" field.

Adjust your Service Settings

(lightbulb) With all previous "track presence" steps successfully performed, Nimbus is now able to distinguish between busy states.

(tick) We recommend to check your Service Settings > Distribution > Conversations Distribution tab and have converations "Distributed to the user" even while busy. Nimbus will automatically detect if an existing Nimbus service call is already handled by that user and re-route incoming calls accordingly.


Error DescriptionSolution

Unknown Error (XX0000) 

Enhanced Presence has been enabled, Guest Accounts have been added, Permissions have been approved, Multi-Factor Authentication has been disabled for the Guest Accounts.

However, the following error message appears when trying to check the status of users:

  1. Head to In Azure Portal > Users > User Settings > External Users > Manage External Collaboration Settings.

  2. Set the "Guest User Access Restrictions" to either "Most inclusive" or "Limited access" 

This is a global setting and applies to all (future) guest accounts. If you do not want to change this, consider solution B below.

Since the External Collaboration Settings are a global setting, you may not want to relax these rules just for one application. Instead you can just assign a special role to the guest accounts.

  1. Head to In Azure Portal > Users > Nimbus Guest Account > Assigned roles > Add assignments.

  2. In the "Membership" Tab, assign the "Directory Readers" role to the Luware Guest Account(s).

  3. In the "Settings" Tab, ensure the assignment is "Active" and "Permanently assigned"

After the setting is changed, it may take up to an hour for the Nimbus Enterprise App to properly read the users' presence data.


Test UPN

(tick) We highly recommend to live-test the new presence accounts 1&2 individually and check different users on your Tenant to see if the extended presence status updates correctly. 

(lightbulb) The extended presence status should be shown / updated immediately. If you encounter problems with this or see an error message, please get in touch with your Nimbus customer success / onboarding contact.


Configures the Service Provisioning default settings for when new Nimbus services are created.

Default OU for MS Teams creation

Sets the default Organization Unit (OU) for new services during their first provisioning.

(info) Please Note:

  • During Service Provisioning users can still change the default to any provided "sub" level OU during installation. The OU can also be changed later in General Service Settings of that service. 
  • When the OU gets deleted, the OU default selection is moved one level higher (up to root). 
  • If either user or service are completely new in Nimbus – or the OU cannot be selected for other reasons – both the user and service are placed in a "Default Organization Unit for Microsoft Teams-based teams". Both can be moved to other Organization Units via the User Administration and Service Administration respectively.
Allow service provisioning via MS Teams

Set the minimum roles required to Provision a new Nimbus team directly from the MS-Teams UI.

Settings are: 

  • Everyone (default)
  • Tenant & Organization Unit Administrators
  • Tenant Administrators
  • No one → provisioning disabled on MS Teams side

(lightbulb) This setting does not prevent users from installing the Nimbus Personal App.

(info) Non MS-Teams synched Service types can still be provisioned via the backend by any administrator, regardless of the setting made here.

(warning) Users without the permission to Provision new services may still remove the Nimbus tab from MS Teams (as Nimbus cannot impact or restrict the default MS Teams interface). However, they can not trigger a removal of the service itself and its data and the Nimbus tab can be re-added.

Pushing Tenant updates

Major technical changes on a Tenant-level may require a re-execution of a downloadable script, using tenant admin privileges. The script will push those changes to Azure, and updates should be reflected within minutes.

A change requiring powershell script execution

(question) Where to find the script? You can retrieve the script either from the Nimbus Frontend Portal > User Settings or via the following links: 

(info) Related info can be found on: 

Delete a Tenant

The provisioning script is also is used to push a pending deletion request of a whole tenant. 

Please Read BEFORE deleting a Tenant

Deleting a tenant will also mark all Nimbus services under that tenant for deletion.

(tick) Confirm Check: As this cannot be undone, you have to confirm the deletion in a separate pop-up by typing out "YES" and confirming this step.

After your confirmation, these effects are to be expected:

→ Underlying Nimbus teams shift to "pending deletion" state in the Administration Overview and individual Service Administration views respectively. 
→ At this point Nimbus services will cease to operate.
→ The next run of the provisioning script (see Nimbus Installation) removes the related team entries from Azure.
→ When the provisioning script was successful, all Nimbus functionality is removed.

Good to know

Previously existing structures within your MS Teams instance - such as team definitions, channel names, team members / team owners - remain unaffected. Only Nimbus related tabs and functionality are removed from your tenant.