Provisioning via Microsoft PowerShell

💡We automated the provisioning steps in a PowerShell script for you. It will connect to our environment and get the needed changes applied to your infrastructure.

PLEASE READ BEFORE YOU START

The PowerShell script needs to be run by a tenant admin. Please note:

  • The script will automatically apply Required App Permissions used by Nimbus.
  • The following modules are used / installed on your machine when running the script:
Module
1 MicrosoftTeams
2 MSAL.PS
3 Microsoft.Graph.Authentication
4 Microsoft.Graph.Applications
5 Microsoft.Graph.Identity.DirectoryManagement
6 Microsoft.Graph.Users
7 Microsoft.Graph.Users.Actions
  • The script is built and tested for PowerShell 5.1 (you can check the version via the "Get-Host" command). Other versions of PowerShell are not supported and may cause problems.
    🔍 Also refer to the "Troubleshooting" section on the bottom of this page.
  • The script uses a checksum verification based on the MD5 algorithm - if you have policies like FIPS compliancy enabled on your computers which do not allow the usage of MD5, then you may encounter an error during the version check.

💡 Tip: The script run is also needed when certain Service Settings change (Service Display Name, Service UPN, and PSTN number). Keep the script session window open if you want to test settings. By doing so you don't need to go through all steps again when you need to provision multiple teams.

 

Microsoft Graph PowerShell Permissions

Microsoft Graph PowerShell Permissions

The Microsoft.Graph.* modules which are used by the Provisioning Script require the user to have the permissions that need to be granted for the Microsoft Graph PowerShell Enterprise application:

Permission

Permission

Type

Granted By Purpose
Application.ReadWrite.All Delegated Tenant Admin Read and write all applications
AppRoleAssignment.ReadWrite.All Delegated Tenant Admin Manage app permission grants and app role assignments
DelegatePermissionGrant.ReadWrite.All Delegated Tenant Admin Manage all delegated permission grants
Domain.Read.All Delegated Tenant Admin Read domains
Organization.Read.All Delegated Tenant Admin Read organization information
User.ReadWrite.All Delegated Tenant Admin Read and write all users' full profiles
openid Delegated Tenant Admin Sign users in
profile Delegated Tenant Admin View user's basic profile
offline_access Delegated Tenant Admin Maintain access to data you have given it access 

 

Script Overview

Below is an overview of the steps performed by our provisioning script

 

An overview of our provisioning script

Provisioning - Step by Step

Script download

Get the provisioning script via direct link below. Pick the link depending on the chosen location:

INC Nimbus Provisioning Script URLs

SCRIPT REGIONS

đŸ€” Which region do I pick? Pick the correct script according to the (future or already existing) region of your tenant data. Refer to Nimbus Installation > "Service Provisioning ". 

đŸ€” What will this script do? Automate and guide you through the Azure-related setup on your Tenant. Refer to the detail steps below.

💡 You may have a look inside the script and compare the different scripts we provide, but manual edits are not required.    
💡 When executed the script will check for updates and may request you to download the newest version.    
💡 Once a Nimbus team has already been provisioned y ou can also find a script "Download" button located within the User Preferences (Portal).

 

Script Details

✅ TENANT ADMIN To execute the script Tenant Administrator credentials must be provided (→ 'Global administrator' role). 

🔍 Refer to the diagram above for an overview. During execution and depending on pending Service Settings changes the script will perform the steps below:

  • Connect to Microsoft Graph, Microsoft Teams and your Nimbus tenant.
  • Grant the needed consent for the main Nimbus application, this will allow Nimbus to read user and team details in the tenant and record voice messages if the latter is configured for the team. → See: Required App Permissions
  • Create, update or delete an Application Instance and grant the required consent to it to be able to set up conversations.
  • Associate or remove Phone System license 🔍 Refer to Installation Prerequisites > PSTN licensing for details.
  • Apply an Online Voice Routing Policy from the ones defined and selectable on your tenant. This is only required for Nimbus services which are using a Direct Routing phone number.
  • Add, update or delete PSTN phone number. ☝ Note that a PSTN number causes additional license cost by Microsoft. Get in touch with your local O365 integrator.
  • Lastly the script will apply Service Settings - either new or future changes made by you or any service team owners (e.g. a name, UPN, or phone number change).
Pending changes on a Service will inform about a necessary Script-rerun

DONE?

→ After execution, the Script reports back to Nimbus. If everything was successful all changes are reflected in the Service Settings.

💡 Please allow for a few minutes before making calls to a newly (re)configured Application Instance or PSTN number as it might take a moment for Microsoft Azure services to synchronize all the changes.  
💡 Note that a rerun of this script is necessary for every additional Service and/or within your tenant.

 

Script Execution

  1. Execute the script and wait for the connection to Microsoft Graph, Teams, and Nimbus. 💡 If the script is not up-to-date you will be requested to download the latest version.
  2. When requested to login, provide your tenant admin credentials
Login Request
  1. You may be asked for your admin consent on the first run of the script. 💡When using a Global Admin account you can grant these Permissions for your entire organization, so other administrators do not need to repeat this step.
Permission request dialog
  1. The script will now proceed to grant Required App Permissions to the Nimbus App on your tenant:
  • If this has already been done by a tenant admin in the Nimbus Installation chapter, this is not required again.
  • Potentially missing calling bot permissions (required e.g., for establishing sessions and posting Adaptive Cards to your Teams) will also be regranted automatically.
Permission grant process
  1. ⼑ The Script now checks whether any Nimbus services have been added, changed in the respective Service Settings , or deleted since the last time the script was run. 
    6. All services with pending changes will be shown as either Delete, Create or Update. You can then choose one of the two options.
    • I - per Team individually - you can inspect and confirm each change.
    • A - for all Teams - all changes are auto-confirmed. ☝ Please note that PSTN licenses will be applied automatically as long as they are available - first come, first serve base.
  2. Carry on with the next step for further technical details.

PSTN Licenses and Voice Policies

The following steps apply only if your Nimbus service has a PSTN number assigned to it via its Service Settings.

 

PSTN License

Voice Policy

The script allows you to choose how you would like to apply the required Phone System license to a service (Application Instance).

 

 

The script will ask before any Online Voice Routing Policy should be applied to a service (Application Instance).     
🔍 This is only required if your service is using a Direct Routing phone number. If you are using a phone number provided through Calling Plans or Operator Connect, you can skip the voice policy assignment.

 

 

You have the following options:

  • Automatic Assignment - Let the script assign a 'Microsoft Teams Phone Resource Account' license automatically.
    ☝ Ensure that your account has the required permissions to perform this action.
  • Manual Assignment
    ⼑ The script will wait for you to manually assign the license (e.g., via the M365 portal), then performs a check after you have pressed Enter.
  • Skip (no license and phone number will be assigned)

You have the following options:

  • When No is selected, no changes will be applied.
  • When Yes is selected, available Online Voice Routing Policies from your tenant are polled.     
    → You will be requested to confirm the Online Voice Routing Policy name to assign it.     
    🔍 When choosing the policy, please use the full name including “Tag:”
💡 Via the same script functionality you can also remove Phone System licenses from Nimbus services. 💡 The script will only ask for an Online Voice Routing Policy assignment when a phone number is added or changed. If you wish to manually change the policy later on, you can do this via the Grant-CsOnlineVoiceRoutingPolicy command.

Script Conclusion and Rerun

When everything runs as expected you will see green DONE indicators and the script finishes.

Script conclusion and rerun dialog

💡 At the end you will be asked if you want to rerun the script:

  1. You want to keep the script instance open until all Service changes are complete, so you don't need to authenticate again.
  2. For each further pending change in the General Service Settings (e.g. in dialog with your Service Team Owners) the PowerShell instance can be run again until you are satisfied with the results.

Verifying changes via Test Call

Please allow for at least 5 minutes after applying script changes before making the call.

 

To test the call functionality: 

  1. Ensure that team members (service users) are Available for the called team and be set to Active in their Nimbus Dashboard.
  2. Open General Service Settings on the service you want to test.
  3. Click on Test Call → The UPN of the service will now be called via Team Client.
Test call option in the service settings

💡 You can test this with 2 different Microsoft Teams client accounts in separate browser windows to simulate this call on your own as both caller and recipient.

💡 If you have assigned a PSTN license / phone number to the service it is also recommended to test calling it.

PSTN Limitations

INC Transfer to PSTN Limitation

☝Nimbus and related addons can only perform PSTN transfers according to Microsoft's licensing and constraints.
✅ As Administrator you need to acquire Microsoft Teams phone licenses 

đŸ€”Which PSTN licenses do I need to acquire?

Service Licensing

Target Service
using any of the Microsoft | PSTN Connectivity options ▌
 Licence to apply for Nimbus Services
Direct Routing

“Teams Phone Resource Account”


🔎  See: 

Calling Plan

“Teams Phone Resource Account” license, plus

  • "Microsoft Teams Domestic Calling Plan" OR
  • "Microsoft Teams Domestic and International Calling Plan" OR
  • “Microsoft Teams Calling Plan pay-as-you-go”1 PLUS
  • "Communication Credits" (if these aren't already included as part of your plan)

🔎 See: Microsoft Learn |  Microsoft Teams Calling Plans

1 Only required for Outbound Call functionality, also see “Ahead notice Pay-as-you-go Calling Plan licensing changes” below.

Operator Connect
 

“Teams Phone Resource Account”


🔎 See: Microsoft Learn | Operator Connect Plan

User Licensing

Target User License to apply to Nimbus Users & Call Targets
All Users, including 

+ Agents that handle Nimbus calls
+ Attendant Console transfer and consultation targets.

“Teams Phone Standard”, each account having: “EnterpriseVoiceEnabled”


🔎  See: Microsoft Learn | Teams Phone Standard

☝Please note that Luware staff cannot give recommendations on which license plan is best suited for your needs. Depending on your scenario, additional Teams App licenses may be required. Exact details are to be discussed with your Microsoft contacts.

 
 
 

đŸ€”How does PSTN licensing affect Service and call transfers?

Assuming that the initially called Service has (no) PSTN license assigned - the following scenarios may unfold:

Scenario A - Service A has a PSTN license. Transfers to other Services occur.

⼑ The PSTN license carries over throughout transfers to other Nimbus Services B and C.
⼑ As the license carries over, a PSTN transfer to an external target is possible from either Service.

Scenario B - Service B has no PSTN license. A Transfer to Service C occurs which has a PSTN license.

⼑ The customer skips over Service A and manages to reach Service B instead.
⼑ The PSTN license is missing on Service B, so nothing is carried over to Service C.
⼑ Even if Service C has its own PSTN license, a PSTN transfer to an external target is not possible.

🌟Learnings:

  • Nimbus will use the PSTN license – and create a (transfer) Session – from the FIRST Service responding to a call. 
  • Regardless of how many internal Service transfers are performed thereafter, the FIRST Service PSTN license remains in effect. 
  • If a PSTN license is missing, the transfer task will fail and be treated accordingly by the System.1
  • Even if a Service being transferred towards has a PSTN license, it cannot be added in post, as the Call Session is already ongoing from the first-responding Service.

✅ For your licensing needs this means: If you require PSTN transfer functionality, you'll need to ensure that this Service is handling all your incoming calls.

  • For ONE first-level / Front Desk Service, you'll need a PSTN license for this particular Service.
  • For MULTIPLE first-level Services scenario, you'll need PSTN licenses for all first-level Services.

1🔎 Assumption: Workflow takes the normal “Exit” Announcement route and Service Session will conclude with a “Transfer failed” outcome. For more details on analyzing your Reporting results, refer to Nimbus Reporting and Static Dimensions > "Service Session Outcomes"

 
 

☝Note that handling and tracking of running cost for PSTN licenses is outside of the Luware support scope. If you however require assistance in extending and/or configuring your Nimbus Services for PSTN, our support will gladly assist you:

Luware Support Address

 Luware Website https://luware.com/support/
Luware Helpdesk https://helpdesk.luware.cloud 
Cloud Service Status https://status.luware.cloud/
Luware support contact details
 

INC PSTN License Check Enforcement Notice

☝Ahead Notice: Microsoft enforcing PSTN license checks for bot calls

Amendment 07.05.2025: Microsoft has moved the date from June to end of September.

From: https://devblogs.microsoft.com/microsoft365dev/enforcement-of-license-checks-for-pstn-bot-calls/ 

🔍 What’s changing?

Effective September 30, 2025:

  • Teams users will still have the option to transfer calls to other Teams users manually even if they don’t have a PSTN phone system license.
  • Bot-initiated transfers and add participant requests to non-phone system enabled users will be blocked.  

đŸ€”How does this affect Nimbus?

Nimbus uses bots to initiate and monitor (safe) transfers and create call conferences. If Microsoft decides to pull through with this change by September 30, 2025, all Nimbus transfers and consultation calls will be blocked and fail without any possible workaround or error handling.

Topic: Microsoft announced changes to PSTN license checks for bots. From the Blog Post of Microsoft:

As part of Microsoft’s feature parity with Teams Phone extensibility, we’re announcing the enforcement of Phone System license checks for Bot-initiated transfers to Teams users. This current gap in our systems will be addressed in September 2025.

Microsoft Teams requires that Teams users behind applications such as queue applications require a phone system license and the user to be Enterprise Voice Enabled. We’re aligning the Microsoft Graph API with that requirement.  

What is the change?
Effective September 30, 2025:

  • Teams users will still have the option to transfer calls to other Teams users manually even if they don’t have a PSTN phone system license.
  • Bot-initiated transfers and add participant requests to non-phone system enabled users will be blocked.  

🧭 What is the Impact for Luware Nimbus Users?

  • Transfers Within Nimbus: Transfers to users without a Teams Phone license will no longer work. This includes internal transfers between agents or service users.
  • Supervision Features: Supervisors must have a Teams Phone license to monitor or intervene in calls. Without it, supervision capabilities are disabled.
  •  Workflow Transfers: Any transfer initiated from a Nimbus workflow to a user lacking the appropriate license will fail. This disrupts automated routing logic and impacts service continuity.
  •  Attendant Console Transfers: Transfers via the Attendant Console to unlicensed users are blocked. This affects manual call handling and redirection.
 
 

✅ What you need to do

✅To ensure uninterrupted service: 

This change mandates the use of a PSTN License on all Users you either transfer to or start a consultation call with.

  • Audit User Licenses: Verify that all users involved in call handling, transfers, and supervision have the Microsoft Teams Phone license assigned.
  • Update Workflows: Adjust workflows to route calls only to licensed users. This includes adjusting any Distribution Policies and Agent Service Settings for Agents with the according skills and responsibilities.
  • Train Supervisors: Ensure supervisors understand the licensing requirements and have the necessary access.
  • Monitor License Status: Implement checks or alerts to identify users without valid licenses.
 
 

☝Ahead Notice: Pay-as-you-go Calling Plan licensing changes

Microsoft Licensing Change: What Nimbus Users Need to Know About Pay-As-You-Go Calling Plans

Effective November 1, 2025: 

  • Microsoft will enforce a significant licensing change that directly impacts how outbound PSTN calls are handled in Microsoft Teams—especially for services like Call Queues (CQ) and Auto Attendants (AA). 
  • This change affects all organizations using Microsoft Calling Plans for telephony and has direct implications for Luware Nimbus users using Outbound Call functionality.

You will find the full announcement on the MSFT Learn page.

Starting November 1, 2025, a Pay-As-You-Go license will be required for Teams Voice Applications (Call Queues and Auto Attendants) Resource Accounts that use Calling Plan numbers for outbound PSTN calls.

The following scenarios will require a Pay-As-You-Go license:

  • Outbound PSTN calls made by Teams Call Queue agents on behalf of a Resource Account
  • Outbound PSTN calls made by Auto Attendants or Call Queues
  • Callback PSTN calls initiated from Teams Call Queue or Teams Auto Attendant
  • On-behalf-of calls made via Graph API and Phone System Extensibility

If Pay-As-You-Go licenses aren't assigned to the relevant Call Queue or Auto Attendant Resource Accounts by November 1, 2025, outbound calls will fail.

🔍 What’s changing?

If PAYG licenses are not assigned by November 1, 2025, these outbound calls will fail.

đŸ€”How does this affect Nimbus? 

Nimbus uses bots to initiate and monitor conferences well as monitor and report any Outbound Call calls and Call On Behalf of a Nimbus Service. Any transfer scenario also requires the Nimbus bot to take calls back safely.

This includes:

  • CQ agents making calls on behalf of a Resource Account (RA)
  • Callback scenarios configured in Call Queues
  • Auto Attendants transferring calls externally
  • Calls initiated via Graph API or Phone System extensibility

🧭 What is the Impact for Luware Nimbus Users?

For customers using Microsoft Telephony exclusively and leveraging Call On Behalf features via Luware Nimbus, this change means:

  • You must replace existing Calling Plan licenses on resource accounts with PAYG (Pay-as-you-go) licenses.
  • Failure to do so will result in service interruptions for Outbound Calls initiated by Nimbus services, e.g. within either Attendant Console, Workflows in Contact Center routing.
  • As highlighted in internal discussions with Microsoft, this enforcement aims to curb misuse but inadvertently affects legitimate use cases like those supported by Luware Nimbus.
 
 

✅ What you need to do

✅To ensure uninterrupted service: We urgently recommend for Customers begin transitioning to PAYG licenses well before November 1st to avoid last-minute disruptions.

  1. Review all resource accounts configured for outbound PSTN calls.
  2. Assign PAYG Calling Plan licenses to these accounts via the Microsoft 365 Admin Center.
  3. Validate license coverage for all users and services involved in call transfers.
  4. Consider setting up Communication Credits to fund PAYG usage if needed.

📞 Need Help?

If you’re unsure how this change affects your setup or need assistance updating your licensing, please reach out to your Luware Customer Success Manager or contact our Support Team.

INC Luware Support Address

 Luware Website https://luware.com/support/
Luware Helpdesk https://helpdesk.luware.cloud 
Cloud Service Status https://status.luware.cloud/
Luware support contact details
 
 

 Troubleshooting & Known Issues

FIRST-TIME SCRIPT EXECUTION

When the script is run for the first time on a given machine it will try to install the required PowerShell modules if they aren't already available. 
→ This may require you to run the script as a local administrator:  Right click on the "Windows PowerShell" item in Windows search and select "Run as administrator". 

 
Issue / Error Analysis/Workaround

Error shown:

"Script cannot be loaded because running scripts is disabled on this system."

This error will occur if your local script execution policy does not allow running signed scripts.
→ Workaround: Changing execution policy to "RemoteSigned" will help to solve this, please check the Microsoft Documentation for more details.

During Service Name Change: The script may encounter an error when trying to update the display name of a service.

→ Workaround: Change the Display Name of the User Object via Microsoft 365 or Microsoft Entra ID. This information will be synchronized with Microsoft Teams. This process can take a few days until the changes are visible in the Microsoft Teams Client. 

Powershell fails to open popup window when authenticating to Nimbus. 

 

 

Reported issue on MSFT side  https://github.com/AzureAD/MSAL.PS/issues/58 affecting users that default into the new “Terminal Preview”. 

→ Workaround: Run the script either via the classic Terminal or Powershell ISE.
 

 

Table of Contents