đĄWe automated the provisioning steps in a PowerShell script for you. It will connect to our environment and get the needed changes applied to your infrastructure.
PLEASE READ BEFORE YOU START
The PowerShell script needs to be run by a tenant admin. Please note:
- The script will automatically apply Required App Permissions used by Nimbus.
- The following modules are used / installed on your machine when running the script:
| Module | |
| 1 | MicrosoftTeams |
| 2 | MSAL.PS |
| 3 | Microsoft.Graph.Authentication |
| 4 | Microsoft.Graph.Applications |
| 5 | Microsoft.Graph.Identity.DirectoryManagement |
| 6 | Microsoft.Graph.Users |
| 7 | Microsoft.Graph.Users.Actions |
- The script is built and tested for PowerShell 5.1 (you can check the version via the "Get-Host" command). Other versions of PowerShell are not supported and may cause problems.
đ Also refer to the "Troubleshooting" section on the bottom of this page. - The script uses a checksum verification based on the MD5 algorithm - if you have policies like FIPS compliancy enabled on your computers which do not allow the usage of MD5, then you may encounter an error during the version check.
đĄ Tip: The script run is also needed when certain Service Settings change (Service Display Name, Service UPN, and PSTN number). Keep the script session window open if you want to test settings. By doing so you don't need to go through all steps again when you need to provision multiple teams.
Microsoft Graph PowerShell Permissions
Microsoft Graph PowerShell Permissions
The Microsoft.Graph.* modules which are used by the Provisioning Script require the user to have the permissions that need to be granted for the Microsoft Graph PowerShell Enterprise application:
| Permission |
Permission Type |
Granted By | Purpose |
|---|---|---|---|
| Application.ReadWrite.All | Delegated | Tenant Admin | Read and write all applications |
| AppRoleAssignment.ReadWrite.All | Delegated | Tenant Admin | Manage app permission grants and app role assignments |
| DelegatePermissionGrant.ReadWrite.All | Delegated | Tenant Admin | Manage all delegated permission grants |
| Domain.Read.All | Delegated | Tenant Admin | Read domains |
| Organization.Read.All | Delegated | Tenant Admin | Read organization information |
| User.ReadWrite.All | Delegated | Tenant Admin | Read and write all users' full profiles |
| openid | Delegated | Tenant Admin | Sign users in |
| profile | Delegated | Tenant Admin | View user's basic profile |
| offline_access | Delegated | Tenant Admin | Maintain access to data you have given it access |
Â
Script Overview
Below is an overview of the steps performed by our provisioning script
Â
Provisioning - Step by Step
Script download
Get the provisioning script via direct link below. Pick the link depending on the chosen location:
INC Nimbus Provisioning Script URLs
SCRIPT REGIONS
đ€ Which region do I pick? Pick the correct script according to the (future or already existing) region of your tenant data. Refer to Nimbus Installation > "Service Provisioning ".Â
đ€ What will this script do? Automate and guide you through the Azure-related setup on your Tenant. Refer to the detail steps below.
đĄ You may have a look inside the script and compare the different scripts we provide, but manual edits are not required.   Â
đĄ When executed the script will check for updates and may request you to download the newest version.   Â
đĄ Once a Nimbus team has already been provisioned y ou can also find a script "Download" button located within the User Preferences (Portal).
Script Details
â TENANT ADMIN To execute the script Tenant Administrator credentials must be provided (â 'Global administrator' role).Â
đ Refer to the diagram above for an overview. During execution and depending on pending Service Settings changes the script will perform the steps below:
- Connect to Microsoft Graph, Microsoft Teams and your Nimbus tenant.
- Grant the needed consent for the main Nimbus application, this will allow Nimbus to read user and team details in the tenant and record voice messages if the latter is configured for the team. â See: Required App Permissions
- Create, update or delete an Application Instance and grant the required consent to it to be able to set up conversations.
- Associate or remove Phone System license đ Refer to Installation Prerequisites > PSTN licensing for details.
- Apply an Online Voice Routing Policy from the ones defined and selectable on your tenant. This is only required for Nimbus services which are using a Direct Routing phone number.
- Add, update or delete PSTN phone number. â Note that a PSTN number causes additional license cost by Microsoft. Get in touch with your local O365 integrator.
- Lastly the script will apply Service Settings - either new or future changes made by you or any service team owners (e.g. a name, UPN, or phone number change).
DONE?
â After execution, the Script reports back to Nimbus. If everything was successful all changes are reflected in the Service Settings.
đĄ Please allow for a few minutes before making calls to a newly (re)configured Application Instance or PSTN number as it might take a moment for Microsoft Azure services to synchronize all the changes. Â
đĄ Note that a rerun of this script is necessary for every additional Service and/or within your tenant.
Script Execution
- Execute the script and wait for the connection to Microsoft Graph, Teams, and Nimbus. đĄ If the script is not up-to-date you will be requested to download the latest version.
- When requested to login, provide your tenant admin credentials
- You may be asked for your admin consent on the first run of the script. đĄWhen using a Global Admin account you can grant these Permissions for your entire organization, so other administrators do not need to repeat this step.
- The script will now proceed to grant Required App Permissions to the Nimbus App on your tenant:
- If this has already been done by a tenant admin in the Nimbus Installation chapter, this is not required again.
- Potentially missing calling bot permissions (required e.g., for establishing sessions and posting Adaptive Cards to your Teams) will also be regranted automatically.
- âź The Script now checks whether any Nimbus services have been added, changed in the respective Service Settings , or deleted since the last time the script was run.Â
6. All services with pending changes will be shown as either Delete, Create or Update. You can then choose one of the two options.- I -Â per Team individually - you can inspect and confirm each change.
- A -Â for all Teams - all changes are auto-confirmed. â Please note that PSTN licenses will be applied automatically as long as they are available - first come, first serve base.
- Carry on with the next step for further technical details.
PSTN Licenses and Voice Policies
The following steps apply only if your Nimbus service has a PSTN number assigned to it via its Service Settings.
PSTN License |
Voice Policy |
|---|---|
|
The script allows you to choose how you would like to apply the required Phone System license to a service (Application Instance). Â Â |
The script will ask before any Online Voice Routing Policy should be applied to a service (Application Instance).       |
|
You have the following options:
|
You have the following options:
|
| đĄ Via the same script functionality you can also remove Phone System licenses from Nimbus services. | đĄ The script will only ask for an Online Voice Routing Policy assignment when a phone number is added or changed. If you wish to manually change the policy later on, you can do this via the Grant-CsOnlineVoiceRoutingPolicy command. |
Script Conclusion and Rerun
When everything runs as expected you will see green DONE indicators and the script finishes.
đĄ At the end you will be asked if you want to rerun the script:
- You want to keep the script instance open until all Service changes are complete, so you don't need to authenticate again.
- For each further pending change in the General Service Settings (e.g. in dialog with your Service Team Owners) the PowerShell instance can be run again until you are satisfied with the results.
Verifying changes via Test Call
Please allow for at least 5 minutes after applying script changes before making the call.
To test the call functionality:Â
- Ensure that team members (service users) are Available for the called team and be set to Active in their Nimbus Dashboard.
- Open General Service Settings on the service you want to test.
- Click on Test Call â The UPN of the service will now be called via Team Client.
đĄ You can test this with 2 different Microsoft Teams client accounts in separate browser windows to simulate this call on your own as both caller and recipient.
đĄ If you have assigned a PSTN license / phone number to the service it is also recommended to test calling it.
PSTN Limitations
INC Transfer to PSTN Limitation
âNimbus and related addons can only perform PSTN transfers according to Microsoft's licensing and constraints.
â
As Administrator you need to acquire Microsoft Teams phone licensesÂ
đ€Which PSTN licenses do I need to acquire?
Service Licensing
|
Target Service using any of the Microsoft | PSTN Connectivity options ⌠|
 Licence to apply for Nimbus Services |
| Direct Routing |
âTeams Phone Resource Accountâ đ See: |
| Calling Plan |
âTeams Phone Resource Accountâ license, plus
đ See: Microsoft Learn |  Microsoft Teams Calling Plans 1 Only required for Outbound Call functionality, also see âAhead notice Pay-as-you-go Calling Plan licensing changesâ below. |
|
Operator Connect  |
âTeams Phone Resource Accountâ đ See: Microsoft Learn | Operator Connect Plan |
User Licensing
| Target User | License to apply to Nimbus Users & Call Targets |
|
All Users, including ⊠+ Agents that handle Nimbus calls + Attendant Console transfer and consultation targets. |
âTeams Phone Standardâ, each account having: đ See: Microsoft Learn | Teams Phone Standard |
âPlease note that Luware staff cannot give recommendations on which license plan is best suited for your needs. Depending on your scenario, additional Teams App licenses may be required. Exact details are to be discussed with your Microsoft contacts.
đ€How does PSTN licensing affect Service and call transfers?
Assuming that the initially called Service has (no) PSTN license assigned - the following scenarios may unfold:
Scenario A - Service A has a PSTN license. Transfers to other Services occur.
âź The PSTN license carries over throughout transfers to other Nimbus Services B and C.
âź As the license carries over, a PSTN transfer to an external target is possible from either Service.
Scenario B - Service B has no PSTN license. A Transfer to Service C occurs which has a PSTN license.
âź The customer skips over Service A and manages to reach Service B instead.
âź The PSTN license is missing on Service B, so nothing is carried over to Service C.
âź Even if Service C has its own PSTN license, a PSTN transfer to an external target is not possible.
đLearnings:
- Nimbus will use the PSTN license â and create a (transfer) Session â from the FIRST Service responding to a call.Â
- Regardless of how many internal Service transfers are performed thereafter, the FIRST Service PSTN license remains in effect.Â
- If a PSTN license is missing, the transfer task will fail and be treated accordingly by the System.1
- Even if a Service being transferred towards has a PSTN license, it cannot be added in post, as the Call Session is already ongoing from the first-responding Service.
â For your licensing needs this means: If you require PSTN transfer functionality, you'll need to ensure that this Service is handling all your incoming calls.
- For ONE first-level / Front Desk Service, you'll need a PSTN license for this particular Service.
- For MULTIPLE first-level Services scenario, you'll need PSTN licenses for all first-level Services.
1đ Assumption: Workflow takes the normal âExitâ Announcement route and Service Session will conclude with a âTransfer failedâ outcome. For more details on analyzing your Reporting results, refer to Nimbus Reporting and Static Dimensions > "Service Session Outcomes"
âNote that handling and tracking of running cost for PSTN licenses is outside of the Luware support scope. If you however require assistance in extending and/or configuring your Nimbus Services for PSTN, our support will gladly assist you:
Luware Support Address
| Â Luware Website | https://luware.com/support/ |
|---|---|
| Luware Helpdesk | https://helpdesk.luware.cloud |
| Cloud Service Status | https://status.luware.cloud/ |
INC PSTN License Check Enforcement Notice
âAhead Notice: Microsoft enforcing PSTN license checks for bot calls
Amendment 07.05.2025: Microsoft has moved the date from June to end of September.
From: https://devblogs.microsoft.com/microsoft365dev/enforcement-of-license-checks-for-pstn-bot-calls/Â
đ Whatâs changing?
Effective September 30, 2025:
- Teams users will still have the option to transfer calls to other Teams users manually even if they donât have a PSTN phone system license.
- Bot-initiated transfers and add participant requests to non-phone system enabled users will be blocked.âŻÂ
đ€How does this affect Nimbus?
Nimbus uses bots to initiate and monitor (safe) transfers and create call conferences. If Microsoft decides to pull through with this change by September 30, 2025, all Nimbus transfers and consultation calls will be blocked and fail without any possible workaround or error handling.
Topic: Microsoft announced changes to PSTN license checks for bots. From the Blog Post of Microsoft:
As part of Microsoftâs feature parity with Teams Phone extensibility, weâre announcing the enforcement of Phone System license checks for Bot-initiated transfers to Teams users. This current gap in our systems will be addressed in September 2025.
Microsoft Teams requires that Teams users behind applications such as queue applications require a phone system license and the user to be Enterprise Voice Enabled. Weâre aligning the Microsoft Graph API with that requirement.âŻÂ
What is the change?
Effective September 30, 2025:
- Teams users will still have the option to transfer calls to other Teams users manually even if they donât have a PSTN phone system license.
- Bot-initiated transfers and add participant requests to non-phone system enabled users will be blocked.âŻÂ
đ§ What is the Impact for Luware Nimbus Users?
- Transfers Within Nimbus: Transfers to users without a Teams Phone license will no longer work. This includes internal transfers between agents or service users.
- Supervision Features: Supervisors must have a Teams Phone license to monitor or intervene in calls. Without it, supervision capabilities are disabled.
- Â Workflow Transfers: Any transfer initiated from a Nimbus workflow to a user lacking the appropriate license will fail. This disrupts automated routing logic and impacts service continuity.
- Â Attendant Console Transfers: Transfers via the Attendant Console to unlicensed users are blocked. This affects manual call handling and redirection.
â What you need to do
â To ensure uninterrupted service:Â
This change mandates the use of a PSTN License on all Users you either transfer to or start a consultation call with.
- Audit User Licenses: Verify that all users involved in call handling, transfers, and supervision have the Microsoft Teams Phone license assigned.
- Update Workflows: Adjust workflows to route calls only to licensed users. This includes adjusting any Distribution Policies and Agent Service Settings for Agents with the according skills and responsibilities.
- Train Supervisors: Ensure supervisors understand the licensing requirements and have the necessary access.
- Monitor License Status: Implement checks or alerts to identify users without valid licenses.
âAhead Notice: Pay-as-you-go Calling Plan licensing changes
Microsoft Licensing Change: What Nimbus Users Need to Know About Pay-As-You-Go Calling Plans
Effective November 1, 2025:Â
- Microsoft will enforce a significant licensing change that directly impacts how outbound PSTN calls are handled in Microsoft Teamsâespecially for services like Call Queues (CQ) and Auto Attendants (AA).Â
- This change affects all organizations using Microsoft Calling Plans for telephony and has direct implications for Luware Nimbus users using Outbound Call functionality.
You will find the full announcement on the MSFT Learn page.
Starting November 1, 2025, a Pay-As-You-Go license will be required for Teams Voice Applications (Call Queues and Auto Attendants) Resource Accounts that use Calling Plan numbers for outbound PSTN calls.
The following scenarios will require a Pay-As-You-Go license:
- Outbound PSTN calls made by Teams Call Queue agents on behalf of a Resource Account
- Outbound PSTN calls made by Auto Attendants or Call Queues
- Callback PSTN calls initiated from Teams Call Queue or Teams Auto Attendant
- On-behalf-of calls made via Graph API and Phone System Extensibility
If Pay-As-You-Go licenses aren't assigned to the relevant Call Queue or Auto Attendant Resource Accounts by November 1, 2025, outbound calls will fail.
đ Whatâs changing?
If PAYG licenses are not assigned by November 1, 2025, these outbound calls will fail.
đ€How does this affect Nimbus?Â
Nimbus uses bots to initiate and monitor conferences well as monitor and report any Outbound Call calls and Call On Behalf of a Nimbus Service. Any transfer scenario also requires the Nimbus bot to take calls back safely.
This includes:
- CQ agents making calls on behalf of a Resource Account (RA)
- Callback scenarios configured in Call Queues
- Auto Attendants transferring calls externally
- Calls initiated via Graph API or Phone System extensibility
đ§ What is the Impact for Luware Nimbus Users?
For customers using Microsoft Telephony exclusively and leveraging Call On Behalf features via Luware Nimbus, this change means:
- You must replace existing Calling Plan licenses on resource accounts with PAYG (Pay-as-you-go) licenses.
- Failure to do so will result in service interruptions for Outbound Calls initiated by Nimbus services, e.g. within either Attendant Console, Workflows in Contact Center routing.
- As highlighted in internal discussions with Microsoft, this enforcement aims to curb misuse but inadvertently affects legitimate use cases like those supported by Luware Nimbus.
â What you need to do
â To ensure uninterrupted service: We urgently recommend for Customers begin transitioning to PAYG licenses well before November 1st to avoid last-minute disruptions.
- Review all resource accounts configured for outbound PSTN calls.
- Assign PAYG Calling Plan licenses to these accounts via the Microsoft 365 Admin Center.
- Validate license coverage for all users and services involved in call transfers.
- Consider setting up Communication Credits to fund PAYG usage if needed.
đ Need Help?
If youâre unsure how this change affects your setup or need assistance updating your licensing, please reach out to your Luware Customer Success Manager or contact our Support Team.
INC Luware Support Address
| Â Luware Website | https://luware.com/support/ |
|---|---|
| Luware Helpdesk | https://helpdesk.luware.cloud |
| Cloud Service Status | https://status.luware.cloud/ |
 Troubleshooting & Known Issues
FIRST-TIME SCRIPT EXECUTION
When the script is run for the first time on a given machine it will try to install the required PowerShell modules if they aren't already available.Â
â This may require you to run the script as a local administrator:Â Right click on the "Windows PowerShell" item in Windows search and select "Run as administrator".Â
| Issue / Error | Analysis/Workaround |
|
Error shown: "Script cannot be loaded because running scripts is disabled on this system." |
This error will occur if your local script execution policy does not allow running signed scripts. |
| During Service Name Change: The script may encounter an error when trying to update the display name of a service. | â Workaround: Change the Display Name of the User Object via Microsoft 365 or Microsoft Entra ID. This information will be synchronized with Microsoft Teams. This process can take a few days until the changes are visible in the Microsoft Teams Client. |
|
Powershell fails to open popup window when authenticating to Nimbus.   |
Reported issue on MSFT side  https://github.com/AzureAD/MSAL.PS/issues/58 affecting users that default into the new âTerminal Previewâ. â Workaround: Run the script either via the classic Terminal or Powershell ISE. |
Â