Extensions Tenant Settings

Configure behavior of Nimbus UI Extensions and Apps

ūüĒć Here you can¬†configure all additional Nimbus extensions and separately enabled¬†Nimbus Features.

ūüí° Note that certain extensions may be configured but will not take effect until the licenses for your users (User Administration) and services (Service Administration) are applied.

Outbound

Option / Element Description
Max Scheduled Outbound Tasks per service

Limits the maximum outbound tasks per service that can be simultaneously scheduled / in progress. 

Default 20 / Min 1 / Max 50

 

ūüĒć Note: Outbound Tasks ‚Äď same as inbound tasks ‚Äď are distributed among available Nimbus users and shown in the¬†Personal Dashboards¬†> in the¬†"Service Outbound Tasks Tabular"¬†widget. Tasks are scheduled using the¬†Microsoft Power Automate Connector¬†>¬†Flow Actions. Once the limit is reached, a flow error is returned and the task will be discarded.

Directly invite PSTN for Outbound calls

If enabled, PSTNs are directly added to a group call in case of a scheduled outbound session or Call On Behalf, avoiding audio delay between agents and customers.

  • Default: false

ūü§Ē Why is this toggle read-only?

Enabling this feature is done by Luware Support and requires testing on your tenant as Microsoft has not yet rolled out dependent functionality globally for all MS Teams tenants.

Directly invite UPN for Outbound calls

If enabled, UPNs are directly added to a group call in case of a scheduled outbound session or Call On Behalf, avoiding audio delay between agents and customers.

  • Default: false

ūü§Ē Why is this toggle read-only?

Enabling this feature is done by Luware Support and requires testing on your tenant as Microsoft has not yet rolled out dependent functionality globally for all MS Teams tenants.

Interact

Configures options for Interact, an optional feature of Nimbus. If you want to learn more head over to our Luware Solutions page.

Option / Element Description
Interact enabled

The global setting which activates Interact for Nimbus

  • When enabled, the calls in¬†Interact¬†will reach an agent in Teams.
  • When disabled,¬†the calls in¬†Interact¬†will not reach an agent, even if the tenant is configured for Interact calls.

ūüĒć Enabling this requires you to fill in an ACS connection string. Refer to our¬†Use Case - Setting up Interact¬†which explains setup steps in detail.

Interact disabled

If Interact is disabled, all corresponding fields are hidden in the section.

ūüí° Configured values are not cleaned up and can be used when enabling the functionality again.

ACS connection string

Connection string for Azure Communication Services. Required to use Interact. 

ūüĒć Learn how to generate this string via the¬†Microsoft Documentation¬†.

‚úÖ "Check"- performs a check if it's possible to create a token for the user using this string. If the connection fails (with a correct string) it most likely means there are insufficient permissions.

O365 UserID ID of the user on behalf of whom meetings on the backend will be created.
Widget Key

Random guide generated for the Tenant. The key is sent with each request to the backend and checks the validity of the widget, depending on which it either allows or rejects the request for the backend.

  • "Copy"¬†- copies the guide value for (future) use in a web client.
  • "Refresh"¬†- updates the guide with a new one.
Session recovery timeout in seconds

Time in seconds before a closed session is ended permanently. 

Default: 20; Min: 5; Max: 60.

KNOWN ISSUE Currently the timeout behavior is different between a direct (to Agent) conversation and a Service-distributed conversation:

  • On a direct conversation:¬†A session timeout starts when the customer leaves the conversation. When an agents leaves an ongoing conversation, they are re-invited if the customer rejoins within the timelimit.
  • On a service conversation:¬†The session is¬†only¬†restored when the agent¬†remains¬†in the conversation. When the agent leaves, a new session is started (including a complete re-execution of the IM workflow).
Authorization

Determine if a session requires further authentication:

  • None¬†(default) - when set, the token is not verified.¬†
  • Verify Token¬†- when set, verifies the validity of the token. The error will occur if the token is expired or invalid.
  • Verify Token & Tenant¬†- when set, verifies the validity of the token and that it belongs to a certain tenant.

Learn how to set up authorization...

Use Case - Enabling additional authorization for Interact

In this use case, we're going to describe how you can set up an access token to be used for Interact.

ūüĒć This use case is optional in case you want to¬†verify user access additionally via tokens in your¬†Tenant Administration¬†> Interact¬†settings.

Steps below refer directly on the Daemon application MSFT help article and the subchapters. 

 

Create an Azure Application

  • Add a new app under¬†app registrations¬†in the Azure Portal
  • Preferably a single tenant application
  • No reply-URL¬†needed for the client-credential flow (standard OAuth 2.0 client credentials grant)

ūüĒć Refer to:¬†https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-app-registration

Generate Secret/Certificate

  • Generate a¬†secret¬†or¬†certificate¬†which will be used as the applications credentials

ūüĒć From¬†https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-app-registration

To add credentials to your confidential client application's app registration, follow the steps in Quickstart: Register an application with the Microsoft identity platform for the type of credential you want to add:

Create own Daemon App with .NET/Java/Node/Python

  • Based on the language instantiate the confidential client application with the client secret or the certificate

ūüĒć Refer to the table on¬†https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-app-configuration?tabs=dotnet

Acquire a token and pass it to the SDK

  • Based on the language instantiate the confidential client application with the client secret or the certificate

ūüĒć Refer to:¬†https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-acquire-token?tabs=dotnet

 
 

Assistant

Configures options for Assistant, an optional feature of Nimbus.

Option / Element Description
Use your own ACS Instance

Toggle. Enable when you have your own Azure Communication Services instance.

ūüĒć Enabling this requires you to fill in an ACS connection string. Refer to¬†Use Case - Setting up Assistant¬†which explains the setup steps in detail.

ūüí° When this option is disabled, all corresponding fields are hidden in the section. Configured values are not cleaned up and can be used when enabling the option again.

ACS connection string

Connection string for Azure Communication Services. Required to use Assistant with your own ACS instance.

ūüĒć Learn how to generate this string via the¬†Microsoft Documentation¬†.

ūüí° Once a string is entered a "Check" option verifies if it's possible to create a token for the user using this string. If the connection fails (with a correct string) it most likely means there are insufficient permissions.

Attendant Console

Allows to configure an MS Graph Filter that automatically limits the search used in Attendant Console. 

Option / Element Description
Global Contact Search MS Graph Filter

Uses the MS Graph REST API to filter1¬†users according to¬†your¬†tenant admin account permissions.¬†This filter will be applied to the O365 like¬†Attendant Console¬†to provide internal Nimbus users a narrowed-down pool of search results. ūüí° By default this filter (textbox) is empty, allowing users to perform a search on your entire tenant.

 1 See: https://docs.microsoft.com/en-us/graph/api/overview


‚ėĚ Please note that this field requires¬†only¬†parameters for the "filter" field¬†of a MS graph query,¬†not¬†the whole API¬†request URL. Keep this in mind when using MS Graph Explorer to test, copy & paste your updated filter parameters.

ūüí° End-users will not see this filter in the frontend UI, but will have search results narrowed down accordingly.

ūüĒć Refer to our¬†Use Case - Filtering Attendant contact search via MS Graph.


Example filter for users within domain and preferred language:

endsWith(userPrincipalName,'onmicrosoft.com') and preferredLanguage eq 'en-GB'
 

NOTES AND KNOWN LIMITATIONS

KNOWN LIMITATION The filter will be applied to all O365 accounts, including those of Nimbus Services! Overly strict filters may limit the Nimbus users' capability to forward calls via search.


  • This text field does not perform validity checks for correct syntax. ‚Üí Please refer to the official¬†MS Graph REST API documentation¬†for details.
  • Nimbus combines both visible and backend filters with an 'AND' clause. When a frontend user (e.g. via¬†Attendant Console) searches within the same fields as defined in your query there can be a clash.¬†
  • Depending on the field(s), on which the filter is applied, additional¬†permissions¬†might be required for Nimbus to make a query on your behalf. Without these permissions, search functions in¬†Attendant Console¬†might not work at all.
  • If the filter query is broken for any reason (e.g. missing permissions, typos, syntax) the search in any Frontend may not show any results at all.
 
Team Visibility in Attendant Console

The Attendant Console search allows to forward calls to Nimbus teams and services. To avoid bypassing queues of services, the visibility of team members can be hidden.

  • Do not show any members¬†- Only limits the search to Nimbus services and their overall availability. No individual team members are shown.
  • Shown own members¬†- will only show available team members of Nimbus services that the Attendant user themself is a part of.
  • Show all members¬†- will show the availability of all team members of any Nimbus service.

Presence Tracking

✅ "Presence Tracking" allows Nimbus to make smarter routing decisions by determining if your users are already in a Teams call (non-Nimbus). Please note that a few steps are required on your Microsoft Tenant for this feature to work. Read the instructions below carefully and contact Support in case you need assistance. 

Track Presence over Guest Accounts

Allows you to use two Luware-provided guest accounts which enable Nimbus to poll the extended presence status on all users within your Tenant.

ūüĒć Also see related Microsoft Documentation:¬†User Presence States in Teams¬†.

‚ėĚ If you want to keep using¬†"Presence Privacy mode"¬†on your Tenant you¬†need¬†these guest account.¬†Otherwise Nimbus cannot route anything.

ūü§Ē Why is this necessary?

Without a guest presence account, Nimbus can only retrieve a simplified presence status such as "Busy" "Away" or "Available" for your users. For extended status presence such as " Busy → In a Call " or " Busy → In a Conference " these presence accounts are required to improve call routing. When activating the presence tracking feature, call handling is handled according to the MS Teams status as follows:

Calls are delivered while Calls are NOT delivered while

Available

Busy*

Busy in a Meeting*

  • Away*
  • Busy in a call
  • in DND (Do Not Disturb)
  • Offline

*Only when Distribution Service Settings are set accordingly within the individual Service.

With extended presence enabled, Nimbus can now distinguish a "Busy" status and plan/avoid call distribution accordingly.

KNOWN LIMITATION For "Away" and "BRB" states the "In a Call" extended status is not returned by Microsoft. W hen any of these status were manually set by users, Nimbus doesn't have additional information whether or the user is already in a call and will follow the plain "Away" status as defined in Distribution Service Settings to route the calls. → As this is a Microsoft-limitation we cannot provide a fix or workaround for this at the moment.

Grant Permission (Copy to Clipboard)
✅ An auto-generated link that you (as Tenant Admin) need to paste into your browser. → Grants the delegated permissions listed below to the Nimbus App. The Azure guest accounts use these to read presence on all users on your tenant.
ūüí° You can do this step regardless of the Presence Account 1&2 field contents. The permissions will remain even if the guest users change.
Extended permissions are:
  • Presence.Read.All
  • User.Read
  • User.ReadBasic.All

ūü§Ē What are these¬†Permissions¬†used for?¬†Nimbus uses these extended permissions to enable presence-based features, primarily for targeted call distribution and updating availability in the frontend UI. Also read ‚Üí¬†Track Presence over Guest Accounts¬†above.

✅ To test these permissions you need to invite at least one presence account. → See "Presence Account 1&2" and → "Test UPN" below for further details.

Presence Account 1&2

Used for extended presence status tracking on your tenant. Account 2 acts as (temporary) fallback when account 1 does not work for any reason.

ūüĒć These guest accounts require extended permissions ‚Üí see¬†"Grant Permission"¬†above.

Click here to learn how to set up Presence Accounts

Use Case - Tracking extended user presence via Azure guest accounts

In this use case, we explain how to track extended user presence. For this you need to invite Nimbus Guest Users to your tenant.

PRECONDITIONS

  • Nimbus Installation¬†is complete and at least one¬†Service is provisioned¬†on your tenant.
  • In extension you should know about the¬†Distribution Service Settings, accessible to you if you are Team Owner or Tenant Admin. ūüí° These settings define when¬†service calls are distributed to the users (team members) based on their MS Teams status (Away, DND, etc). More on this will explained below.
  • You require¬†Tenant Administrators¬†rights to access the Nimbus¬†Tenant Administration¬†> "Presence Tracking" section.
    • You also need Tenant Admin credentials to invite guest users within your Azure Portal.
 

ūü§Ē What is extended user presence and why guest accounts?

For an extended status presence such as "Busy → In a Call" or "Busy → In a Conference", these presence accounts are required to improve call routing. Without having guest users on your Tenant as means to check, Nimbus cannot see any extended user presence status.

ūü§Ē What happens after this setting is active?

When activating the presence tracking feature, call handling is handled according to the MS Teams status as follows:

Calls are delivered while Calls are NOT delivered while

Available

Busy*

Busy in a Meeting*

  • Away*
  • Busy in a call
  • in DND (Do Not Disturb)
  • Offline

ūüí° Note that Nimbus will adhere to¬†Distribution Service Settings, so ensure to check there if your calls are not delivered as expected.¬†
ūüí° Note that Nimbus can still forward calls when you are in the middle of doing an outbound calls via Teams, as your presence status will only change when you are in an established call.

ūüĒć Also refer to the related Microsoft Documentation:¬†User Presence States in Teams.

Guest User Details

‚úÖ Before you can use the extended presence feature you need to invite two guests users to your tenant. The steps are described below.

  1. Within the Nimbus UI > Tenant Administration > head to the "Presence Tracking" section
  2. Take note and mouse over the "Presence Account 1 & 2" user mail addresses to see their details. 
    ūüí° These accounts are¬†individual to your Nimbus cluster. Examples below have been blurred to prevent mistakes.
  3. Make sure to copy your individual presence account name, including the @ domain ending. The account details will be used in a step below. 
    Screenshot showing two individual presence accounts

Invite Guest Users

INC Invite Azure Guest Accounts

  1.  As Tenant Admin, log into your Azure Portal.
  2. Go to¬†Users > New Users and select ‚ÄúInvite external User‚ÄĚ.
     
  3. Invite both guest users 1&2 on your tenant. Add each of the previously copied email addresses (e.g. svr_nimbus_guest@onmicrosoft.com) and click Invite.
    ‚ģĎ A standard Azure invite mail will be sent out to Luware.

    ‚ėĚ Note that MFA (Multi Factor Authentication) needs to be disabled for these users. Otherwise, this feature will not work as the guest users cannot sign in to your tenant.
  4. Let your Customer Success Specialist know that the guest users have been invited.
  5. Please wait while steps are done in the background:
    1. Luware cloud operations team must accept the guest invitations. Please allow for some time for this to happen.
    2. Once successful, the "Account is not added as guest" message should disappear on your side in the Nimbus admin UI.
    3. If this is not the case, please get in contact with the Luware support.

Grant Delegated Permissions

ūüí° This step can be done in parallel to the previous steps. Once granted, either of the presence accounts will make use of these permissions and no further actions are required on your side.

Copy & paste URL from the "Grant Permissions" area into your browser. This link must be opened by logged-in a Tenant Administrator in order to work.

ūü§Ē Which permissions are granted to these users?¬†Refer to Nimbus¬†Required App Permissions¬†>¬†"Presence Tracking"


Results:

  • Once granted, the¬†"Permission is not granted"¬†note should disappear in the admin UI.
  • You can now enable the¬†"Track Presence Over Guest account"¬†feature and test the status tracking via the "Test UPN" field.

Adjust Your Service Settings

ūüí° With all previous "track presence" steps successfully performed, Nimbus is now able to distinguish between busy states.

✅  We recommend to check your Service Settings > Distribution > Conversations Distribution tab and have converations "Distributed to the user" even while busy. Nimbus will automatically detect if an existing Nimbus service call is already handled by that user and re-route incoming calls accordingly.

Secure Workaround for MFA

INC Secure Workaround for MFA

In some cases Nimbus will require you to invite Guest Accounts to support extended features on your Tenant. We realize that not using MFA for presence accounts is a big limitation. If your IT policy mandates MFA on all accounts, there is a workaround that whitelists IP ranges. To circumvent this problem you can use the following workaround:

  • Add trusted Locations with the Nimbus Server IP Addresses (Switzerland)
  • Add a conditional access policy to limit the access to the given trusted location.

Learn more…

Add Trusted Location

  1. Go to Named locations within Azure Portal (https://portal.azure.com)
  2. Add a new IP ranges location
  3. Enter a Name and add the IP addresses for the location and check the Mark as trusted location option
  4. Add all IP addresses for the location (see table below)

    and click on Create

Add a conditional access policy

  1. Go to the Azure portal (https://portal.azure.com)
  2. Switch to Conditional Access and select Policies
  3. Select an existing you want to change or create a new policy and configure the Condition section to add your trusted location as excluded from the MFA policy

Nimbus Cluster IPs

Switzerland North 01
20.250.90.30
20.250.90.31
20.250.90.136
4.226.36.167
Switzerland North 02
4.226.11.105
20.250.216.126
4.226.25.247
4.226.26.8
Germany West Central 01
20.52.208.117
20.52.208.209
20.170.103.21
20.52.209.237
Germany West Central 02
98.67.132.41
98.67.225.28
98.67.132.74
98.67.132.61
United Kingdom South 01
20.49.226.93
20.49.226.86
20.49.226.126
4.159.33.63
Nimbus Cluster IPs provided by Microsoft (Status 14/05/2024):

Caution: These IPs are configured by Microsoft and can be changed without prior notice.

 
 

Troubleshooting

Error  Description Solution

Unknown Error (XX0000) 

Enhanced Presence has been enabled, Guest Accounts have been added, Permissions have been approved, Multi-Factor Authentication has been disabled for the Guest Accounts.

However, the following error message appears when trying to check the status of users: 

Solution A: Change global collaboration settings

  1. Head to In Azure Portal > Users > User Settings > External Users > Manage External Collaboration Settings.
  2. Set the "Guest User Access Restrictions" to either "Most inclusive" or "Limited access" 

This is a global setting and applies to all (future) guest accounts. If you do not want to change this, consider solution B below.

 
 
 

Solution B: Change individual user role assignment

Since the External Collaboration Settings are a global setting, you may not want to relax these rules just for one application. Instead you can just assign a special role to the guest accounts.

  1. Head to In Azure Portal > Users > Nimbus Guest Account > Assigned roles > Add assignments.
  2. In the "Membership" Tab, assign the "Directory Readers" role to the Luware Guest Account(s).
  3. In the "Settings" Tab, ensure the assignment is "Active" and "Permanently assigned"
 
 

After the setting is changed, it may take up to an hour for the Nimbus Enterprise App to properly read the users' presence data.

 
 
 
Test UPN

✅ We highly recommend to live-test the new presence accounts 1&2 individually and check different users on your Tenant to see if the extended presence status updates correctly. 

ūüí° The extended presence status should be shown / updated immediately. If you encounter problems with this or see an error message, please get in touch with your Nimbus customer success / onboarding contact.

Table of Contents