This post might seem obvious to some, but it keeps coming up, so I thought I would share the experience. For organizations looking to move from Skype for Business Server to Skype for Business Online, or even those looking to establish Hybrid connectivity, this may come in handy.
The process to set up Hybrid connectivity is fairly well documented here, and things generally go well for smaller organizations where you have a single Administrator or a small group of administrators that generally have global admin rights both on-premises and in the cloud. However, in larger Enterprise organizations this is generally not the case.
In many larger organizations, the group that is responsible for Skype for Business is not necessarily the same group that handles Active Directory and/or Exchange Server, etc. While Microsoft has provided organizational roles for Skype for Business Online, there is a specific scenario where user moves will fail as a result of lack of permissions.
An organization has a group of Administrators that are responsible for Skype for Business Server on premises. They have required permissions to handle everything related to Skype including setup and administration. They even have the appropriate rights to manage voicemail for the users which is granted via the Exchange Online UM Management Role.
At some point the organization wants to explore Skype for Business Online and sets up Hybrid Connectivity. Their corporate Office 365 Administrator diligently assigns them the Skype for Business Admin Role, assuming that this will allow the group to administer all things Skype for Business Online. Here is where the issue comes to light. The Skype group would like to move a few pilot users into the cloud to test out functionality. They validate that the users have the appropriate Office 365 license assigned to them (i.e. Skype for Business Online Plan 2) and set out to move the first user.
They encounter the following issue when running the required PowerShell to move the first user:
PS C:\Users\administrator.ENABLEUC> Move-CsUser -Identity email@example.com -Target sipfed.online.lync.com -Credential $creds
Move-CsUser : Index was outside the bounds of the array.
At line:1 char:1
+ Move-CsUser -Identity firstname.lastname@example.org -Target sipfed.online.lync.com -Cred ...
+ CategoryInfo : InvalidOperation: (CN=MS Test01,OU...enableUC,DC=ca:OCSADUser) [Move-CsUser], IndexOutO
+ FullyQualifiedErrorId : MoveError,Microsoft.Rtc.Management.AD.Cmdlets.MoveOcsUserCmdlet
Results from this operation can be found at "C:\Users\administrator.ENABLEUC\AppData\Local\Temp\1\MoveResults-3114a09d-3
When researching the error “Move-CsUser : Index was outside the bounds of the array.”, you will find a few references to permissions or licensing being the culprit. The Microsoft documentation does not specifically call out what is required to execute this user move. It would seem logical that having both the CSAdministrator permissions on premises and the Skype for Business Admin role would be sufficient to perform this operation.
To troubleshoot the issue, you decide to add the “User Management Role” to the account that you are connecting to Skype Online with. You rerun the PowerShell cmdlet and find that it now works!
PS C:\Users\administrator.ENABLEUC> Move-CsUser -Identity email@example.com -Target sipfed.online.lync.com -Credential $cred
Results from this operation can be found at "C:\Users\administrator.ENABLEUC\AppData\Local\Temp\1\MoveResults-d765fe62-6
Solution – Minimum required permissions
Clearly the Skype for Business Admin role on its own is not sufficient to perform this operation. At a minimum, both the Skype for Business Admin Role and the User Management Role are required. The Global Administrator Role by itself will obviously also have the appropriate permissions to do this. I’m hoping Microsoft will consider changing this with larger organizations in mind, given that the User Management Role allows for things like password resets, which may not be desirable for certain teams. If you consider Exchange Online, all that is required to enable unified messaging (voicemail) for a Skype for Business user is the UM Management Role. The User Management Role is not required for this operation.
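A pre-flight check for the role combination described above, as an added example that is not part of the original post or Microsoft's documentation. It assumes the MSOnline PowerShell module is installed and that the portal roles map to the MSOnline role names noted in the comments; Test-MoveCsUserRoles is a hypothetical helper name.

```powershell
# Added example: verify the admin account holds the roles this post found
# necessary for Move-CsUser to Skype for Business Online.
# Assumed mapping of portal role names to MSOnline role names:
#   Skype for Business admin  -> 'Lync Service Administrator'
#   User management admin     -> 'User Account Administrator'
#   Global administrator      -> 'Company Administrator'
function Test-MoveCsUserRoles {
    [CmdletBinding()]
    param(
        # UPN of the account passed to Move-CsUser -Credential
        [Parameter(Mandatory)] [string] $AdminUpn
    )

    # Directory roles assigned directly to the account
    $held = @(Get-MsolUserRole -UserPrincipalName $AdminUpn -ErrorAction Stop |
              Select-Object -ExpandProperty Name)

    $isGlobal = $held -contains 'Company Administrator'
    $required = 'Lync Service Administrator', 'User Account Administrator'
    $missing  = @($required | Where-Object { $held -notcontains $_ })
    if ($isGlobal) { $missing = @() }   # Global Administrator covers both roles

    [pscustomobject]@{
        Account        = $AdminUpn
        RolesHeld      = $held
        MissingRoles   = $missing
        CanMoveUsers   = ($missing.Count -eq 0)
        # Flag accounts that work only because they are Global Administrator,
        # which is more privilege than the move itself needs.
        OverPrivileged = $isGlobal
    }
}

# $creds is the same credential object later passed to Move-CsUser
Connect-MsolService -Credential $creds
$check = Test-MoveCsUserRoles -AdminUpn $creds.UserName
$check | Format-List

if (-not $check.CanMoveUsers) {
    Write-Warning ("Move-CsUser is likely to fail for {0}; missing role(s): {1}" -f
        $check.Account, ($check.MissingRoles -join ', '))
}
```

Get-MsolUserRole reports only roles assigned directly to the account, so a role granted some other way will show as missing here.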
Will update this post as I get further details or if anything changes.