Prepare for optional MindLink features

MindLink products provide a range of optional features that you may want to deploy depending on your planning decisions.


Profile Pictures

MindLink supports user profile pictures. These will be displayed in the web client and can be configured through several sources.

Sources

User photos in Skype for Business can be specified in three ways:

  • URL
  • Exchange
  • Active Directory

MindLink will attempt to resolve a user's photo in the order that these types are listed, so if you have a photo set in Exchange and have also configured a user photo image URL through the native client, the URL image will be shown in MindLink.

Setting User Photos in MLA

  • MindLink Client

MindLink also offers the ability to set your user photo directly through the client. This feature is provided by the Exchange server (version 15.1 and above), which must be configured correctly to work alongside MindLink.

When a user uploads a new user photo from the client, the MindLink server acts on their behalf using its service account domain credentials to authorize a request against the Exchange Web Services. This single Active Directory service account is therefore responsible for accessing Exchange information for all users, and as such, requires special elevated permissions.

Exchange administration is restricted by Role-Based Access Control (RBAC), a system whereby rights to certain administrative operations and features are defined by distinct "management roles" and granted to users/groups in Active Directory either directly, via a Universal Security Group or via a role group assignment.

Exchange installs with a large set of pre-defined roles out-of-the-box; these typically cover all the different access scenarios administrators are likely to require.

One such role is the Mail Recipients role which includes (but is not limited to) the following entry:

  • SetUserPhoto

It is also configured with the appropriate scopes that MindLink requires to access all user accounts across the organization. For the simplest way of granting these permissions, you can assign this role directly to the service account user:

  • New-ManagementRoleAssignment -Role "Mail Recipients" -User "YourServiceAccountName"

The preferred approach is to create a new admin role group, assign the role to it, and then add the service account as a member of the group. This can be done through the Exchange Admin Center. If you already have MindLink configured with Exchange to enable private conversation history, then you may already have created an admin role group to apply the ApplicationImpersonation role to the service account. If this is the case, then you can simply add the Mail Recipients role to this group too; otherwise, create a new role.

The Mail Recipients role comes with many other entries that are not relevant to configuring user photos. If security is a consideration, then it may be desirable to restrict the service account to only those commands that are directly relevant. This can be done by creating a new management role that contains only the role entry above. We do this by "cloning" the Mail Recipients role and removing all other role entries:

  • New-ManagementRole -Name "Set User Photos" -Parent "Mail Recipients"
  • Get-ManagementRoleEntry "Set User Photos\*" | Where {$_.Name -NotLike "SetUserPhoto"} | Remove-ManagementRoleEntry

We now have a new management role, "Set User Photos", with the same scopes as Mail Recipients but containing only the entry relevant to configuring user photos. This role should be assigned to the service account using either of the methods described previously.
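The following Exchange Management Shell sketch is an added example, not part of the MindLink documentation: it checks that the cloned role holds only the expected entry, creates a role group for it from the shell instead of the Exchange Admin Center, and then audits what the service account can reach. The group name "MindLink User Photos" is a hypothetical placeholder, and the entry name SetUserPhoto is taken from this page.

```powershell
# Added example. Placeholders: replace with your own values.
$ServiceAccount = "YourServiceAccountName"   # placeholder used on this page
$RoleName       = "Set User Photos"          # custom role created above
$GroupName      = "MindLink User Photos"     # hypothetical role group name
$ExpectedEntry  = "SetUserPhoto"             # entry name as given on this page

# 1. Verify the cloned role before granting it to anyone: it must contain
#    the expected entry and nothing else.
$entries    = @(Get-ManagementRoleEntry "$RoleName\*")
$unexpected = @($entries | Where-Object { $_.Name -ne $ExpectedEntry })
if ($entries.Count -eq 0 -or $unexpected.Count -gt 0) {
    $unexpected | Format-Table Name, Role -AutoSize
    throw "Role '$RoleName' is empty or has extra entries; not assigning it."
}

# 2. Create the role group with the custom role and add the service
#    account as a member (skipped if the group already exists).
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Roles $RoleName -Members $ServiceAccount
}

# 3. List every role that reaches the service account. With -RoleAssignee,
#    both direct assignments and those inherited through groups are returned.
Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount |
    Sort-Object Role |
    Format-Table Name, Role, RoleAssigneeName, RoleAssigneeType -AutoSize

# 4. Flag a leftover assignment of the full Mail Recipients role, for
#    example from an earlier direct New-ManagementRoleAssignment.
$broad = @(Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role "Mail Recipients")
if ($broad.Count -gt 0) {
    Write-Warning "$ServiceAccount still holds the full Mail Recipients role:"
    $broad | Format-Table Name, RoleAssigneeName -AutoSize
}
```

Re-running steps 3 and 4 after any later change to the service account's group memberships shows whether broader Exchange roles have been picked up.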


Mobile Autodiscovery

DNS requirements

It is possible to configure your mobile deployment to accept users' domain email addresses, for example test1@testdomain.local, as a means of initializing against a MindLink Mobile deployment. However, there are a few prerequisite steps to make this possible. Firstly, ensure that a CNAME (alias) record is set up in your forward lookup zone.

Once this is done you will want to choose a target host. This will be the server hosting the MindLink Mobile service.


User Aliases

User aliases allow a user to define their own per-room alias name. This custom name will show as their primary name in the active conversation, with their real username shown less distinctly below it.

SQL Database

Aliases are stored in an SQL database. Before aliases can be set up in the Management Center, a database must be created.

To create a database, go to your SQL server and open Microsoft SQL Server Management Studio.

Right-click Databases and select New Database. Give it a name and click OK.

Now refresh the database list and you should see the newly created database. What you do with it now will depend on what you want to use the database for.

When we create a database for aliases, it will need a few permissions and user accounts to be added. Expand the database and right-click the Security folder > New > User...

Now add your service account to ensure adequate permissions.

Ensure the user is set up with Schemas.

And don't forget to also set the membership.

Then do the same for SQLUser.

Set the Schemas and Membership as above.

Now that the database is set up, you are ready to configure the Management Center to connect to the database. This will be covered in the Management Center sections later.