--- title: Online deployment with Office 365 (Surface Hub) description: This topic has instructions for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment. ms.assetid: D325CA68-A03F-43DF-8520-EACF7C3EDEC1 keywords: device account for Surface Hub, online deployment ms.prod: surface-hub ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article ms.date: 02/21/2018 ms.localizationpriority: medium --- # Online deployment with Office 365 (Surface Hub) This topic has instructions for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment. If you have a pure, online (O365) deployment, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-os356-ps-scripts) to create device accounts. 1. Start a remote PowerShell session on a PC and connect to Exchange. Be sure you have the right permissions set to run the associated cmdlets. ```PowerShell Set-ExecutionPolicy RemoteSigned $org='contoso.microsoft.com' $cred=Get-Credential admin@$org $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection Import-PSSession $sess ``` 2. After establishing a session, you’ll either create a new mailbox and enable it as a RoomMailboxAccount, or change the settings for an existing room mailbox. This will allow the account to authenticate into the Surface Hub. If you're changing an existing resource mailbox: ```PowerShell Set-Mailbox -Identity 'HUB01' -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) ``` If you’re creating a new resource mailbox: ```PowerShell New-Mailbox -MicrosoftOnlineServicesID HUB01@contoso.com -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) ``` 3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to False. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled. If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. ```PowerShell $easPolicy = New-MobileDeviceMailboxPolicy -Name "SurfaceHubs" -PasswordEnabled $false -AllowNonProvisionableDevices $True ``` Once you have a compatible policy, then you will need to apply the policy to the device account. ```PowerShell Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.Id ``` 4. Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. ```PowerShell Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!" ``` 5. Connect to Azure AD. You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command : ```PowerShell Install-Module -Name AzureAD ``` You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect. ```PowerShell Import-Module AzureAD Connect-AzureAD -Credential $cred ``` 6. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information. ```PowerShell Set-AzureADUser -ObjectId "HUB01@contoso.com" -PasswordPolicies "DisablePasswordExpiration" ``` 7. Surface Hub requires a license for Skype for Business functionality. In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](hybrid-deployment-surface-hub-device-accounts.md#sfb-online). Next, you can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant. Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable. ```PowerShell Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US" Get-AzureADSubscribedSku | Select Sku*,*Units $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense $License.SkuId = SkuId You selected $AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses $AssignedLicenses.AddLicenses = $License $AssignedLicenses.RemoveLicenses = @() Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses ``` 8. Enable the device account with Skype for Business. If the Skype for Business PowerShell module is not installed, [download the Skype for Business Online Windows PowerShell Module](https://www.microsoft.com/download/details.aspx?id=39366). - Start by creating a remote PowerShell session from a PC. ```PowerShell Import-Module SkypeOnlineConnector $cssess=New-CsOnlineSession -Credential $cred Import-PSSession $cssess -AllowClobber ``` - Next, if you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet (for example, *alice@contoso.com*): ```PowerShell (Get-CsTenant).TenantPoolExtension ``` OR by setting a variable ```PowerShell $strRegistrarPool = (Get-CsTenant).TenantPoolExtension $strRegistrarPool = $strRegistrarPool[0].Substring($strRegistrarPool[0].IndexOf(':') + 1) ``` - Enable the Surface Hub account with the following cmdlet: ```PowerShell Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool yourRegistrarPool -SipAddressType EmailAddress ``` OR using the $strRegistarPool variable from above ```PowerShell Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool $strRegistrarPool -SipAddressType EmailAddress ``` For validation, you should be able to use any Skype for Business client (PC, Android, etc) to sign in to this account.