Review: SEFAUtil Server – Enterprise Edition

Earlier this year I looked in some depth at the Beta version of Landis Technologies’ “SEFAUtil Server”.

It’s since hit a formal “GA” milestone, and I’m pleased to see it’s a more stable platform as a result of its lengthy gestation.

If you’re not familiar with Microsoft’s “Secondary Extension Feature Activation Utility” for Lync and Skype for Business – or why there’s a burning need for third-party add-ons like SEFAUtil Server – have a read of the intro from my “Installing SEFAUtil Server” post and pop back here when you’re done.

Community vs Enterprise Edition

SEFAUtil Server is offered in a free Community Edition and a paid Enterprise Edition. As a result of a recent licence revamp, Community Edition is now limited to deployments of fewer than 50 users, but gains the benefit of the full suite of features. This table shows the differences between the versions:

[Image: New-CommunityVsEnterprise-Comparison2]

For a more detailed breakdown of the features, download the PDF User Manual.

CE vs EE

In my earlier look I focussed on the (then) limited Community Edition, and this time I wanted to take *all* of the features for a spin.

Both versions use the same code-base, so you can start with a Community Edition installation and then upgrade to Enterprise at any time as your deployment grows. That’s as easy as contacting Landis Technologies (see below) and installing your new RegistrationKey with “Set-SefautilServerRegistration”:

[Image: Get-Set-SefautilServerRegistration]

The following commands are now available to all users, regardless of version.

Set-CsUserContactList

Without SEFAUtil Server there’s no easy way to build or manage a user’s contact list programmatically. To date your officially-sanctioned options are using the AutoInitiateContacts attribute of “Get-CsPrivacyConfiguration” or the similar Smart contacts list. Alternatively you’ll find tools that go digging around in SQL from regular contributors like Guy Bachar & Corky Caragol on the gallery.technet site.

Here now is the ability to populate or edit a customised contact list for a new starter, a department, or perhaps for everyone after an acquisition, relocation or product launch.

To “Set-CsUserContactList” you supply a user and one or more contacts, then the groups to add them to or remove them from. Here are your options for where to add to or remove from:

  • GroupsToAddContactsTo
  • GroupsToRemoveContactsFrom
  • AddToFavoritesGroup
  • AddToOtherContactsGroup
  • RemoveFromFavoritesGroup
  • RemoveFromOtherContactsGroup
  • RemoveFromAllGroups

A feature not captured in the documentation is the ability to create a new Group: you just reference the new Group name in the “GroupsToAddContactsTo” attribute. If it doesn’t exist it will be created, and the contact(s) added to it.

[Image: Set-CsUserContactList]

PS C:\> Set-CsUserContactList jessica@gislync.com -ContactsSipAddress chode@gislync.com -RemoveFromFavoritesGroup

When I executed the above Commandlet, Chode vanished from Jessica’s Favourites in an instant. Having repeated the command I received the same output, where I would have liked to have seen the familiar “WARNING: Object with identity <blah> was not changed”. (I’ve already fed that back as a PI request).

Absent is the expected “get” version of this command, which would increase its utility significantly by allowing you to view and clone user contacts, although perhaps it was deliberately omitted for privacy reasons (despite the information already being accessible through other tools).

Get/Set-CsUserNote & Get/Set-CsUserPresence

These two Commandlet pairs let you easily change someone’s personal note or presence state in real-time. They deliver as expected in an instant, with changes visible immediately.

[Image: GetSet-Presence Note]

PS C:\> set-CsUserPresence jessica@gislync.com -Presence Busy
jessica@gislync.com Presence changed to Busy
PS C:\>
PS C:\> set-CsUserNote jessica@gislync.com -Note "Testing SEFAutil Server!"
jessica@gislync.com Note changed to Testing SEFAutil Server!
PS C:\>

I think a feature unique to SEFAUtil Server is that Get-CsUserPresence shows the last device to set the presence state. Here it’s shown as “Computer”, but I was also able to get it to show “DeskPhone”. Disappointingly, if you change the presence via SEFAUtil Server, it doesn’t appear to update the PresenceSource – but that’s apparently a weakness in the SDK, not the app.

Instant Message BOT

One of the *major* value-adds is the IM Bot. Back in the installation process you were prompted to create a TrustedApplicationEndpoint with a SIP address, and you can send that address an IM to set a Personal Note or change someone’s Presence:

/ChangePresence:<PresenceState> sip:<user_uri>
/ChangePresence:DoNotDisturb sip:greig@gislync.com

Valid presence states are Available, Busy, DoNotDisturb, Away, BeRightBack, OffWork, Offline, Reset

/ChangeNote:<Note> sip:<user_uri>
/ChangeNote:"I'm testing SEFAUtil Server EE" sip:greig@gislync.com

(See these messages in the context of an IM in the image under “Fine-Grained Access Control”, below.)

The Bot is also able to Enable & Disable call forwarding and sim-ring.

A weakness in the current GA build requires you to water down your IM Filtering before the Bot will accept commands. The work-around is to remove the filter on the “sip:” prefix:

Set-CsImFilterConfiguration -Prefixes @{remove="sip:"}

Notify Users

Elsewhere there‘s a global setting that controls whether SEFAUtil Server will notify users when changes are made to their account, or remain silent:

[Image: Get-SefautilServerSettings]

Here’s a sample of an IM that popped to my user when I made a change to their presence state:

[Image: IMBot-Notification]

Fine-Grained Access Control

A JSON file on the server lets you restrict who can make changes, to whom, and even what commands they can execute!

Out of the box it’s open slather, so you’re likely to want to lock this down before it gets anywhere near production. Check out the file “SSAdminPermissions.txt” and the examples in “SSAdminPermissions_Example.txt”. Both are in C:\Program Files\Landis Technologies LLC\SefaUtilServer\.

This was all I needed to add to lock it down so I’m the only person who can change Jessica’s account:

[
  {
    "Admin": "sip:greig@gislync.com",
    "Users": [
      {
        "Sip": "sip:jessica@gislync.com"
      }
    ]
  }
]

Here’s a demo of the Bot, with me updating the permissions file in between – hence why the responses change from “ACCESS DENIED” to “SUCCESS” apparently mid-conversation:

[Image: IMBot-example]

I noticed that the change made to SSAdminPermissions.txt wasn’t picked up instantly and I needed to restart the SEFAUtil service for it to take effect. Hopefully the app reads the file occasionally and you don’t need to take it offline each time you make a change to the permissions.
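
A pre-flight check for the permissions file, added here as an example (it is not part of SEFAUtil Server or of the original post): it parses the JSON so a stray brace or missing quote is caught before the service is restarted, then lists which Admin may change which users. The function name Test-SSAdminPermissions and the second sample entry are constructed, and it assumes only the Admin, Users and Sip keys shown above, with addresses carrying the “sip:” prefix as in that sample.

```powershell
# Added example. Only the keys shown in the post (Admin, Users, Sip) are assumed.
# $raw below is a constructed sample. To check the real file, load it instead:
#   $raw = Get-Content -Raw 'C:\Program Files\Landis Technologies LLC\SefaUtilServer\SSAdminPermissions.txt'
$raw = @'
[
  { "Admin": "sip:greig@gislync.com",
    "Users": [ { "Sip": "sip:jessica@gislync.com" } ] },
  { "Admin": "helpdesk@gislync.com",
    "Users": [ ] }
]
'@

function Test-SSAdminPermissions {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Json)

    $sipUri = '^sip:[^@\s]+@[^@\s]+$'   # -match is case-insensitive by default

    # Fail loudly on a stray brace or missing quote instead of finding out after a restart.
    try {
        $entries = ConvertFrom-Json -InputObject $Json -ErrorAction Stop
    } catch {
        Write-Error "Permissions file is not valid JSON: $($_.Exception.Message)"
        return
    }

    foreach ($entry in $entries) {
        $findings = @()
        if ($entry.Admin -notmatch $sipUri) { $findings += 'Admin is not a sip: URI' }

        # foreach (rather than a pipeline) yields nothing when Users is missing or empty.
        $users = @(foreach ($u in $entry.Users) { $u.Sip })
        if ($users.Count -eq 0) { $findings += 'no Users listed' }
        foreach ($sip in $users) {
            if ($sip -notmatch $sipUri) { $findings += "User '$sip' is not a sip: URI" }
        }

        # One row per Admin: who they may change, and anything that needs a second look.
        [pscustomobject]@{
            Admin    = $entry.Admin
            Users    = $users -join ', '
            Findings = $findings -join '; '
        }
    }
}

Test-SSAdminPermissions -Json $raw | Format-Table -AutoSize -Wrap
```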

Cost

Enterprise Edition is licenced in two components, with an initial fixed cost and an ongoing annual support payment. The entry-level Enterprise Edition licence (for up to 300 users) is $1500 and on a diminishing cost per user after that, scaling to well beyond 10,000 users. To the smallest (Enterprise-Edition) installation, add $600 for annual support. These are list prices in USD.

To procure a licence, just send an e-mail to sales # landiscomputer.com.

Summary

SEFAUtil Server simply blitzes Microsoft’s native offer – there’s no comparison. Deploying the Community Edition into a small on-premises EV deployment is [and I hate this cliché] a no-brainer. If your deployment is large enough to warrant Enterprise Edition I think its breadth of features – some unmatched anywhere else – combined with its performance will deliver a favourable cost-benefit analysis, and there will be plenty of customers for whom its benefits are INSTANTLY justifiable.

I like:

  • its ability to manage a user’s contact lists through PowerShell
  • that the P$ Commandlets follow the usual syntax and structure. (Did you see in the screen-grabs I skipped specifying the “-SipAddress” & just started with the user?)
  • the inbuilt auto-complete makes it REALLY easy to structure your commands without a detailed knowledge of the module
  • that the IM Bot and PowerShell module aren’t case-sensitive
  • how fast it executes! (Again, if you’ve ever used Microsoft’s native SEFAUtil you’ll know what I’m talking about)
  • the deep level of access control built into the IM Bot
  • the extra value that Get-CsUserPresence provides, with the user’s timezone, inactive duration and last presence update source captured
  • that Community Edition now includes the full feature set – so your lab/demo setup can be used for fully-featured demos and training

I dislike:

  • that some of the Commandlets have the “<Verb>-cs” prefix. That’s a personal thing, but I wish it didn’t have that overlap with the native commandlets and the potential for clash should MS add a Commandlet of the same name to the SfB module
  • the absent functionality referred to above
  • that “Notify Users” is currently a global setting. (I’d like to see greater control over who’s told you’ve made changes)

SEFAUtil server is still in its relative infancy but it’s improving in leaps and bounds. It still has a few foibles, but they’re being addressed by a responsive and enthusiastic vendor.

WITHOUT A DOUBT if you’re using Enterprise Voice in your on-premises SfB deployment, you need SEFAUtil Server. If you don’t think you can justify the expense of Enterprise Edition, I’ll just leave you to run with Microsoft’s rudimentary SEFAUtil until you come to your senses. ;-)
 

My trial licence came gratis courtesy of Matt and the team at Landis Computer.

Revision History

18th November 2017: Updated the comparison table and removed erroneous references to CE support.

17th November 2017: This is the initial post.

– G.

One Comment

  1. This is also only the start of the things you can do with this tool.
    Matt’s team added this functionality into Attendant Pro, allowing you to change users’ presence and tag line all from within the user app. With the appropriate permissions set in sefautil server you can have teams of PAs managing Execs without IT ever needing to get involved.
