SfBS 2019 MACP – Modern Admin Control Panel

One of the significant enhancements delivered in today’s Skype for Business Server 2019 CU1 is the new “Modern Administration Control Panel” or MACP.

This is a new HTML5-based admin interface, which shares a particular visual familiarity with the SfB Online and Microsoft Teams Admin Centres – and does so without requiring Silverlight.

Thankfully it still co-exists with its long-established Silverlight equivalent the CSCP, so you can choose between them.

At this release it’s limited to only user-related admin, with more functionality to be added in future CUs.


It’s a doddle to install, as the bulk of the work is performed by the CU installer.

Just in case you took some short-cuts with that, here are the bits you need to do:

  1. install-windowsfeature ManagementOdata,Web-Lgcy-Scripting,Web-WMI,Web-Lgcy-Mgmt-Console,Web-Mgmt-Service
  2. Run bootstrapper, which is by default installed to C:\Program Files\Skype for Business Server 2019\Deployment

Done! Now just browse to https://<FQDN>/macp (if a Standard Edition), or to the internal web services URL with a “/macp” on the end.

User Pre-Req’s

Your admin user needs a few pre-req’s before they can sign in, and you might not be able to use your existing Admin account.

An MACP Admin needs to:

  • be SIP-enabled
  • have their UPN = their SIP address. [This earlier requirement MAY have been dropped at release. I’ll update the post once I can clarify this]
  • belong to the CsAdministrator group

If your account doesn’t meet all those criteria you’ll receive an error message when you try to sign in. See “Troubleshooting” below for some guidance there.

Browser support

  • Microsoft Edge (version >= 44.17763.1.0 is recommended)
  • Google Chrome (version >= 72.0.3626.121 is recommended)
  • Mozilla Firefox (version >= 65.0.2 is recommended)

I’ve used IE11 on Windows 10 and Server 2016 and other than a failure to signin (or throw an error) if your SIP address <> your UPN, it appears to be OK – it’s just untested/uncertified.


Depending on your setup, the MACP may throw the odd red herring at you.

“Exception : Invalid user credentials : User is not an administrator”

Chrome and Edge on my Windows 10 workstation both threw this error. My user WAS correctly an admin, however their SIP and UPN didn’t match.

Otherwise, your user might not belong to the csAdministrator group!

“Exception : Invalid user credentials : No valid Security Token”

Bad username or password.



IE11 did this when I had the same scenario as above – UPN <> SIP Adddress. Try a different user. (NB: IE isn’t a supported browser.)

“The AppliesTo element of web ticket request points to a different web server or site”

Ahhh, I see you’re a fellow fan of short cuts. You’ve browsed to “https://localhost/macp” because the machine’s FQDN is a pain to type, haven’t you? The problem is that when you sign in you’re being redirected to the FQDN, and that’s triggering this redirection error. You have to do it the long way, sorry.



I really like the new MACP and I can’t wait more of the old CSCP’s functionality to be added in future updates.

Revision History

12th July 2019. This is the initial publication.
24th March 2021. Added the “different web server” error image.


– G.


  1. https:///macp
    https:///macp or /cscp

    Did anybody try to figure out why accessing these by simple url works only from localhost (RDP to FE) and not from wherever on the network? Of course simple url’s DNS record resolves to Sfb FE. Credential popup pops up, but nothing happens afterward if using simple url from workstation or terminal server for example.

    I was analyzing URL Rewrite on IIS for Sfb Internal Web Site, but could not figure out where the catch is…

  2. I don’t suppose there is a way to switch from the Forms based Auth to just regular SSO/WindowsAuth?

    Also pretty annoying that the simply Skype admin url doesn’t work, and that it has to be the internal web service url. what’s up with dat.

  3. Hi!
    We did upgrade Skype for Business server 2019 with latest CU last month. We have some AD-accounts that has been member of CSAdministrator and SIP-enabled for a long time. They can login to https://poolfdqn/macp and see Users, Voice Routing, Voice Features, Response Groups, Conferencing and Fedreral and External Access in left menu. We also ave some Administrators with limited access. They has been member of CsUserAdministrators but not SIP-enabled. These users can login into /macp but they only see Voice Routing, Conferencing and Federation and External Access in left menu. We have put these users into CsAdministrator group and SIP-enabled them but they still does not see for exampel Users in the menu. We have also tried to create new AD-accounts with all these permissions and SIP-enabled them but no luck. My question is if there is some permission we miss or why we can not see for example Users in the menu?

  4. On the off chance someone sees this so late in the game :)

    All our CsAdministrator role-holders receive the following “Error : User has insufficient permissions” upon entering their creds. They are all able to log into the OLD Control panel. Not even sure which Event Log on our SfB on-prem servers to have a look at, haven’t been able to find logging related to the attempt.

    Any takers? :)

      • I’ve only seen this one in my Lab, and it coincided with the CMS being offline, which I certainly hope isn’t your issue.

        Trawl through your IINET logs at C:\inetpub\logs\LogFiles\W3SVC34577 for the username you’re trying to sign in as and see what comes up.

        In my case that revealed a 500 error, although in and of itself that’s not particularly forthcoming. This is a heavily edited line:

        2021-07-16 23:17:37 GET /OcsPsws/Service.svc/LoginUser('sip:adminer@sipdomain.net') ... https://sfb2019se.sipdomain.local/macp/login 500 0 0 128037

        ‘Get-CsManagementStoreReplicationStatus’ hung, revealing I had bigger problems, and that led me to my offline CMS.

    • Has MACP previously worked, or is this a new install/update? If the latter, I’d double-check the pre-req’s and re-run bootstrapper anyway.

      @("ManagementOdata","Web-Lgcy-Scripting", "Web-WMI","Web-Lgcy-Mgmt-Console","Web-Mgmt-Service") | foreach {Get-WindowsFeature $_}

      (Are you logging in on the server itself, or from say your desktop/workstation? Does it behave differently if you try the opposite?)

Leave a Reply

Your email address will not be published.

... and please just confirm for me that you're not a bot first: Time limit is exhausted. Please reload the CAPTCHA.

This site uses Akismet to reduce spam. Learn how your comment data is processed.