Platform Guide
Microsoft Teams SIP Trunk
9 min read · Updated April 2026
Microsoft Teams Phone System connects to the PSTN via SIP trunk — either through Operator Connect (carrier-managed) or Direct Routing (SBC-managed). The SIP requirements are strict and the failure modes are specific. Here is how to configure it correctly and troubleshoot when calls fail.
1. Operator Connect vs Direct Routing
Microsoft Teams Phone System offers two ways to connect to the PSTN via SIP:
Option A
Operator Connect
Microsoft-certified carrier provides both the SIP trunk and the SBC infrastructure. You connect through the Teams Admin Center — no SBC to manage. Simplest option. Fewer configuration choices but fully managed. Numbers ported to or obtained from the carrier. Limited to carriers on the Operator Connect program.
Option B
Direct Routing
You deploy and manage a certified SBC that connects Teams to your choice of SIP trunk provider. Full control over routing, codecs, and trunk providers. More complex — requires SBC expertise, TLS certificate management, and PowerShell configuration. Required when you have existing SIP trunk contracts or need custom routing.
For most new deployments without existing infrastructure, Operator Connect is simpler. For enterprises with existing SIP trunks, SBCs, or complex routing requirements, Direct Routing is the right choice.
2. SBC and SIP requirements for Teams Direct Routing
- Certified SBC — must be on the Microsoft certified SBC list. Uncertified SBCs are not supported.
- TLS 1.2 minimum on port 5061 — TLS 1.0/1.1 rejected. TLS 1.3 supported.
- Public CA certificate — self-signed not accepted. CN or SAN must match the FQDN in Teams admin.
- SRTP for media — plain RTP not accepted on the Teams leg.
- G.711, G.722, G.729, SILK, Opus — Teams supports all of these. G.711 is safest for compatibility.
- OPTIONS keepalives — SBC must respond to OPTIONS pings from Microsoft SIP proxies.
- Public FQDN and IP — SBC must be reachable from the internet on port 5061.
Microsoft SIP proxy addresses
; Primary SIP proxy
sip.pstnhub.microsoft.com (port 5061)
; Secondary proxies (configure for failover)
sip2.pstnhub.microsoft.com
sip3.pstnhub.microsoft.com
; Verify reachability from SBC
openssl s_client -connect sip.pstnhub.microsoft.com:5061
3. TLS and certificate setup for Teams
Certificate errors are the most common cause of Teams Direct Routing failures:
Requirement 01
Public CA only
Let's Encrypt, DigiCert, Comodo, and other public CAs work. Your internal enterprise CA will not. The certificate must be trusted by Microsoft's SIP proxy without custom CA installation.
Requirement 02
FQDN must match Teams Admin Center
The certificate CN or SAN must exactly match the FQDN you entered in Teams Admin Center under Direct Routing. If your cert is for sbc.example.com, your Teams SBC record must use sbc.example.com.
Requirement 03
Full chain required
Present the full certificate chain including intermediates. Use fullchain.pem from Let's Encrypt, not cert.pem. Missing intermediates cause TLS handshake failure even with a valid end-entity certificate.
; Let's Encrypt for Teams SBC
certbot certonly --standalone -d sbc.example.com
; Use fullchain.pem (includes intermediates)
; /etc/letsencrypt/live/sbc.example.com/fullchain.pem
; /etc/letsencrypt/live/sbc.example.com/privkey.pem
; Test Teams TLS connectivity
openssl s_client -connect sip.pstnhub.microsoft.com:5061 -tls1_2
openssl x509 -enddate -noout -in fullchain.pem
4. SIP trunk configuration for Teams
Teams Admin Center — PowerShell setup
; Connect to Teams PowerShell
Connect-MicrosoftTeams
; Add SBC
New-CsOnlinePSTNGateway -Identity sbc.example.com `
-SipSignalingPort 5061 `
-Enabled $true `
-MaxConcurrentSessions 100 `
-MediaBypass $false
; Create voice routing policy
New-CsOnlineVoiceRoutingPolicy -Identity "US-Routing" `
-OnlinePstnUsages "US-Usage"
; Assign to users
Grant-CsOnlineVoiceRoutingPolicy -Identity user@example.com `
-PolicyName "US-Routing"
; Check SBC status
Get-CsOnlinePSTNGateway | Select Identity, Enabled, SipSignalingPort
Voice routing — number normalization
Teams normalizes numbers to E.164 format (+12025551234). Your SBC must handle E.164 numbers from Teams on inbound calls. For outbound from Teams, ensure your dial plan translates numbers to E.164 before they reach the SBC.
5. Common Teams SIP trunk issues
Issue 01
SBC shows "Not Reachable" in Teams Admin
Teams cannot reach your SBC on port 5061. Check: firewall allows inbound TLS 5061 from Microsoft IP ranges (published at aka.ms/o365ips), SBC FQDN resolves to correct public IP, TLS certificate is valid and matches the FQDN, SBC responds to OPTIONS from Microsoft proxies.
Issue 02
Calls fail with 403 or 488
403 = authentication or authorization issue — check that the SBC FQDN in the INVITE matches what is configured in Teams Admin. 488 = codec mismatch — ensure G.711 (PCMU/PCMA) is offered in the SDP from your SBC to the downstream trunk.
Issue 03
No audio on calls (SRTP issue)
The Teams leg requires SRTP. If your SBC is presenting RTP/AVP to Teams instead of RTP/SAVP or UDP/TLS/RTP/SAVPF, media will fail. Check the m= line transport protocol in the SDP your SBC sends to Teams.
Issue 04
Media bypass not working
Media bypass requires the SBC to have a public IP reachable by Teams clients directly. Check the SBC advertises its correct public IP in the SDP. Enable media bypass only after basic call flow works without it.
6. Diagnosing Teams SIP issues
Teams Admin Center health dashboard
Teams Admin Center → Voice → Direct Routing → Health Dashboard. Shows SBC status, OPTIONS ping health, and recent call failures with SIP response codes and error descriptions.
PowerShell diagnostics
; Check SBC health and last contact time
Get-CsOnlinePSTNGateway | Select Identity, Enabled, `
SipSignalingPort, FailoverTimeSeconds
; Get recent call records for a user
Get-CsUserSession -UserPrincipalName user@example.com `
-StartTime (Get-Date).AddHours(-24)
; Test call routing
Test-CsOnlineUserVoiceRouting -TargetUri sip:+12025551234@pstnhub.microsoft.com
SBC-side capture
Capture SIP on the SBC for calls to/from Teams. Look for TLS handshake failures (no SIP messages after TCP connect), 4xx responses from Teams, codec negotiation in SDP, and SRTP crypto line presence. Upload the PCAP to SIPSymposium for automated analysis.
Frequently asked questions
What are the SIP requirements for Microsoft Teams Direct Routing?
Teams Direct Routing requires a certified SBC, TLS 1.2+ on port 5061, a public CA-signed certificate matching the SBC FQDN in Teams Admin Center, SRTP for media, and the SBC must respond to OPTIONS pings from Microsoft SIP proxies (sip.pstnhub.microsoft.com). Self-signed certificates and plain RTP are not accepted.
What is the difference between Teams Operator Connect and Direct Routing?
Operator Connect is a fully managed service where a Microsoft-certified carrier provides both the SIP trunk and SBC infrastructure — configured through Teams Admin Center with no SBC to manage. Direct Routing requires you to deploy and manage a certified SBC connecting Teams to your own SIP trunk provider, giving full control over routing but requiring more expertise.
How do I troubleshoot Teams Direct Routing call failures?
Check the Teams Admin Center Direct Routing Health Dashboard for SBC status and recent call errors. Use Get-CsOnlinePSTNGateway in PowerShell to check SBC health. Capture SIP on the SBC and look for TLS handshake failures, 403/488 responses, and SRTP mismatches. Verify the SBC FQDN certificate matches exactly and the full certificate chain is presented.
Having Microsoft Teams SIP trunk issues?
Paste your SBC SIP trace into SIPSymposium. The analyzer identifies TLS failures, codec mismatches, SRTP configuration issues, and media bypass problems in Teams Direct Routing deployments.