20347A
Enabling and Managing Office 365
MCT USE ONLY. STUDENT USE PROHIBITED
ii Enabling and Managing Office 365
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2016 Microsoft Corporation. All rights reserved.
Released: 05/2016
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.
b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.
d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.
f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.
g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy
Program.
i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.
j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.
k. “MPN Member” means an active Microsoft Partner Network program member in good standing.
l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.
m. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.
n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.
o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.
2.1 Below are five separate sets of use rights. Only one set of rights applies to you.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate its components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
2.4 Third Party Notices. The Licensed Content may include third party code that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code are included
for your information only.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are also provided in French. Those clauses follow here in English translation.
DISCLAIMER OF WARRANTY. The licensed content is provided "as is". Any use of this licensed content is
at your own risk. Microsoft gives no other express warranty. You may have additional rights under local
consumer protection law, which this agreement cannot change. Where permitted by local law, the implied
warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not change your rights under the laws of your country if those laws do
not permit it to do so.
Acknowledgments
Microsoft Learning would like to acknowledge and thank the following individuals for their contribution
towards developing this title. Their effort at various stages in the development has ensured that you have
a good classroom experience.
Contents
Module 1: Planning and provisioning Office 365
Module Overview 1-1
Lesson 4: Managing Office 365 users and groups with Windows PowerShell 2-20
Lesson 2: Planning and managing user-driven Office 365 ProPlus deployments 5-9
Lesson 1: Planning and configuring Skype for Business Online service settings 8-2
Lesson 2: Configuring Skype for Business Online users and client connectivity 8-12
Lesson 3: Planning voice integration with Skype for Business Online 8-15
Course Description
This course provides students with the knowledge and skills required to evaluate, plan, deploy, and operate
Microsoft Office 365 services, including its identities, dependencies, requirements, and supporting
technologies. Students also will learn how to set up an Office 365 tenant including federation with existing
user identities, and sustain an Office 365 tenant and its users.
Audience
This course is intended for IT professionals who are responsible for planning, configuring, and managing an
Office 365 environment. Students who attend this course are expected to have a fairly broad understanding
of several on-premises technologies such as Domain Name System (DNS) and Active Directory Domain
Services (AD DS). In addition, they should have a general understanding of Microsoft Exchange Server,
Microsoft Lync Server or Skype for Business Server, and Microsoft SharePoint Server.
This course also is intended as preparation material for IT professionals who are looking to take the exams
70-346: Managing Office 365 Identities and Requirements, and 70-347: Enabling Office 365 Services, to
obtain the MCSA: Office 365 certification.
Student Prerequisites
This course requires that you meet the following prerequisites:
• A minimum of two years of experience administering the Windows Server operating system, including
Windows Server 2012 or Windows Server 2012 R2
• Experience working with certificates, including public key infrastructure (PKI) certificates
• Experience working with Exchange Server 2013 or later, Lync Server 2013 or Skype for Business Server
2015, and SharePoint Server 2013 or later is beneficial, but not required
Course Objectives
After completing this course, students will be able to:
• Plan an Office 365 deployment, configure the Office 365 tenant, and plan a pilot deployment.
• Manage Office 365 users, groups, and licenses, and configure delegated administration.
• Plan and configure directory synchronization between Microsoft Azure Active Directory (Azure AD)
and on-premises AD DS.
• Plan and configure an Office 365 collaboration solution that includes Yammer Enterprise, Microsoft
OneDrive for Business, and Office 365 groups.
• Plan and configure the integration between Office 365 and Azure Rights Management, and configure
compliance features in Office 365.
• Monitor and review Office 365 services, and troubleshoot Office 365 issues.
• Plan and implement identity federation between on-premises AD DS and Azure AD.
Course Outline
The course outline is as follows:
Module 1, “Planning and provisioning Office 365" reviews the features of Office 365 and identifies recent
improvements to the service. It describes the process of provisioning an Office 365 tenant. This module also
identifies the challenges in deploying Office 365 and the benefits of the Microsoft FastTrack for Office 365
approach, as compared to the traditional plan, prepare, and migrate deployment process.
Module 2, “Managing Office 365 users and groups" explains how to manage users, groups, and licenses,
and configure administrative access by using the Office 365 console and the Windows PowerShell
command-line interface.
Module 3, “Configuring client connectivity to Microsoft Office 365” covers the different types of client
software that you can use to connect to Office 365. It also explains the infrastructure requirements that the
clients need to connect to Office 365, in addition to how to configure different types of Office 365 clients.
Module 4, “Planning and configuring directory synchronization" explains how to plan, prepare, and
implement directory synchronization as a methodology for user and group management in an Office 365
deployment. It explains how to prepare an on-premises environment, and install and configure directory
synchronization. It also explains how to manage Office 365 identities after you enable directory
synchronization.
Module 5, “Planning and deploying Office 365 ProPlus” explains how to plan for a client deployment and
ensure that users receive the tools that they need to interact with Office 365 effectively. It also explains the
planning process, how to make Office 365 ProPlus directly available to end users, and how to deploy it as a
managed package. Finally, it describes how to set up Office telemetry so that administrators can track how
users are interacting with Microsoft Office.
Module 6, “Planning and managing Exchange Online recipients and permissions” describes Exchange
Online, and explains how to create and manage recipient objects and how to manage and delegate
Exchange security.
Module 7, “Planning and configuring Exchange Online services” explains how to plan for and configure
email flow, and anti-malware and anti-spam settings in Office 365. It also explains how to plan and
configure policies for Exchange clients. Additionally, it describes how to plan and configure a migration to
Exchange Online.
Module 8, “Planning and deploying Skype for Business Online” explains how to plan and configure Skype
for Business Online service settings. It also explains how to configure Skype for Business Online user settings
and clients, and plan for voice integration with Skype for Business Online.
Module 9, “Planning for and configuring SharePoint Online” describes how to configure SharePoint Online
services. It explains how to plan and configure SharePoint site collections and external user sharing. It also
provides a brief overview of additional portals, such as the video portal.
Module 10, “Planning and configuring an Office 365 collaboration solution” describes how to enable and
configure Yammer Enterprise. It also explains how to configure OneDrive for Business and Office 365
groups.
Module 11, “Planning and configuring Rights Management and compliance” describes the compliance
features in Office 365 and how to manage them. It explains how to plan and configure Azure Rights
Management. Additionally, it explains the security features in Office 365.
Module 12, “Monitoring and troubleshooting Microsoft Office 365” explains how to troubleshoot issues
with Office 365 connectivity and services, and monitor Office 365 service health.
Module 13, “Planning and configuring identity federation” explains how identity federation works, and
how you can use Active Directory Federation Services (AD FS) to implement identity federation. It explains
how to plan an AD FS deployment to support identity federation with Office 365. It also describes how to
deploy AD FS to enable single sign-on (SSO) for Office 365. Finally, it describes hybrid solutions for
Exchange Server, Skype for Business Server, and SharePoint Server.
Course Materials
The following materials are included with your kit:
• Course Handbook: a succinct classroom learning guide that provides the critical technical information
in a crisp, tightly focused format, which is essential for an effective in-class learning experience.
o Lessons: guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
o Labs: provide a real-world, hands-on platform for you to apply the knowledge and skills learned in
the module.
o Module Reviews and Takeaways: provide on-the-job reference material to boost knowledge
and skills retention.
• Modules: include companion content, such as questions and answers, detailed demo steps, and
additional reading links, for each lesson. Additionally, they include Lab Review questions and answers,
and Module Reviews and Takeaways sections, which contain the review questions and answers, best
practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios
with answers.
• Resources: include well-categorized additional resources that give you immediate access to the most
current premium content on TechNet, MSDN, or Microsoft Press.
• Course evaluation: at the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.
Software Configuration
The following software is installed on each virtual machine:
• Windows 10
• Office 2016
Course Files
Microsoft frequently updates the features in Office 365 and the user interface that is used to manage those
features. Therefore, in some situations you might notice that the Office 365 user interface that you are
using does not match with the lab instructions. This could be because the changes in Office 365 might have
occurred either during your training session or before the courseware can be updated to address the
changes. In such situations, you have to adapt to the changes and work through them in the labs as
necessary.
One of the changes that occurred close to the end of courseware development is the change in the
Office 365 admin center. Microsoft changed the Office 365 admin center to a new portal. As much as
possible, this course uses the new Office 365 admin center for all the labs. However, at the time of writing
this course, some functionality was not available in the new portal, and therefore some lab steps instruct
you to access the previous admin center.
When this course refers to the Office 365 admin center, it means the new admin center. When there is a
need to make a distinction between the two admin centers, the course uses the terms new Office 365
admin center and previous Office 365 admin center.
Classroom Setup
Learning Centers simply need to provide students with Internet access. Students can then access the
hosted-lab platform by accessing the URL provided by the hosting partner.
Note: The lab steps included in the Student Manual are for post-class reference. During the classroom
session, students will use the lab steps located in the online lab user interface. The hosting partner
dynamically updates these lab steps as changes occur in the Office 365 user interface. Therefore, the hosted
lab steps will be as up-to-date as possible for each training session.
Module 1
Planning and provisioning Office 365
Contents:
Module Overview 1-1
Module Overview
The Microsoft range of software and services includes Microsoft Exchange, Microsoft SharePoint, Microsoft
Skype for Business, and Microsoft Office. Users who are located anywhere in the world can access these
services over the Internet. Office 365 is now a major part of this suite of services, and it can be delivered on
multiple platforms to provide enterprise-grade email, conferencing, and other IT services.
To implement Office 365 effectively, organizations must ensure that they can manage identities effectively.
User accounts exist both in the cloud and potentially on-premises. Therefore, administrators and
consultants must be able to plan for and manage a wide range of factors that affect how Office 365 works.
These individuals must also be able to identify the best way to manage user accounts and services.
This module reviews the features of Office 365 and identifies recent improvements to the service. It
describes the process of provisioning an Office 365 tenant. This module also identifies the challenges in
deploying Office 365 and the benefits of the Microsoft FastTrack for Office 365 approach as compared to
the traditional plan/prepare/migrate deployment process.
Note: This course does not cover the entire Microsoft FastTrack for Office 365 process; that
content is covered in course 10968B: Designing for Office 365 Infrastructure.
Objectives
After completing this module, you will be able to:
• Describe the features and benefits of Office 365.
Lesson 1
Overview of Office 365
Office 365 is Microsoft’s cloud-based productivity suite that delivers software as a service (SaaS) to users
around the world. Office 365 products focus in four main areas:
• Devices. Office 365 supports a wide variety of devices in which the user interface supports different
methods of interaction, including touch, pen, mouse, and keyboard.
• Cloud. Office 365 is designed for the cloud as an on-demand service that is always up to date. Office
365 is an enterprise-grade cloud productivity solution with robust security, guaranteed reliability, and
compliance with industry standards such as ISO-27001, EU Model clauses, the Health Insurance
Portability and Accountability Act (HIPAA), and Federal Information Security Management Act (FISMA).
• Social media. Office 365 integrates social networking into the organization by providing newsfeeds
and microblogging services that can be extended with Yammer.
• Control. With features such as Data Loss Prevention (DLP), eDiscovery, archiving and data-hold
capabilities, Office 365 provides a secure and safe way for organizations to control their business data.
This lesson describes the components of Office 365, and explains the features available in the various
subscription plans. It also explains how to determine the most suitable subscription plan for your
organization.
Lesson Objectives
After completing this lesson, you will be able to:
Additional Reading: For more information, refer to Office 365 Service Descriptions:
http://aka.ms/iv18pg.
Azure AD
Microsoft Azure Active Directory (Azure AD) underpins all the Office 365 services. Azure AD is an online
instance of Active Directory that also provides authentication and authorization services for other Microsoft
cloud offerings, including Microsoft Azure and Windows Intune. Authentication through Azure AD can be
on a cloud-only basis, through directory synchronization (with optional password synchronization), or
include full integration with on-premises directory services through support for Microsoft Active Directory
Federation Services (AD FS) or other SSO providers.
Exchange Online
Microsoft Exchange Online in Office 365 is the latest release of this messaging and collaboration platform,
which provides one location for composing, reading, and storing email, calendar, contact, and task
information in Microsoft Outlook, Outlook Web Access, or Outlook Mobile. Exchange Online includes a
50 gigabyte (GB) mailbox (up from 25 GB) combined with unlimited storage within the archive mailbox in
the Office 365 E3 or E5 plans, or Exchange Online Plan 2. Exchange Online supports access from most
mobile devices, including BlackBerry, iPhone, Nokia, and Windows Phone.
Note: The unlimited storage available within the archive mailbox can store up to 100 GB of
Outlook data without restriction. Additional storage increments are available by contacting
Microsoft Office 365 Support.
SharePoint Online
By using Microsoft SharePoint Online, you can share important documents, insights, and status updates
with colleagues. You can keep teams in sync and manage important projects, find vital documents, and
locate people easily. Using SharePoint Online can also help you to stay up to date on company information
and news, regardless of whether you are in or out of the office. Storage space is initially set at 10 GB per
tenant and 500 MB per user, but storage upgrades are available. In addition, each user receives another
25 GB in OneDrive for Business (up from 7 GB) for additional document storage or transfer.
Office 365 ProPlus supports streaming deployment, which enables users to click the application installation
icon and start using the application itself while the program installs in the background. This deployment
method also enables users to run Office 365 ProPlus alongside earlier versions of Microsoft Office.
Yammer
The Microsoft enterprise social networking tool is becoming more integrated with Office 365, and
SharePoint Online users now have the option to replace their activity stream in SharePoint Online with
Yammer. To make this change, users click a Yammer link and sign in to this service through a separate
browser window. Future integration will include SSO between the Yammer service and Office 365, and will
use the Yammer Newsfeed instead of the SharePoint Online one.
Project Online
Project Online is the cloud version of Microsoft Project Server, and it enables organizations to get started,
prioritize project portfolio investments, and deliver projects with the intended business value. One key
value proposition with Project Online is that it enables global organizations to plan portfolios of projects in
multiple time zones.
The following table provides a detailed list of Office 365 Business subscription features:
Office 365 ProPlus includes online versions of Office, including Word, Excel, and PowerPoint, and cloud file
storage and sharing capabilities with 1 TB storage per user. Office 365 ProPlus also includes the option to
fully install Office applications, and it provides enterprise management of apps and self-service business
intelligence capabilities.
The following table provides a detailed list of Office 365 Enterprise subscription features:
Professional digital storytelling tools to create interactive reports, presentations, and more.
Enterprise management of apps with Group Policy, Telemetry, and Shared Computer Activation.
Self-service business intelligence to discover, analyze, and visualize data in Excel.
Office 365 Nonprofit has four subscription options: Office 365 Nonprofit Business Essentials, Office 365
Nonprofit Business Premium, Office 365 Nonprofit E1, and Office 365 Nonprofit E3. Nonprofit organizations
can apply for the Office 365 Nonprofit Business Essentials and Office 365 Nonprofit E1 subscriptions as a
donation, whereas the Office 365 Nonprofit Business Premium and Office 365 Nonprofit E3 subscriptions
have an additional charge.
Additional Reading: For more information, refer to Office 365 Nonprofit plans and pricing:
http://aka.ms/wnd4wq.
Office 365 Government subscriptions plans include Office 365 Enterprise E1 (Government pricing) and
Office 365 Enterprise E3 (Government pricing). Both plans include online versions of Office, including Word,
Excel and PowerPoint, cloud file storage, and sharing capabilities with 1 TB storage per user. They also
include email with a 50-GB mailbox per user, unlimited instant messaging, HD video conferencing, intranet
sites, a corporate social network, and Office Graph.
Additional Reading: For more information, refer to Office 365 plans at Government pricing:
http://aka.ms/knev43.
What business needs will drive your organization to move to Office 365? Some answers might include
better availability, industry standard security, lower cost for hardware and software maintenance, and
support for multiple devices and platforms.
What is the organization’s current IT infrastructure? For example, if organizations have many
on-premises custom applications, the planning process of moving custom applications to the cloud
might be time-consuming. Furthermore, while transitioning infrastructure and applications to the
cloud, organizations might choose to deploy a hybrid solution, in which they move Exchange
mailboxes to Office 365, and continue to host custom applications on-premises.
What is the organization’s change-management process? Every organization has a different change-
management process that defines the deployment process for new solutions. For example,
organizations might use Microsoft Operations Framework (MOF) 4.0, which incorporates the best
practices of the service management industry. MOF is a particularly appropriate framework to apply
when implementing and operating Office 365, as it can also integrate well with the phases of the
FastTrack deployment plan and can help solve service-delivery issues.
How many users will use Office 365, and what are the organization’s plans for growth? Some of the
Office 365 subscriptions are limited in the number of users and the types of functionalities permitted.
Therefore, organizations have to match the requirements for Office 365 functionalities with the
number of users. An organization can mix different Office 365 plans according to its business needs.
For example, one organization can purchase 200 Business Essentials seats, 200 Business Premium seats,
and 200 Enterprise E3 seats on a single tenant.
Note: At the time of this writing, Microsoft is transitioning from the previous Office 365
admin center to a new admin center. Most of the functionality available in the previous admin
center has been transitioned to the new admin center, but not all of it. As much as possible, this
course is based on the new admin center.
When this course refers to the Office 365 admin center, it is referring to the new admin center.
When we need to make a distinction between the two admin centers, the course uses the terms
new and previous admin centers.
Exchange admin center. The Exchange admin center (EAC) is the web-based management console that
you can use to manage Exchange settings in Office 365. These settings include recipients, protection,
mail flow, public folders, and other settings that are not available in the default Office 365 admin
center.
Skype for Business admin center. The Skype for Business admin center is the web-based management
console that you can use to manage Skype for Business settings in Office 365. These settings include
instant messaging, audio and video calls, persistent chat, and online meetings.
SharePoint admin center. The SharePoint admin center is the web-based management console that
you can use to manage SharePoint settings in Office 365. These settings include site collections, user
profiles, business connectivity services, and search.
Compliance Center. The Office 365 Compliance Center is the web-based management console that
you can use to manage compliance features across Office 365 for the organization. These features
include archiving, data loss prevention (DLP), eDiscovery, reports, retention, and search.
By using the Azure Active Directory Module for Windows PowerShell, you can connect to Office 365 to
perform administrative tasks that are not practical, or even possible, in the Office 365 admin center web
portal. For example, you can use the module to automate repetitive tasks such as creating large numbers
of user accounts, adding users to groups, and updating multiple user properties.
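The kind of repetitive task just described, carried out end to end, as an added example that is not part of the course: the script below reads a CSV file of new users, creates each account with the MSOnline cmdlets from the Azure Active Directory Module for Windows PowerShell, gives every account a unique one-time password that must be changed at first sign-in, assigns a licence, and adds the user to a group. The CSV path and columns, the group name "Pilot Users", the usage location "GB" and the E3 SKU suffix "ENTERPRISEPACK" are assumptions made for the example, not values from the course; the sample CSV rows are constructed.

```powershell
# Added example (not from the course): bulk-provision Office 365 users from a CSV file
# with the Azure Active Directory Module for Windows PowerShell (MSOnline cmdlets).
# Assumptions: the module is installed; the CSV path, its column names, the group name
# "Pilot Users", the usage location "GB" and the E3 SKU suffix "ENTERPRISEPACK" are
# example values, not values from the course.
Import-Module MSOnline
Connect-MsolService    # prompts for Global Administrator credentials

# Constructed sample input; in practice point $CsvPath at the HR export.
$CsvPath = 'C:\Provisioning\pilot-users.csv'
@"
FirstName,LastName,UserPrincipalName,Department
Amy,Rusko,amy.rusko@adatum.com,Sales
Ben,Smith,ben.smith@adatum.com,IT
"@ | Set-Content -Path $CsvPath -Encoding UTF8

function New-InitialPassword {
    # 16 characters from a 64-symbol alphabet (256 % 64 == 0, so no modulo bias),
    # regenerated until all four character classes are present. Each user gets a
    # unique one-time value and must change it at first sign-in.
    $Alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $Bytes = New-Object byte[] 16
        $Rng.GetBytes($Bytes)
        $Candidate = -join ($Bytes | ForEach-Object { $Alphabet[$_ % $Alphabet.Length] })
    } until ($Candidate -cmatch '[A-Z]' -and $Candidate -cmatch '[a-z]' -and
             $Candidate -match '[0-9]' -and $Candidate -match '[^A-Za-z0-9]')
    $Candidate
}

# Resolve the licence SKU and the target group once, not per user.
$Sku   = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:ENTERPRISEPACK' } | Select-Object -First 1
$Group = Get-MsolGroup -SearchString 'Pilot Users' | Select-Object -First 1
if (-not $Sku -or -not $Group) { throw 'E3 SKU or "Pilot Users" group not found in this tenant.' }
$Members = (Get-MsolGroupMember -GroupObjectId $Group.ObjectId -All).ObjectId

$Log = foreach ($Row in Import-Csv -Path $CsvPath) {
    $User = Get-MsolUser -UserPrincipalName $Row.UserPrincipalName -ErrorAction SilentlyContinue
    if ($User) {
        # Re-runs are idempotent: update the mutable properties instead of failing.
        Set-MsolUser -UserPrincipalName $Row.UserPrincipalName -Department $Row.Department
        $Action = 'Updated'
    } else {
        # UsageLocation is mandatory before a licence can be assigned.
        $User = New-MsolUser -UserPrincipalName $Row.UserPrincipalName `
                    -DisplayName "$($Row.FirstName) $($Row.LastName)" `
                    -FirstName $Row.FirstName -LastName $Row.LastName `
                    -Department $Row.Department -UsageLocation 'GB' `
                    -Password (New-InitialPassword) -ForceChangePassword $true `
                    -LicenseAssignment $Sku.AccountSkuId
        $Action = 'Created'
    }
    if ($Members -notcontains $User.ObjectId) {
        Add-MsolGroupMember -GroupObjectId $Group.ObjectId -GroupMemberType User -GroupMemberObjectId $User.ObjectId
    }
    # Record what was done, deliberately without the initial password: hand that to
    # the user out of band rather than through a shared log file.
    [pscustomobject]@{ UserPrincipalName = $Row.UserPrincipalName; Action = $Action; ObjectId = $User.ObjectId }
}

$Log | Export-Csv -Path 'C:\Provisioning\pilot-users-result.csv' -NoTypeInformation
$Log | Format-Table -AutoSize
```

The script looks the user up before creating it, so it can be re-run after a partial failure without duplicating accounts or group memberships, and the result log it writes contains object IDs but never the initial passwords.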
Question: How will Office 365 meet your organization’s business requirements?
Question: Which Office 365 subscription would be most suitable for your organization?
Lesson 2
Provisioning an Office 365 tenant
An important part of the Office 365 provisioning process is the creation of the tenant account. This activity
was not as crucial in the traditional Office 365 deployment methodology because the pilot account
typically was not transitioned into deployment. Microsoft FastTrack for Office 365 is a service that includes
best practices, tools, and resources that help organizations move to Office 365. With the FastTrack process,
where the pilot account typically persists into the production environment, it is vital that you enter the right
information, because certain values that you specify cannot be changed later.
This lesson explains the various tenant options available for Office 365, and the process of creating a new
tenant account. It also describes how to plan the process of adding custom domains to Office 365, and how
to plan DNS zones and configure DNS records for custom domains.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the process of planning the addition of custom domains in Office 365.
Explain how to plan DNS zones for custom domains in Office 365.
Explain how to configure DNS records for custom domains in Office 365.
5. Complete the sign-in process by validating the text message or phone call.
Trial accounts are available for the following Office 365 plans:
Education
Government
As mentioned previously, errors in the sign-up process commonly result from organizations selecting the
wrong Office 365 subscription for the size of their business. It is currently not possible to change to
different product families, such as from the Business plan to the Enterprise plan.
Note: The process for provisioning Office 365 Education, Government, and Nonprofit plans is
different, and this course does not cover it. This course assumes that you are selecting the
Enterprise E3 subscription.
During the trial sign-up, you have to supply a valid email address that already exists. Although the sign-up
process creates an email address in the form username@organizationname.onmicrosoft.com, you cannot
use that as the email address for the sign-up process.
If you work for or through a Microsoft partner, and you need more than 25 pilot users for an Enterprise E3
trial, you can apply for an extended trial account. When you request an extended trial tenant to support the
FastTrack Pilot, you must submit a form to fasttrackpilot@microsoft.com. This form must provide
customer information, partner information, and information about the pilot engagement. After two
business days, you should receive a unique provisioning code. This is a single-use code that you can only
use to provision the pilot tenant for the organization.
Note: The Tenant administrator’s name must be a real name, not “System Administrator.” It is
also important that the email address used does not become inaccessible if the person who
registered the account leaves the company.
When you enter this information, Office 365 will generate a default domain name based on the company
name you supply. The default domain name will end with .onmicrosoft.com. Again, this value cannot be
changed after creation, so it is vital that you check that this name is acceptable. If the name already exists,
then a number will be added to make the name unique, such as Adatum426.onmicrosoft.com.
You are then asked to enter a password and indicate a mechanism for validating the sign-up. Passwords
should be at least 10 characters long and contain a random mixture of uppercase and lowercase letters,
numbers, and special characters.
To validate the sign-up, you can select from either having a text message sent to you or receiving a phone
call. You should specify the country and number for your phone. If you use the text option, ensure that the
phone number is capable of receiving texts.
Once you click the Create My Account link, the confirmatory six-digit number will either be sent to your
phone or you will be called, depending on your prior selection. Enter that number into the confirmation
dialog box to complete the setup of your tenant account.
Factor: Considerations
Multiple domains: Plan to add the main domain that your company currently uses along with any other
domain that it uses for email messages within the organization. This scenario is common when the overall
company is a business group, or the organization has been through a merger process and some employees
still have alternative domain addresses.
Subdomains: You might want to register subdomains such as content.Adatum.com within the account for
Adatum. Note that Office 365 Midsize Business and Enterprise plans allow you to add subdomains under
your root domain, whereas the Office 365 Small Business plans do not.
Domain numbers: You can register up to 600 domains with Office 365.
Domain adding order: You must add root domains before subdomains, so you need to register Adatum.com
before you add content.Adatum.com.
DNS record hosting: DNS records might be hosted by your organization’s DNS servers or by an external
hosting provider.
Access to the DNS console: Check with your DNS hosting organization regarding what access you get to the
DNS console. To configure Office 365 services, you need to be able to add the A, CNAME, TXT, MX and SRV
records. If your DNS hosting provider does not give that level of access, you might have to send a request
to the DNS hosting provider to change the DNS records needed for your Office 365 deployment.
Not registering DNS: It is rare that you would not want to register a DNS domain with Office 365, but it is a
possible option—for example, if you want to have a completely separate email and directory service for
your Office 365 users. One possible scenario is a university that might want to host its faculty members in
the on-premises environment and have the students in Office 365 with a different domain name.
Not changing all records: You may not want to change all the DNS records to point to Office 365. An
upcoming topic in this lesson identifies how to handle the verification process when you do not change all
DNS records.
DNS record propagation timings: DNS records can take up to 72 hours to propagate. Reducing the Time to
Live (TTL) value can speed up this process, but you still need to plan for the replication time.
2. Check that you have access to the DNS console for the domain. Different DNS hosting organizations
provide varying levels of access to DNS records for a hosted domain.
3. Check that you can make changes to the DNS records for the domain.
4. Sign in to the Office 365 admin center, and go to the Domains tab on the Settings menu.
b. Add text (TXT) or mail exchanger (MX) records to the DNS record for the domain, according to the
instructions in the Office 365 setup wizard.
c. Confirm ownership by getting Office 365 to verify that you could make that change to the DNS
records.
6. Change the default domain to the new domain, so that any new accounts use this domain value rather
than the one originally assigned when you set up Office 365.
7. Add users and assign licenses (this is part of the Office 365 setup rather than a DNS-specific operation).
You can cancel out of the domain setup process but still verify that you own the domain. In the Office 365
admin console, you will see the message “setup in progress.”
Note: After you have verified a domain, you can delete the verification TXT record. You
should also be aware that you can only validate each domain (with any attendant subdomains) to
a single Office 365 tenant account.
Organizations use internal DNS zones configured on internal DNS servers, so that internal clients can
resolve computer names and services. Organizations also use external, public DNS zones configured on
Internet-accessible DNS servers so that clients located on the Internet are able to resolve computer names
and services.
When planning DNS zones for custom domains, organizations might choose between the following two
scenarios:
Internal DNS zones and external DNS zones have different names. In this scenario a company might set
up its own internal DNS for its internal domain—Adatum.local, for example—and then use a DNS
forwarder on the internal DNS servers to redirect name resolution requests for external domains to an
external name server. For example, a request for mail.Adatum.local would be redirected to an internal
IP address, such as 192.168.20.10, whereas a request for mail.Adatum.com might go to 131.107.43.19,
the company’s external IP address for that host name. Internal clients that connect to Office 365
services from the internal network will submit resolution requests to the local DNS servers. Then, a local
DNS server will forward the client’s request to the external DNS server, which will resolve the request,
and return the answer to the company’s internal DNS server. Finally, the local DNS server will forward
the resolved request to internal clients.
Internal DNS zones and external DNS zones have the same name (split-brain DNS). Split-brain DNS is a
configuration in which the internal and external DNS environments provide different IP addresses to
requests for the same host name, depending on where the request is generated. If a request for
mail.Adatum.com comes from inside the Adatum.com network, the address returned might be
192.168.20.10 on the internal network, whereas if a user directly connected to the Internet made the
same request to mail.Adatum.com, the IP address returned might be 131.107.43.19. This configuration
is achieved by creating a zone on the internal DNS server for Adatum.com. When a client on the
internal network makes a request for mail.Adatum.com, the internal DNS server responds with the IP
address for that host, using the A (address) or CNAME (canonical name) records that the server
maintains for that zone. There is no requirement to forward on the name resolution request to the
external DNS servers. However, external clients who try to contact mail.Adatum.com receive a
response from the external DNS server that is authoritative for that zone. Internal clients that connect
to Office 365 services from the internal network will submit resolution requests to the local DNS
servers. For a local DNS server to be able to resolve the request to Office 365 services, the local DNS
zones and external DNS zones should both be configured with the same records requested by the
Office 365 setup wizard. Once both the internal and external DNS zones are configured with the same
records, clients will be able to connect to Office 365 services, irrespective of whether they connect from
inside the company or using the Internet.
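The two scenarios above, configured on the internal side and then checked, as an added example that is not part of the course: the script uses the DnsServer module on a Windows Server DNS role to create the split-brain zone for Adatum.com, add the private address for mail, duplicate the Office 365 records that the public zone carries, and then query the same name through the internal server and an external resolver so the two answers can be compared. The zone, host and addresses (Adatum.com, mail, 192.168.20.10, 131.107.43.19) are the lesson's examples; the external resolver address 131.107.0.1, the MX, Autodiscover and SPF targets, and the function name are assumptions made for the example (the record targets follow the Office 365 external DNS records documentation that this lesson links to).

```powershell
# Added example (not from the course): configure the internal side of the two DNS
# scenarios on a Windows Server DNS role with the DnsServer module, then compare what
# an internal and an external client are told. Assumptions: Adatum.com, mail,
# 192.168.20.10 and 131.107.43.19 come from the lesson; the external resolver
# 131.107.0.1 and the Office 365 record targets are placeholders from the external DNS
# records documentation. Run as an administrator on the internal DNS server.
Import-Module DnsServer

$Zone = 'Adatum.com'

# Scenario 1 (different names): keep Adatum.local internal and forward everything
# else, including Adatum.com, to an external resolver. Uncomment to use instead.
# Add-DnsServerForwarder -IPAddress '131.107.0.1'

# Scenario 2 (split-brain): an internal primary zone with the same name as the public one.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate None
}

# Internal clients get the private address for mail; external clients never see this zone.
# A short TTL keeps the cut-over cost low if the record has to change.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'mail' -IPv4Address '192.168.20.10' `
    -TimeToLive (New-TimeSpan -Minutes 5)

# Because this server is now authoritative for Adatum.com, every record the Office 365
# setup wizard asked for in the public zone must be duplicated here, or internal clients
# cannot find the services.
Add-DnsServerResourceRecordMX -ZoneName $Zone -Name '.' -Preference 0 `
    -MailExchange 'adatum-com.mail.protection.outlook.com' -TimeToLive (New-TimeSpan -Hours 1)
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'autodiscover' `
    -HostNameAlias 'autodiscover.outlook.com' -TimeToLive (New-TimeSpan -Hours 1)
Add-DnsServerResourceRecord -ZoneName $Zone -Name '.' -Txt `
    -DescriptiveText 'v=spf1 include:spf.protection.outlook.com -all'

function Compare-SplitBrainAnswer {
    # Query the same name through the internal server and a public resolver so the
    # two answers can be checked side by side.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $InternalServer = '127.0.0.1',
        [string] $ExternalServer = '131.107.0.1'
    )
    $Internal = Resolve-DnsName -Name $Name -Type A -Server $InternalServer -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'A' | ForEach-Object IPAddress
    $External = Resolve-DnsName -Name $Name -Type A -Server $ExternalServer -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'A' | ForEach-Object IPAddress
    [pscustomobject]@{
        Name     = $Name
        Internal = ($Internal -join ', ')   # expected 192.168.20.10
        External = ($External -join ', ')   # expected 131.107.43.19
    }
}

Compare-SplitBrainAnswer -Name "mail.$Zone" | Format-Table -AutoSize
```

If the External column comes back empty or shows the private address, the public zone is the one that needs attention, not the internal one; if the Internal column shows the public address, the internal zone was not created or the client is using a different resolver.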
MX. This record is a requirement for SMTP communication between Exchange Online in Office 365 and
mail servers on the Internet.
CNAME. Outlook clients use this record to locate the Autodiscover service in Office 365.
TXT. This record is a requirement for Sender Policy Framework (SPF) anti-spam protection.
The following table lists the requirements for the MX and CNAME records for Exchange Online:
MX record: priority 0, host name @, points to Adatum-com.mail.protection.outlook.com, TTL 1 hour.
The following table lists the requirements for the TXT records for Exchange Online:
SRV. This record is used for SIP federation where an Office 365 domain shares instant messaging (IM)
features with external clients.
SRV. Skype for Business uses this record for coordinating the flow of communication between Skype for
Business clients.
CNAME. Skype for Business clients use this record to find the Skype for Business Online service in Office
365 and sign in.
CNAME. Skype for Business mobile clients use this record to find the Skype for Business Online service
in Office 365 and sign in.
The following table lists the requirements for the SRV records for Skype for Business Online:
The following table lists the requirements for the CNAME records for Skype for Business Online:
The DNS records for Mobile Device Management for Office 365 are:
CNAME manage.microsoft.com. When Office 365 users sign in on their mobile devices with an email
address, this setting is used to redirect them to enroll in MDM for Office 365.
CNAME enterpriseregistration.windows.net. This setting is used for workplace join for mobile devices.
The following table lists the requirements for the CNAME records for Mobile Device Management for
Office 365:
The DNS record for Microsoft Online Services Sign-In Assistant is:
CNAME. This record is used during the authentication process by client applications, such as Outlook,
Skype for Business Online, Windows PowerShell, or the Microsoft Azure Active Directory Sync tool. By using
this record, Office 365 connects clients to the appropriate authentication endpoint, depending on the
client location.
The following table lists the requirements for the CNAME record for Microsoft Online Services Sign-In
Assistant:
Additional Reading: For more information, refer to External Domain Name System records
for Office 365: http://aka.ms/d67qkh.
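Both the domain-verification step (confirming that the TXT record the setup wizard asked for is visible) and the external record list for Exchange Online, Skype for Business Online, Mobile Device Management and the Sign-In Assistant can be checked from a workstation with Resolve-DnsName. The following added example, which is not part of the course, builds the expected external record set for a custom domain and reports which records resolve as expected. The target host names the lesson does not spell out (sipdir.online.lync.com, sipfed.online.lync.com, webdir.online.lync.com, enterpriseenrollment.manage.microsoft.com, clientconfig.microsoftonline-p.net) are taken from the Office 365 external DNS records documentation linked above; the verification value MS=msXXXXXXXX is a placeholder for the value shown by the wizard; the function names and the public resolver address are assumptions for the example.

```powershell
# Added example (not from the course): build the external DNS record set that Office 365
# expects for a custom domain and check each record with Resolve-DnsName.
# Assumptions: $Domain and $VerificationValue are placeholders; targets not named in the
# lesson come from the Office 365 external DNS records documentation.

function Get-O365ExpectedRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $VerificationValue = 'MS=msXXXXXXXX'   # placeholder: copy the real value from the wizard
    )
    # The Exchange Online MX host is the domain with dots replaced by dashes.
    $MxHost = ($Domain -replace '\.', '-') + '.mail.protection.outlook.com'
    @(
        # Domain ownership proof; may be deleted after verification, so a miss here is
        # only a problem before the wizard has confirmed the domain.
        [pscustomobject]@{ Type = 'TXT';   Name = $Domain;                           Expected = $VerificationValue }
        # Exchange Online
        [pscustomobject]@{ Type = 'MX';    Name = $Domain;                           Expected = $MxHost }
        [pscustomobject]@{ Type = 'CNAME'; Name = "autodiscover.$Domain";            Expected = 'autodiscover.outlook.com' }
        [pscustomobject]@{ Type = 'TXT';   Name = $Domain;                           Expected = 'v=spf1 include:spf.protection.outlook.com -all' }
        # Skype for Business Online
        [pscustomobject]@{ Type = 'SRV';   Name = "_sip._tls.$Domain";               Expected = 'sipdir.online.lync.com' }
        [pscustomobject]@{ Type = 'SRV';   Name = "_sipfederationtls._tcp.$Domain";  Expected = 'sipfed.online.lync.com' }
        [pscustomobject]@{ Type = 'CNAME'; Name = "sip.$Domain";                     Expected = 'sipdir.online.lync.com' }
        [pscustomobject]@{ Type = 'CNAME'; Name = "lyncdiscover.$Domain";            Expected = 'webdir.online.lync.com' }
        # Mobile Device Management for Office 365
        [pscustomobject]@{ Type = 'CNAME'; Name = "enterpriseenrollment.$Domain";    Expected = 'enterpriseenrollment.manage.microsoft.com' }
        [pscustomobject]@{ Type = 'CNAME'; Name = "enterpriseregistration.$Domain";  Expected = 'enterpriseregistration.windows.net' }
        # Microsoft Online Services Sign-In Assistant
        [pscustomobject]@{ Type = 'CNAME'; Name = "msoid.$Domain";                   Expected = 'clientconfig.microsoftonline-p.net' }
    )
}

function Test-O365DnsRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        # A public resolver shows what Internet clients see, not an internal split-brain zone.
        [string] $Server = '8.8.8.8'
    )
    foreach ($Rec in Get-O365ExpectedRecords -Domain $Domain) {
        $Answers = Resolve-DnsName -Name $Rec.Name -Type $Rec.Type -Server $Server -DnsOnly -ErrorAction SilentlyContinue
        # Each record type carries its target in a different property.
        $Found = switch ($Rec.Type) {
            'MX'    { $Answers | Where-Object Type -eq 'MX'    | ForEach-Object NameExchange }
            'CNAME' { $Answers | Where-Object Type -eq 'CNAME' | ForEach-Object NameHost }
            'SRV'   { $Answers | Where-Object Type -eq 'SRV'   | ForEach-Object NameTarget }
            'TXT'   { $Answers | Where-Object Type -eq 'TXT'   | ForEach-Object { $_.Strings -join '' } }
        }
        [pscustomobject]@{
            Type     = $Rec.Type
            Name     = $Rec.Name
            Expected = $Rec.Expected
            Found    = ($Found -join '; ')
            Status   = if ($Found -and ($Found -contains $Rec.Expected)) { 'OK' } else { 'MISSING' }
        }
    }
}

Test-O365DnsRecords -Domain 'adatum.com' | Format-Table -AutoSize
```

Run it once before asking the wizard to verify the domain, to confirm the TXT record has propagated, and again after the remaining records are added; because the query goes to a public resolver, an internal split-brain zone cannot mask a missing public record, and a record that is still MISSING after the TTL has elapsed points at the DNS hosting provider rather than at Office 365.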
First release. The First release option enables organizations to get the latest updates first, and provide
early feedback to Microsoft. Administrators can choose to deploy updates only to selected individuals
in an organization, or to deploy updates to the entire organization.
To configure the first release settings for your organization, in the Office 365 admin center, select
Organization profile from the Settings menu. You can edit the release preferences for all users, or
configure specific users to receive the first release updates.
Question: What are the steps involved in the process of creating a tenant account for
Office 365?
Question: What factors should you consider when planning a custom domain?
Lesson 3
Planning a pilot deployment
In this lesson, you will review the overall factors that can affect an Office 365 deployment. However, it is
important to realize that these are not necessarily complete deployment blockers, merely factors of which
you need to be aware. This is the strength of the FastTrack process—organizations can take it as far as they
want, and can reach a deployment position where they realize value from the Office 365 platform without
affecting their existing infrastructure, or compromising on the benefits of the cloud-based service.
Lesson Objectives
After completing this lesson, you will be able to:
List the activities within the pilot phase of the FastTrack approach, and their outcomes.
Gather customer requirements.
Describe the activities that happen in the production deployment after the pilot completes.
A key message is that cloud deployments are not like traditional on-premises deployments, and they need
a new methodology to accommodate that difference. With the Office 365 FastTrack deployment approach,
customers can:
Experience the value of Office 365 much earlier than with traditional deployment methodologies.
With the FastTrack approach, organizations can deliver a rich user experience and a high-productivity
solution with minimal on-premises requirements, particularly in the pilot phase. Continuing the
deployment path builds on the previous steps already performed in the pilot phase, so there is no
requirement to restart the effort from scratch. The organization also can extend and deliver new capabilities
to users as their needs change.
There are multiple data migration methods available, including user self-service and IT-driven approaches.
The organization can choose one of the following user identity models to suit its needs:
Cloud identities
Federated identities
Finally, there is an Office 365 Deployment Portal with prescriptive step-by-step guidance and video
instructions for the FastTrack process.
Additional Reading: For more information, refer to FastTrack for Office 365:
http://aka.ms/il5z8i.
The pilot phase consists of the following activities that you must perform in consecutive order:
1. Check prerequisites. Make sure you have assessed the organization's environment correctly for the
pilot.
2. Set up pilot domains. Determine the domain policy and identify customer domains for the pilot.
5. Set up collaboration sites. Establish use and requirements for SharePoint sites.
6. Prepare pilot users. Plan communications with pilot users.
7. Test the pilot. Identify success factors for testing the pilot.
9. Complete the pilot. Feed the results into Deploy phase planning.
You must record this information in real time during the pilot. Otherwise, you might miss important details
that might not be recordable after the fact. You will use this recorded information from the pilot for
checking planning decisions against actual outcomes, and it feeds into the Deploy phase.
Industry sector
With any Office 365 pilot deployment, it is important to identify the organization's industry sector, because
this information will provide insight into the method of working and anticipated behavior. Furthermore,
business requirements for Office 365 might be similar in organizations that belong to the same industry
sector.
Information workers. Users who work at desks or on the move, and primarily create or process data.
Kiosk workers. Users who do not need regular access to a computer or mobile device to carry out their
tasks.
User analysis
You also need to know how these users are distributed, and how they use their devices. Consider the
following aspects:
Are the users in a few large offices, such as an insurance company, or in many small ones, such as a car
dealership?
Do they work at home, either occasionally or permanently, and do they need to access data on the
move?
Does the organization have a Bring Your Own Device (BYOD) policy in place, or are there local
impromptu arrangements?
Company requirements
You must take into consideration the requirements and characteristics of the organization that is deploying
the pilot, and also its workloads, by assessing the following:
How does the company currently deliver IT? Do they have a centralized department or a distributed
arrangement?
How does the organization view IT services, and how is the department managed?
What compliance and data retention requirements does the company need to consider? Some
organizations have strict compliance regulations in respect to data management, storage, recording,
and transmission.
What are the company’s security requirements? Are they likely to be targeted and what level of
protection should they adopt?
What workloads does the company have that do not need to be migrated to Office 365? Look at areas
such as custom applications, business information systems, and stock control environments, and
consider whether these applications will remain on premises.
Finally, what is the company management team's likely attitude toward moving to the cloud? Being
aware of this attitude and having a strategy and tactics to address it are essential for a smooth
deployment.
At this point, the information does not have to be completely accurate. For example, rounding user
numbers to the nearest thousand or hundred is acceptable. If there is an established relationship with the
organization or you already work within the company, much of this information should be available.
Lack of management support for Office 365: Clearly communicate the benefits.
Lack of IT department support for this change: Fully brief the IT department on what is happening, and
how the change will affect IT department processes.
Data storage requirements: With companies that have specific data storage requirements in terms of where
their data is geographically located, consider choosing hybrid options and keeping sensitive data onsite.
Plan for pre-pilot users. With larger organizations, it may be necessary to deploy some pre-pilot users.
With these larger pilot engagements, it can be useful to initially roll out Office 365 to a small subset of
users, to help identify issues, before including a wider user community.
Select the pilot users. Pilot users typically meet the following criteria:
Create and implement a pilot user communication plan. Effective communication with the pilot users is
vital and needs to start up to three weeks before the pilot itself.
Train and support the pilot users. Microsoft does not support Office 365 pilot users, so planning user
and helpdesk training and support for the pilot phase is an important part of the experience.
Continue user pilot. The most basic option is simply for the organization to continue with the user pilot.
Users would continue to use Office 365 on a regular basis. The organization can collect user feedback
about Office 365 and highlight the key benefits. This information also enables the organization to plan
future deployments appropriately for each workload. Importantly, the pilot provides data points to
best plan the organization’s migration and identity needs.
Expand the scope. The trial tenant used for the pilot service allows up to 250 users, so the organization
could add more pilot users to prove the service fit for various groups within the organization. Note that
users who are moved to the service during the pilot can be transitioned to production after a decision
for service use is reached.
Service options. The pilot has enabled users to begin using a broad range of Office 365 features. The
service provides solutions for mail, collaboration, sharing, and other scenarios. The scope of the pilot
was confined to the core service options. Therefore, the organization should determine the additional
scenarios in which Office 365 can be useful.
Identity planning. The pilot introduced the organization to the concept of identity management in the
Office 365 service. The pilot engagement provisions users in the service through cloud identities. The
trial tenant shows how this identity management approach works for administrators and users.
However, the organization also needs to start thinking about identity management. This planning
should consider future additional service scenarios and integration requirements for streamlined
management. Further planning considerations should determine the future implementation plans for
identity management and authentication. The cloud identity approach used in the pilot engagement
uses a stand-alone set of user credentials. The organization should map a plan for the desired
authentication plans including plans for single sign-on (SSO) options.
Mail migration planning. In the pilot, the organization has experienced mail using the Office 365
connected accounts feature. This feature enables users to access existing mail items, and continue to
send and receive mail with their existing email addresses. However, users will expect to bring existing
mail, calendar, and contacts to the new service. Office 365 provides a range of migration options to
help manage this migration. If customers begin planning early to reduce the content users currently
have in place, this migration process is considerably simplified.
Plan for transition. The pilot uses an Office 365 trial tenant that needs to be transitioned to a live
account before the trial expires.
Microsoft engineers from the FastTrack Center team contact organizations that purchase more than 150
Office 365 seats. FastTrack engineers assist customers through multiple project phases, such as assessing
customer environment, planning for remediation of any potential issues found during the assessment, and
helping with Office 365 deployment and migration.
Additional Reading: For more information, refer to FastTrack for Office 365:
http://aka.ms/il5z8i.
Additional Reading: For more information, refer to Office 365 for IT pros:
http://aka.ms/kl703e.
Office Blogs
Office Blogs is an online resource that contains the latest information about different Office products,
including Office 365. You can customize blog reading content by choosing:
The Office product you want to read about, such as Office 365, Office Online, Exchange, or Skype for
Business.
The type of information that you want to read about, such as customer stories, events, news, or
podcasts.
Additional Reading: For more information, refer to FastTrack for Office Blogs:
http://aka.ms/t1mgkg.
Additional Reading: For more information, refer to Office 365 Trust Center:
http://aka.ms/j0074t.
Additional Reading: For more information, refer to Office 365 Service Descriptions:
http://aka.ms/gxsbad.
Additional Reading: For more information, refer to Software Assurance Planning Services:
http://aka.ms/leudft.
Question: How does an Office 365 pilot compare to the traditional deployment process?
Objectives
By the end of this lab, you will be able to:
Configure an Office 365 tenant.
Lab Setup
Estimated Time: 75 minutes
Password: Pa$$w0rd
This course uses the new Office 365 admin center for all labs. If you are connected to the previous Office
365 admin center when you connect to Office 365, click the banner at the top of the page to connect to the
new admin center.
In all tasks:
In references to Adatumyyxxxxx.onmicrosoft.com, replace Adatumyyxxxxx with your unique Office 365
name displayed in the online lab portal.
This lab requires the following virtual machines: (use only the VMs required for your lab)
LON-DC1
LON-CL1
Note: For simplicity, this lab uses an ordinary Office 365 trial account, not a FastTrack pilot
extended tenant account. Also note that you need to create an account with a unique name in the
form: Adatumyyxxxxx.onmicrosoft.com. You can use the alphanumeric value for yyxxxxx provided
for you in the lab interface.
3. For Step 1, in the Welcome, let’s get to know you page, complete the following fields. Regardless of
your location, use the following information:
o Country: United Kingdom
o Business phone number: Your mobile phone number, including international code for your current
country
o Company name: A. Datum
4. For Step 2, you have to create a unique domain for the Company name to use in the course. Use the
Adatumyyxxxxx name provided in the lab interface. For the rest of the fields, use the following
information:
o Password: Pa$$w0rd
5. For Step 3, you have to confirm your identity by using your mobile phone. Under Send text message,
from the drop-down box, select the code for the country that you are now in.
6. In the Phone number box, enter your correct mobile phone number.
7. Ensure that the Send text message option is selected, and then click Text me.
8. When you receive the confirmation text on your mobile phone, enter the code provided in the Enter
your verification code box.
10. Wait until the Office 365 tenant is provisioned, and then click You’re ready to go…
11. Click the Admin tile to go to the Office 365 admin center.
12. On the don’t lose access to your account! page, provide your phone number and Microsoft account
email address to verify your account.
Note: If you are connected to the previous Office 365 admin center when you connect to
Office 365, click the banner at the top of the page to connect to the new admin center.
2. Review any service interruption records or additional information in the status page.
Note: During Microsoft testing, on rare occasions Office 365 did not create the trial tenant
properly; as a result, the tenant did not have all the services available to it. If this happens to you,
you should create a new trial tenant using a different business email (Microsoft account).
Results: After completing this exercise, you should have successfully provisioned the Office 365 tenant
account for A. Datum Corporation.
3. Click Admin.
4. In the left-hand navigation, select Domains, select Add domain to start the domain setup wizard.
5. In the text box on the Which domain do you want to use? page, enter your domain name in the form
of Adatumyyxxxxx.hostdomain.com.
6. Click Next.
8. Write down the TXT record shown in the TXT value column. This entry will be similar to
MS=msXXXXXXXX. Record this value below:
MS=_______________________
9. Switch to LON-DC1.
10. In DNS Manager, create a new forward lookup zone called Adatumyyxxxxx.hostdomain.com
12. Under Select a resource record type, scroll down to Text (TXT), and click Create Record.
13. In the New Resource Record box, leave the Record name field blank.
14. In the Text field, enter MS=msXXXXXXXX that you recorded in step 8.
17. Switch back to LON-CL1 and in the Office 365 admin center, click Verify.
2. Select the option to skip the configuration of DNS records now. You will configure these in later labs.
Results: After completing this exercise, you should have added a custom domain and verified domain
ownership.
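The same domain verification done with the Azure AD module for Windows PowerShell and the DNS Server cmdlets instead of the admin center wizard and DNS Manager. This is an added example, not part of the course text; the domain name is the lab placeholder, the LON-DC1 server name and forest replication scope are assumptions, and as in the lab the record must be resolvable from the public zone the lab portal provides.

```powershell
# Added example (not from the course): verify a custom domain with PowerShell.
# Assumes Connect-MsolService has already been run on LON-CL1 with the tenant
# admin account, and that the RSAT DNS Server cmdlets can reach LON-DC1.

function Add-VerifiedMsolDomain {
    [CmdletBinding()]
    param(
        # Lab placeholder: replace yyxxxxx with your unique value.
        [Parameter(Mandatory)][string]$DomainName,
        [string]$DnsServer = 'LON-DC1'   # assumption: the lab domain controller
    )

    # 1. Register the domain with the tenant (the wizard's "Add domain" step).
    if (-not (Get-MsolDomain -DomainName $DomainName -ErrorAction SilentlyContinue)) {
        New-MsolDomain -Name $DomainName | Out-Null
    }

    # 2. Ask Office 365 for the ownership proof. .Text carries the MS=msXXXXXXXX
    #    value, so it never has to be copied by hand (step 8 of the lab).
    $proof = Get-MsolDomainVerificationDns -DomainName $DomainName -Mode DnsTxtRecord
    Write-Verbose "Publishing TXT value '$($proof.Text)' for $DomainName"

    # 3. Create the zone on the DNS server if it does not exist, then the apex TXT record.
    $zone = Get-DnsServerZone -Name $DomainName -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if (-not $zone) {
        Add-DnsServerPrimaryZone -Name $DomainName -ReplicationScope Forest -ComputerName $DnsServer
    }
    Add-DnsServerResourceRecord -ZoneName $DomainName -ComputerName $DnsServer `
        -Name '@' -Txt -DescriptiveText $proof.Text -TimeToLive ([TimeSpan]::FromMinutes(5))

    # 4. Confirm the record resolves from the server before involving Office 365.
    $txt = Resolve-DnsName -Name $DomainName -Type TXT -Server $DnsServer -ErrorAction Stop
    if ($txt.Strings -notcontains $proof.Text) {
        throw "TXT record for $DomainName does not contain '$($proof.Text)'"
    }

    # 5. Verify. Office 365 queries public DNS, so a failure usually means the
    #    record has not propagated yet; wait and re-run Confirm-MsolDomain.
    Confirm-MsolDomain -DomainName $DomainName
    return (Get-MsolDomain -DomainName $DomainName).Status   # 'Verified' on success
}

# Usage: Add-VerifiedMsolDomain -DomainName 'Adatumyyxxxxx.hostdomain.com' -Verbose
```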
2. On the left navigation menu, scroll down to explore all available items.
3. On the left navigation menu, click each of the items, and review the results displayed on the right pane.
2. On the left navigation menu, under Admin centers, click Skype for Business.
3. A new tab will open displaying Skype for Business admin center.
4. On the left navigation menu, click each of the items, and review the results displayed on the right pane.
4. On the left navigation menu, click each of the items, and review the results displayed in the right pane.
5. Close Microsoft Edge.
Results: After completing this exercise, you should have provided a high-level overview of administrative
portals of Office 365.
Best Practices
Best practices for this stage of the Office 365 deployment process are:
Ensure that you understand the organization’s need for Office 365.
Identify any in-house services that are not going to transition to Office 365.
Recruit the right people to be pilot users.
Check that you have suitable infrastructure to support a connection to Office 365.
Review Question
Question: If you are selected to lead the Pilot at A. Datum Corporation, what personal
qualities, skills, and experience would you need to demonstrate to maximize the probability of
the organization moving to Office 365?
Module 2
Managing Office 365 users and groups
Contents:
Module Overview 2-1
Lesson 4: Managing Office 365 users and groups with Windows PowerShell 2-20
Module Overview
After provisioning and configuring the Microsoft Office 365 tenant, the tenant administrator should create
users and groups so that the organization’s employees can start working with Office 365. Furthermore, the
tenant administrator should assign administrative roles to the members of the IT team who will be
responsible for managing the Office 365 tenant for the organization.
In this module, you will learn about managing users, groups, and licenses and configuring administrative
access by using the Office 365 console and the Windows PowerShell command-line interface.
Objectives
After completing this module, you should be able to:
Manage user accounts and licenses by using the Office 365 admin center.
Manage security and distribution groups by using the Office 365 admin center.
Lesson 1
Managing user accounts and licenses
As the administrator of your organization’s Office 365 environment, you will be responsible for creating and
managing user accounts for all of its users. Administrative tasks for a user account include creating and
managing user objects, creating and configuring password policies, configuring self-service password
management, and configuring multi-factor authentication.
Lesson Objectives
After completing this lesson, you will be able to:
Explain how to create user accounts by using the Office 365 admin center.
Explain how to manage user licenses by using the Office 365 admin center.
Explain how to manage user accounts by using the Office 365 admin center.
Explain how to delete and restore user accounts by using the Office 365 admin center.
Federated identities by using Active Directory Federation Services (AD FS). When using federated
identities, administrators manage on-premises users and synchronize on-premises directory objects
with Office 365. Users have the same password on-premises and in the cloud; therefore, they sign in
only once to use both on-premises and Office 365 applications. This process of signing in only once is
referred to as single sign-on (SSO).
When designing an Office 365 solution, administrators should consider which identity model is best for
their organization. Some models such as AD FS federated identity might entail more complexity and cost.
Moreover, organizations might switch from one identity model to another if needed in the future.
Note: Subsequent modules will cover federated identities that use AD FS for SSO. This
method involves installing identity federation software to extend directory synchronization, such
as in the second method above, but a directory synchronization tool performs the user
management process.
Directory synchronization. This option allows you to provision and manage users by synchronizing
Office 365 with an on-premises directory service. You can use the Azure Active Directory (Azure AD)
Connect tool to synchronize on-premises Active Directory objects with Azure AD objects in Office 365.
Module 4 covers directory synchronization in more detail.
Note: A later lesson in this module covers provisioning users with Windows PowerShell.
Provisioning users with directory synchronization is outside the scope of this module; Module 4 of
this course covers this.
2. On the Office 365 admin center Home page, click Users to display the Active users list. You also can
access the Active users list by pointing to the Users menu in the left pane, and then clicking Active
users.
Note: The password is sent as plaintext in the email. If this is a concern, you need to use
another method to inform the user of their temporary password, such as in person, or through a
phone call or instant message.
Note: At the time of writing this course, the bulk add functionality is only available in the
previous Office 365 admin center.
1. In the previous Office 365 admin center, click Users, click Active Users, and then click the bulk add
icon.
3. The verification result informs you if any errors are in your file; you can view the results in the linked
log file.
4. On the Settings page, set the new users’ sign-in status and location.
5. On the Assign Licenses page, specify which licenses the new users should have assigned to them.
6. Specify who should receive the email of the results. We recommend that you include your own email
address so that you can provide the temporary passwords to your new users.
2. Select the users that you want to assign or remove licenses, and in the More list, click Edit product
licenses.
3. On the Assign products page, you can change the user location, specify whether to replace or add to
existing licenses, and then select the services that you want to modify.
Note: When you remove a license from one of your users, any service data that is associated
with that user is deleted. You then have a 30-day grace period in which you can recover that data,
but after the grace period, the data is not recoverable at all.
1. In the Office 365 admin center, on the left navigation pane, on the Billing menu, click Licenses.
2. Note how many licenses are valid and how many licenses have been assigned.
Editing users
You can use the Office 365 admin center to edit single or multiple users. To edit multiple users:
2. Click the user account that you want to edit to open the user properties page.
3. In the Contact information section, you can make changes to the selected user’s name and to
organizational information such as department and organizational contact information.
4. In the Email address section, you can change the user email addresses.
5. In the Sign-in status section, you can specify the sign-in status of the selected users. You can set this to
Allowed or Blocked. If you set it to Blocked, the user cannot sign in to Office 365. The user is not
immediately blocked from accessing services, but they will be blocked at the next sign-in attempt.
Typical reasons for blocking a user might be that they are a contract worker or that they have left the
organization but you want to retain their email information.
6. In the Roles section, you can specify whether the selected users should have Administrator
permissions. The last lesson in this module discusses the different administrator roles.
7. In the Product licenses section, you can set the user location. Because certain countries do not allow
some services, Microsoft needs to know the location of each user who utilizes its Office 365 services so
that it only offers permitted services to that user. You also can leave assigned licenses as they are,
replace existing license assignments with new ones, or add new licenses to existing license assignments.
8. In the Mailbox permissions section, you can assign permissions to the user mailbox.
To ensure that you create and manage your Office 365 users correctly, follow these best practices:
If you decide to start using directory synchronization in the future, ensure that you look for potential
duplicate names and account details before you synchronize.
You can also use Windows PowerShell to delete user accounts by using the Remove-MsolUser cmdlet
with the -ObjectId <Guid> or the -UserPrincipalName <string> parameter.
When you delete a user account, the account becomes inactive and the user cannot sign in to access
Office 365 services. However, you might need to restore a user’s account after deletion. Office 365 retains
the account as a soft deleted inactive account for 30 days after deletion; this enables you to restore the
account in such situations.
To restore a user:
1. In the Office 365 admin center, on the Users menu click Deleted Users.
2. Select the user that you want to restore, and then click Restore.
3. Select how you want to assign the user password, and then click Restore.
You can also use Windows PowerShell to restore deleted user accounts by using the Restore-MsolUser
cmdlet. A later lesson in this module covers this.
Additional Reading:
For more information, refer to How to troubleshoot deleted user accounts in Office 365,
Azure, and Intune: http://aka.ms/prede5.
For more information, refer to Manage inactive mailboxes in Exchange Online:
http://aka.ms/qlb3b1.
Lesson 2
Managing passwords and authentication
Organizations have to provide secure access to Office 365 for their employees and to protect data from
unauthorized access. One of the most important actions when securing access to Office 365 is to configure
secure password policies. Password policies require users to perform actions that increase password
protection, such as changing passwords at specified intervals, creating complex passwords, resetting their
own passwords, and signing in with multi-factor authentication.
Lesson Objectives
After completing this lesson, you will be able to:
You can use the Office 365 admin center to change this setting for your organization. To change the
password expiration policy, perform the following steps:
1. In the Office 365 admin center, on the Settings menu, click Security, and then click Edit.
3. Specify a number of days between 1 and 30 for the notification warning of password expiration.
Note: If you want to change the setting for a user or users so that their password never
expires, you need to use the Microsoft Azure AD module for Windows PowerShell. This module will
cover this later.
If a user does not change their password before the expiration time has elapsed, they can still change it by
using the Password Update page that appears the next time they sign in. Alternatively, you can reset their
password for them.
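The expiration policy and the per-user "never expires" setting that the note above refers to, managed with the Azure AD module for Windows PowerShell. This is an added example, not part of the course text; it assumes Connect-MsolService has been run, and the domain name in the usage line is the lab placeholder.

```powershell
# Added example (not from the course): set the tenant password expiration policy,
# exempt individual accounts, and audit those exemptions.

function Set-TenantPasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [int]$ValidityPeriod = 90,                             # days until a password expires
        [ValidateRange(1, 30)][int]$NotificationDays = 14      # warning window, 1 to 30 days (step 3 above)
    )
    if ($NotificationDays -gt $ValidityPeriod) {
        throw 'NotificationDays cannot exceed ValidityPeriod.'
    }
    Set-MsolPasswordPolicy -DomainName $DomainName `
        -ValidityPeriod $ValidityPeriod -NotificationDays $NotificationDays
    # Read the policy back so the caller can confirm what was actually applied.
    return Get-MsolPasswordPolicy -DomainName $DomainName
}

# The PowerShell-only change from the note above: exempt one account from expiry.
# Keep this for service accounts only, and record the reason.
function Set-UserPasswordNeverExpires {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [bool]$NeverExpires = $true
    )
    Set-MsolUser -UserPrincipalName $UserPrincipalName -PasswordNeverExpires $NeverExpires
}

# Audit: every exempt account with the age of its current password, so that an
# exemption granted during a migration does not silently outlive it.
function Get-PasswordExpiryExemption {
    param([int]$StaleAfterDays = 365)
    Get-MsolUser -All |
        Where-Object { $_.PasswordNeverExpires -eq $true } |
        Select-Object UserPrincipalName, IsLicensed, BlockCredential,
            @{ n = 'PasswordAgeDays'; e = { [int]((Get-Date) - $_.LastPasswordChangeTimestamp).TotalDays } },
            @{ n = 'Stale'; e = { ((Get-Date) - $_.LastPasswordChangeTimestamp).TotalDays -gt $StaleAfterDays } }
}

# Usage (the values used in this module's lab):
# Set-TenantPasswordPolicy -DomainName 'Adatumyyxxxxx.onmicrosoft.com' -ValidityPeriod 14 -NotificationDays 14
# Get-PasswordExpiryExemption | Where-Object Stale
```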
Ask another administrator to reset it for you. In this case, the other administrator must be a global
admin, a user management admin, or a password admin. However, if your account is a global admin
account, you must get another administrator with a global admin account to reset it for you.
Reset the password yourself. In this case, as an administrator of the Office 365 cloud service, perform
the following steps to reset your password by using the Reset your password now option:
a. On the Office 365 sign-in page, click the Can’t access your account? link.
b. On the User verification page, provide your user ID and the required verification string.
c. Open your email inbox and look for an email message from Microsoft Online Services Team.
f. When the password resets, click the provided link to return to the sign-in page.
You must have already supplied an alternative email address in your account settings for this to work;
this must not be your Office 365 email address. Additionally, if you use a custom domain name or you
are using directory synchronization, you must have also supplied a phone number in your account
details that is capable of receiving text notifications. In this case, a code is generated automatically and
sent as a text message to your mobile phone, and you will need to enter this code on the mobile
phone verification page.
Note: If resetting the password yourself, you must complete the entire admin password reset
process within 10 minutes; otherwise, you will need to start the process again.
Self-service password reset functionality is available for Office 365 users who have cloud-based identities
only. However, some organizations have on-premises managed users who require write back of an updated
password to an on-premises Active Directory server. Write-back functionality is available in Microsoft Azure
Active Directory Premium (Azure AD Premium) or in the Enterprise Mobility Suite (EMS) subscription. If an
organization does not have an Azure AD Premium or EMS subscription, users who forget their passwords
must contact the tenant administrator to reset them.
Multi-factor authentication
Multi-factor authentication in Office 365 helps increase security by requesting users to provide a user name and a password while signing in and to use a second authentication method. The second authentication method might be acknowledging a phone call, text message, or an app notification on their smartphone. If the user names, passwords, and second authentication method are verified, the users can sign in to Office 365. You can also enable users who authenticate from a federated, on-premises directory for multi-factor authentication.
The tenant administrator enables multi-factor authentication in the Office 365 admin center by performing
the following steps:
1. In the Office 365 admin center, on the Settings menu, click Apps.
2. On the Apps page, click Azure multi-factor authentication.
3. On the Azure multi-factor authentication page, click Manage Azure multi-factor authentication.
4. On the multi-factor authentication page, select the users that you need to enable for multi-factor
authentication, and then click Enable.
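The same per-user enablement done with Set-MsolUser in the Azure AD module for Windows PowerShell, plus a report of who is still without a second factor. This is an added example, not part of the course text; it assumes Connect-MsolService has been run, and the user names in the usage lines are constructed.

```powershell
# Added example (not from the course): enable per-user MFA and report MFA state,
# using the StrongAuthenticationRequirements property instead of the admin center.

function Enable-UserMfa {
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalName,
        # 'Enabled' makes the user register a second factor at the next sign-in, as
        # described below; 'Enforced' requires MFA on every sign-in once registered.
        [ValidateSet('Enabled', 'Enforced')][string]$State = 'Enabled'
    )
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = '*'      # apply to all applications
    $requirement.State = $State
    foreach ($upn in $UserPrincipalName) {
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
    }
}

function Get-UserMfaState {
    param([Parameter(ValueFromPipeline)]$User)
    process {
        $req = $User.StrongAuthenticationRequirements
        $state = if ($req.Count -gt 0) { $req[0].State } else { 'Disabled' }
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            MfaState          = $state
            # Registered second factors (phone, app notification, app code)
            Methods           = ($User.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ';'
        }
    }
}

# Global admin accounts carry the most risk; list any that still lack MFA.
function Get-GlobalAdminWithoutMfa {
    $role = Get-MsolRole -RoleName 'Company Administrator'   # the Global admin role
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object { Get-MsolUser -UserPrincipalName $_.EmailAddress } |
        Get-UserMfaState |
        Where-Object { $_.MfaState -eq 'Disabled' }
}

# Usage:
# Enable-UserMfa -UserPrincipalName 'Holly@Adatumyyxxxxx.onmicrosoft.com'
# Get-MsolUser -All | Get-UserMfaState | Export-Csv .\mfa-state.csv -NoTypeInformation
# Get-GlobalAdminWithoutMfa
```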
After the administrator enables users for multi-factor authentication, users have to configure their second
authentication factor at their next sign-in. You can use the following options as the second authentication
factor:
Call my mobile phone. Users receive a phone call with instructions for the users to press the pound
key. After they press the pound key, users are signed in.
Text code to my mobile phone. Users receive a text message containing a six-digit code that they
must enter into the Office 365 portal.
Call my office phone. This option is the same as the Call my mobile phone option, but it enables the
user to use their office phone.
Notify me through app. Users configure a smartphone app that receives a notification that users
need to confirm to sign in to Office 365. Smartphone apps are available for Windows phone, iPhone,
and Android devices.
Show one-time code in app. Users configure a smartphone app and enter the six-digit code from the
app into the portal.
Document and standardize password policies. Password policies should be well documented and
standardized according to an organization’s security strategy.
Enforce the use of strong passwords. Strong passwords increase an organization’s security because
they are more difficult for an unauthorized user to guess.
Ensure that users are educated on organizational security policies. Educate users about organizational
security procedures, especially regarding creating complex passwords, securing their passwords
against potential security threats, and resetting their forgotten passwords.
Objectives
After completing this lab, you will be able to:
Manage Office 365 users and licenses by using the Office 365 admin center.
Lab Setup
Estimated Time: 35 minutes
Virtual machines: 20347A-LON-DC1, 20347A-LON-CL1
Password: Pa$$w0rd
In all tasks:
In references to Adatumyyxxxxx.onmicrosoft.com, replace yyxxxxx with your unique Office 365 name
that displays on the online lab portal.
LON-DC1:
LON-CL1:
o Sign in as Adatum\Holly with the password Pa$$w0rd
Exercise 1: Managing Office 365 users and licenses by using the Office 365
admin center
Scenario
The Office 365 tenant for A. Datum is now configured, and you need to start creating Office 365 users and
then managing the user licenses.
4. In the Office 365 admin center, create a new Lindsey Gates user account with user name Lindsey.
5. On the Create new user account results page, view the temporary password, and then note the
temporary password here: ____________
o Christie Thomas
o Amy Santiago
o Sallie McIntosh
o Francisco Chaves
6. In the Active Users list, select Lindsey Gates, and then delete the user.
9. In the Deleted Users list, select the Lindsey Gates check box.
10. On the toolbar, click Restore. Note the new temporary password for the user.
4. If prompted, enter your new password again, and then click Sign in.
5. If you were not prompted to change your password at sign in, access the Office 365 settings page and
reset Lindsey’s password to Pa$$w0rd.
6. Verify that you can access the Office 365 portal home page.
7. Close and reopen Microsoft Edge, and then browse to https://login.microsoftonline.com/.
9. Verify that you cannot sign in and that the message states that your account has been blocked.
13. In the Office 365 admin center, edit the user account for Francisco Chaves by configuring the Sign-in
status section to Allowed.
18. Verify that you can access the Office 365 portal.
Results: After completing this exercise, you should have created and managed user accounts and licenses
according to business needs.
3. In the Office 365 admin center, set the password expiration policy to 14 days before the passwords
expire.
Note: This setting does not correspond with a real-world scenario. Use it as a sample
scenario to verify the policy applied in the next exercise task.
4. In the Days before a user is notified about expiration box, leave the default value of 14.
5. Verify that the “Password policy has been updated” message appears at the top of the page.
2. On the upper-right side of the window, verify that the notification appears with the following
information: “Time to change your password. Your password will expire in 13 days.”
Note: You have now verified that your password policy is applied. In a real-world scenario,
after you verify that the password policy is applied, you would need to increase the number of
days before the password expires, according to your organizational policy.
Results: After completing this exercise, you should have configured and validated an Office 365 password
policy.
Lesson 3
Managing security groups in Office 365
After all users for the Office 365 tenant have been created, administrators should create the necessary
groups for distributing email to multiple users with Exchange Online. Administrators also configure security
permissions in SharePoint Online so that users can collaborate and share documents with each other, with
rights and access to SharePoint sites and documents assigned according to the organization's security
policies.
Lesson Objectives
After completing this lesson, you will be able to:
Explain how to create and configure security groups by using the Office 365 admin center.
Explain how to delete security groups by using the Office 365 admin center.
Exchange Online groups. Use these groups to send email messages or assign permissions to a group of
users.
SharePoint Online groups. Use these groups to grant users permissions to access sites and site
resources.
Distribution groups. Use these groups only to distribute messages to a set of recipients.
Mail-enabled security groups. Use these groups to distribute messages and to provide access to
resources.
Dynamic distribution groups. These groups do not have a predefined member list, because they use
recipient filters and conditions that you define to determine membership dynamically at the time that
messages are sent.
In the previous Office 365 admin center, you cannot edit groups that you create in Exchange admin center,
even though the groups appear in the Security Groups list of the GROUPS section. You can edit
distribution groups in the new Office 365 admin center.
Note: Only Exchange Online distribution groups and mail-enabled security groups appear in
the Office 365 admin center. Dynamic distribution groups do not appear in the Office 365 admin
center.
Several built-in groups are created when you create a site collection in SharePoint Online. These are
referred to as default SharePoint Online groups. Which default SharePoint Online groups are created
depends on the site template that is used to create the site. For example, the Team Site template contains
three different SharePoint Online groups: Visitors, Members, and Owners.
To ensure that you create and manage your Office 365 security groups correctly, we recommend the
following best practices:
Organize users into logical groups that have similar access needs.
Add users to security groups and then add those security groups to SharePoint Online default groups
rather than adding individual users to the groups.
2. Click Add a group, and on the Add a group page, select security group, provide a group name and
description for the group, and then click Add.
3. On the group property page, add the users that you want to add to the security group.
You can also use Windows PowerShell to create security groups for Office 365 by using the New-
MsolGroup cmdlet; a later lesson in this module covers this.
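Creating a security group and populating it with New-MsolGroup and Add-MsolGroupMember, following the best practice above of grouping users before granting them SharePoint Online access. This is an added example, not part of the course text; it assumes Connect-MsolService has been run, and the group and member names are constructed.

```powershell
# Added example (not from the course): create security groups idempotently and
# report their membership.

function New-MsolSecurityGroupWithMember {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string]$Description = '',
        [string[]]$MemberUpn = @()
    )
    # Reuse an existing group rather than creating a second one with the same name.
    $group = Get-MsolGroup -SearchString $DisplayName | Where-Object { $_.DisplayName -eq $DisplayName }
    if (-not $group) {
        $group = New-MsolGroup -DisplayName $DisplayName -Description $Description
    }
    $existing = Get-MsolGroupMember -GroupObjectId $group.ObjectId -All | ForEach-Object { $_.EmailAddress }

    foreach ($upn in $MemberUpn) {
        if ($existing -contains $upn) { continue }          # already a member
        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
        if (-not $user) { Write-Warning "$upn not found; not added"; continue }
        Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User -GroupMemberObjectId $user.ObjectId
    }
    return $group
}

# Membership review: one row per security group, the list a site owner should see
# before the group is added to a SharePoint Online default group.
function Get-SecurityGroupMembershipReport {
    Get-MsolGroup -GroupType Security -All | ForEach-Object {
        $g = $_
        [pscustomobject]@{
            Group   = $g.DisplayName
            Members = (Get-MsolGroupMember -GroupObjectId $g.ObjectId -All | ForEach-Object { $_.EmailAddress }) -join ';'
        }
    }
}

# Usage:
# New-MsolSecurityGroupWithMember -DisplayName 'Sales' -Description 'Sales department' `
#     -MemberUpn 'Amy@Adatumyyxxxxx.onmicrosoft.com', 'Christie@Adatumyyxxxxx.onmicrosoft.com'
# Get-SecurityGroupMembershipReport
```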
Note: Later modules in this course cover the management of Office 365 groups and
distribution groups.
Note: You cannot use the Office 365 admin center to edit security groups if they are
synchronized with your on-premises Active Directory; you must use local Active Directory
management tools for this purpose.
Deleting groups
When you no longer need a security group, you can delete it by using the Office 365 admin center or Windows PowerShell. Unlike user accounts, when you delete a security group, it is permanently deleted and cannot be restored. User accounts that were members of the deleted security group remain intact.
Question: List the three types of mail-enabled groups in Exchange Online in Office 365.
Lesson 4
Managing Office 365 users and groups with Windows
PowerShell
By using the Azure AD module for Windows PowerShell, you can connect to Office 365 to perform
administrative tasks that are not practical, or even possible, by using the Office 365 admin center. For
example, you can use the Azure AD module for Windows PowerShell to automate mundane, repetitive
tasks such as creating large numbers of user accounts, adding users to groups, and updating multiple user
properties.
In this lesson, you will learn how to use Windows PowerShell to configure multiple user settings, how to
carry out a bulk update of user properties, how to create users in bulk and manage their licenses in bulk by
using the Azure AD module for Windows PowerShell cmdlets, and how to delete users.
Lesson Objectives
After completing this lesson, you will be able to:
User management
License assignment
Password management
Domain management
You must install all software updates that the Microsoft cloud services to which you have subscribed
require.
You must install the appropriate version of the Microsoft Online Services Sign-in Assistant for your
operating system from the Microsoft Download Center.
Installing the Azure AD module for Windows PowerShell and connecting to Azure AD
To take advantage of Azure cmdlets for Windows PowerShell, you need to download and install the
relevant Windows PowerShell module for Azure for your operating system.
Note: You can download the 64-bit version of the Azure AD module for Windows
PowerShell from the Microsoft Download Center at http://aka.ms/siqtee, and you can download
the 32-bit version at http://aka.ms/fohrds.
After you install the Windows PowerShell module for Azure, you need to connect to your online service
through your subscription. To connect to your online service:
1. Open the new Azure AD module for Windows PowerShell console by using the desktop shortcut.
2. At the command prompt, type the following command, and then press Enter:
connect-msolservice
2. At the command prompt, type the following command, and then press Enter:
Get-Help cmdletname
For more detailed help on a specific cmdlet, at the command prompt, type one of the following commands,
and then press Enter:
For example:
To create a user and assign them a license, at the command prompt, type the following command, and
then press Enter:
For example:
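Creating users in bulk from a CSV file with New-MsolUser and a license assignment, the PowerShell counterpart of the admin center bulk add covered in Lesson 1. This is an added example, not part of the course text; it assumes Connect-MsolService has been run, the CSV rows are constructed samples, and the E3 SKU part name ENTERPRISEPACK is an assumption about the trial tenant.

```powershell
# Added example (not from the course): bulk-create licensed users and capture
# the generated temporary passwords.

# Constructed sample input, in the shape a real users.csv would have.
$sampleCsv = @'
UserPrincipalName,FirstName,LastName,DisplayName,UsageLocation
Christie@Adatumyyxxxxx.onmicrosoft.com,Christie,Thomas,Christie Thomas,GB
Amy@Adatumyyxxxxx.onmicrosoft.com,Amy,Santiago,Amy Santiago,GB
'@

function New-BulkMsolUser {
    param(
        [Parameter(Mandatory)][object[]]$Users,          # objects with the columns above
        [Parameter(Mandatory)][string]$AccountSkuId,     # e.g. 'Adatumyyxxxxx:ENTERPRISEPACK' (assumed)
        [Parameter(Mandatory)][string]$ResultPath        # where temporary passwords are written
    )

    # Fail before creating anyone if the SKU cannot cover the whole batch.
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
    if (-not $sku) { throw "SKU $AccountSkuId not found in this tenant" }
    $free = $sku.ActiveUnits - $sku.ConsumedUnits
    if ($free -lt $Users.Count) { throw "Only $free licenses free for $($Users.Count) users" }

    $results = foreach ($u in $Users) {
        if (Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue) {
            Write-Warning "$($u.UserPrincipalName) already exists; skipped"
            continue
        }
        # Without -Password, Office 365 generates a temporary one and returns it in .Password.
        # UsageLocation must be set before a license can be assigned.
        $created = New-MsolUser -UserPrincipalName $u.UserPrincipalName `
            -DisplayName $u.DisplayName -FirstName $u.FirstName -LastName $u.LastName `
            -UsageLocation $u.UsageLocation -LicenseAssignment $AccountSkuId `
            -ForceChangePassword $true
        [pscustomobject]@{
            UserPrincipalName = $created.UserPrincipalName
            TemporaryPassword = $created.Password
            IsLicensed        = $created.IsLicensed
        }
    }

    # The result file holds plaintext temporary passwords (compare the note on emailed
    # passwords in Lesson 1): hand them over out of band and delete the file afterwards.
    $results | Export-Csv -Path $ResultPath -NoTypeInformation
    return $results
}

# Usage:
# $users = $sampleCsv | ConvertFrom-Csv          # or: Import-Csv .\users.csv
# New-BulkMsolUser -Users $users -AccountSkuId 'Adatumyyxxxxx:ENTERPRISEPACK' -ResultPath .\new-users.csv
```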
Additionally, in the Office 365 admin center, you can view how many licenses your organization has
purchased and how many remain that you can use. However, in the Office 365 admin center, you cannot
easily ascertain which licenses are assigned to which users.
Instead, you can use Windows PowerShell to get a list of all of your Office 365 tenant users with the licenses
that are assigned to each of them, and you can save the results to a CSV file. To get a list of users and their
licenses, at the command prompt, type the following command, and then press Enter:
For example:
The Set-MsolUserLicense cmdlet enables you to add user licenses, remove user licenses, and update
licensing options. To add a license to a user, at the command prompt, type the following command, and
then press Enter:
For example:
To remove a license from a user, at the command prompt, type the following command, and then press
Enter:
For example:
If you want to replace one license with another, you can do this as a single operation so that the user does
not remain in an intermediate state. For example, you might want to change from a deskless license to an
enterprise license, or you might want to upgrade from a standard license (E1) to an enterprise license (E3).
To add and remove licenses in one operation, at the command prompt, type the following command, and
then press Enter:
For example:
To view the individual service plans, at the command prompt, type the following command, and then press
Enter:
The above command returns a list of the individual service plans; however, a number of the service plan
names are difficult to interpret. The following table provides a description of each abbreviated service plan
name.
YAMMER_ENTERPRISE Yammer
Now that you know what the service plans are called, you can use the Set-MsolUserLicense cmdlet with
the -LicenseOptions switch to assign a subset of service plans from the enterprise license pack. You must
specify the tenant account SKU ID and then disable the service plans that you do not want to include.
For example, to assign only the Office Professional Plus, Lync Online, and SharePoint Online licenses to a
user:
1. At the command prompt, type the following command, and then press Enter:
This saves the resulting license options to the $options variable, which you can then assign to the
-LicenseOptions switch when assigning licenses to the user.
2. At the command prompt, type the following command, and then press Enter:
For example:
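An added example (not the course's own code) that covers both the license inventory described earlier and the scoped assignment just described: it writes each user's enabled service plans to a CSV, then grants only a chosen subset of the E3 pack, optionally removing an old SKU in the same call. It assumes an open MSOnline session (Connect-MsolService), a SKU whose AccountSkuId ends in ":ENTERPRISEPACK", and placeholder UPN, SKU and file names.

```powershell
# Added example, not from the course material. Assumes Connect-MsolService has
# already been run; UPN, SKU names and paths below are constructed placeholders.

# 1. Inventory: which SKU and which enabled service plans each user holds, to CSV.
function Export-TenantLicenseReport {
    param([string]$Path = '.\license-report.csv')
    Get-MsolUser -All | ForEach-Object {
        $user = $_
        if ($user.Licenses.Count -eq 0) {
            [pscustomobject]@{ UserPrincipalName = $user.UserPrincipalName; AccountSkuId = ''; EnabledPlans = '' }
        } else {
            foreach ($lic in $user.Licenses) {
                # ServiceStatus lists every plan in the SKU; keep only the ones not disabled.
                $enabled = $lic.ServiceStatus |
                    Where-Object { $_.ProvisioningStatus -ne 'Disabled' } |
                    ForEach-Object { $_.ServicePlan.ServiceName }
                [pscustomobject]@{
                    UserPrincipalName = $user.UserPrincipalName
                    AccountSkuId      = $lic.AccountSkuId
                    EnabledPlans      = ($enabled -join ';')
                }
            }
        }
    } | Export-Csv -Path $Path -NoTypeInformation
}

# 2. Scoped assignment: grant only the plans a user needs from the E3 pack.
function Grant-ScopedE3License {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        # Plans to leave enabled (Office Pro Plus, Skype/Lync Online, SharePoint Online);
        # every other plan in the SKU is disabled.
        [string[]]$KeepPlans = @('OFFICESUBSCRIPTION', 'MCOSTANDARD', 'SHAREPOINTENTERPRISE'),
        # SKU to remove in the same operation (for example an E1 pack), if any.
        [string]$ReplaceSkuId,
        [string]$UsageLocation = 'US'
    )
    $sku = Get-MsolAccountSku |
        Where-Object { $_.AccountSkuId -like '*:ENTERPRISEPACK' } |
        Select-Object -First 1
    if (-not $sku) { throw 'No ENTERPRISEPACK SKU found in this tenant.' }
    if (($sku.ActiveUnits - $sku.ConsumedUnits) -le 0) {
        throw "No free units left on $($sku.AccountSkuId)."
    }
    # Derive the disabled-plan list from the SKU itself, so the call stays correct
    # if Microsoft later adds plans to the pack.
    $disable = $sku.ServiceStatus |
        ForEach-Object { $_.ServicePlan.ServiceName } |
        Where-Object { $KeepPlans -notcontains $_ }
    $options = New-MsolLicenseOptions -AccountSkuId $sku.AccountSkuId -DisabledPlans $disable

    # A UsageLocation must be set before any license can be assigned.
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if (-not $user.UsageLocation) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -UsageLocation $UsageLocation
    }
    $params = @{
        UserPrincipalName = $UserPrincipalName
        AddLicenses       = $sku.AccountSkuId
        LicenseOptions    = $options
    }
    # Add and remove in one call so the user never sits in an unlicensed state.
    if ($ReplaceSkuId) { $params.RemoveLicenses = $ReplaceSkuId }
    Set-MsolUserLicense @params
    $disable   # return the plans that were disabled, for the change record
}

Export-TenantLicenseReport -Path '.\license-report.csv'
Grant-ScopedE3License -UserPrincipalName 'user@contoso.onmicrosoft.com' -ReplaceSkuId 'contoso:STANDARDPACK'
```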
Deleting users
When a user leaves the organization, you can use the Remove-MsolUser cmdlet to detach the user from
Office 365. This cmdlet deletes the user, the user’s licenses, and any other associated data. This type of
deletion is also known as a soft delete.
To delete a user without confirming the operation, at the command prompt, type the following command,
and then press Enter:
For example:
Note: The -Force switch performs the deletion without requiring you to confirm the
operation at the command prompt. While this speeds up the operation, it does create the
possibility of human error.
As in the Office 365 admin center, when you delete a user, by default his or her account remains in the
Deleted Users view (the recycle bin) for 30 days before it is permanently deleted. This gives you some time to
retrieve accounts that were perhaps deleted in error. However, if you wish to remove an already deleted
account permanently from the recycle bin, you can use the -RemoveFromRecycleBin switch. This type of
deletion is also known as a hard delete.
To delete a user from the recycle bin permanently, at the command prompt, type the following command,
and then press Enter:
For example:
Restoring users
If you accidentally delete a user, you can use the Restore-MsolUser cmdlet to restore the user account
from the recycle bin back to its original state, as long as you do this within 30 days of the deletion.
1. At the command prompt, type the following command, and then press Enter:
Get-MsolUser -ReturnDeletedUsers
2. Note the UserPrincipalName of the user you want to restore, and at the command prompt, type the
following command, and then press Enter:
Additional Reading: For more information, refer to How to troubleshoot deleted user
accounts in Office 365, Azure, and Intune: http://aka.ms/g5rx76.
Group type
Description
2. At the command prompt, type the following command, and then press Enter:
For example:
For example:
Note: Rather than determining and using the -ObjectId parameter when deleting a group,
you can use a variable such as $groupId and the Get-MsolGroup cmdlet with the -SearchString
parameter.
To determine a user’s ObjectId, at the command prompt, type the following command, and then press
Enter:
This returns a list of all users with their UserPrincipalName and objectId, which you can use in the next
series of commands.
To add a user to a security group, at the command prompt, type the following command, and then press
Enter:
For example:
To remove a user from a security group, at the command prompt, type the following command, and then
press Enter:
For example:
FirstName
LastName
DisplayName
UserPrincipalName
The Import-Csv cmdlet will read the CSV file and then create and license an Office 365 user for each user in
the list.
For example:
Note: This cmdlet will generate random passwords for each user; if you want to predefine
your own passwords, you could add an extra column to the CSV file with the passwords in it and
then update the script to include the -Password parameter.
If you need to provision multiple group objects in Office 365, similar to provisioning multiple user accounts,
you can use the Import-Csv cmdlet with a CSV file. The CSV file should contain a list of all the group
accounts that you want to create, in addition to a column for each of the group properties, such as:
DisplayName
Description
TenantID
For example:
$credential = Get-Credential          # prompt once for the admin account
Import-Module MSOnline                # Azure AD module for Windows PowerShell
Connect-MsolService -Credential $credential
If you want to administer Skype for Business Online in Office 365, you should add the following cmdlets to
the script:
Import-Module LyncOnlineConnector
$lyncSession = New-CsOnlineSession -Credential $credential
Import-PSSession $lyncSession
If you also want to administer Exchange Online in Office 365, you should add the following cmdlets to the
script:
If you also want to administer SharePoint Online in Office 365, you should add the following cmdlets to the
script:
Import-Module Microsoft.Online.Sharepoint.PowerShell
Connect-SPOService -url https://contoso-admin.sharepoint.com -Credential $credential
If you want to manage users and groups, you can add the cmdlets for Office 365 users and groups to the
script. For example, if you want to add user Amy to the Marketing distribution group, add the following
cmdlet to the script:
The earlier topics in this lesson include examples of Windows PowerShell cmdlets that you can include in a
script for managing users, groups, and licenses.
You can also reset a user password in the Office 365 admin center or by using a Windows PowerShell
cmdlet. To change a user’s password in Windows PowerShell, at the command prompt, type the following
command, and then press Enter:
Note: If you omit the -NewPassword switch, then it is considered a password reset rather
than a password change; in this case, the user will receive a random password, and they must
change it themselves at the next sign-in attempt.
To configure the password policy for a tenant in Windows PowerShell, at the command prompt, type the
following command, and then press Enter:
You can also view the current password policy settings by using the Get-MsolPasswordPolicy cmdlet.
To configure a password to never expire for a single user, at the command prompt, type the following
command, and then press Enter:
To configure passwords to never expire for all users, at the command prompt, type the following command,
and then press Enter:
To configure a password to expire for a single user, at the command prompt, type the following command,
and then press Enter:
To configure passwords to expire for all users, at the command prompt, type the following command, and
then press Enter:
To view if a single user password is set to never expire, at the command prompt, type the following
command, and then press Enter:
To view the Password Never Expires setting for all users, at the command prompt, type the following
command, and then press Enter:
Note: You can only set passwords to never expire on user accounts that have not been
synchronized with a directory service.
However, you can use Windows PowerShell to change that behavior on a per-user basis.
To remove strong password requirements for a single user, at the command prompt, type the following
command, and then press Enter:
Note: We do not recommend removing the strong password requirement, and you should
do so only if specific circumstances require it.
Lesson 5
Configuring administrative access
In this lesson, you will learn about the permission model in Office 365, and you will learn how to create,
assign, or revoke administrative roles. You will also learn how to determine and assign roles, such as the
global administrator, billing administrator, and user account administrator, and how to delegate
administration to different administrators in your organization.
Lesson Objectives
After completing this lesson, you will be able to:
Global administrator. This role has the same access as the initial administrator and can perform all
available administrative tasks in the Office 365 admin center, including assigning administrator roles to
other users. You can have more than one global administrator role.
Billing administrator. This role can make purchases, manage subscriptions, manage support tickets,
and monitor the health of the online service.
Note: If your organization did not purchase Office 365 directly from Microsoft, but instead
purchased it through a partner, then you cannot make billing changes, and therefore, you cannot
be assigned the billing administrator role.
Password administrator. This role can change and reset passwords, manage service requests, and
monitor the health of the online service. Password administrators can only change and reset passwords
for standard users and other password administrators—not other administrator roles.
Service administrator. This role can manage service requests and monitor the health of the online
service. You first need to assign administrative permission to a service such as Exchange Online before
you assign this role to a user.
User management administrator. This role can create and delete users and groups, and it can reset
passwords, manage service requests, and monitor the health of the online service. Although they can
create and delete users, user management administrators are restricted from the following:
o They cannot reset passwords for billing administrators, global administrators, or service
administrators.
Exchange administrator. This role manages the Exchange Online by using the Exchange admin center
in Office 365.
Skype for Business administrator. This role manages the Skype for Business Online by using the
Skype for Business admin center in Office 365.
SharePoint administrator. This role manages SharePoint Online by using the SharePoint admin
center in Office 365.
Note: In Office 365 for professionals and small businesses, there is only one administrator
role. An administrator can assign other users this same administrator role, but there are no other
subordinate roles to assign.
In Windows PowerShell, not all administrator roles have the same names as specified in the Office 365
admin center. The following table lists the equivalent role names.
Office 365 admin center role name Windows PowerShell equivalent role name
To view the available administrator roles in the Azure AD module for Windows PowerShell, at the command
prompt, type the following command, and then press Enter:
Get-MsolRole
Manage domains.
To assign an administrator role in Windows PowerShell, at the command prompt, type the following
cmdlet, and then press Enter:
For example:
To view a user’s assigned administrator role, at the command prompt, type the following cmdlet, and then
press Enter:
To view all users who are assigned to a specific administrator role, at the command prompt, type the
following cmdlets, pressing Enter after each:
To remove an administrator role in Windows PowerShell, at the command prompt, type the following
cmdlet, and then press Enter:
For example:
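An added example (not the course's code) that combines the role cmdlets in this topic into a review: it lists every administrator role assignment in the tenant, warns when the global administrator count exceeds a limit or when a role holder's sign-in is blocked, and removes a role only after confirming it is still held. It assumes an open MSOnline session; the limit of four is an assumed policy value.

```powershell
# Added example, not from the course. Assumes Connect-MsolService has been run.

# Full "who holds which admin role" list, plus the two checks most worth reviewing.
function Get-AdminRoleAssignments {
    param([int]$MaxGlobalAdmins = 4)   # assumed organizational limit
    $assignments = foreach ($role in Get-MsolRole) {
        foreach ($m in Get-MsolRoleMember -RoleObjectId $role.ObjectId -All) {
            [pscustomobject]@{
                Role         = $role.Name           # PowerShell name, e.g. "Company Administrator"
                MemberType   = $m.RoleMemberType    # User or ServicePrincipal
                EmailAddress = $m.EmailAddress
                DisplayName  = $m.DisplayName
                IsLicensed   = $m.IsLicensed
            }
        }
    }
    # "Company Administrator" is the PowerShell name of the global administrator role.
    $globalAdmins = @($assignments | Where-Object Role -eq 'Company Administrator')
    if ($globalAdmins.Count -gt $MaxGlobalAdmins) {
        Write-Warning "$($globalAdmins.Count) global administrators found (limit $MaxGlobalAdmins)"
    }
    # A blocked account that still holds a role is usually a leaver whose role was never removed.
    foreach ($a in $assignments | Where-Object MemberType -eq 'User') {
        $u = Get-MsolUser -UserPrincipalName $a.EmailAddress -ErrorAction SilentlyContinue
        if ($u -and $u.BlockCredential) {
            Write-Warning "$($a.EmailAddress) holds '$($a.Role)' but sign-in is blocked; remove the role"
        }
    }
    $assignments
}

# Remove a role with Remove-MsolRoleMember, after confirming the user still holds it
# so the call does not error on a stale entry.
function Remove-AdminRole {
    param(
        [Parameter(Mandatory)][string]$RoleName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $held = Get-MsolUserRole -UserPrincipalName $UserPrincipalName | Where-Object Name -eq $RoleName
    if (-not $held) { Write-Warning "$UserPrincipalName does not hold $RoleName"; return }
    Remove-MsolRoleMember -RoleName $RoleName -RoleMemberType User -RoleMemberEmailAddress $UserPrincipalName
}

Get-AdminRoleAssignments | Sort-Object Role, EmailAddress | Format-Table -AutoSize
```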
Global administrator | Exchange Online administrator | SharePoint Online administrator | Skype for Business Online administrator
Company administrator
User management administrator | Not applicable | Not applicable | Skype for Business Online administrator
Skype for Business Online administrator | Not applicable | Not applicable | Skype for Business Online administrator
1. Open the email message from your partner and read the terms of the offer.
2. Click the link to authorize the agreement, which takes you to an authorization page in Office 365.
3. Under Delegated administration, click Yes to authorize the partner to be your delegated administrator.
4. If the delegated administration offer came with a trial subscription or a purchase offer, create the trial
or subscription tenant account.
To view the delegated administrators:
2. On the left navigation pane, click Users, in the list view, click the Select a view drop-down list and then
select any of the roles you have assigned.
Note: If you do not have a delegated administrator, the message on that page will state,
“There are no delegated administrators associated with your account.”
Limited administration. This role has the same privileges as the Password administrator role in
Office 365.
To ensure that you manage Office 365 administrator roles correctly, we recommend the following best
practices:
Carefully plan administrator roles by creating a matrix to distribute roles based on the organization’s
operational model.
Ensure that you keep administration roles up to date by changing or removing roles as necessary.
Ensure that you get approval and sign off for final administration role design.
Question: What are the administrator roles that you can assign in Office 365?
Objectives
After completing this lab, you will be able to:
Manage Office 365 groups by using the Office 365 admin center.
Lab Setup
Estimated Time: 60 minutes
Password: Pa$$w0rd
In all tasks:
LON-DC1
LON-CL1
3. In the Office 365 admin center, create a new group named Sales, with a description of Sales
department users.
5. In the Office 365 admin center, create a new group named Accounts, with a description of Accounts
department users.
6. Add Francisco Chaves and Sallie McIntosh as group members.
o Sales
o Accounts
6. Confirm that Amy Santiago’s account still exists in the list of users.
Results: After completing this exercise, you should have created and managed security groups.
Task 1: Install Microsoft Azure Active Directory module for Windows PowerShell
1. On LON-CL1, open Microsoft Edge, and browse to http://aka.ms/t01i1o.
2. Download and install Microsoft Online Services Sign-In Assistant for IT Professionals RTW.
4. Download and install the Microsoft Azure AD module for Windows PowerShell.
Task 2: Create new users and assign licenses by using Windows PowerShell
1. On LON-CL1, on the desktop, right-click the Windows Azure Active Directory Module for Windows
PowerShell shortcut, and then click Run as administrator.
3. At the command prompt, type the following command, and then press Enter:
Connect-msolservice
Get-MsolUser -UnlicensedUsersOnly
8. Use the following command to assign a license to Catherine Richard; replace Adatumyyxxxxx in the
-AddLicenses attribute with the onmicrosoft.com domain name provided by the hosting provider:
9. Use the following command to assign a license to Tameka Reed; replace Adatumyyxxxxx in the
-AddLicenses attribute with the onmicrosoft.com domain name provided by the hosting provider:
10. Use the following command to prevent a user from signing in to Office 365:
12. Use the following command to view the Deleted Users list:
Get-MsolUser -ReturnDeletedUsers
15. Use the following command to view the Deleted Users list:
Get-MsolUser -ReturnDeletedUsers
16. Verify that Catherine Richard is no longer in the Deleted Users list.
17. Use the following command to view the Active Users list:
Get-MsolUser
5. To bulk import several users from a CSV file, copy and paste this code into the Administrator: Windows
Azure Active Directory Module for Windows PowerShell window on LON-CL1, and then press Enter:
Get-MsolUser
7. In the Office 365 admin center, verify the new user accounts.
8. In the Exchange admin center, verify that the users have been assigned mailboxes.
3. Use the following command to configure a variable for the first user account:
4. Use the following command to configure a variable for the second user account:
5. Use the following command to add Catherine Richard to the Marketing group:
6. Use the following command to add Tameka Reed to the Marketing group:
7. Use the following command to verify the members of the Marketing group:
3. At the command prompt, type the following command, and then press Enter:
Results: After completing this exercise, you should have created new users, assigned licenses, modified
existing users, and configured groups and user passwords by using the Windows PowerShell command-line
interface.
3. In the Office 365 admin center, configure Francisco Chaves as a Billing administrator using an
alternate email address of user@alt.none.
4. In the Office 365 admin center, configure Tameka Reed as a Password administrator from the list.
6. In the Office 365 admin center, configure Christie Thomas as User management administrator.
2. Use the following command to add Nona to the company administrator role:
3. Use the following command to input the service support administrator role to the $role variable:
5. Verify that Sallie McIntosh is in the list of users who have the Service Support Administrator role.
6. Use the following command to input the billing administrator role to the $role variable:
8. Verify that Francisco Chaves is in the list of users who have the billing administrator role.
9. Use the following command to input the company administrator role to the $role variable:
11. Verify that Nona Snider is in the list of users who have the Company Administrator role.
12. At the command prompt, type the following command, and then press Enter:
Exit
4. Verify that you cannot modify any settings for Jessica Jennings’s user account.
8. Verify that you can modify settings on the Jessica Jennings user account. Change her phone number to
555-1234 and then block her sign in access.
9. Verify that you can add a new user named Chris Breland.
10. Verify that you can also delete the user account that you created.
Results: After completing this exercise, you should have assigned delegated administrators in the Office
365 admin center, managed delegated administration with Windows PowerShell, and verified delegated
administration.
Question: How will you configure Office 365 password policies in your organization, and will
you use multi-factor authentication?
Question: Why is it more convenient to assign permissions to security groups than to users?
Question: In which management scenarios will you use Office 365 with Windows PowerShell
rather than the Office 365 admin center?
Best Practices
Always perform detailed planning for user and group management, and check the plan in a test Office
365 tenant before deploying in production.
Plan and test user administrative tasks to improve user management efficiency and to eliminate errors
in the production environment, especially when running Windows PowerShell scripts.
Plan for multi-factor authentication to help administrators choose the authentication method that suits
their organizational security requirements.
Plan administrative roles to distribute administrative tasks according to organizational security and
business requirements.
Module 3
Configuring client connectivity to Microsoft Office 365
Contents:
Module Overview 3-1
Module Overview
Microsoft Office 365 supports different types of clients that run on various hardware platforms. In this
module, you will learn about the different types of client software that you can use to connect to Office 365.
You also will learn about the infrastructure requirements that the clients need to connect to Office 365, and
how to configure different types of Office 365 clients.
Objectives
After completing this module, you will be able to:
Plan for the deployment of Office 365 clients.
Lesson 1
Planning for Office 365 clients
You can use several clients to connect to Office 365, such as Office 2016 apps for Windows, Microsoft Office
Online, mobile devices, and Office 2016 for Mac. Based on your organization’s business requirements, you
should choose the appropriate clients and deploy them in your organization.
Lesson Objectives
After completing this lesson, you will be able to:
Identify the mobile clients that are available for Office 365.
Office Online
There also are Office Online versions of Word, Excel, PowerPoint, and OneNote. Office Online streams them
directly from the cloud, and you cannot use these applications offline.
To use Office Online, you need a subscription for an Office 365 plan that includes SharePoint Online.
The Skype integration feature enables users to collaborate from any device by using instant messaging,
audio, video, and screen sharing.
The multiplatform support feature in Word, PowerPoint, Excel, OneNote, and Outlook enables users to
work on different devices, including Windows, Android, and Apple devices.
The Clutter feature in Outlook makes decisions on prioritizing users’ emails, and moves lower priority
emails to a separate folder.
Office Online
Office Online provides an alternative way to use
Office applications online. You cannot use Office
Online in an offline mode, and it is either streamed
from Office 365 or from on-premises servers.
Therefore, you need Internet access or network
access to use Office Online, and you also must
subscribe to an Office 365 plan that includes
SharePoint Online. Once you meet all of these
requirements, you can use the following Office
Online apps to view and edit documents online:
Office Online vs. Office 365 ProPlus and Office 2016 Professional Plus
Office Online provides a subset of the Office 365 ProPlus and Office 2016 Professional Plus features.
However, this subset includes all of the editing and formatting features that users utilize most commonly,
including:
Word Online. Includes features that allow you to perform basic document editing and formatting in a
web browser. However, to perform advanced editing, you must open the documents in Word by using
the Open in Word command. After you finish your edits, you can save them to the website from which
you opened Word Online.
Additional Reading: For more information, refer to Differences between using a document
in the browser and in Word: http://aka.ms/b2wwul.
OneNote Online. Enables you to take notes and organize note pages in a web browser. However, to
perform advanced editing, you must open the notebooks in OneNote by using the Open in OneNote
command. In OneNote Online, you cannot open notebooks that are created with versions prior to
OneNote 2010.
Additional Reading: For more information, refer to Differences between using a notebook
in the browser and in OneNote: http://aka.ms/js6f8w.
PowerPoint Online. Enables you to create and share basic presentations in your web browser. You can
work simultaneously with others, and present your slide show from anywhere. To perform advanced
editing, you must open the presentations in PowerPoint by using the Open in PowerPoint command.
Additional Reading: For more information, refer to How certain features behave in
PowerPoint Online: http://aka.ms/edhcwl.
Excel Online. Enables you to view a workbook in a browser window, and use basic editing and printing
features. However, to perform advanced editing, you must open the workbook in Excel by using the
Open in Excel command.
Additional Reading: For more information, refer to Differences between using a workbook
in the browser and in Excel: http://aka.ms/sc8n0n.
System requirements
Office Online supports the following browsers:
Microsoft Edge
Additional Reading: For more information on browser requirements, refer to Office Online
browser support: http://aka.ms/jv2cok.
Product | Feature
Office | Provides improved integration capabilities with OneDrive, OneDrive for Business, and SharePoint
Office | Provides multitouch gesture support
Word | Provides improved document sharing capabilities that enable users to share files and invite other users to review or edit documents
Word | Improves coauthoring, which enables multiple users to work simultaneously in the same Word document
Word | Provides relevant contextual Internet information that the Bing search provider displays in the Insights pane
Excel | Provides the PivotTable Slicers feature, which helps users discover patterns in large volumes of data
Excel | Offers the Analysis ToolPak add-in feature, which enables users to perform complex statistical or engineering analysis
PowerPoint | Offers the Threaded comments feature, which allows users to have conversations about the relevant text
PowerPoint | Provides an improved presenter view
PowerPoint | Provides improved coauthoring features, which allow multiple users to work simultaneously in the same PowerPoint presentation
OneNote | Provides sharing capability for OneNote notebooks with other users
OneNote | Offers different formatting capabilities for notes, including the ability to insert files, pictures, and tables
Lesson 2
Planning connectivity for Office 365 clients
Organizations should consider business requirements before implementing Office 365 clients, and
administrators should evaluate system requirements for Office 365 clients before deployment.
Furthermore, administrators should evaluate the network-bandwidth requirements and technologies that
will provide automatic client configuration, such as Autodiscover.
Lesson Objectives
After completing this lesson, you will be able to:
Describe Autodiscover.
Describe how Outlook and Skype for Business use Autodiscover.
Identify the Domain Name System (DNS) records that Autodiscover requires.
Port | Used by
TCP 443 | Office 365 portal (admin and user), Outlook, Outlook on the web, SharePoint Online, the Skype for Business client, and Active Directory Federation Services (AD FS) federation and proxy
TCP 80/443 | Microsoft Azure Active Directory Sync tool, mail migration tools, Exchange Management Console, and Exchange Management Shell
STUN/TCP 443 | Skype for Business Online: outbound audio, video, and application sharing sessions
STUN/UDP 3478 | Skype for Business Online: outbound audio and video sessions
RTC/UDP 50000-59000 | Skype for Business: outbound audio and video sessions
Additional Reading: For more information on the list of ports, refer to Ports and protocols
used by Office 365: http://aka.ms/ifj2gl.
r3.res.outlook.com
r4.res.outlook.com
prod.msocdn.com
Additional Reading: For more information on IP-based filtering, refer to Office 365 URLs
and IP address ranges: http://aka.ms/rploze.
IPv6-capable devices
If the organization is connecting to Office 365 with network equipment that is capable of Internet Protocol
version 6 (IPv6), you must ensure that:
The network equipment can support Internet Protocol version 4 (IPv4) and IPv6.
Any perimeter hardware solution has been configured to allow IPv6 clients to connect to the
Microsoft Exchange Online services.
For example, if your organization uses a web proxy, you must configure it as an IPv6-capable web proxy.
The Office 365 service offerings to which the organization has subscribed.
The number of client computers that will be in use at any given time.
The nature of the tasks that each client computer will perform.
The capacity of the network connections and network segments associated with each client computer.
The organization’s network topology and capacity of its network hardware.
The number of simultaneous Skype for Business conferencing and telephony connections.
It is important to test and validate download, upload, and latency constraints with respect to Internet
bandwidth, so that you can ensure that your end users have a satisfactory experience. Apart from the user’s
experience, the Internet bandwidth also affects the speed at which you can migrate on-premises mailbox
content to Exchange Online. If you have slow or high-latency connectivity, you can migrate only a few mailboxes
during one migration window. Later modules in this course will provide more information on this topic.
Office 365 ProPlus installation uses significant bandwidth, and you must run the Office 365 ProPlus desktop
setup on each client computer. If you initiate the setup without installing any necessary operating system
service packs and updates, this can utilize a significant amount of download bandwidth, because each
computer connects separately to the Internet, downloads the service packs or updates, and installs them.
To prevent bandwidth saturation, you should deploy updates before you deploy the Office 365 ProPlus
setup. You also can use a package deployment tool, such as Microsoft System Center Configuration
Manager, so that updates download only once, and you then can distribute them as part of your planned
and scheduled deployment.
If you cannot deploy the updates prior to deploying the Office 365 ProPlus setup, you can use Active
Directory Group Policy to throttle the Office 365 ProPlus deployment by deploying the setup package to
one user subset at a time, such as by organizational unit or site/location. This allows all users to download
the updates, but the download’s length might vary from days to weeks. There are tools, such as the
Exchange Client Network Bandwidth Calculator and the Skype for Business Bandwidth Calculator, that you can
use to estimate network bandwidth.
Additional Reading: For more information, refer to Exchange Client Network Bandwidth
Calculator: http://aka.ms/r7m054.
Additional Reading: For more information, refer to Skype for Business Bandwidth
Calculator: http://aka.ms/i6jsff.
NAT limitations
While evaluating network-bandwidth requirements, you also must consider NAT limitations. Most users on
corporate networks access the Internet through a private (RFC1918) IP address space. Organizations then
use gateway technologies, such as firewalls and proxies that provide NAT, or port address-translation
services to translate from the internal private address space to an external IP address or address range. Each
outbound connection from an internal device translates to a different source Transmission Control Protocol
(TCP) port on the public IP address. Therefore, thousands of users on a corporate network can share a few
publicly routable IP addresses.
An Outlook client potentially can consume eight or more connections. The maximum number of available
ports on a Windows-based NAT device is 64,000, so there typically would be a maximum of 8,000 users
behind an IP address before the ports are exhausted. If customers are using NAT devices that are not
running a Windows operating system, the total available ports could be less than 64,000.
To determine the maximum number of devices behind a single public IP address, monitor the network
traffic to determine peak port consumption per client. Also, set a peak factor for the port usage (minimum
four). You then can use the following formula to calculate the maximum number of supported devices per
IP address:
Maximum supported devices behind a single public IP address = (64,000 – restricted ports)/(Peak port
consumption + peak factor).
For instance, if 4,000 ports were restricted so that they can be used by Windows devices and six ports were
needed per device, with a peak factor of four:
Maximum supported devices behind a single public IP address = (64,000 – 4,000)/(6 + 4) = 6,000.
To support more than 2,000 devices behind a single public IP address, follow these recommendations to
assess the maximum number of supported devices:
Monitor network traffic to determine peak port consumption per client, and collect this data from
multiple locations, from multiple devices, and at multiple times.
Use the formula listed above to calculate the maximum users per IP address that can be supported in
your environment.
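The following PowerShell script is an added example, not part of the course, that carries out the two recommendations above: it samples how many TCP sessions a client process holds open to find peak port consumption, and then applies the capacity formula from this topic. It assumes a Windows client with the NetTCPIP module (Get-NetTCPConnection); the process name OUTLOOK and the sampling interval are constructed sample inputs, and the restricted-port count and peak factor are the values from the worked example.

```powershell
# Added example (not part of the course): measure peak TCP port consumption for a
# client process and apply the capacity formula from this topic.
# Assumptions: runs on a Windows client with the NetTCPIP module (Get-NetTCPConnection);
# the process name OUTLOOK and the sampling interval are constructed sample inputs;
# the restricted-port count and peak factor are the values from the worked example.

function Get-PeakPortConsumption {
    # Sample the TCP sessions owned by a process several times and return the
    # highest count observed. Each outbound session consumes one NAT port mapping,
    # so half-open and TIME_WAIT sessions are counted as well as established ones.
    param(
        [string]$ProcessName = 'OUTLOOK',
        [int]$Samples = 12,
        [int]$IntervalSeconds = 5
    )
    $peak = 0
    for ($i = 0; $i -lt $Samples; $i++) {
        $procIds = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object Id)
        if ($procIds.Count -gt 0) {
            $sessions = @(Get-NetTCPConnection -ErrorAction SilentlyContinue |
                Where-Object { $procIds -contains $_.OwningProcess -and
                               $_.State -in 'Established', 'SynSent', 'TimeWait' })
            if ($sessions.Count -gt $peak) { $peak = $sessions.Count }
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
    return $peak
}

function Get-MaxDevicesPerPublicIP {
    # Maximum supported devices behind a single public IP address
    #   = (64,000 - restricted ports) / (peak port consumption + peak factor)
    param(
        [Parameter(Mandatory)][int]$PeakPortConsumption,
        [int]$RestrictedPorts = 4000,   # ports reserved for other use (worked-example value)
        [int]$PeakFactor = 4,           # course minimum of four
        [int]$TotalPorts = 64000        # ports available on a Windows-based NAT device
    )
    if ($PeakFactor -lt 4) { throw 'Peak factor must be at least 4.' }
    if ($PeakPortConsumption -lt 1) { throw 'Peak port consumption must be at least 1.' }
    return [int][math]::Floor(($TotalPorts - $RestrictedPorts) / ($PeakPortConsumption + $PeakFactor))
}

# Worked example from the course: six ports per device, 4,000 restricted ports, peak factor 4
Get-MaxDevicesPerPublicIP -PeakPortConsumption 6

# Live measurement (uncomment on a client running Outlook). A NAT device that is not
# running Windows may offer fewer than 64,000 ports, so pass its real limit in -TotalPorts.
# $peak = Get-PeakPortConsumption
# Get-MaxDevicesPerPublicIP -PeakPortConsumption $peak -RestrictedPorts 4000
```

Run the measurement from several locations and at several times of day, as the recommendations state, and feed the highest value observed into Get-MaxDevicesPerPublicIP; the result is rounded down because a fraction of a device cannot be supported.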
MCT USE ONLY. STUDENT USE PROHIBITED
3-12 Configuring client connectivity to Microsoft Office 365
We recommend that you use Office 365 health, readiness, and connectivity checks in the following
scenarios:
When your organization has deployed Office 365, and plans to add new features.
Office 365 health, readiness, and connectivity checks perform tests in the following categories:
Office setup. They evaluate the configuration of a user’s Outlook and Office deployment.
Computer settings. They evaluate a computer to determine whether it has the latest updates, and what
Internet browsers and other configuration settings it utilizes.
Domains. They evaluate the Office 365 domains and determine whether the DNS settings are correct.
Users and Groups. If the organization uses Active Directory Domain Services (AD DS), it verifies the
security objects for directory synchronization and/or single sign-on (SSO). Organizations can ignore
errors if they are not planning to integrate their directory with Office 365.
Office 365 health, readiness, and connectivity checks display the results in the following categories:
Passed. This displays when an organization’s settings are correct for Office 365.
Warning. This displays when an organization’s settings are not optimized for Office 365. You can fix the
settings, so that the results do not show warnings, or choose to ignore the warnings, and continue with
your deployment.
Error. This displays when an organization’s settings have issues that will block the Office 365
deployment. You should fix the settings before you continue with the Office 365 deployment.
If you want to run Office 365 Best Practices Analyzer, you must download it from the previous Office 365
admin center. You need an Office 365 or Microsoft Azure Active Directory user ID to download the tool.
Office 365 Client Performance Analyzer performs the following networking tests:
Performs network performance analysis between client computers and Office 365
Checks the client computer information, including operating system, browser, and hardware
configurations
Performs route tracing and measures bandwidth
What is Autodiscover?
The Autodiscover service in Office 365 simplifies
client configuration in Microsoft Office Outlook
2007, Outlook 2010, Outlook 2013, and Outlook
2016. Autodiscover provides configuration
information that Outlook requires to create a
configuration profile for the client. The
Autodiscover service provides profile settings to
Outlook 2007, Outlook 2010, Outlook 2013, and
Outlook 2016 clients and the supported mobile
devices based on the user’s email address and
password. Additionally, it provides configuration
information for Skype for Business clients when
they connect to Skype for Business Online in Office 365. If you want to connect Outlook and Skype for
Business clients to the Office 365 service, you must create appropriate DNS records that will point to the
Autodiscover service in Office 365.
Note: The “DNS records required for Autodiscover” topic later in this lesson provides a
detailed description about the DNS records that are necessary for locating the Autodiscover
services for Outlook and Skype for Business clients.
You can test whether Autodiscover is working correctly by pressing the Ctrl key, right-clicking the Outlook
icon in the notification area, and then clicking Test E-mail AutoConfiguration.
You can use the Microsoft Remote Connectivity Analyzer tool for testing the Autodiscover functionality.
You can use this official Microsoft testing tool to test Autodiscover for ActiveSync and Outlook connectivity,
and use it for an on-premises Exchange Server, and to test Office 365 service availability.
Note: The “Troubleshooting client connectivity” topic later in this lesson explains the
Microsoft Connectivity Analyzer Tool.
Additional Reading: You can find the Remote Connectivity Analyzer tool at the following
URL: http://aka.ms/ppl6h8.
3. The request that the client makes to Office 365 is actually an HTTP POST command to the
Autodiscover service endpoint, which requests configuration information for the SMTP address that
the client sends in the request.
5. Outlook downloads and applies the required configuration information from the Autodiscover service.
6. Outlook then uses the appropriate configuration settings to connect to Exchange Online in
Office 365.
The Skype for Business clients connect to Office 365 in the following manner:
1. When a Skype for Business client starts for the first time, you have to type your email address and
password in the appropriate fields.
2. Based on the email address that you enter, the client looks for specific records in DNS. For example, if
you sign in as Holly@Adatum.com, the Skype for Business client will search for the sip.adatum.com
record. The client redirects Skype for Business to the Autodiscover service in Office 365, where the
client performs a request to download the configuration information.
3. Office 365 provides the Autodiscover information to the Skype for Business client.
4. The Skype for Business client downloads and applies the required configuration information from the
Autodiscover service.
5. The Skype for Business client then uses the appropriate configuration settings to connect to Skype for
Business Online in Office 365.
The following table lists the Autodiscover records that Outlook clients need to connect to Exchange Online
in Office 365.
The following table lists the Autodiscover records that Skype for Business clients need to connect to Skype
for Business Online in Office 365.
The Microsoft Connectivity Analyzer Tool is a companion to the Remote Connectivity Analyzer website.
Remote Connectivity Analyzer enables you to identify connectivity issues by simulating connectivity from
the Internet, while the Microsoft Connectivity Analyzer Tool allows both you and end users to run similar
tests from a client computer within the corporate network.
To install the Microsoft Connectivity Analyzer Tool, go to the Remote Connectivity Analyzer website at
http://testconnectivity.microsoft.com, click the Client tab, and then click Install Now.
The Microsoft Connectivity Analyzer Tool and the Remote Connectivity Analyzer both provide a log that
shows the test steps that were successful, and those that were unsuccessful. Additionally, the Microsoft
Connectivity Analyzer Tool provides a Tell me more about this issue and how to resolve it link that
provides suggestions about how to help fix reported issues. You can save the log as MCATestResults.html.
Additional Reading: For more information on the specific error conditions that are
identified by the Microsoft Connectivity Analyzer Tool, and for help on resolving the issue, refer to
the Microsoft Connectivity Analyzer Tool: http://aka.ms/aphk3s.
The Office 365 Support and Recovery Assistant tool performs diagnostic tests to identify and fix potential
issues with Office setup, Outlook, Outlook for Mac, Mobile devices, and Outlook on the web.
Question: Which tools will you use for evaluating network connectivity for Office 365?
Question: Which tools will you use to troubleshoot client connectivity with Office 365?
Lesson 3
Configuring connectivity for Office 365 clients
When an organization deploys different types of Office 365 clients, the organization’s administrators must
configure and support Office 365 clients. Some clients, such as Outlook and the Skype for Business client,
use the Autodiscover functionality to connect to Office 365 services automatically. Other clients, such as
Office Online, are web-based and only require users to connect to the Internet to access their
functionalities. Furthermore, you will need to configure and manage many users’ mobile devices so that
they can access Office 365 services.
Lesson Objectives
After completing this lesson, you will be able to:
Configuring Outlook
When Outlook users connect to Office 365, they
need to provide their Office 365 email address and
password when they start Outlook for the first
time. The Autodiscover functionality in Office 365
automatically configures Outlook for use with
Office 365. For Autodiscover to work properly, you
must configure appropriate DNS records during
the Office 365 tenant setup.
Connectivity protocols
Outlook can connect to Office 365 by using the
Messaging Application Programming Interface
(MAPI) over HTTP or Outlook Anywhere. Both
protocols use MAPI commands to communicate with Exchange Online in Office 365, but Outlook
Anywhere encapsulates remote procedure call (RPC) packets that contain the MAPI commands in HTTPS.
MAPI over HTTP places the MAPI commands directly in HTTPS packets, which is more efficient. MAPI over
HTTP is better designed for modern networks and connectivity over the Internet. MAPI over HTTP and
Outlook Anywhere both use TCP port 443. If a client, such as Outlook 2010, does not support MAPI over
HTTP, it always uses Outlook Anywhere.
However, in a hybrid deployment of Office 365, Outlook clients always need to connect to the Autodiscover
service that is running on the organization’s Exchange server. When a client is on an internal network,
Outlook locates the Exchange server by searching for the Autodiscover Service Connection Point located in
AD DS. After Outlook connects to the Exchange server, the Exchange server determines if the user’s mailbox
is in an on-premises environment or in Office 365. If the user’s mailbox is located in Office 365, the
Exchange server provides alternate SMTP domain information to Outlook. Outlook uses that alternate
SMTP domain to search for the Office 365 Autodiscover service’s record on the Internet, and then connects
to Exchange Online in Office 365. When a client is on the Internet, Outlook locates the Exchange server by
searching for the Autodiscover record that points to the Exchange client access services on the internal
network. After Outlook connects to the Exchange server, the Exchange server determines if the user’s
mailbox is in an on-premises environment or in Office 365. If the user’s mailbox is located in Office 365,
the Exchange server provides alternate SMTP domain information to Outlook, which uses it to search for
the Office 365 Autodiscover service’s record on the Internet, and then connects to Exchange Online in
Office 365.
Network configuration
Office 365 services contain multiple endpoints through which clients connect to services, such as Exchange
Online, Skype for Business Online, and SharePoint Online. Office 365 endpoints include fully qualified
domain names (FQDNs), ports, uniform resource locators (URLs), and IPv4 and IPv6 address ranges. Some
organizations restrict computers on their networks from accessing certain Internet resources. Therefore, it is
important that you know every endpoint that Office 365 uses, so that you can properly configure the
organization’s network devices, such as routers and firewalls. After you configure the network devices,
clients can connect successfully to Office 365 services.
Note: For more information on Office 365 endpoints, refer to Office 365 URLs and IP address
ranges: http://aka.ms/Cpq72y.
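The following PowerShell script is an added example, not part of the course, that checks from a client on the corporate network whether the firewall and proxy allow the TCP ports that Office 365 endpoints require, which is the verification step a practitioner performs after configuring the network devices described above. The endpoint list is a small constructed sample: sipdir.online.lync.com on port 443 and sipfed.online.lync.com on port 5061 come from this module, while outlook.office365.com on port 443 is an assumed Exchange Online endpoint; the full list must be taken from the Office 365 URLs and IP address ranges article. It assumes a Windows client with the NetTCPIP module (Test-NetConnection).

```powershell
# Added example (not part of the course): confirm from a client on the corporate network
# that the firewall and proxy allow the TCP ports that Office 365 endpoints require.
# The endpoint list is a constructed sample: sipdir.online.lync.com:443 and
# sipfed.online.lync.com:5061 come from this module; outlook.office365.com:443 is an
# assumed Exchange Online endpoint. Build the real list from the "Office 365 URLs and
# IP address ranges" article referenced in this topic.

$Endpoints = @(
    @{ Service = 'Skype for Business Online (sign-in)';    Fqdn = 'sipdir.online.lync.com'; Port = 443  },
    @{ Service = 'Skype for Business Online (federation)'; Fqdn = 'sipfed.online.lync.com'; Port = 5061 },
    @{ Service = 'Exchange Online (assumed endpoint)';     Fqdn = 'outlook.office365.com';  Port = 443  }
)

function Test-Office365Endpoint {
    # Resolve the name and attempt a TCP handshake on the required port.
    param([string]$Fqdn, [int]$Port)
    $result = Test-NetConnection -ComputerName $Fqdn -Port $Port -WarningAction SilentlyContinue
    $resolved = if ($result.RemoteAddress) { $result.RemoteAddress.IPAddressToString } else { $null }
    [pscustomobject]@{
        Fqdn         = $Fqdn
        Port         = $Port
        ResolvedTo   = $resolved
        TcpSucceeded = [bool]$result.TcpTestSucceeded
    }
}

function Test-Office365Connectivity {
    # Test every endpoint in the sample list and return the ones that are blocked.
    # A name that does not resolve points at an internal DNS problem; a name that
    # resolves but fails the TCP test points at a firewall or proxy rule.
    $blocked = @()
    foreach ($e in $Endpoints) {
        $r = Test-Office365Endpoint -Fqdn $e.Fqdn -Port $e.Port
        $dns = if ($r.ResolvedTo) { $r.ResolvedTo } else { 'no answer' }
        if ($r.TcpSucceeded) {
            Write-Host ("OK      {0,-45} {1}:{2} -> {3}" -f $e.Service, $r.Fqdn, $r.Port, $dns)
        } else {
            Write-Warning ("BLOCKED {0} {1}:{2} (DNS: {3})" -f $e.Service, $r.Fqdn, $r.Port, $dns)
            $blocked += $r
        }
    }
    return $blocked   # empty when every sampled endpoint is reachable
}

$blocked = Test-Office365Connectivity
if ($blocked.Count -eq 0) { Write-Host 'All sampled Office 365 endpoints are reachable.' }
```

Because the script distinguishes a failed name lookup from a failed TCP handshake, it tells you whether to look at the internal DNS servers or at the firewall and proxy rules when a client cannot reach a service.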
Users also can choose to configure a Skype for Business client manually. We do not recommend this
configuration method because it increases the probability that users will make a typing error. Furthermore,
non-IT users might find it difficult to configure the Skype for Business client, which might lead to increased
support calls to your organization’s IT department.
However, in some scenarios, users might have to configure the Skype for Business client manually. For
example, if the DNS configuration for the Autodiscover service is not configured properly, clients cannot
locate Autodiscover services in Office 365. In this case, users must configure the Skype for Business client
manually, and then test the Skype for Business Online functionality.
To configure the Skype for Business client, users must perform the following steps:
1. In the upper-right corner of the Skype for Business client, click Options.
3. In the Skype for Business – Options window, in the navigation pane on the left, click Personal.
4. In the right pane of the window, under My Account, type their email address, and click Advanced.
6. Insert the following information for both Internal Server Name and External Server Name:
sipdir.online.lync.com:443.
Note: The Online Meeting add-in for Skype for Business, which supports meeting
management from the Microsoft Outlook messaging and collaboration client, installs
automatically with Skype for Business.
Word Online does not have advanced page layout tools or advanced printing capabilities.
Users cannot preview or author Office Online documents without an Internet connection.
Office Online documents do not have Office add-ins, and they cannot run Visual Basic for Applications
(VBA) and forms scripts.
The default locations for saving documents differ between Office Online and on-premises Office, as
follows:
Word Online. Users must save documents manually, because there is no auto-save feature, and they
can save them locally.
Excel Online. Users must save the worksheets manually. They can use the download command to
download a copy to the local computer.
OneNote Online. If a OneNote notebook is saved to a Microsoft SharePoint document library, the
OneNote notebook is available online. Users can share the notebook by sending a link in an email
message, rather than sending it as an email attachment. Recipients can click the link to read notes in
their web browser.
PowerPoint Online. It saves all changes automatically, and there is no Save command that the users
must utilize. To download a copy of a file, users must have the PowerPoint desktop app. If a
presentation is saved in a SharePoint document library, the presentation is available online. Users can
share the presentation by sending a link in an email message, rather than sending it as an email
attachment. Recipients with proper permissions can view the presentation in their web browser or
mobile device.
The differences in supported file types in Office Online and on-premises Office include:
Binary and template files in Excel are not available in Excel Online.
In SharePoint Online, you can configure the default behavior for opening documents, so that they open in
Office Online or in an Office client application.
Additional Reading: For more information on Office Online, refer to Office Online Service
Description: http://aka.ms/qla0s5.
The files that a user stores in OneDrive for Business are visible initially only to the user who stored them.
However, the user can share the files with everyone in the organization by simply placing them in the
Shared with Everyone folder. Alternatively, the user can share a file with specific coworkers by clicking the
SHARE option that appears when they click the ellipsis (…) menu for a file. After clicking the SHARE option,
the user can enter the names of coworkers to whom they want to send an invitation to share the file.
Note: OneDrive for Business is not the same as OneDrive, which is a cloud-based service that
is for personal storage, and which is provided with Microsoft and Outlook.com accounts. This can
be confusing because in the Office 365 portal, the OneDrive for Business feature actually displays
as OneDrive in the navigation bar.
To synchronize OneDrive for Business with a local computer, users can perform the following steps:
1. In the Office 365 portal or in a SharePoint Online site page, click OneDrive in the navigation bar.
6. On the Ready to sync your OneDrive for Business documents? page, click Sync Now.
The synchronized files will be located in a OneDrive for Business subfolder under their username, and they
now can work on the files locally. Any changes that they make will synchronize automatically with the
OneDrive for Business library when they go back online.
Additional Reading: For more information, refer to What is OneDrive for Business?:
http://aka.ms/p9wzus.
2. Set up MDM for Office 365, by configuring domains for MDM and the Apple Push Notification Service
certificate for iOS devices.
3. Create MDM device security policies.
4. Enroll users. After you deploy an MDM policy, each Office 365 user receives an enrollment message
when they sign in to Office 365 from their mobile device. They must complete the enrollment and
activation steps before they can access any Office 365 email and documents. Users who work on
Android or iOS devices have to install the Company Portal app as part of the enrollment process.
5. Manage mobile devices from the previous Office 365 admin center. Some common MDM tasks
include, viewing device properties, accessing reports, and wiping devices.
Question: What steps should you perform to enable MDM in Office 365?
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 60 minutes
Password: Pa$$w0rd
In all tasks:
LON-DC1
LON-CL1
LON-CL2
1. Review the recommended DNS records in the Office 365 admin center.
Task 1: Review the recommended DNS records in the Office 365 admin center
1. Switch to the LON-CL1 virtual machine.
4. In the Office 365 admin center, in the Domains window, review the domain names assigned to the
Adatum tenant.
5. In the Domains window, under the Adatum domain on the right, review the recommended DNS
records.
6. On the DNS errors page, review the records that need to be configured for your domain.
a. On the Service Location (SRV) tab, enter the following information, and then click OK:
Service: _sip
Protocol: _tls
Priority: 100
Weight: 1
Port number: 443
Host offering this service: sipdir.online.lync.com
Time to live: 1 hour (default)
b. On the Service Location (SRV) tab, enter the following information, and then click OK:
Service: _sipfederationtls
Protocol: _tcp
Priority: 100
Weight: 1
Port number: 5061
Host offering this service: sipfed.online.lync.com
Time to live: 1 hour (default)
a. On the Alias (CNAME) tab, enter the following information, and then click OK:
Alias name: sip
Fully qualified domain name: sip.adatumyyxxxxx.hostdomain.com
Fully qualified domain name (FQDN) for target host: sipdir.online.lync.com
Time to live: 1 hour (default)
b. On the Alias (CNAME) tab, enter the following information, and then click OK:
Alias name: lyncdiscover
Fully qualified domain name: lyncdiscover.adatumyyxxxxx.hostdomain.com
Fully qualified domain name (FQDN) for target host: webdir.online.lync
Time to live: 1 hour (default)
3. Switch back to LON-CL1, and then in the Office 365 admin console, click Check DNS.
4. You should now see that most records are not listed anymore (you should see msoid,
enterpriseregistration, enterpriseenrollment, and SPF records). Click to close the page.
10. In the Office 365 portal, click Mail, and configure your time zone.
12. When the name resolves, note her instant message (IM) status. It might take a couple of minutes for
her status to update.
15. Reply to the IM. Note that you now can send IMs between the two users.
16. Close both IM windows, and then close the Microsoft Edge windows on both virtual machines.
Results: After completing this exercise, you should have reviewed the recommended DNS records in the
Office 365 admin center, configured the DNS records for external clients, and configured the DNS records
for internal clients.
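The following PowerShell script is an added example, not part of the lab, that creates the Skype for Business Online SRV and CNAME records from this exercise on the internal DNS server with the DnsServer module and then verifies them with the DnsClient module; it also serves the "DNS records required for Autodiscover" topic in Lesson 2, whose record tables are not reproduced in this text. It assumes that the zone name is a placeholder for the lab's adatumyyxxxxx.hostdomain.com, that it runs on a DNS server such as LON-DC1 or on a host with the RSAT DNS tools, and that the lab's truncated lyncdiscover target webdir.online.lync is intended to be webdir.online.lync.com. The autodiscover CNAME target autodiscover.outlook.com is not listed in the lab and is included as an assumption.

```powershell
# Added example (not part of the lab): create the SRV and CNAME records from this
# exercise on the internal DNS server, then verify that each record exists and points
# at the expected Microsoft endpoint.
# Assumptions: $Zone is a placeholder for the lab's adatumyyxxxxx.hostdomain.com;
# the DnsServer module (RSAT) is available for Add-DnsServerResourceRecord; the
# lyncdiscover target is taken to be webdir.online.lync.com (the lab text is truncated);
# the autodiscover CNAME target autodiscover.outlook.com is an assumption.

$Zone = 'adatumyyxxxxx.hostdomain.com'   # placeholder: replace with the lab tenant's domain
$Ttl  = New-TimeSpan -Hours 1            # the lab's default time to live

# Records the lab configures, plus the assumed Autodiscover CNAME for Outlook clients.
$Expected = @(
    @{ Name = '_sip._tls';              Type = 'SRV';   Target = 'sipdir.online.lync.com'; Port = 443;  Priority = 100; Weight = 1 },
    @{ Name = '_sipfederationtls._tcp'; Type = 'SRV';   Target = 'sipfed.online.lync.com'; Port = 5061; Priority = 100; Weight = 1 },
    @{ Name = 'sip';                    Type = 'CNAME'; Target = 'sipdir.online.lync.com' },
    @{ Name = 'lyncdiscover';           Type = 'CNAME'; Target = 'webdir.online.lync.com' },
    @{ Name = 'autodiscover';           Type = 'CNAME'; Target = 'autodiscover.outlook.com' }   # assumed
)

function Add-ExpectedRecords {
    # Create each record in the internal zone (run on the DNS server, e.g. LON-DC1).
    foreach ($rec in $Expected) {
        if ($rec.Type -eq 'SRV') {
            Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name $rec.Name `
                -DomainName $rec.Target -Priority $rec.Priority -Weight $rec.Weight `
                -Port $rec.Port -TimeToLive $Ttl
        } else {
            Add-DnsServerResourceRecord -CName -ZoneName $Zone -Name $rec.Name `
                -HostNameAlias $rec.Target -TimeToLive $Ttl
        }
    }
}

function Test-ExpectedRecords {
    # Query each record and compare the answer with the expected target. A record that
    # resolves but points somewhere other than the Microsoft service endpoint is a
    # misconfiguration (or a tampered zone) and must be corrected before clients sign in.
    param([string]$DnsServer)   # e.g. the LON-DC1 address; omit to use the client's resolver
    $ok = $true
    foreach ($rec in $Expected) {
        $fqdn   = "$($rec.Name).$Zone"
        $params = @{ Name = $fqdn; Type = $rec.Type; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $params.Server = $DnsServer }
        $answer = Resolve-DnsName @params | Where-Object { $_.Type -eq $rec.Type } | Select-Object -First 1
        if (-not $answer) {
            Write-Warning "$fqdn ($($rec.Type)): record missing"
            $ok = $false
            continue
        }
        $target = if ($rec.Type -eq 'SRV') { $answer.NameTarget } else { $answer.NameHost }
        if ($target -ne $rec.Target) {
            Write-Warning "$fqdn points to $target, expected $($rec.Target)"
            $ok = $false
        } elseif ($rec.Type -eq 'SRV' -and $answer.Port -ne $rec.Port) {
            Write-Warning "$fqdn uses port $($answer.Port), expected $($rec.Port)"
            $ok = $false
        } else {
            Write-Host "$fqdn OK -> $target"
        }
    }
    return $ok
}

# Usage: create the records on the DNS server, then check them from LON-CL1.
# Add-ExpectedRecords
# Test-ExpectedRecords -DnsServer 'LON-DC1'
```

Running Test-ExpectedRecords from a client before and after the change gives the same information as the admin center's Check DNS page, but from the resolver the clients actually use, which is how you catch an internal zone that differs from the public one.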
3. On the Microsoft Remote Connectivity Analyzer page, on the Office 365 tab, perform an Office
365 Exchange Domain Name Server (DNS) Connectivity Test, and for Domain Name, type
adatumyyxxxxx.hostdomain.com.
4. Perform verification by entering the characters that you see in the Verification field.
Note: If you receive a message about having performed too many tests in 60 seconds, wait
for a minute, and then repeat the test.
5. When you see Connectivity Test Successful, review the checks that were made against the Exchange
Online domain.
Note: If you receive a message about having performed too many tests in 60 seconds, wait
for a minute, and then repeat the test.
8. When you see Connectivity Test Successful, review the checks that were made against the Skype for
Business Online domain.
10. Under Microsoft Office Outlook Connectivity Tests, perform the Outlook Connectivity test.
11. On the Outlook Connectivity page, in Email Address and Microsoft Account, enter
Francisco@adatumyyxxxxx.hostdomain.com.
14. Check I understand that I must use the credentials of a working account from my Exchange
domain to be able to test connectivity to it remotely. I also acknowledge that I am responsible
for the management and security of this account.
15. When you see Connectivity Test Successful with Warnings, under Test Details, review the checks
that have been made against Outlook Anywhere. Note in particular the message that contains
information about the Autodiscover steps that fail.
16. Under Run Test Again at the top right, note that you can copy this test to the clipboard, or save it as
XML or HTML.
2. In the Office 365 Client Performance Analyzer window, download and install Office 365 Client
Performance Analyzer.
5. Wait until Office 365 Client Performance Analyzer generates the results.
6. Review the results, and then click Show Trace Route Details.
Results: After completing this exercise, you should have run the Microsoft Connectivity Analyzer tool, and
the Office 365 Client Performance Analyzer tool.
2. Start Outlook 2016, and then sign in by using the following details:
o Password: Pa$$w0rd
3. Verify that you are connected to Exchange Online. Close the First things first dialog box.
o Password: Pa$$w0rd
Task 2: Verify that Skype for Business can connect to Office 365
1. Switch to the LON-CL1 virtual machine.
2. Start Skype for Business, and on the Skype for Business sign-in page, type
Holly@adatumyyxxxxx.onmicrosoft.com, and then click Sign in.
o Password: Pa$$w0rd
Results: After completing this exercise, you should have verified that Outlook 2016 can connect to Office
365, verified that Skype for Business can connect to Office 365, and verified OneDrive for Business
connectivity to Office 365.
Question: Why do you need to edit the DNS configuration, and add the canonical name
(CNAME), service (SRV), and MX records?
Question: How can you verify that the Autodiscover service in Office 365 is properly
configured?
Analyzing Office 365 clients and deciding which clients meet the organization’s business requirements.
Performing a detailed review of all DNS record changes that are needed for the Office 365 deployment
process. Without a proper DNS configuration, there might be issues when clients connect to Office 365
services.
Planning network connectivity. When you migrate your infrastructure to Office 365, all of your
organization’s resources are hosted in the cloud. Therefore, you need a reliable Internet connection to
support client connections to Office 365.
Planning changes that you need to configure in your organization’s network infrastructure, such as
firewalls and internal DNS servers that provide connectivity to Office 365.
Preparing a thorough support plan for users to help them transition to Office 365 services.
Module 4
Planning and configuring directory synchronization
Contents:
Module Overview 4-1
Module Overview
In this module, you will learn how to plan, prepare, and implement directory synchronization as a
methodology for user and group management in a Microsoft Office 365 deployment. This module covers
the preparation of an on-premises environment; the installation and configuration of directory
synchronization, and how to manage Office 365 identities after you enable directory synchronization.
Objectives
After completing this module, you will be able to:
Implement directory synchronization by using Microsoft Azure Active Directory Connect (AD Connect).
Lesson 1
Planning and preparing for directory synchronization
In this lesson, students will learn about directory synchronization with Microsoft Azure Active Directory
Connect (Azure AD Connect). Included in this lesson is a review of the installation requirements, planning
for nonroutable domain names and multiple forests, cleaning up existing objects in Active Directory
Domain Services (AD DS), and enabling directory synchronization.
Lesson Objectives
After completing this lesson, you will be able to:
Account Management and Provisioning
With AD DS, you can create a scalable, secure, and manageable infrastructure for user and resource
management, and provide support for directory-enabled applications such as Microsoft Exchange
Server.
Provisioning groups in AD DS through a Microsoft Identity Manager (MIM).
Provisioning users in AD DS.
Administrators can use access control to manage user access to shared resources for security purposes.
In Active Directory, access control is administered at the object level by setting different levels of
access, or permissions, to objects, such as Full Control, Write, Read, or No Access. Access control in
Active Directory defines how different users can use Active Directory objects. By default, permissions
on objects in Active Directory are set to the most secure setting.
You have to create an account for every user who will access a Microsoft cloud service. You can also
change user accounts or delete them when you no longer need them. By default, users do not have
administrator permissions, but you can optionally assign them.
Within Microsoft Azure Active Directory (Azure AD), one of the major features is the ability to manage
access to resources. These resources can be part of the directory, as in the case of permissions to
manage objects through roles in the directory, or resources that are external to the directory, such as
software as a service (SaaS) applications, Azure services, and Microsoft SharePoint sites or on-premises
resources. At the center of Azure AD access management solution is the security group. The resource
owner (or the administrator of the directory) can assign a group to provide certain access rights to the
resources they own. The members of the group will be provided access, and the resource owner can
delegate the rights to manage the group’s members list to someone else—such as a department
manager or a help-desk administrator.
Extend Active Directory identities into the cloud through synchronization and Federation Service.
Azure AD
Azure AD is an online instance of AD DS. Azure AD provides authentication and authorization for Office 365
and for other Microsoft cloud offerings, including Azure and Microsoft Intune. Authentication through
Azure AD can be on a cloud-only basis, through directory synchronization from on-premises AD DS, with
optional password synchronization, or you can enable user authentication with on-premises user accounts
through Active Directory Federation Services (AD FS) or other single sign-on (SSO) providers.
Authentication options in Office 365 fall into one of three main categories:
Cloud-only. Cloud-only identities are exactly as the name suggests; the user identity only exists in the
cloud, so all password management and policy control is done through Windows Azure AD. Each user
will have two entirely separate identities.
Directory synchronization with optional password synchronization. With directory synchronization, you
set up a directory synchronization server or appliance that provides either one-way or two-way
synchronization of users, groups, and attributes from on-premises AD DS to Azure AD. In the case of
Exchange hybrid environments, there is also synchronization of certain attributes from online to on-
premises. However, it is important to remember that even with password synchronization, there are still
two sets of security credentials; it is just that directory synchronization and password sync are keeping
them aligned. Users still authenticate to Azure AD to access Microsoft Exchange Online and other
online services.
SSO with AD FS. The SSO option hands over authentication control to your directory service. Therefore,
users no longer authenticate against Azure AD but against AD FS. Consequently, when a user types
user@adatum.com into the Office 365 sign-in page, the user receives a message telling them that they
have been redirected to their organization’s sign-in page. They now enter their on-premises identity
and authenticate to the Office 365 online services by using a delegated token that verifies to Office 365
that the user has been successfully authenticated by their on-premises directory service.
Note: The SSO authentication option is covered in more detail in later modules of this
course.
In the pilot phase of a deployment, you implement cloud-only identities, because this option does not have
any on-premises infrastructure requirements. In this phase, you plan for directory synchronization with
password synchronization.
Password synchronized users can sign into Microsoft cloud services, such as Office 365, Microsoft Dynamics
CRM, and Intune, using the same password as they use when signing into their on-premises network. The
user's password is synchronized to Azure AD via a password hash and authentication occurs in the cloud.
See password synchronization for more information.
Federation with AD FS users will be able to sign into Microsoft cloud services, such as Office 365, Microsoft
Dynamics CRM, and Intune, using the same password as they use when signing into their on-premises
network. The users are redirected to their on-premises AD FS infrastructure for authentication.
Integrating your on-premises directories with Azure AD makes your users more productive by providing a
common identity for accessing both cloud and on-premises resources. With this integration, users and
organizations can take advantage of the following:
Organizations can provide users with a common hybrid identity across on-premises or cloud-based
services, including consistent group membership, by leveraging AD DS and then connecting to
Azure AD.
Administrators can use policies set through AD DS to provide conditional access based on application
resource, device and user identity, network location and multi-factor authentication without having to
perform additional tasks in the cloud.
Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS
apps and non-Microsoft applications.
Support staff will experience fewer support calls because if users have fewer passwords to remember,
they are less likely to forget them.
Security will have confidence in knowing that user identities and information are protected because all
of the servers and services used in SSO are mastered and controlled on-premises.
Security will have greater confidence when they have the option to use strong authentication, also
called two-factor authentication, with the cloud service.
Developers can build applications that leverage the common identity model, integrating applications
into on-premises AD DS or Azure for cloud-based applications.
To take advantage of the integration between your on-premises directories and Azure AD, you must deploy
a directory synchronization tool. The directory synchronization tool provides the following features and
functionality:
SSO
o A shared Global Address List (GAL) between your on-premises Exchange Server environment and
Exchange Online.
o The ability to add users to and remove users from Office 365 service offerings. This requires the
following:
Two-way synchronization from your on-premises AD DS environment to the Office 365
directory infrastructure
An on-premises Exchange Server hybrid deployment
o The ability to move some or all mailboxes to Office 365 from an on-premises Exchange Server, or
vice versa.
o Synchronization of safe senders and blocked senders lists that are configured on-premises to Exchange Online.
Two-way synchronization of photos, thumbnails, conference room mailboxes, and security and
distribution groups
When you synchronize user accounts with the directory synchronization tool for the first time, they are
marked as nonactivated. These users cannot access any of the services in Office 365 such as send/receive
email, access Skype for Business Online or Microsoft SharePoint Online, and they are not assigned Office
365 subscription licenses. When assigning Office 365 subscriptions to specific users, you must activate the
user accounts by assigning a valid Office 365 license.
Identify any domain controller placement issues that might affect synchronization performance and
reliability.
Perform capacity planning, such as preparation for large scale deployments requiring Microsoft SQL
Server databases, and Azure AD quota limits.
Plan for nonroutable domain names, such as .LOCAL, by using additional user principal name (UPN)
suffixes.
Plan for Active Directory filtering to narrow the scope of which AD DS objects to synchronize to
Office 365.
Evaluate consolidating your forests. In general, more support is required to maintain multiple AD DS
forests. Unless you have security constraints that dictate the need for separate forests, consider
simplifying your on-premises AD DS environment prior to deploying the directory synchronization
tool.
Deploy directory synchronization to support your primary AD DS forest only. Consider planning to
deploy Office 365 only for your primary AD DS forest during the initial rollout of Office 365.
Two-way directory synchronization is required if your organization plans to take advantage of advanced
Office 365 features and functionality, such as Exchange Online archiving, safe and blocked senders, and
Exchange voice mail. In two-way directory synchronization, the directory synchronization tool writes
back the following required AD DS object attributes from Office 365 to your on-premises AD DS:
SafeSendersHash
BlockedSendersHash
SafeRecipientsHash
msExchArchiveStatus
msExchUCVoiceMailSettings
msExchUserHoldPolicies
Additional Reading: For more information, refer to the Azure Hybrid Identity Design
Considerations Guide: http://aka.ms/ibuqek.
Capacity planning
Directory synchronization is a critical tool for integration with your cloud service offerings; therefore, you
need to plan accordingly to properly implement directory synchronization. In most organizations, user
objects from AD DS make up the bulk of the directory synchronization payload and influence both
synchronization times and the sizing of your infrastructure.
The directory synchronization tool has a significant database dependency, so you will need to plan for
database capacity requirements. If your AD DS forest has fewer than 50,000 objects, then the default
Windows Internal Database (WID) should be sufficient. However, if your environment has more than 50,000
objects, then you might require a full version of SQL Server. Most directory synchronization tools scale to
forests of 600,000 or more objects.
Hardware requirements
Deployments with more than 50,000 objects in AD DS require a significant increase in memory
requirements (from 4 gigabytes [GB] random access memory [RAM] to 16 GB); therefore, it is important to
implement adequate hardware resources when transitioning from the pilot to production phase.
The Directory Synchronization batch run was completed on <date/time> for tenant <name>.
Synchronization has been stopped. The company has exceeded the number of objects that can be
synchronized. Contact Technical Support and ask for an increase in your company’s quota.
If you have a requirement to synchronize more than 300K objects, you will need to contact Microsoft
Technical Support to request a limit increase to the object quota. If you have a requirement to synchronize
more than 500K objects, you will need a license such as Office 365, Azure AD Basic, Azure AD Premium, or
Enterprise Mobility Suite. During the planning phase, it is important to plan appropriately for any quota
increase requests; otherwise, this could become a deployment blocker if left to the last minute.
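The thresholds above (50,000 objects for the default database, the 300K default quota, and the 500K licensing boundary) are easy to check before the pilot moves to production. The following script is an added example written for this section, not courseware or product code; it assumes the ActiveDirectory module (RSAT) and read access to every domain in the forest, and it counts the user, contact, and group objects that make up the bulk of the synchronization payload.

```powershell
# Added example (not from the courseware): size the directory synchronization
# payload per domain so the database, memory, and quota decisions can be made
# during planning rather than at go-live. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Thresholds quoted in the module text (object counts)
$WidLimit      = 50000    # above this, plan for a full SQL Server instance and 16 GB RAM
$DefaultQuota  = 300000   # above this, ask Microsoft Technical Support for a quota increase
$LicensedQuota = 500000   # above this, an Office 365 / Azure AD license is required

# Users and contacts have objectCategory=person; groups have objectCategory=group.
$ldapFilter = '(|(objectCategory=person)(objectCategory=group))'

function Get-DirSyncPayloadReport {
    foreach ($domain in (Get-ADForest).Domains) {
        $dn = (Get-ADDomain -Identity $domain).DistinguishedName
        # -Server targets a DC of that domain so the search base resolves locally
        $count = (Get-ADObject -LDAPFilter $ldapFilter -SearchBase $dn -SearchScope Subtree -Server $domain |
                  Measure-Object).Count
        [pscustomobject]@{ Domain = $domain; Objects = $count }
    }
}

$report = Get-DirSyncPayloadReport
$total  = ($report | Measure-Object -Property Objects -Sum).Sum

$report | Format-Table -AutoSize
"Forest total: $total synchronizable objects"

# Planning outcome, largest threshold first
if     ($total -gt $LicensedQuota) { "Plan: a license (Office 365, Azure AD Basic/Premium, EMS) is required above 500K objects." }
elseif ($total -gt $DefaultQuota)  { "Plan: open a support case for an object quota increase before deployment." }
elseif ($total -gt $WidLimit)      { "Plan: use a full SQL Server instance and size the sync server for 16 GB RAM." }
else                               { "Plan: the default database and 4 GB RAM are sufficient." }
```

Run it from the planned synchronization server so the same credentials and network path are exercised; the counts are an upper bound, because OU and attribute filtering (covered later in the module) reduces what is actually exported.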
Additional Reading: For more information, refer to You receive a "This company has
exceeded the number of objects that can be synchronized" error in a directory synchronization
report: http://aka.ms/r4x1q4.
Network ports
The network traffic for directory synchronization between the directory synchronization tool and Azure AD
is over Secure Sockets Layer (SSL). Most of the traffic is outbound, initiated by the directory
synchronization computer, and uses port 443. The writeback of passwords uses an Azure Service Bus relay
as an underlying communication channel, meaning that you do not have to open any new ports on your
firewall for this feature to work.
Network traffic between the directory synchronization computer and on-premises AD DS uses standard
Active Directory-related ports; for uninterrupted directory synchronization, the directory synchronization
computer must be able to contact all domain controllers in the forest.
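Both halves of that requirement (outbound 443 to Azure AD, and every domain controller reachable on Active Directory ports) can be checked from the synchronization computer before installation. This is an added example, not courseware or product code; it assumes Test-NetConnection (Windows Server 2012 R2 or later), the ActiveDirectory module, and uses login.microsoftonline.com as an assumed Azure AD endpoint for the 443 check, since the page names only the port. LDAP on 389 stands in for the "standard Active Directory-related ports"; add the others your environment relies on to the same loop.

```powershell
# Added example (not from the courseware): verify the connectivity that
# directory synchronization depends on, from the sync server's point of view.
Import-Module ActiveDirectory

function Test-DirSyncConnectivity {
    [CmdletBinding()]
    param(
        # Assumed endpoint; the module text specifies only outbound TCP 443
        [string[]]$CloudEndpoints = @('login.microsoftonline.com'),
        # Standard AD LDAP port; extend the list for Kerberos (88), SMB (445), etc.
        [int[]]$DomainControllerPorts = @(389)
    )
    $results = @()

    # 1. Outbound SSL to Azure AD, initiated by this computer
    foreach ($endpoint in $CloudEndpoints) {
        $ok = (Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
        $results += [pscustomobject]@{ Target = $endpoint; Port = 443; Reachable = $ok; Role = 'Azure AD' }
    }

    # 2. Every domain controller in the forest, on every listed AD port
    foreach ($domain in (Get-ADForest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            foreach ($port in $DomainControllerPorts) {
                $ok = (Test-NetConnection -ComputerName $dc.HostName -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
                $results += [pscustomobject]@{ Target = $dc.HostName; Port = $port; Reachable = $ok; Role = "DC ($domain)" }
            }
        }
    }
    $results
}

$results = Test-DirSyncConnectivity
$results | Format-Table -AutoSize

$unreachable = $results | Where-Object { -not $_.Reachable }
if ($unreachable) {
    Write-Warning "Directory synchronization would be interrupted: $($unreachable.Count) target(s) unreachable."
}
```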
Schema extensions
If your environment runs AD DS but not an Exchange Server, and you plan to enable the Exchange Server
2016 hybrid deployment feature, then you need to install the Exchange Server 2016, or Exchange Server
2013, schema extensions prior to installing directory synchronization.
Additional Reading: For more information, refer to Prepare Active Directory and domains:
http://aka.ms/xwdxic.
Additional Reading: For more information, refer to Prepare for directory synchronization:
http://aka.ms/esbu4f.
You will use the Office 365 readiness checks to run automatic checks against your on-premises AD DS
environment and to assess its readiness to deploy Office 365.
You will use Office 365 IdFix to resolve any issues identified by the Office 365 readiness checks.
Consider activating directory synchronization a long-term commitment. After you have activated directory
synchronization, you can only edit synchronized objects by using your on-premises AD DS management
tools.
AD DS preparation
When preparing for deployment of directory synchronization, your project plan should include AD DS
preparation, and the requirements and functionality of the Azure AD. To prepare AD DS:
Clean up AD DS
Set up auditing
Source of authority
For directory synchronization, source of authority refers to the location where Active Directory service
objects, such as users and groups, are mastered (an original source that defines copies of an object) in a
cross-premises deployment. You can change the source of authority for an object by using one of these
scenarios—activate, deactivate, or reactivate directory synchronization from within Office 365 or with
Windows PowerShell. Source of authority transfers from Office 365 to your customer’s on-premises
directory service after you perform the first sync.
Additional Reading: For more information, refer to Directory synchronization and source of
authority: http://aka.ms/fvexdc.
Additional Reading: For more information, refer to Prepare for directory synchronization:
http://aka.ms/e1d0ft.
Remove invalid and questionable characters in the givenName, surname (sn), sAMAccountName,
displayName, mail, proxyAddresses, mailNickname, and userPrincipalName attributes.
AD DS auditing
You might want to use AD DS auditing to capture and evaluate the events that are associated with directory
synchronization, such as user creation, password reset, adding users to groups, and so on. When you implement
directory synchronization, auditing captures directory service events in the logs of the AD DS domain controllers.
Note that security logging might be disabled by default, so you will need to enable it for events to appear
in the logs.
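The following script is an added example for this section, not courseware or product code. It enables the relevant audit subcategories on a domain controller (run elevated) and then pulls the Security log events for the operations the text lists: user creation, password reset, group membership changes, and directory object modifications. The event IDs are the standard Windows Security log identifiers for those operations.

```powershell
# Added example (not from the courseware): turn on the auditing that is often
# disabled by default, and report the events that directory synchronization
# planning and troubleshooting care about.

# 1. Enable success auditing for the subcategories that produce these events
auditpol /set /subcategory:"Directory Service Changes"  /success:enable
auditpol /set /subcategory:"User Account Management"    /success:enable
auditpol /set /subcategory:"Security Group Management"  /success:enable

# 2. Security log event IDs for the operations named in the module text
$SyncEvents = @{
    4720 = 'User account created'
    4724 = 'Password reset attempted'
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    4756 = 'Member added to universal security group'
    5136 = 'Directory service object modified'
}

function Get-DirSyncAuditEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$SyncEvents.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: an empty result is reported as an error by Get-WinEvent
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                What   = $SyncEvents[$_.Id]
                # The first line of the message summarises the operation
                Detail = ($_.Message -split "`r?`n")[0]
            }
        }
}

Get-DirSyncAuditEvents -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

Event 5136 is only written for objects that also carry a SACL (configured on the OU or object in Active Directory Users and Computers); the policy settings above are necessary but not sufficient for attribute-level change auditing.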
UPN suffixes
Before deploying directory synchronization, it is important to verify that on-premises user objects in AD DS
have a nonnull value for the UPN suffix, and that the value is correct for both the AD DS domain and Office
365. The UPN suffix is the part of a UPN to the right of the @ character. If a verified, publicly routable domain
is used in Office 365, then this domain should be the UPN suffix, so that the users' principal names are of
the form user@verified domain. If the on-premises UPN suffix does not contain a publicly routable DNS
domain (such as contoso.local), the default routing domain (for example, contoso.onmicrosoft.com) is used
for the UPN suffix in Office 365.
If the UPN suffix must be changed, it is important to check for any applications that might be dependent on
a specific UPN. If planning SSO, you need to know your AD DS UPN to register the domain for SSO (for
federated or nonfederated IDs).
After you deploy directory synchronization, modifying the user’s UPN suffix is not supported. If you need to
modify the UPN after you deploy directory synchronization, you will need to manually update the UPN in
Office 365; therefore, it is important that you plan the UPN suffix correctly from the start. To add a UPN
suffix to the on-premises AD DS:
1. Sign in to one of the organization's Active Directory domain controllers, and then open Active Directory
Domains and Trusts.
2. In the console tree, right-click Active Directory Domains and Trusts, and then click Properties.
3. Select the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add.
If directory synchronization has already been deployed, the user’s UPN for Office 365 might not match the
user’s on-premises UPN defined in AD DS; this can occur if the user was assigned an Office 365 subscription
license before the domain was verified. To resolve this issue, Windows PowerShell can be used to update
users’ UPNs in Office 365 to ensure that their Office 365 UPN matches their corporate user name and
domain in your on-premises AD DS.
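The attribute clean-up described under AD DS preparation and the UPN suffix work described here are usually done together, before the first synchronization. The script below is an added example, not courseware or product code, and not a replacement for Office 365 IdFix. It assumes the ActiveDirectory and MSOnline modules, uses adatum.com as an assumed verified domain and adatum.local as the assumed nonroutable on-premises suffix, and checks only a few common findings (leading or trailing whitespace, and whitespace or non-ASCII characters in address-style attributes) rather than the full IdFix rule set. It reports first and applies the UPN change only when -WhatIf is removed.

```powershell
# Added example (not from the courseware): pre-sync audit of the attributes the
# module text names, then the PowerShell equivalent of the UPN suffix steps.
Import-Module ActiveDirectory

$VerifiedDomain = 'adatum.com'     # assumed: already verified in Office 365
$LegacySuffix   = 'adatum.local'   # assumed: nonroutable on-premises suffix

$Attributes   = 'givenName','sn','sAMAccountName','displayName','mail','proxyAddresses','mailNickname','userPrincipalName'
$AddressAttrs = 'mail','mailNickname','userPrincipalName','sAMAccountName'

function Get-DirSyncAttributeIssues {
    foreach ($u in Get-ADUser -Filter * -Properties $Attributes) {
        foreach ($a in $Attributes) {
            # proxyAddresses is multi-valued; normalise every attribute to an array
            foreach ($v in @($u.$a) | Where-Object { $_ }) {
                $issue = $null
                if     ($v -ne $v.Trim())                                  { $issue = 'leading/trailing whitespace' }
                elseif ($a -in $AddressAttrs -and $v -match '\s')          { $issue = 'whitespace in address-style attribute' }
                elseif ($a -in $AddressAttrs -and $v -match '[^\x20-\x7E]') { $issue = 'non-ASCII or control character' }
                if ($issue) {
                    [pscustomobject]@{ User = $u.SamAccountName; Attribute = $a; Value = $v; Issue = $issue }
                }
            }
        }
        # A UPN suffix that is not the verified domain ends up as the
        # onmicrosoft.com routing domain in Office 365
        if ($u.UserPrincipalName) {
            $suffix = ($u.UserPrincipalName -split '@')[-1]
            if ($suffix -ne $VerifiedDomain) {
                [pscustomobject]@{ User = $u.SamAccountName; Attribute = 'userPrincipalName'
                                   Value = $u.UserPrincipalName; Issue = "suffix '$suffix' is not the verified domain" }
            }
        }
    }
}

# Report only; nothing below changes the directory until you review this
Get-DirSyncAttributeIssues | Format-Table -AutoSize

# Add the UPN suffix to the forest (same result as the Active Directory
# Domains and Trusts steps above) and move users off the nonroutable suffix
Get-ADForest | Set-ADForest -UPNSuffixes @{ Add = $VerifiedDomain }

Get-ADUser -Filter "UserPrincipalName -like '*@$LegacySuffix'" |
    ForEach-Object {
        $newUpn = "$($_.SamAccountName)@$VerifiedDomain"
        Set-ADUser -Identity $_ -UserPrincipalName $newUpn -WhatIf   # remove -WhatIf to apply
    }

# If synchronization is already running and a cloud UPN still carries the
# routing domain, update the Office 365 side (MSOnline module, tenant admin):
#   Connect-MsolService
#   Set-MsolUserPrincipalName -UserPrincipalName 'user@adatum.onmicrosoft.com' `
#                             -NewUserPrincipalName "user@$VerifiedDomain"
```

Before applying the UPN change, cross-check the report against the applications that depend on a specific UPN, as the text advises; a changed UPN is a changed sign-in name for Kerberos-aware applications too.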
Depending on the type of Office 365 deployment required, the Office 365 readiness checks will validate:
Credentials. Determines whether there are valid credentials available in the local environment,
including necessary administrator rights in Exchange Server 2013 or later if migrating to Exchange
Online. It will also determine whether there are valid tenant administrator credentials for any existing
trial account with Office 365.
Network. Determines whether there is network connectivity to Office 365, and checks for availability of
required ports.
Domains. Determines the on-premises domain suffixes, and identifies whether any domains are already
verified with Office 365. Appropriate DNS records are also checked.
Users and groups. Determines whether the on-premises AD DS is ready for directory synchronization
and SSO. User and group objects are also checked to ensure that they meet the requirements for
successful synchronization with Office 365.
Email. Evaluates messaging integration with the on-premises environment, and the readiness for email
migration if required.
Sites. Determines whether the on-premises AD environment is able to support the deployment of
Microsoft SharePoint Online.
Skype for Business. Identifies any current integration with Skype for Business Server 2016 or Lync
Server.
User software. Determines whether domain-joined computers meet the service and identity
requirements for the required Office 365 deployment.
Note: At a minimum, an Office 365 trial tenant is required to complete all the readiness
checks.
You can access the Office 365 readiness checks from the previous Office 365 admin center. The computer
used to run the readiness checks must meet the following system requirements:
The Office 365 IdFix tool queries all the AD DS domains in the currently authenticated forest and displays
object attribute values that would be reported as errors by the directory synchronization tool. The Office
365 IdFix tool displays these object attribute values in a data grid. This data grid supports the ability to
scroll, sort, and edit the objects in a resulting table to produce compliant values. Depending on the method
of use, the Office 365 IdFix tool provides:
Confirmation of each change is enforced. Only the objects you have selected to update will be
changed.
Transaction rollback. You can undo confirmed updates to object attributes applied to the forest.
Well known exclusions. Not all AD DS objects should be made available for editing as some could cause
harm to the source environment, for example, critical system objects. These objects are excluded from
the Office 365 IdFix data grid.
Save to File. Data is exported into CSV or LDF format for offline editing or investigation.
Import of CSV. Data is imported from a CSV file. Because this function relies upon the
distinguishedName attribute to determine the value to update, the recommended method to use this
feature is to export from a query, such as the Save to File. Keep the other columns as they were and do
not introduce escape characters into the values.
Verbose logging. Because the Office 365 IdFix tool makes changes in your environment, verbose
logging is enabled by default.
Support for multi-tenant and dedicated Office 365 tenants. Depending on your environment, the
Office 365 IdFix tool supports validation of multiple or dedicated Office 365 tenants.
The computer used to run the Office 365 IdFix tool must meet the following system requirements:
Additional Reading: For more information, refer to IdFix DirSync Error Remediation Tool:
http://aka.ms/sr02nb.
1. In the left navigation pane, click Users, and then click Active Users.
2. In the right navigation pane, under Active Directory synchronization, click Set up.
Note: At the time of this writing, the option to activate directory synchronization is not
available in the new Office 365 admin center.
To enable Active Directory synchronization by using the Microsoft Azure Active Directory Module for
Windows PowerShell, type the following command, and press Enter:
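The command itself is not reproduced on this page. As an added example (not the courseware's own text), the following MSOnline sequence checks the tenant's current setting, enables directory synchronization only if it is off, and confirms the result; it assumes a Global Administrator credential for the tenant.

```powershell
# Added example (not from the courseware): activate directory synchronization
# for the tenant and confirm the tenant-level setting afterwards.
Import-Module MSOnline
Connect-MsolService   # prompts for the tenant administrator credentials

function Enable-TenantDirSync {
    $before = (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
    if (-not $before) {
        # Long-term commitment: once enabled, synchronized objects can only be
        # edited with the on-premises AD DS tools
        Set-MsolDirSyncEnabled -EnableDirSync $true -Force
    }
    $after = (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
    [pscustomobject]@{ WasEnabled = $before; IsEnabled = $after }
}

Enable-TenantDirSync
```

Activation can take a while to be reflected in the tenant, so re-run the query from Get-MsolCompanyInformation rather than assuming the change is immediate.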
Lesson 2
Implementing directory synchronization by using Azure AD Connect
In this lesson, students will learn how to deploy Azure AD Connect. Included in this lesson is a review of the
Azure AD Connect installation requirements, the options for installing and configuring the tool, and
students will review the monitoring of Azure AD Connect.
Lesson Objectives
After completing this lesson, you will be able to:
Attributes of existing user, group, or contact objects that are modified in on-premises AD DS are
modified in Office 365; however, not all on-premises AD DS attributes are synchronized to Office 365.
Existing user, group, and contact objects that are deleted from on-premises AD DS are deleted from
Office 365.
Existing user objects that are disabled on-premises are disabled in Office 365; however, licenses are not
automatically unassigned.
In a cloud-only Office 365 deployment, all Azure AD objects are originally created (mastered) in the cloud,
and must be edited using cloud-based tools (either using the Office 365 admin center, or by using
Windows PowerShell cmdlets). In this scenario, Azure AD is referred to as the source of authority for all
Active Directory objects.
Azure AD requires a single source of authority for every object. It is important to understand, therefore, that
when you have deployed Azure AD Connect for Active Directory synchronization, you master objects from
within your on-premises AD DS by using tools such as Active Directory Users and Computers or Windows
PowerShell, and the source of authority is the on-premises AD DS. After the first
synchronization cycle has completed, the source of authority is transferred from the cloud to the on-
premises AD DS. All subsequent changes to cloud objects (except for licensing) are mastered from the on-
premises AD DS tools. The corresponding cloud objects are read-only, and Office 365 administrators
cannot edit cloud objects if the source of authority is on-premises.
Email address matching is used to identify the on-premises AD DS user object that relates to an Office 365
user.
If a user exists in your on-premises AD DS and no matching user yet exists in Office 365, Azure AD
Connect will create a new Office 365 user with the same email address as the on-premises account.
If a user already exists in both your on-premises AD DS and in Office 365, and these objects have the
same email address, then during the first synchronization these objects will become joined, or linked.
By synchronizing user, contact, and group objects, Azure AD Connect provides a unified GAL experience
between an on-premises AD DS or Exchange environment, and Office 365. Using the filtering features in
Azure AD Connect, objects hidden from the GAL on-premises are also hidden from the GAL in Office 365.
We will cover filtering and scoping later in this module.
Azure AD Connect also supports hybrid deployment scenarios in which there are both on-premises and Exchange Online mailboxes.
In hybrid scenarios, Azure AD Connect allows mail routing between on-premises and Office 365 with a
shared domain namespace. This scenario allows on-premises/cloud coexistence for both Exchange Server
2013 or later, Skype for Business Server 2015, or Lync Server 2013.
Note: Azure AD Connect is not designed to be used as a single-use bulk upload tool for
Office 365, and does not automatically assign licenses to the Office 365 accounts.
Some Office 365 deployment models set up AD FS and SSO before Azure AD Connect, and then use the
tool to ensure that Office 365 accounts are present for all on-premises users after federation has been
enabled. However, this course follows the Office 365 FastTrack methodology, where Azure AD Connect is
used as an enabler for SSO through AD FS.
Azure AD requirements
Before deploying Azure AD Connect in your environment, there are a few requirements for Azure AD:
An Azure subscription or an Azure trial subscription. This is only required for accessing the Azure portal
and not for using Azure AD Connect. If you are using Windows PowerShell or Office 365 you do not
need an Azure subscription to use Azure AD Connect. If you have an Office 365 license you can also use
the Office 365 portal. With a paid Office 365 license you can also get into the Azure portal from the
Office 365 portal.
Add and verify the domain you plan to use in Azure AD. For example, if you plan to use Adatum.com
for your users, then you will need to ensure the domain name has been verified in Office 365 and that
you are using more than the default domain, adatum.onmicrosoft.com.
An Azure AD directory will by default allow 50K objects. As discussed earlier in the module, when you
verify your domain the limit increases to 300K objects. If you need even more objects in Azure AD you
need to open a support case to have the limit increased even further. If you need more than 500K
objects, you will need a license such as Office 365, Azure AD Basic, Azure AD Premium, or Enterprise
Mobility Suite.
Note: Using Azure AD Connect for Forefront Identity Manager 2010 R2, using Azure AD
Connect with a non-Microsoft directory service, and installing Azure AD Connect on a non-
Windows computer are all out of scope for this course.
To integrate with Azure AD Connect, Active Directory domain controllers must run one of the following
operating systems:
Windows Server 2003 Standard Edition or Enterprise Edition with Service Pack 1 (SP1) or later.
If you plan to use the password writeback feature, the AD domain controllers must be on Windows
Server 2008 or later.
When you install Azure AD Connect with express settings, the directory synchronization computer must be
a member of a domain, and for single forest scenarios, this computer must be joined to a domain within the
same forest that will be synchronized. On the other hand, with customized settings, you can install Azure
AD Connect on a computer that is not joined to a domain. Azure AD Connect also supports installation on
domain controllers. However, for production scenarios, we recommend using a member server for Azure
AD Connect.
During installation of Azure AD Connect, you will be required to select an AD DS attribute for the source
anchor. This attribute, also called sourceAnchor, should be an attribute that is immutable during the
lifetime of a user object, as it is the link between on-premises AD DS and Azure AD. In most scenarios, this
might be the objectGUID. This attribute will not change unless the user account is moved between
forests/domains.
However, in a multi-forest scenario, where you move user accounts between forests, another attribute must
be used, such as an attribute with the employeeID.
Note: Attributes to avoid are those that would change if a person marries or changes
assignments. Other attributes that cannot be used include attributes containing an @ sign; therefore,
email and userPrincipalName cannot be used.
Additional Reading: For more information, refer to Office 365 URLs and IP address ranges:
http://aka.ms/A4c1kq.
An Azure AD Global Administrator account for the Azure AD directory with which you want to
integrate.
An Enterprise Administrator account for your on-premises AD if you use express settings or upgrade
from the Microsoft Azure Active Directory Sync Tool (DirSync).
Azure AD Connect uses the Azure AD Global Administrator account to provision and update objects in the
Office 365 tenant when you initiate directory synchronization. If you create a dedicated service account in
Office 365 for directory synchronization in place of the Office 365 tenant administrator account, it is
important to disable the default 90-day password expiration; otherwise, the synchronization service will
stop working when the password expires for the Office 365 tenant administrator account. In this scenario,
you will need to reconfigure Azure AD Connect to update the password.
To disable password expiration for the service account in Office 365 by using the Azure Active Directory
Module for Windows PowerShell, type the following command, and then press Enter:
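The command itself is not reproduced on this page. The following is an added example, not courseware or product code: it creates a dedicated synchronization service account in the tenant, grants it the Global Administrator role (Company Administrator in MSOnline terms), disables password expiration, and verifies the setting. It assumes the MSOnline module, a Global Administrator session, and svc-dirsync@adatum.com as an assumed account name in an assumed verified domain.

```powershell
# Added example (not from the courseware): dedicated Office 365 service account
# for directory synchronization with a password that never expires, so the
# sync service does not stop on the default 90-day expiration.
Import-Module MSOnline
Connect-MsolService

$SyncAccount = 'svc-dirsync@adatum.com'   # assumed name and domain

function New-DirSyncServiceAccount {
    param([string]$UserPrincipalName)

    # Initial password is entered interactively; New-MsolUser takes a plain string
    $initialPassword = Read-Host -Prompt "Initial password for $UserPrincipalName"

    if (-not (Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue)) {
        New-MsolUser -UserPrincipalName $UserPrincipalName `
                     -DisplayName 'Directory Synchronization Service' `
                     -Password $initialPassword -ForceChangePassword $false | Out-Null
    }

    # Azure AD Connect provisions objects with a Global Administrator account
    $role = Get-MsolRole -RoleName 'Company Administrator'
    Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress $UserPrincipalName

    # The point of this example: switch off the 90-day expiration
    Set-MsolUser -UserPrincipalName $UserPrincipalName -PasswordNeverExpires $true

    # Verify and return the effective setting
    Get-MsolUser -UserPrincipalName $UserPrincipalName |
        Select-Object UserPrincipalName, PasswordNeverExpires, IsLicensed
}

New-DirSyncServiceAccount -UserPrincipalName $SyncAccount
```

Because this account holds a non-expiring Global Administrator credential, treat it as a privileged service identity: use it only in the Azure AD Connect configuration wizard, and review its sign-in activity alongside the other tenant administrators.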
The account used to install and configure Azure AD Connect must have the following permissions:
Enterprise Administrator permission in your on-premises AD DS. This is required to create the directory
synchronization service account in AD DS.
Local administrator permission on the Azure AD Connect computer. This is required to install the Azure
AD Connect tool.
The account used to configure Azure AD Connect and run the configuration wizard must reside in the local
group ADSyncAdmins on the Azure AD Connect computer; by default, the account used to install Azure
AD Connect (the Enterprise Administrator account) is automatically added to this group during installation.
The Enterprise Administrator account is only required when installing and configuring Azure AD Connect,
and the Enterprise Administrator credential is not stored or saved by the configuration wizard.
Create the MSOL_<id> domain service account in the CN=Users container of the root domain.
Delegate the following permissions to MSOL_<id> on each domain partition in the forest
o Replication Synchronization
Note: Because it poses a security risk with the service account it uses, Azure AD Connect does
not support using a group Managed Service Account to connect to your on-premises AD DS
environments. By default, Azure AD Connect creates service accounts with minimal privileges but
with nonexpiring passwords on the computer that runs Azure AD Connect, and in both the on-
premises AD DS and the Azure AD tenant.
During an Azure AD Connect configuration, you can enable the Exchange hybrid deployment feature.
Previously known as rich coexistence, this feature allows for the coexistence of Exchange mailboxes both
on-premises and in Azure by synchronizing a specific set of attributes from Azure AD back into your on-
premises AD DS. During deployment, the Enterprise Administrator account will create an MSOL_Active
Directory_Sync_RichCoexistence group in the CN=Users container of the root domain automatically. In
addition, the Enterprise Administrator account will delegate write permissions for particular AD DS
attributes that writeback from Azure AD to your on-premises AD DS. These attributes are covered earlier in
this module.
The following accounts are created in your on-premises AD DS during Azure AD Connect configuration:
MSOL_<id>. This account is created during installation of Azure AD Connect, and is configured to
synchronize to Azure AD. The account has directory replication permissions in your on-premises AD DS
and write permission on certain attributes to enable the Exchange Hybrid Deployment.
AAD_<id>. This is the service account for the synchronization engine, and is created with a randomly
generated complex password automatically configured to never expire. When the directory
synchronization service runs, it uses the service account credentials to read from your on-premises
AD DS and then to write the contents of the synchronization database to Azure AD by using the Office
365 tenant administrator credentials specified during configuration of Azure AD Connect.
Note: Do not change this service account after installing Azure AD Connect, as directory
synchronization will attempt to use the service account created during setup. If the account is
changed, directory synchronization will stop running and scheduled directory synchronizations will
no longer occur.
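Because the MSOL_<id> account holds directory replication permissions and a nonexpiring password, it is worth confirming after installation that it is configured as described and that no other unexpected principals hold the same replication rights on the domain partition. The following script is an added example, not courseware or product code; it assumes the ActiveDirectory module, runs against the current domain, and uses the well-known control-access right GUIDs for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.

```powershell
# Added example (not from the courseware): post-installation check of the
# on-premises and local service accounts created by Azure AD Connect.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# 1. MSOL_<id> in CN=Users of the domain: nonexpiring password, and a
#    LastLogonDate that matches the sync schedule rather than interactive use
Get-ADUser -Filter 'Name -like "MSOL_*"' -SearchBase "CN=Users,$dn" `
           -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, Description |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet, LastLogonDate, Description

# 2. AAD_<id> is a local account on the Azure AD Connect computer (run there)
Get-LocalUser | Where-Object { $_.Name -like 'AAD_*' } |
    Select-Object Name, Enabled, PasswordExpires, PasswordLastSet

# 3. Which principals hold replication rights on the domain naming context?
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Get-ReplicationRightHolders {
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $ReplicationRights.ContainsKey($_.ObjectType.ToString()) } |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.IdentityReference.Value
                Right     = $ReplicationRights[$_.ObjectType.ToString()]
                Inherited = $_.IsInherited
            }
        }
}

$holders = Get-ReplicationRightHolders
$holders | Sort-Object Principal | Format-Table -AutoSize

# Built-in holders are expected; anything else besides MSOL_<id> needs an owner
$expected   = 'MSOL_|Domain Controllers|Enterprise Domain Controllers|Administrators|SYSTEM'
$unexpected = $holders | Where-Object { $_.Principal -notmatch $expected }
if ($unexpected) {
    $names = ($unexpected.Principal | Select-Object -Unique) -join ', '
    Write-Warning "Replication rights held by principals other than the sync account: $names"
}
```

Re-run the third check periodically, not only after installation: replication rights on the domain partition are exactly what the synchronization account needs, and a second principal acquiring them silently is a change that should have a ticket behind it.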
Database requirements
Azure AD Connect requires a SQL Server database to store identity data. By default, a SQL Server 2012
Express LocalDB (a light version of SQL Server Express) is installed and the service account for the service is
created on the local machine. SQL Server Express has a 10 GB database limit, which allows you to manage
approximately 100,000 objects. In large deployments, you might need to manage a higher volume of
objects. In this scenario, you should configure Azure AD Connect to use a full version of SQL Server. Azure AD
Connect supports all versions of SQL Server, from SQL Server 2014 to SQL Server 2008 (with SP4 or later).
When deploying to a different version of SQL Server, SQL Server rights are required to create the database
used by Azure AD Connect, and to enable the SQL service account with the role of db_owner. You can
achieve this by ensuring that the account used to install Azure AD Connect has sysadmin permission to the
SQL database, and that the service account used to run Azure AD Connect has public permission to the
database used by Azure AD Connect.
During installation of Azure AD Connect with Express Settings, the installer will:
Using the Express Settings will automatically start synchronization once the installation is complete (though
you can choose not to do this).
In addition to the required components that are installed as part of Express Settings, you might select the
following optional components during installation:
Specify a custom installation location. This optional component allows you to specify a different
location to install Azure AD Connect.
Use an existing server running SQL Server. This optional component allows you to select an existing
database server.
Use an existing service account. This optional component allows you to specify an existing service
account. By default, Azure AD Connect will create a local service account for the synchronization
services to use. The password is generated automatically and unknown to the person installing Azure
AD Connect. If you specify a remote server running SQL Server, then you will need a service account to
which you know the password.
Specify custom sync groups. This optional component allows you to specify existing management
groups for Azure AD Connect. By default, Azure AD Connect will create four groups on the server when
the synchronization services install. These groups include: Administrators group, Operators group,
Browse group, and the Password Reset group. Use this option if you prefer to specify your own groups.
The groups must be on the server and cannot be located in the domain.
During installation of Azure AD Connect with Customized Settings, the installer will allow you to enable the
following features:
Select the Single Sign-On Method. This feature allows you to specify the SSO method for users. The
SSO methods include password synchronization, federation with AD FS, or do not configure.
Connect multiple on-premises directories or forests. This feature allows you to connect to one or more
AD DS domains or forests.
Matching across forests. This feature allows you to define how Azure AD represents users from your
AD DS forests. A user might either be represented only once across all forests or have a combination of
enabled and disabled accounts.
Sync filtering based on organizational units. This feature allows you to run a small pilot where only a
small subset of objects should be created in Azure AD and Office 365. To use this feature, create an
organizational unit in your AD DS and add the users and groups which should synchronize with Azure
AD to the OU. You can later add and remove users to this group to maintain the list of objects which
should be present in Azure AD.
Select the Source Anchor. This feature allows you to choose the primary key that will link the on-
premises user with the user in Azure AD.
Select the login attribute. This feature allows you to choose the attribute users will use when they log in
to Azure AD and Office 365. Typically, this should be the userPrincipalName attribute. But if this
attribute is nonroutable and cannot be verified, then it is possible to select another attribute, for
example email, as the attribute holding the login ID, known as Alternate ID.
Additional Reading: For more information, refer to Configuring Alternate Login ID:
http://aka.ms/nqh5gc.
Exchange hybrid deployment. This optional feature enables the coexistence of Exchange mailboxes
both on-premises and in Office 365 by synchronizing a specific set of attributes from Azure AD back to
your on-premises AD DS.
Azure AD app and attribute filtering. This optional feature enables you to tailor the set of synchronized
attributes to a specific set, based on Azure AD apps.
Password hash synchronization. You can enable this optional feature if you selected federation as the
SSO solution. You can then use password synchronization as a backup option.
Password writeback. With this optional feature, password changes that originate in Azure AD are
written back to your on-premises AD DS. You typically deploy this feature when you want to enable
users for self-service password reset of their Azure AD passwords.
Group writeback. With this optional feature, if you use the Groups in Office 365 feature, then you can
have these groups in your on-premises AD DS as a distribution group. This option is only available if
you have deployed Exchange Server on-premises.
Device writeback. With this optional feature, device objects in Azure AD are written back to your on-
premises AD DS for conditional access scenarios.
Directory extension attribute sync. Not available in previous directory synchronization versions, this
optional feature enables you to extend the schema in Azure AD with custom attributes added by your
organization or other attributes in your on-premises AD DS.
After selecting the optional features, the Azure AD Connect installer will provide you the option to deploy a
new Windows Server 2012 R2 AD FS farm or to select an existing Windows Server 2012 R2 AD FS farm. In
addition, the Azure AD Connect installer will provide you the option to set up the federation relationship
between AD FS and Azure AD. It configures AD FS to issue security tokens to Azure AD and configures
Azure AD to trust the tokens from this specific AD FS instance.
Note: The Azure AD Connect installer only allows you to configure the trust for a single
domain during the initial installation. You can configure additional domains at any time by opening
Azure AD Connect again and performing this task.
During the final stages of the Azure AD Connect installer, you will have the option to automatically start
synchronization once the installation is complete (though you can choose not to do this). You will also have
the option to enable staging mode. This process allows you to set up a new directory synchronization server
in parallel with an existing server.
While Office 365 only supports one directory synchronization server connected to one Azure AD directory
in the cloud, if you want to move from another server, for example one running DirSync, then you can
enable Azure AD Connect in staging mode. When enabled, the sync engine will import and synchronize
data as normal, but it will not export anything to Azure AD and will turn off password sync and password
writeback.
While in staging mode, it is possible to make required changes to the sync engine and review what is about
to be exported. When the configuration looks good, run the installation wizard again and disable staging
mode. This will enable data to export to Azure AD.
Note: Ensure you disable the other directory synchronization server at the same time so only
one server is actively exporting to Azure AD.
Note: When you plan to upgrade from DirSync to Azure AD Connect, do not uninstall
DirSync yourself before the upgrade. Azure AD Connect will read and migrate the configuration
from DirSync and uninstall after inspecting the directory synchronization server.
In-place upgrade
The wizard displays the expected time to complete the upgrade. This estimate is based on the assumption it
will take 3 hours to complete an upgrade for a database with 50,000 objects (users, contacts, and groups).
Azure AD Connect will analyze your current DirSync settings and recommend an in-place upgrade if the
number of objects in your database is less than 50,000. If you decide to continue, your current settings will
apply automatically during the upgrade and your server will automatically resume active synchronization.
During inspection of the DirSync server, Azure AD Connect will assess the customizations of the directory
synchronization server. While Azure AD Connect supports most of the configuration changes for an
upgrade, there are a few scenarios that might prevent an in-place upgrade.
The following configuration changes are supported with DirSync and will be upgraded:
Alternate ID (UPN)
The following are unsupported DirSync changes and will prevent an in-place upgrade:
Removed attributes
In the unsupported scenarios, the recommendation is to install a new Azure AD Connect server in staging
mode and verify the old DirSync and new Azure AD Connect configuration. Reapply any changes using a
custom configuration, as described earlier in the module.
Note: The passwords used by DirSync for the service accounts cannot be retrieved and will
not be migrated. These passwords are reset during the upgrade.
The high-level steps for upgrading from DirSync to Azure AD Connect include:
Collect credentials for an enterprise admin account (only used during the installation of Azure AD
Connect)
Installation of Azure AD Connect
o Uninstall DirSync
Parallel deployment
If you prefer to deploy Azure AD Connect in a parallel deployment you can use one of two options,
depending on your current environment:
Parallel deployment with more than 50,000 objects. During the upgrade from DirSync to Azure AD
Connect, the wizard will provide you the option to Export Settings if it determines there are more than
50,000 objects. This option will export the current configuration settings of the DirSync server. When
you install Azure AD Connect on a separate server, these settings will be imported to migrate any
settings from your current DirSync to your new Azure AD Connect installation.
Parallel deployment with less than 50,000 objects. If you have less than 50,000 objects but still prefer to
deploy Azure AD Connect in a parallel deployment, then you can override the in-place upgrade
recommendation. This option is common if you want to take the opportunity to refresh the hardware
and OS. In this scenario, you will need to do the following:
b. When you see the Welcome to Azure AD Connect screen, exit the installation wizard by clicking
the "X" in the upper-right corner of the window.
d. From the installation location of Azure AD Connect (default is C:\Program Files\Microsoft Azure
Active Directory Connect) execute the following command:
AzureADConnect.exe /ForceExport
e. Click the Export settings button. When you install Azure AD Connect on a separate server these
settings will be imported to migrate any settings from your current DirSync to your new Azure AD
Connect installation.
2. When you see the Welcome to Azure AD Connect screen, exit the installation wizard by clicking the
"X" in the upper-right corner of the window.
AzureADConnect.exe /migrate
5. The Azure AD Connect installation wizard starts and allows you to select the settings file that exported
from your DirSync installation.
o A service account used to connect to SQL Server. If your SQL Server database is remote, then this
account must be a domain service account.
7. Click Next.
8. On the Ready to configure page, leave the Start the synchronization process as soon as the
configuration completes option selected. The server will be in staging mode so changes will not
export to Azure AD at this time.
9. Click Install.
To verify that Azure AD Connect is ready to take over directory synchronization from DirSync you will need
to open Synchronization Service Manager in the Azure AD Connect group on the Start menu.
In Synchronization Service Manager, you will need to view the Operations tab. On this tab you are looking
to confirm that the following operations have been completed:
Review the result from these operations to ensure there are no errors and that you are satisfied with the
changes that are about to be exported.
Next, you will need to uninstall the Azure AD sync tool from the Programs and Features tool on the old
server.
With DirSync uninstalled, there is no active server exporting to Azure AD. You must complete the next step
before any changes in your on-premises AD DS will continue to synchronize to Azure AD.
After installation, reopening Azure AD Connect will allow you to make additional configuration changes.
Start Azure AD Connect on the Start menu or from the shortcut on the desktop and do the following:
Note: Make sure you do not try to run the installation MSI again.
While Azure AD Connect Health for AD FS monitors your on-premises AD FS environment, Azure AD
Connect Health for Sync monitors and provides information on the synchronizations that occur between
your on-premises AD DS and Azure AD. Azure AD Connect Health for Sync provides the following set of key
capabilities:
View and take action on alerts to ensure reliable synchronizations between your on-premises
infrastructure and Azure AD.
2. Access Azure AD Connect Health by going to the Marketplace and searching for it or by selecting
Marketplace, and then selecting Security + Identity.
3. In the introductory window, click Create. This will open another window with your directory
information.
4. In the directory window, click Create.
Note: You will need an Azure AD Premium License to use Azure AD Connect Health.
When you first access Azure AD Connect Health, you will be presented with its main window. In this
window, you can access the following information:
Quick Start. This option will open the Quick Start window. Here you can download the Azure AD
Connect Health agent by selecting Get tools, access documentation, and provide feedback.
AD FS. This option represents all of the AD FS services that Azure AD Connect Health is currently
monitoring. By selecting one of the instances, a window will open with information about that service
instance. This information includes an overview, properties, alerts, monitoring, and usage analytics.
Configure. This option allows you to turn the following on or off:
o Auto update to automatically update the Azure AD Connect Health agent to the latest version.
This option will automatically update the agent on your server to the latest version of the Azure AD
Connect Health Agent when it becomes available. This is enabled by default.
o Allow Microsoft access to your Azure AD directory’s health data for troubleshooting purposes only.
When this option is enabled, Microsoft will be able to see the same data that you are seeing. This
can help with troubleshooting and assistance with issues. This is disabled by default.
Additional Reading: For more information, refer to Monitor your on-premises identity
infrastructure and synchronization services in the cloud: http://aka.ms/dqaaps.
Lesson 3
Managing Office 365 identities with directory synchronization
In this lesson, students will learn about managing Office 365 identities with Azure AD Connect. Included in
this lesson is managing users and groups in Office 365 with Azure AD Connect and how to maintain
directory synchronization.
Lesson Objectives
After completing this lesson, you will be able to:
Note: User writeback requires that the AD DS forest runs Windows Server 2012 R2 or later.
Note: $accountName is the account that will be used by Azure AD Connect to manage
objects in AD DS; this is usually an account in the form of an Azure AD number. $userOU is the OU
where these cloud users will be stored in on-premises AD DS.
Once these cmdlets complete, the Azure AD Connect service account for on-premises AD DS will have
permission to write objects to this OU. You can view the permissions in Active Directory Users and
Computers for this OU if you enable Advanced mode in the program. There should be a permission entry
for this account that is not inherited from the parent OUs.
After the synchronization completes, Office 365 users will appear in the on-premises container, which you
selected during the configuration.
Password writeback
Users can now change their passwords via the login page or user settings in Office 365 and have them
written back to on-premises AD DS.
To enable the password writeback feature for Azure AD Connect, you need to enable the password
writeback option during installation of Azure AD Connect (with customized settings) and then run the
following Windows PowerShell cmdlets on the Azure AD Connect server:
Note: Password writeback requires that the AD DS forest runs Windows Server 2012 R2 or
later.
# Identify the Azure AD connector and inspect its current password reset configuration.
Get-ADSyncConnector | fl name,AADPasswordResetConfiguration
Get-ADSyncAADPasswordResetConfiguration -Connector "adatum.onmicrosoft.com - AAD"
# Enable password writeback on the Azure AD connector.
Set-ADSyncAADPasswordResetConfiguration -Connector "adatum.onmicrosoft.com - AAD" -Enable $true
# Grant the Azure AD Connect service account ($accountName) only the rights it needs on the OU ($passwordOU):
# the Reset Password and Change Password control access rights, plus write access to lockoutTime and
# pwdLastSet on user objects. /I:S applies the entries to sub-objects (users) rather than the OU itself.
$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":CA;`"Reset Password`";user'"
Invoke-Expression $cmd | Out-Null
$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":CA;`"Change Password`";user'"
Invoke-Expression $cmd | Out-Null
$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":WP;lockoutTime;user'"
Invoke-Expression $cmd | Out-Null
$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":WP;pwdLastSet;user'"
Invoke-Expression $cmd | Out-Null
Note: Azure AD Connect uses the $accountName account to manage objects in AD DS; this
is usually an account in the form of an Azure AD number. $passwordOU is the OU where these cloud
users will be stored in on-premises AD DS.
Device writeback
Device writeback applies to devices that are enrolled with Office 365 MDM or Intune, and allows login to
AD FS-controlled resources based on both the user and the device they are on. Device writeback is used
to enable conditional access based on devices to AD FS protected applications, or relying party trusts.
This provides additional security and assurance that access to applications is granted only to trusted
devices.
To enable the device writeback feature for Azure AD Connect, you need to enable the device writeback
option during installation of Azure AD Connect—with customized settings—and then run the following
three Windows PowerShell cmdlets on the Azure AD Connect server:
If not present, they create and configure new containers and objects under CN=Device Registration
Configuration,CN=Services,CN=Configuration,[forest-dn], where forest-dn is the Distinguished
Name of your AD DS forest.
If not present, they create and configure new containers and objects under
CN=RegisteredDevices,[domain-dn], where domain-dn is the Distinguished Name of your AD DS
domain. Device objects are created in this container.
They set necessary permissions on the Azure AD Connector account to manage devices on your AD DS.
Note: If a primary SMTP address is not set for a user account, Office 365 will use an
@domain.onmicrosoft.com address as the user’s default SMTP address.
If it is not possible to ensure that all synced users will have a valid primary SMTP address prior to
synchronization, you can use user attribute filtering to ensure that all accounts without a valid UPN are
excluded from synchronization scope.
If the above steps validate that directory synchronization is working correctly but the AD DS object deletion
has still not propagated to Azure AD, the orphaned object can be manually removed using one of the
following Microsoft Azure Active Directory Module for Windows PowerShell cmdlets:
Remove-MsolContact
Remove-MsolGroup
Remove-MsolUser
For example, to manually remove an orphaned user originally created using directory synchronization, run
the following cmdlet:
Additional Reading: For more information on how to troubleshoot deleted user accounts in
Office 365, refer to: http://aka.ms/cmof9n.
The isLicensed user attribute indicates whether a user has a license assigned (True) or not assigned (False).
Windows PowerShell can, therefore, report on licensed Office 365 user accounts. To show all users licensed
in Office 365, enter the following command at the Microsoft Azure Active Directory Module for Windows
PowerShell prompt:
Additional Reading: For more information, refer to Getting all Licensed Office 365 users
with PowerShell: http://aka.ms/me03qp.
Additional Reading: For more information, refer to How to Use PowerShell to Automatically
Assign Licenses to Your Office 365 Users: http://aka.ms/pwr39r.
Although you enable the group writeback feature by selecting it during installation of Azure AD Connect
with customized settings, you also need to create the OU and the appropriate permissions required for
group writeback in AD DS. For this, Azure AD Connect has a built-in cmdlet, called
Initialize-ADSyncGroupWriteBack, that prepares AD DS automatically.
Note: Group writeback requires that the AD DS forest runs Windows Server 2012 R2 or later.
Note: Azure AD Connect uses the $accountName account to manage objects in AD DS—
this is usually an account in the form of Azure AD number. $groupOU is the OU where these cloud
groups will be stored in on-premises AD DS.
Once these cmdlets complete, the Azure AD Connect service account for on-premises AD DS will have
permission to write objects to this OU. You can view the permissions in Active Directory Users and
Computers for this OU if you enable Advanced mode in the program. There should be a permission entry
for this account that is not inherited from the parent OUs.
After the synchronization completes, Office 365 Groups will show up in the on-premises container, which
you selected during the configuration. These groups will be represented as distribution groups in on-
premises AD DS.
Note: At this time, group writeback in Azure AD Connect only supports the writeback of
distribution groups.
Similar to user accounts synchronized from Azure AD to on-premises AD DS, the synchronized groups will
not show up in the on-premises GAL. As such, you will need to run the Update-Recipient cmdlet first as
illustrated in the following example:
Update-Recipient Group_af905347-5322-4183-a1aa-9522a85bfeb9ad
Once this cmdlet completes, the group will show up in the on-premises GAL.
Groups synchronized from Azure AD to on-premises AD DS also include their membership. If you have
enabled user writeback in Azure AD Connect, the group memberships for user accounts created in Azure
AD are also included. However, if you have not enabled user writeback in Azure AD Connect, only group
memberships for user accounts created on-premises are included.
Note: If deployed, the Exchange Server hybrid writeback is the classic writeback from Azure
AD and is separate from group writeback. As such, it is the only one of the writebacks that does not
require an Azure AD Premium license. Otherwise, an Azure AD Premium license is required if you
enable group writeback without the Exchange Server hybrid writeback feature.
Note: While you can enable multiple customizations of filtering in Azure AD Connect,
Microsoft does not support all modifications or operations of the Azure AD Connect
synchronization outside of the formally documented actions. Any of these actions might result in
an inconsistent or unsupported state of Azure AD Connect sync and as a result, Microsoft cannot
provide technical support for such deployments.
You might be asking yourself, “Why would I want to enable filtering if Azure AD Connect synchronizes
everything I need after implementation?” In most cases, your on-premises AD DS environment contains a
lot more objects (for example, user accounts, contacts and groups) than are required within Azure AD. For
instance, service accounts or administrative accounts that are only required on-premises have no
reason to be synchronized to Office 365. Fortunately, you can filter objects so that only the objects you
require online synchronize. Filtering makes synchronization more secure, with no forgotten accounts in
online services, therefore providing a smaller attack surface. Filtering can also help you limit the number of
objects, which in turn can help you minimize the size of your Azure AD Connect database and might
prevent the need for full SQL Server deployment. Remember, if your environment has more than 50,000
objects, then you might require a full version of SQL Server. In many ways, enabling filtering in Azure AD
Connect will promote less complexity and increase the speed of directory synchronization.
Here are a few scenarios where filtering might be required to customize the default configuration:
You plan to use the multi-Azure AD-directory topology. In that case, you need to apply a filter to control
which objects should be synchronized to a particular Azure AD directory.
You run a pilot for Azure or Office 365 and only want a subset of users in Azure AD. In the small pilot it
is not important to have a complete GAL to demonstrate the functionality.
You have many service accounts and other nonpersonal accounts or administrative accounts you do
not want in Azure AD.
For compliance reasons, your company does not delete any user accounts in on-premises AD DS; you
only disable them. But in Azure AD you only want active accounts to be present.
Note: With the exception of outbound attribute-based filtering, the configurations in Azure
AD Connect will be retained when you install or upgrade to a newer version of Azure AD Connect.
It is always a best practice to verify that the configuration was not inadvertently changed after an
upgrade to a newer version before running the first synchronization cycle.
The following are three filtering configuration types that can be applied to Azure AD Connect (listed in
order of broad filtering to more detailed filtering):
Domain. This filtering configuration type enables you to select which AD DS domains are allowed to
synchronize to Azure AD. You would use the Synchronization Service Manager tool to manage the
properties of the Source AD Connector in Azure AD Connect. This tool is installed on the directory
synchronization server automatically during deployment of Azure AD Connect.
OU. This filtering configuration type enables you to select which OUs in AD DS are allowed to
synchronize to Azure AD. Most organizations already have an OU structure that separates objects that
are eligible for synchronization and those that are not, such as the Exchange Security Groups OU,
service/administrative accounts OU, or an OU for specific security groups. You can use Azure AD
Connect or the Synchronization Service Manager tool to manage the properties of the Source AD
Connector in Azure AD Connect. The Synchronization Service Manager tool is installed on the directory
synchronization server automatically during deployment of Azure AD Connect.
Attribute. This filtering configuration type enables you to control which objects in AD DS should
synchronize to the Azure AD based on criteria of the object’s attributes. Even with domain filtering and
OU filtering, it is possible that some objects in an OU should not synchronize. It might also be
impractical to change the OU design for the purpose of filtering objects that synchronize to Azure AD.
While significantly more complex than the Synchronization Service Manager tool, you would use the
Synchronization Rules Editor tool to manage the synchronization rules in Azure AD Connect. This tool
is installed on the directory synchronization server automatically during deployment of Azure AD
Connect.
Note: You use Source AD as the name for your AD DS Connector. If you have multiple
forests, you will have one Connector per forest and the configuration must repeat for each forest.
You can use all three, two, or just one filtering configuration type. Which type(s) you choose depends on
how your on-premises AD DS domain(s) are structured, what objects need to be synchronized to Azure AD,
and the filtering criteria.
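As an added example (not from the course or the product documentation), the following script creates the attribute filtering rule that the lab later configures through the Synchronization Rules Editor: an inbound rule with precedence 50 whose scoping filter is msDS-cloudExtensionAttribute15 EQUAL NoSync and whose transformation flows the constant True into cloudFiltered. It assumes the ADSync module on the Azure AD Connect server, an AD connector named 'adatum.com' (placeholder), and that the cmdlet parameter names match those in the scripts the Synchronization Rules Editor exports; confirm them against your installed version.

```powershell
# Added example: build the "tag-and-exclude" inbound rule from the lab with the ADSync cmdlets.
# Assumption: the AD DS (Source AD) connector is named 'adatum.com'; change this for your forest.
Import-Module ADSync

$adConnectorName = 'adatum.com'
$ruleName        = 'In from AD - User NoSync filter'
$connectorId     = (Get-ADSyncConnector -Name $adConnectorName).Identifier

# 1. Inbound rule for user objects. Custom rules use a precedence below 100 so they take priority
#    over the built-in rules; the lab uses 50.
$rule = New-ADSyncRule -Name $ruleName `
    -Description 'Users tagged msDS-cloudExtensionAttribute15=NoSync are marked cloudFiltered' `
    -Direction Inbound -Precedence 50 -Connector $connectorId `
    -SourceObjectType user -TargetObjectType person -LinkType Join

# 2. Scoping filter: only objects whose msDS-cloudExtensionAttribute15 equals NoSync are in scope.
$condition = New-ADSyncRuleScopeCondition -Attribute 'msDS-cloudExtensionAttribute15' `
    -ComparisonValue 'NoSync' -ComparisonOperator 'EQUAL'
Add-ADSyncScopeConditionGroup -SynchronizationRule $rule -ScopeConditions @($condition)

# 3. Transformation: constant flow of True into the metaverse attribute cloudFiltered.
#    The default outbound rules skip objects with cloudFiltered=True, so they never reach Azure AD.
$flow = New-ADSyncAttributeFlowMapping -Destination 'cloudFiltered' -FlowType Constant `
    -ValueMergeType Update -Source @('True')
Add-ADSyncAttributeFlowMapping -SynchronizationRule $rule -AttributeFlowMapping $flow

# 4. Save the rule to the sync engine and read it back to confirm it was stored as intended.
Add-ADSyncRule -SynchronizationRule $rule | Out-Null
Get-ADSyncRule | Where-Object { $_.Name -eq $ruleName } |
    Format-List Name, Direction, Precedence, SourceObjectType, TargetObjectType, Disabled
```

Because a new filter can mark many objects for deletion in Azure AD in a single cycle, review the pending exports in Synchronization Service Manager after a full import and full synchronization, and only then allow the export to run.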
Because filtering in Azure AD Connect can remove many objects in a very short time, you should verify
changes to the filters before exporting to Azure AD. After you have completed the configuration steps, we
strongly recommend you follow the verification steps before you export and make changes to Azure AD.
To protect you from deleting multiple objects by accident, the feature that prevents accidental deletes is on
by default. If you delete many objects due to filtering (500 by default) you need to follow the steps in the
following article to allow the deletes to go through to Azure AD.
Additional Reading: For more information, refer to Azure AD Connect sync: Configure
Filtering: http://aka.ms/au8smo.
1. In the left navigation pane, click USERS, and then click Active Users.
2. In the right navigation pane, under Active Directory synchronization, you will see the last synced time.
Another option is to install the Office 365 Support Central App on your mobile phone. With the mobile app
you can search for answers; view service health incidents, including planned maintenance events, and
message center notices; post questions and track your answers in the Office 365 for Business Support
Community.
Windows PowerShell
You can also use Windows PowerShell cmdlets and scripts to help manage Azure AD, report
synchronization state, and so on.
After connecting to Office 365 in Windows PowerShell, you can use the following cmdlet to verify the last
time directory synchronization was successful in Office 365.
Import-Module MSOnline
Connect-MsolService
Get-MsolCompanyInformation | fl LastDirSyncTime
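The following is an added example (not from the course) that extends the cmdlet above into a small health check: it compares LastDirSyncTime against the default three-hour sync cycle, and counts synced users (those carrying a source anchor in ImmutableId), cloud-only users, and licensed synced users, which also covers the isLicensed report described earlier in the lesson. It assumes the MSOnline module and an existing Connect-MsolService session, and treats LastDirSyncTime as a UTC timestamp.

```powershell
# Added example: directory synchronization health report built on the MSOnline cmdlets.
# Assumes Connect-MsolService has already been run in this session.
Import-Module MSOnline

function Test-DirSyncHealth {
    param([int] $MaxAgeHours = 3)   # default scheduler interval stated in the course text

    $company  = Get-MsolCompanyInformation
    $lastSync = $company.LastDirSyncTime
    # Assumption: LastDirSyncTime is reported in UTC, so compare against the current UTC time.
    $age = if ($lastSync) { (Get-Date).ToUniversalTime() - $lastSync } else { $null }

    # A synced user carries its on-premises source anchor in ImmutableId; cloud-only users have none.
    $users    = Get-MsolUser -All
    $synced   = @($users | Where-Object { $_.ImmutableId })
    $cloud    = @($users | Where-Object { -not $_.ImmutableId })
    $licensed = @($synced | Where-Object { $_.IsLicensed })
    $noLic    = @($synced | Where-Object { -not $_.IsLicensed } | Select-Object -ExpandProperty UserPrincipalName)

    [pscustomobject]@{
        DirSyncEnabled       = $company.DirectorySynchronizationEnabled
        PasswordSyncEnabled  = $company.PasswordSynchronizationEnabled
        LastDirSyncTimeUtc   = $lastSync
        Stale                = ($null -eq $age) -or ($age.TotalHours -gt $MaxAgeHours)
        SyncedUsers          = $synced.Count
        CloudOnlyUsers       = $cloud.Count
        LicensedSyncedUsers  = $licensed.Count
        UnlicensedSyncedUPNs = $noLic
    }
}

$report = Test-DirSyncHealth
$report | Format-List
if ($report.Stale) {
    Write-Warning 'Last directory sync is older than the expected cycle; check the sync server event log and Synchronization Service Manager.'
}
```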
Event logs
The directory synchronization tool writes entries to the directory synchronization computer's event log.
These entries indicate the start and end of a directory synchronization session. Directory synchronization
errors are also reported in the event log and sent via e-mail to your organization's designated technical
contact. When reviewing the event log, look for entries whose source is directory synchronization. An entry
designated Event 4 with the description "The export has completed" indicates that the directory
synchronization is complete.
One key area that can lead to issues unless clearly understood is when you deactivate and then reactivate
synchronization in the Office 365 admin center. When directory synchronization is deactivated, the source
of authority is transferred from the on-premises AD DS to Office 365. Deactivation is needed when on-
premises AD DS is no longer being used to create and manage users, groups, contacts, and mailboxes, such
as after a staged Exchange migration to the cloud, where the organization no longer wants to manage
objects from on-premises. Problems can subsequently arise if directory synchronization is then reactivated,
with the source of authority transferred back from Office 365 to the on-premises AD DS.
For example, assume an organization activated directory synchronization in January, and then created new
users on-premises, which were synced to Office 365. In this case, the source of authority is the on-premises
AD DS. In July, the organization deactivated directory synchronization, resulting in transfer of the source of
authority to Office 365; from this point on, objects were edited in Office 365. In September, the company
decided to deploy AD FS and SSO. To meet this requirement, directory synchronization was reactivated,
transferring the source of authority back to the on-premises AD DS. In this example, when you reactivate
and run directory synchronization, any changes made to the Office 365 objects from July through to
September would be overwritten and lost.
Additional Reading: For more information, refer to Directory synchronization and source of
authority: http://aka.ms/cdm2kk.
Within the application, you will need to view the Operations tab. On this tab you are looking to confirm
that the following operations have been completed successfully:
Review the result from these operations to validate the directory synchronization status and to identify any
errors.
By default, these operations are scheduled to run once every three hours. If you do not want to wait this
long to troubleshoot an issue, use the following procedure to force manual synchronization:
Provide the information requested on the wizard pages (you should be able to accept the default
settings if the tool has already been deployed).
On the Configure page, select the Start the synchronize process as soon as the initial
configuration completes option, and then click Finish.
Additional Reading: For more information, refer to How to troubleshoot Azure Active
Directory Sync tool installation and Configuration Wizard errors: http://aka.ms/bz5cjw.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 90 minutes
Password: Pa$$w0rd
In all tasks:
Note: When you connect to the Office 365 admin center, you may be prompted to provide
an authentication phone and authentication email address. If you see this window, click Cancel.
LON-DC1
LON-DS1
LON-CL1
LON-CL2
In this exercise, you will prepare the environment for directory synchronization.
1. Configure UPN.
2. This Windows PowerShell script will make the following changes in AD DS:
o Amr Zaki. Add the "@" character to the beginning of "adatum" for the UserPrincipalName
attribute.
o Brad Sutton. Replace the existing string with "brad@adatum.com" for the emailAddress
attribute.
o Don Funk. Replace the existing string with "brad@adatum.com" for the emailAddress attribute.
o Holly Dickson. Replace the existing string with "holly@adatum.com" for the EmailAddress
attribute.
o Kelly Rollins. Replace the existing string with " " for the emailAddress attribute.
2. Extract the files to C:\Deployment Tools\IdFix and then run IDFix as an administrator.
3. In the IdFix tool, click Query, and then sort the errors by the ERROR column.
4. On the Actions menu, select Edit for each of these objects, and then click Apply:
o Amr Zaki
o Holly Dickson
o Kelly Rollins
5. Click Query.
6. Click to sort the errors by the UPDATE column, and for each of these objects, replace the mail attribute
with the appropriate string. On the Actions menu, select EDIT.
2. In Windows PowerShell, enable directory synchronization for Office 365 by using the following
command:
3. In the Office 365 admin center, verify that directory synchronization has been enabled.
Results: After completing this exercise, you will have resolved issues in AD DS identified by the IdFix tool
and you will have enabled Active Directory synchronization in Office 365.
o Password: Pa$$w0rd
2. Open Internet Explorer and connect to the Office 365 portal: https://portal.microsoftonline.com.
3. If you are connected to the previous Admin center, click the banner at the top of the window to
connect to the new Admin center.
o Password: Pa$$w0rd
6. Close Internet Explorer, open it again, and connect to the Office 365 admin center. Sign in as
Holly@adatumyyxxxxx.hostdomain.com using the password Pa$$w0rd.
7. From the previous Office 365 admin center, download and install Azure AD Connect with Customized
Settings. You will need to configure the security settings for the Internet zone to enable file downloads.
o Precedence: 50
o Scoping filter:
Attribute: MSDS-cloudExtensionAttribute15
Operator: EQUAL
Value: NoSync
o Transformation:
FlowType: Constant
Target Attribute: cloudFiltered
Source: True
o Use Windows PowerShell to start the synchronization by running the following command:
o Password: Pa$$w0rd
3. Download and install the Microsoft Azure Active Directory Module for Windows PowerShell.
o Windows PowerShell
Results: After completing this exercise, you will have installed Azure AD Connect with customized settings.
Upon completion of the installation, you will start directory synchronization to Office 365 and have verified
that synchronization was successful.
5. Force synchronization.
o Password: Pa$$w0rd
4. E-mail: Perry@Adatumyyxxxxx.hostdomain.com
5. Use Active Directory Users and Computers to create the following group in the Research OU:
6. E-mail: projectteam@Adatumyyxxxxx.hostdomain.com
7. Members:
o Chris Sells
o Lukas Keller
o Sabine Royant
2. On LON-DC1, in Active Directory Users and Computers, move Josh Bailey from the Research OU to the
Sales OU.
o Allie Bellew
o Anil Elison
o Aziz Hassouneh
Results: After completing this exercise, you will have identified how managing user and group accounts
has changed with directory synchronization.
In some environments, you might test all changes on a separate directory synchronization server in a test
environment that is connected to a separate (trial) Office 365 tenant. In addition, you should manually initiate
run profiles for each management agent in Synchronization Service Manager and observe the pending actions
before exporting to Office 365. In some cases, it might be a good idea to create a new run profile for exporting
to Azure AD that includes a maximum limit on the number of allowed deletions.
Tools
IdFix. The Office 365 IdFix tool enables you to identify and remediate the majority of object
synchronization errors in your AD DS forests in preparation for deployment to Office 365.
Having completed this module, you can now prepare an on-premises environment ready for directory
synchronization, install and configure Azure AD Connect, and manage Active Directory users and groups
with directory synchronization to Office 365 enabled.
Best Practices
You must have a proper project plan.
If using filtering, it should be set up before synchronizing any objects.
You should add all SMTP domains as verified domains before synchronizing.
Module 5
Planning and deploying Office 365 ProPlus
Contents:
Module Overview 5-1
Lesson 2: Planning and managing user-driven Office 365 ProPlus deployments 5-9
Lesson 3: Planning and managing centralized deployments of Office 365 ProPlus 5-12
Module Overview
In this module, students will learn how to plan for a client deployment and ensure that users receive the
tools they need to interact with Microsoft Office 365 effectively. This module covers the planning process,
how to make Microsoft Office 365 ProPlus directly available to end users, and how to deploy it as a
managed package. Finally, this module covers how to set up Office telemetry so that administrators can
keep track of how users are interacting with Microsoft Office.
Objectives
After completing this module, you will be able to:
Lesson 1
Overview of Office 365 ProPlus
This lesson examines how to plan for an Office 365 client deployment of Office 365 ProPlus. This includes
planning for Microsoft Outlook, the Skype for Business client, and Office Online. This lesson also explains
the process of activation, revoking activation, and how activation relates to licensing. Finally, it covers the
differences between Click-to-Run and Windows Installer (MSI) applications.
Lesson Objectives
After completing this lesson, you will be able to:
Office 365 ProPlus supports streaming deployment by using Click-to-Run technology. This enables users to
click the application installation icon and start using the application, while the program installs in the
background. It is important to emphasize that, although deployment requires an Internet connection,
Office 365 ProPlus installs and runs locally on the user's computer. Office 365 ProPlus is not a web-based or
a light version of Office, and users do not have to connect to the Internet permanently to use it. However,
they must connect at least every 30 days.
Office Professional 2016 is the desktop version of Office. You install Office Professional 2016 in the
traditional way, through Microsoft Windows Installer (MSI) from volume license media, which requires
a volume license product key.
Office 365 ProPlus is a full version of Office that you install through Click-to-Run technology, and it
includes Office Online in the license. Updates automatically push out to the users (we will discuss
controlling the frequency through update branches later in this lesson).
Office 365 ProPlus licensing also provides five copies of the full Office suite to use on multiple devices
per user.
Office Professional 2016 installations do not stream. They include a license for only one copy per user,
and updates do not automatically update the applications without some intervention.
Component: Requirement
Computer and processor: 1 gigahertz (GHz) or faster x86 or x64 processor with support for the Intel
Streaming SIMD Extensions 2 (SSE2) instruction set.
Operating system: PC: Windows 10, Windows 8, Windows 7 Service Pack 1 (SP1), Windows Server 2016,
Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2. Mac: Mac OS X 10.10.
For the best experience, always use the latest operating system version.
Browser: The most current or immediately previous version of Internet Explorer, or the current version of
Microsoft Edge, Safari, Chrome, or Firefox. Other browser versions might work, but there is no guarantee.
Internet requirements
Users must be able to connect to Office Licensing Service through the Internet at least once every 30 days.
The following list identifies the ports, protocols, and URLs that Click-to-Run for Office 365 uses for
downloads, installation, automatic updates, subscription maintenance, and activation:
Download and installation from the portal, automatic updates. TCP (80), target URL:
http://officecdn.microsoft.com
Note: Office 365 ProPlus uses these URLs internally. They are not intended to be end-user
accessible.
Note: Microsoft InfoPath 2013 and Microsoft SharePoint Designer 2013 have been part of
Office editions in the past, but are now available as a download from the Microsoft Download
Center. These products will not upgrade past the 2013 versions and might require removal and
reinstallation when you install Office 365 ProPlus 2016 applications.
reduced functionality mode until the next time a user can make a connection. To get Office fully functional
again, a user can simply connect to the Internet and let the Activation and Validation Service reactivate the
installation.
You can check the activation status within Office applications by clicking File (to go to the Backstage view),
and then clicking Account. If Product Activated appears on the page, you have successfully activated the
Office subscription license. If Office 365 Professional Plus is already running when activation occurs, the
Backstage view might not reflect the licensed status. In this case, you will need to restart the Office
application in order to see the updated license status.
Office 365 administrators cannot see on which computers a user has installed Office and cannot deactivate
an Office installation on a user's computer. However, administrators do control the assignment of Office
365 licenses to users. Therefore, when a user leaves an organization, an administrator can reassign that
user’s Office 365 license to a different user, and any of that user's Office installations will enter reduced
functionality mode.
In reduced functionality mode, Office 365 ProPlus remains installed on the computer, but users can only
view and print their documents. All features for editing or creating new documents are disabled, and the
user sees a message with the following options to reactivate:
As long as the Office 365 subscription is current and the user has a license, the user can then choose one of
the available options to reactivate Office 365 ProPlus on that computer.
If you cannot deploy updates prior to Office 365 ProPlus setup, you can use Active Directory Group Policy
to throttle the deployment of Office 365 ProPlus. You do so by deploying the setup package to one
subset of users at a time, by using categories such as organizational unit (OU) or site/location. In this way,
although all users are downloading updates, the download activity is spread across days or weeks.
Additional Reading: For more information, refer to Uninstall Office 2013, Office 2016, or
Office 365 from a Windows computer: http://aka.ms/imbv8i.
If you expect users to use some form of self-service to install Office 365 ProPlus, you will have to provide
additional information, such as:
Informing users of the download location to use for Office 365 ProPlus setup, as this location varies,
depending on the Office 365 subscription plan (for example, Office 365 ProPlus Enterprise E1 uses a
different location than Office 365 ProPlus Enterprise E3).
Using correct wording in all communications. For example, depending on subscription level, users
might be accessing the Office 365 portal or the Office 365 admin center.
Pointing out to advanced users that Office 365 ProPlus uses Click-to-Run, and that users should not use any
existing volume license media location that they might have used in the past to self-service install Office
Professional 2016 or previous versions. We will cover this information in greater detail in the next lesson.
Deployment methods
The two most common ways of deploying Office 365 ProPlus to users include:
User-driven (self-service) installation of Office 365 ProPlus directly from the Office 365 portal. We
describe this type of deployment in Lesson 2 of this module.
Managed deployments, in which you first download the Office 365 ProPlus software to the local network and
then push it to users. We describe this type of deployment later in this module.
Users can also deploy Office 365 ProPlus by starting an installation from media in a network share.
Additionally, users can deploy Office 365 ProPlus by using application virtualization, although this method
is beyond the scope of this course.
Office 365 ProPlus uses Click-to-Run technologies for deployment. Click-to-Run is now the default
installation technology for Office Professional 2016, except for volume-licensed editions. Volume-licensed
Office Professional 2016 and previous Office versions use MSI-based deployment and support the following
options:
Application virtualization.
Presentation virtualization (Office 365 ProPlus does not support this option, as such environments do
not support Click-to-Run installations).
Additional Reading: For more information, refer to Office 2016 Deployment Guides for
Admins: http://aka.ms/v9e5xl.
Current Channel (previously named Current Branch). This update branch is referred to as Current in the
Office Deployment Tool or Group Policy. It provides all the newest features, security updates, and non-
security updates for stability or performance as soon as they become available. This is a great option if
you do not have many add-ins or macros and would like to have users always updated with the newest
content.
Deferred Channel (previously named Current Branch for Business). This update branch is referred to as
Business in the Office Deployment Tool or Group Policy. It releases every four months. If you use this
update branch, you will continue to get security updates as they become available, but new features
will be available only every four months. You can choose whether to deploy a release, but only two
releases are supported, so if you choose to skip one, you will need to deploy the newest release or the
one right before it when the next update is available. This will keep you within the
eight-month supported window.
First Release for Deferred Channel (previously named First Release for Current Branch for Business). This
update branch is referred to as Validation in the Office Deployment Tool or Group Policy. It is for those
who like to pilot the next release before it comes out. Users assigned to this update branch will receive
the upcoming features four months in advance. Because you can assign update branches per user
through deployment methods, you could have some test users set to this update branch for the sole
purpose of testing macros, add-ins, or preparing training materials for end users. This is also a chance
to give Microsoft feedback on items that do not work as expected.
Using the Office 365 admin center. On the Settings menu, access the Apps page, and then click
Software Download settings. You can configure whether updates will be installed every month or every
four months. The default for Office 365 ProPlus is the Standard release for the whole organization, which
updates every four months. If at any time you switch from every month to every four months, all users will
lose any updates that are for a future release. There is no option for Deferred Channel within the Office
365 admin center.
Using the Office Deployment Tool (Office 2016 version). With this method, you can edit the
configuration.xml file to change the branch to one of the three settings mentioned above. Current,
Business, or Validation are the three available for Office 365 Enterprise subscriptions. If you are using a
business subscription, the key word of Validation is replaced with FirstReleaseCurrent in the
configuration.xml file. Different users could have different configuration.xml files to vary the release
schedules per user.
Lesson 2
Planning and managing user-driven Office 365 ProPlus
deployments
In this lesson, you will learn how to plan and manage user-initiated installations of Office 365 ProPlus. Each
user initiates these deployments from the initial start page in Office 365 and installs them by using the
Click-to-Run technology. The user's only choice is the installation location.
Lesson Objectives
After completing this lesson, you should be able to:
Users must have an Office 365 account and be provisioned for Office 365 ProPlus.
Office 365 ProPlus installs Office 365 updates automatically in the background from the Internet. You
cannot change this behavior.
Additional Reading: For more information, refer to 64-bit editions of Office 2013:
http://aka.ms/qovxa7.
“The administrator has disabled Office installations. Contact your administrator for information about
how to install Office.”
Office 365 ProPlus installs as one package and, from the portal, it is not possible to exclude specific
applications. If an administrator wants to control installations down to an application level, there are two
options:
You can use AppLocker policies to prevent a Click-to-Run application from running.
You can use App-V 5.0 to customize the Office 365 configuration to include only specific applications.
Depending on the type of deployment you are conducting, you should prepare training for all those whom
the deployment will affect. Decide to what extent you need to create training materials. Can you rely entirely
on online training? Can you offer classroom courses? Without training, users might overload the support
team with calls regarding the easiest of tasks, which might jeopardize deployment schedules. Training and
communication are good tools to improve the success of your deployment and get immediate returns
in productivity.
Mobile devices
You can use Office 365 on a wide range of mobile devices, including phones and tablets. Office Online is
available for Windows tablets, Windows Phone, iPhone, iPad, and Android devices. Light versions are
available for BlackBerry devices and Nokia (Symbian operating system). Users can use Office 365 on up to
five mobile devices and five PCs.
Additional Reading: For more information, refer to System requirements for Office:
http://aka.ms/ghq4zw.
Additional Reading: For more information, refer to Office 365 mobile setup – Help:
http://aka.ms/Ca6hpo.
Lesson 3
Planning and managing centralized deployments of Office
365 ProPlus
In this lesson, students will learn how to manage an Office 365 ProPlus deployment, manage streaming
updates, use the Office deployment tool, and customize the Office 365 deployment.
Lesson Objectives
After completing this lesson, you will be able to:
Intune
Scripted installation
In the lab for this module, you will use Group Policy computer startup scripts to deploy Office 365 ProPlus.
However, similar command lines and scripts are part of an electronic software distribution. You can build
them into System Center or Microsoft Deployment Toolkit (MDT) task sequences.
With Group Policy and the Office Deployment Tool, it is important to remember that you must run Click-
to-Run installations as a local admin. For example, Group Policy startup scripts must run from the computer
context and not the user context. You can use Configuration Manager or Remote Desktop in cases where
users do not have admin rights.
Configuration.xml. Office Deployment Tool uses this to customize the deployment experience by:
o Assigning which products to install (Office 365 ProPlus, Office 365 Business Premium, Visio, or
others).
Group Policy. You can use this to manage all other Office settings, including which applications to
block from certain users.
/packager to prepare Office source files so that you can use Click-to-Run in an App-V infrastructure.
The Office Deployment Tool process involves the following key steps:
1. Edit Configuration.xml to specify the Office 365 software to download, such as Office 365 ProPlus or
Visio, and the shared location to use.
2. Use Office Deployment Tool with the download option to place source files in a software distribution
infrastructure; for example, setup.exe /download \\LON-CL1\Office16\Configuration.xml.
3. Use Office Deployment Tool with the configure option to deploy the Office Deployment Tool
and the configuration file to clients; for example, setup.exe /configure \\LON-CL1\Office16\Configuration.xml.
4. When client computers execute the Office Deployment Tool, it reads the configuration file, and then
streams Click-to-Run from the specified location (for example, where the source files downloaded
internally).
Note: When you use this method, you deploy the Office Deployment Tool and not the Office
source files. The Office Deployment Tool is a 3-megabyte (MB) executable.
Additional Reading: For information, refer to Office Deployment Tool for Click-to-Run:
http://aka.ms/uic22i.
User Configuration\Administrative
Templates\Microsoft Office 2016\First Run
Additional Reading: For more information, refer to Office 2016 Administrative Template
files (ADMX/ADML) and Office Customization Tool: http://aka.ms/bengwp.
Additionally, this model does not affect users, even if they are using an Office application when an update is
happening. When they close and reopen the Office application, they will be using the newer build
automatically.
Update options
Updating options include:
Automatic from cloud. This is the default mode (typically used for home or small office installations)
where updates download from the cloud. A daily task checks for updates, and when a new build is
available, the client automatically receives the deltas.
Automatic from network. In managed deployments, administrators can specify (by using Group Policy
or the configuration.xml file during setup) to check for updated builds from an internal source.
Typically, small or medium organizations use this option.
Rerun setup.exe by using Electronic Software Delivery (ESD). In large organizations, using an ESD such
as Configuration Manager enables even more fine-grained control of update scheduling. You can use
scripts or task sequences in the ESD to re-execute setup.exe /configure. This will compare the current
version with the source (defined in the SourcePath attribute in the config.xml) and only install deltas.
By using an ESD, administrators can specify how many users receive a new build in a given time period.
The second and third options enable administrators to control when users receive updated builds. For these
two options, a best practice is to download the updated build to a test share initially, and to apply updates
to test or pilot computers only (as you configure these computers to receive updates from
\\Server\Testing$, for example). After the testing period, you move the updated build to a production
update share, and it begins to update production computers automatically (as they are configured to
receive updates from \\Server\Production$, for example).
Note: Although administrators can choose not to receive updates, it is important to note that
clients can be on an outdated build for only 12 months. After 12 months, clients will need to
download a newer build that Microsoft support will cover.
Enabled. If set to TRUE (default), Click-to-Run will automatically detect, download, and install
updates.
UpdatePath. Specifies a network, local, or HTTP path for a Click-to-Run installation source to use for
updates. If not set, or set to default, the Click-to-Run source on the Internet is used.
TargetVersion. Sets a specific product build number (for example, 16.0.6366.2036) that the next
update cycle will update. If not set or set to default, Click-to-Run will update to the latest version
advertised at the Click-to-Run source.
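The four Office Deployment Tool steps, the Branch setting in configuration.xml, and the Updates attributes just listed all come together in one file; as an added example that is not part of the course, the script below builds that Configuration.xml, stages the tool on an internal share, runs the download, and wraps the /configure call a Group Policy computer startup script would execute. It assumes the tool's setup.exe is already extracted to C:\Deployment Tools\ODT, and uses \\LON-DS1\Office16 and \\Server\Production$ as placeholder shares from the lab scenario.

```powershell
# Added example, not part of the course: Office 2016 Deployment Tool configuration, download
# and startup-script install for Office 365 ProPlus.
# Assumptions: setup.exe from the Office Deployment Tool is already in $OdtPath;
# the two UNC paths are placeholders from the lab scenario.
$OdtPath     = 'C:\Deployment Tools\ODT'
$SourceShare = '\\LON-DS1\Office16'       # /download places the Click-to-Run source files here
$UpdateShare = '\\Server\Production$'     # "Automatic from network": internal update source
$ConfigFile  = Join-Path $SourceShare 'Configuration.xml'
$Branch      = 'Business'                 # Current, Business or Validation (Deferred Channel = Business)

$configXml = @"
<Configuration>
  <!-- Add: product, edition and source. Branch here sets the update branch at install time. -->
  <Add SourcePath="$SourceShare" OfficeClientEdition="32" Branch="$Branch">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <!-- ExcludeApp leaves one application out; a portal (self-service) install cannot do this. -->
      <ExcludeApp ID="Access" />
    </Product>
  </Add>
  <!-- Updates: Enabled (default TRUE), UpdatePath (internal share), TargetVersion (pinned build). -->
  <Updates Enabled="TRUE" UpdatePath="$UpdateShare" Branch="$Branch" TargetVersion="16.0.6366.2036" />
  <!-- Silent install: a computer startup script has no interactive user to accept the EULA. -->
  <Display Level="None" AcceptEULA="TRUE" />
  <Logging Level="Standard" Path="%temp%" />
</Configuration>
"@

# Step 1: stage setup.exe and the configuration on the share (run once, by an administrator).
New-Item -Path $SourceShare -ItemType Directory -Force | Out-Null
Copy-Item -Path (Join-Path $OdtPath 'setup.exe') -Destination $SourceShare -Force
Set-Content -Path $ConfigFile -Value $configXml -Encoding UTF8

# Step 2: download the source files to SourcePath; only this step needs Internet access.
& (Join-Path $SourceShare 'setup.exe') /download $ConfigFile

# Step 3: what the computer startup script runs on each client. It runs in the computer
# context, so it has the local admin rights Click-to-Run needs even when the user does not.
function Install-OfficeProPlus {
    param([string]$Setup = (Join-Path $SourceShare 'setup.exe'), [string]$Config = $ConfigFile)

    # Click-to-Run writes this key once Office is installed; re-running /configure applies only deltas.
    $c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $c2rKey) {
        $current = (Get-ItemProperty -Path $c2rKey).VersionToReport
        Write-Output "Click-to-Run Office $current already present; /configure will move it to the source build."
    }
    $proc = Start-Process -FilePath $Setup -ArgumentList "/configure `"$Config`"" -Wait -PassThru
    return $proc.ExitCode   # 0 on success; details go to the Logging path in the configuration
}

Install-OfficeProPlus
```

Later releases of the Office Deployment Tool rename the Branch attribute to Channel, so check the attribute names against the version you download from the admin center.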
Lack of information technology (IT) expertise in an enterprise software deployment. You need to
understand tools such as the Office Deployment Tool, Group Policy, and Configuration Manager
before you use them as part of enterprise Office 365 client rollouts.
Update branch
Lesson 4
Office Telemetry and reporting
In this lesson, students will learn how to set up the telemetry service, enable telemetry through Group
Policy, report user issues, and deploy the Office Telemetry Agent.
Lesson Objectives
After completing this lesson, you will be able to:
Office Telemetry agents are built into Office 2013 Professional, Office 2016 Professional, Office 365 ProPlus
2013, and Office 365 ProPlus 2016. If you enable data collection, information about installed add-ins, the
most recently used documents, and application event data will go to the Office Telemetry Logs and Office
Telemetry Database. However, for Office 2003, Office 2007, and Office 2010, you must first deploy an agent;
this agent collects information about add-ins and recently used documents, but does not provide
application event data.
Note: Another advantage of installing the 32-bit version of Office 365 ProPlus is the added
functionality of all the add-ins that you install and use with the Office applications. With the Office
Telemetry Dashboard, you can measure the use of these add-ins.
Collecting this data prior to an Office 365 ProPlus rollout provides the information needed to help with
capacity and license planning. Data collection also helps to ensure that ProPlus network and storage
performance will be within acceptable limits. You can also use Office Telemetry after an Office 365 ProPlus
rollout to monitor performance against targets, to monitor user adoption of new features, and to identify
errors and problems with Office solutions.
Telemetry operations
Before data collection can begin, you must enable Office Telemetry client functionality, whether built into
Office 365 ProPlus or deployed to previous versions of Office, through Group Policy or by editing the local
registry. Data collection runs as a scheduled task and requires domain membership.
Office client data is first sent to a shared folder on the network (cloud storage is not an option for this data).
This folder must be accessible to all clients and users. The Office Telemetry processing service, known as the
Office Telemetry Processor, runs on a domain-joined computer running Windows Server 2008 or newer.
This service then reads the data and sends it to the Office Telemetry database.
Note: The telemetry processor can run in test or small environments on Windows 10,
Windows 8, or Windows 7; it is also possible to run the processor on a workgroup computer by
using a workaround.
The Office Telemetry database requires SQL Server 2005 or a newer version. You can also run it
on SQL Server Express editions in test or small environments.
Note: You can use a single computer for all the Office Telemetry components: database,
share, and processor.
The Office Telemetry Dashboard is an Excel 2016 tool that installs automatically as part of Office
Professional Plus 2016 and Office 365 ProPlus installations. You will find the dashboard in the Tools folder
under the Microsoft Office 2016 Start Menu folder. The dashboard connects to the database to enable
consolidated views of telemetry data, and multiple users can use the dashboard to view the data.
The Office Telemetry Log is an additional tool for developers and experienced users to use when
diagnosing compatibility issues on a specific Office 2016 client. As with the dashboard, the Office Telemetry
Log is also in the Office 2016 Tools folder and requires Excel 2016. It automatically installs with Office
Professional Plus 2013, Office Professional 2016, and Office 365 ProPlus. However, unlike the dashboard, the
Office Telemetry Log connects to the local data store on the client, and not the central database.
Telemetry management
Telemetry data collection is managed separately for each client through Group Policy settings. Office 2016
administrative templates include these settings, as part of Office16.admx and Office16.adml. They are
located under the User Configuration\Administrative Templates\Microsoft Office 2016\Telemetry
Dashboard node. If you cannot use Group Policy, you can also configure these settings on the local
computer by editing the registry, or by deploying registry files. There are also several telemetry test settings
that update only through the registry editor.
You must perform the following steps to install and configure Office Telemetry:
1. Prepare the database. The first step is to deploy SQL Server (Express or full version), or to connect to an
existing SQL Server installation. If a new database is necessary, the Getting Started worksheet provides
download links for SQL Server Express Edition.
Note: When configuring the database, you must not select Mixed Mode authentication,
because the Office Telemetry Dashboard does not support SQL Server authentication.
2. Set up the Office Telemetry Processor. The second step is to set up the Office Telemetry Processor,
which reads information that Office Telemetry Agents store in the shared folder. It then connects and
adds records to the Office Telemetry database. The Office Telemetry Processor setup wizard provides
guidance for installing the processor, setting up the share, and making the database connection.
3. Deploy Office Telemetry Agents. The third step is to deploy any required agents for versions that are
older than Office 2013. The dashboard Getting Started worksheet provides download links for x86 and
x64 Office Telemetry Agents. You can deploy agents by using scripts, Group Policy, electronic software
distribution, or application virtualization management features of Configuration Manager.
4. Configure Office Telemetry Agents. The fourth step is to configure Office Telemetry Agents and enable
data logging. The dashboard Getting Started worksheet provides a download link for the Office 2016
Administrative Template files. You should then import the office16.admx file and language-specific
office16.adml file into the Active Directory domain for use with Group Policy Management tools.
The Office Telemetry Group Policy settings cover the following options:
o Location or Universal Naming Convention (UNC) path of the shared folder that the client will use
to store its data.
o Custom tags to use to help during data viewing. These tags can include user location, department,
and Active Directory security group. The next topic provides more information on tagging.
When you have deployed the Group Policy settings to Office clients, the telemetry configuration is
complete, and data collection will begin.
The dashboard Getting Started worksheet provides two additional post-configuration steps:
1. Connect the dashboard to the database. The fifth step on the dashboard Getting Started worksheet is
to connect the dashboard to the database to enable viewing of the data. This step creates and
populates additional worksheets. A later topic will describe this.
2. Configure any required privacy settings. The final configuration step is to optionally configure any
required privacy settings. By default, data collection includes full file names, file paths, and document
titles. Administrators should not always be able to view such detailed information. If you enable the
Turn on privacy settings in Telemetry Agent Group Policy setting, file names, file paths, and titles
will be obscured. For example, a document named Merger_Contoso.docx will be recorded as
Me********.docx in the shared folder, and the document's location and title will be <location>\********
and ********.
Additional Reading: For more information, refer to Manage the privacy of data monitored
by telemetry in Office: http://aka.ms/qhi35p.
Note: It is important to check the user permission role for the Office Telemetry Dashboard,
and ensure you have added the user to the td_readonly role.
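Telemetry management above notes that the agent can be configured through the registry when Group Policy is not available, and step 6 describes the privacy setting; as an added example that is not part of the course, the function below writes those agent settings (share location, logging, upload, tags, file-name obfuscation) for the current user and then checks that the share is reachable and writable, which is the most common cause of the "unreported data" problem. The value names follow the Office 2016 Telemetry Agent policy settings and should be verified against the Office16.admx in your environment; the share path and tags are placeholders.

```powershell
# Added example, not part of the course: configure the Office 2016 Telemetry Agent through the
# registry (for clients that cannot receive Group Policy) and probe the upload share.
# Assumptions: value names match the Office16.admx Telemetry Dashboard policies;
# \\LON-DS1\TelemetryShare$ and the tag values are placeholders.
function Set-OfficeTelemetryAgent {
    param(
        [Parameter(Mandatory)][string]$ShareUnc,
        [string]$Tag1 = '',      # for example, user location
        [string]$Tag2 = '',      # for example, department
        [string]$Tag3 = '',      # for example, Active Directory security group
        [string]$Tag4 = '',
        [switch]$Privacy         # "Turn on privacy settings in Telemetry Agent"
    )
    $key = 'HKCU:\Software\Policies\Microsoft\Office\16.0\osm'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Shared folder the agent uploads to; it must be accessible to all clients and users.
    Set-ItemProperty -Path $key -Name CommonFileShare -Value $ShareUnc -Type String
    # Enable local logging and upload (the two enabling policies in the Telemetry Dashboard node).
    Set-ItemProperty -Path $key -Name Enablelogging -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name EnableUpload  -Value 1 -Type DWord
    # Custom tags used to group data in the dashboard.
    Set-ItemProperty -Path $key -Name Tag1 -Value $Tag1 -Type String
    Set-ItemProperty -Path $key -Name Tag2 -Value $Tag2 -Type String
    Set-ItemProperty -Path $key -Name Tag3 -Value $Tag3 -Type String
    Set-ItemProperty -Path $key -Name Tag4 -Value $Tag4 -Type String
    # Privacy: with obfuscation on, Merger_Contoso.docx is recorded as Me********.docx and the
    # path and title as <location>\******** and ********.
    Set-ItemProperty -Path $key -Name EnableFileObfuscation -Value ([int]$Privacy.IsPresent) -Type DWord

    return Get-ItemProperty -Path $key
}

function Test-TelemetryShare {
    param([Parameter(Mandatory)][string]$ShareUnc)
    # Data that never reaches the share never reaches the database, so check reachability and write access.
    if (-not (Test-Path -Path $ShareUnc)) { return "Share $ShareUnc is not reachable" }
    $probe = Join-Path $ShareUnc ("probe_{0}.tmp" -f [guid]::NewGuid())
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        return 'OK'
    }
    catch {
        return "Share $ShareUnc is reachable but not writable: $($_.Exception.Message)"
    }
}

# Constructed sample run: London research clients, with file names obfuscated.
Set-OfficeTelemetryAgent -ShareUnc '\\LON-DS1\TelemetryShare$' -Tag1 'London' -Tag2 'Research' -Privacy
Test-TelemetryShare -ShareUnc '\\LON-DS1\TelemetryShare$'
```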
Infrastructure issues. Various telemetry infrastructure issues can affect successful deployment. Examples
include a corrupt telemetry database, and connectivity issues between agent and shared folder,
between the telemetry processor and the database, or between the telemetry dashboard and the
database.
Unreported data. For various reasons, there might be Office data that never goes to the shared folder,
and is therefore never stored in the database. For example, offline machines or mobile machines that
cannot receive Group Policy might never be enabled for data logging or be able to report back their
data.
If you overlook computers that are running versions older than Office 2013, you might assume that all
computers running Office are reporting data. However, if you have not deployed agents, data will never be
sent. Office 2013 and Office 2016 have agents automatically installed, but earlier Office packages do not.
Windows XP–based computers do not support the Office Telemetry Agent scheduled task; therefore, they
only report data at each user sign-in.
Missing data. It is important to remember that data reporting is a background activity, and that after
the random initial upload interval, Office Telemetry collects data only every eight hours. Therefore, it
might take some time before all computers are reporting data.
Performance and capacity planning. You can maximize telemetry performance by setting data
thresholds, so that only essential information is reported. You can set thresholds by using the
Telemetry Dashboard Administration Tool (Tdadm.exe).
When planning for capacity, note the following data collection upload sizes:
The project steering committee has not yet decided whether they will allow users to install Office 365
ProPlus, or whether they will use a centralized installation mechanism. As part of the pilot project, you need
to evaluate each option for deploying and managing Office 365 ProPlus.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 60 minutes
In all tasks:
LON-DC1
LON-DS1
LON-CL1
LON-CL3
LON-CL4
3. From the Office 365 admin center, use the User software page to download Office Deployment Tool
software (version 2016).
4. Review the settings and options of Office Deployment Tool before downloading it.
9. In File Explorer, click Local Disk (C:) in the left navigation pane.
10. In File Explorer, click the Home tab, and then click New Folder.
13. In the File Sharing dialog box, click the drop-down list box, select Everyone from the list, click Add,
and then click Share.
16. In the address bar, type https://portal.microsoftonline.com, and then press Enter.
18. On the Office 365 home page, click Admin. Click Switch back to the old admin center to switch to
the previous Office 365 admin center.
19. In the Office 365 admin center, in the left panel, click SERVICE SETTINGS, and then click User
software.
20. Under the Manually deploy user software area, click Learn how to download and deploy
software.
21. On the How admins can download Office 365 user software to deploy to users page, click
Manage user software in Office 365.
22. In the Manually download and install the Office apps by using the Office Deployment Tool
section, click the Office Deployment Tool (Office 2016 version) link to open the Office Deployment
Tool download page.
23. On the download page, expand Details, System Requirements, and Install Instructions.
24. Read and familiarize yourself with each section. You can mark this page as a favorite to refer to later.
25. Click Download and notice the information bar at the bottom of the browser.
30. Click OK. You should see that the files were extracted successfully. Click OK.
31. Navigate to the Office16 folder with File Explorer. You should see two files in the newly created Office
Deployment Tool folder named configuration and setup.
2. By using Notepad, open the configuration.xml file and edit the first Add line after <Configuration> to
read <Add SourcePath="\\LON-CL1\Office16\" OfficeClientEdition="32" Branch="Current">.
4. Comment out the VisioProRetail from the code and save the file.
Results: You will have downloaded a copy of the Microsoft Office 365 ProPlus install for managed
deployment to a shared folder. You will also download and install the Office Deployment Tool on the same
machine.
2. Edit user Brad Sutton by adding Office 365 Enterprise E3 license using a location of United Kingdom,
but removing the Office 365 ProPlus option.
3. Edit user Maira Wenzel and assign an Office 365 Enterprise E3 license using the location of the United
Kingdom.
5. In the Office 365 admin center, on the Settings menu, access the Apps page.
6. On the Software download settings page, disable downloads for both Office 2013 and Office 2016.
7. Sign out, and then sign in as Brad Sutton with the user name
brad@Adatumyyxxxxx.hostdomain.com and the password Pa$$w0rd.
8. Access Brad’s Office 365 settings and verify that he does not have the option to install the Office 365
apps.
9. Sign out as Brad Sutton, and then sign in as Roman Miler with the user name
roman@Adatumyyxxxxx.hostdomain.com with the password of Pa$$w0rd.
10. Navigate to the Office 365 settings page, and then click Install software.
11. Note that the users looked similar, but Brad is not assigned a license. Roman has a license, but Holly
deactivated version 2016 for all users.
12. Before signing out, verify that Phone & tablet apps are available.
14. Open a new browser, and then sign in to the Office 365 environment with the administrator Holly’s
credentials and password.
15. Go back to the Office 365 admin center and enable downloads for Office 2016.
22. Notice how to change from 32-bit to 64-bit options on the Office 365 ProPlus advanced menu.
23. You will install the software in the next lab.
Task 2: Install Office 365 ProPlus from the Office 365 portal
1. On LON-CL3, on the Office 365 portal, select the appropriate language and version, and then install on
the local computer.
4. When installed, open Word 2016 from the Windows start menu.
5. In Word, in the upper-right corner, switch accounts by signing out as Roman and adding the account
for Holly.
6. Create a document with some content and save to an Adatum Publishing Team Site folder in the
Documents folder with the file name Meeting Agenda.
8. Notice the new option of Manage installs on the Install software page.
2. From the Office 365 admin center, disable Roman Miler’s license to Office 365 ProPlus.
3. Sign out of Office 365 as Holly and sign in as Roman.
4. Navigate to the Install software page to confirm that Office is no longer available for download. What
will happen to the Office software that is already installed?
Results: When completed, you should be able to activate Office 365 ProPlus for self-service installations.
You should also be able to set licensing options correctly for end users so that deployment and installation
is possible.
Task 1: Configure a Group Policy Object (GPO) to distribute the custom installation
1. Using an administrative sign in on the LON-DC1 server, use Server Manager tools to create a new
organizational unit (OU) named Adatum_Computers.
4. Create a Group Policy Object (GPO) linked to the newly created Adatum_Computers.
5. Name the GPO DeployO365.
6. By using the Group Policy Management Editor, expand Policies, expand Windows Settings, and then
open Scripts (Startup/Shutdown).
7. Create a new text document with the following line: \\LON-CL1\Office16\setup.exe /configure
\\LON-CL1\Office16\AdatumConfiguration.xml.
10. In Group Policy Management Editor, in the Startup Properties dialog box, add a script.
Note: Where and how do you think this might start up?
4. Wait five minutes after the restart to allow the Group Policy settings to take effect.
7. Open Word 2016 and activate with Maira’s Office 365 credentials.
8. In the First things first dialog box, click No thanks, click Accept, and then close the dialog box.
9. Open a blank document, type some text, and then save it.
10. In Task Manager, check the processes, details, and services for Click-to-Run.
Results: You will have enabled centralized managed deployment of Office 365 ProPlus and implemented a
standardized Microsoft Office configuration by using one version of Office.
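The two pieces the managed deployment depends on are the configuration.xml on the share and the startup command the GPO runs. The following PowerShell is an added example, not part of the course or the Office Deployment Tool itself: it writes the configuration file with the values used in the lab (share \\LON-CL1\Office16, 32-bit edition, Current branch, VisioProRetail commented out), validates that it is well-formed XML before saving, checks the share holds setup.exe, and queries the Click-to-Run service. The product ID O365ProPlusRetail, the en-us language ID and the Display settings are assumptions for illustration.

```powershell
# Added example: generate and validate the ODT configuration used by the
# DeployO365 startup script. Share path and edition values come from the lab;
# product/language IDs and the Display element are assumptions.
function Write-OdtConfiguration {
    param(
        [Parameter(Mandatory)] [string] $SharePath,          # e.g. \\LON-CL1\Office16\
        [string] $OutputFile,                                # defaults to AdatumConfiguration.xml on the share
        [ValidateSet('32', '64')] [string] $Edition = '32',
        [string] $Branch = 'Current'
    )
    if (-not $OutputFile) { $OutputFile = Join-Path $SharePath 'AdatumConfiguration.xml' }

    # VisioProRetail stays commented out, matching the lab instruction to deploy
    # only Office 365 ProPlus from this share.
    $xml = @"
<Configuration>
  <Add SourcePath="$SharePath" OfficeClientEdition="$Edition" Branch="$Branch">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
    <!--
    <Product ID="VisioProRetail">
      <Language ID="en-us" />
    </Product>
    -->
  </Add>
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
"@

    # Casting to [xml] fails loudly on malformed markup (for example smart quotes
    # pasted from a word processor), so validate before writing to the share.
    $parsed = [xml] $xml
    $add = $parsed.Configuration.Add
    if ($add.SourcePath -ne $SharePath) { throw "SourcePath mismatch in generated XML" }

    Set-Content -Path $OutputFile -Value $xml -Encoding UTF8
    return $parsed
}

function Test-OdtDeploymentShare {
    param([Parameter(Mandatory)] [string] $SharePath)
    # The startup script only works if setup.exe and the configuration file are
    # reachable by the computer account at boot, so confirm both exist on the share.
    $setup  = Join-Path $SharePath 'setup.exe'
    $config = Join-Path $SharePath 'AdatumConfiguration.xml'
    [pscustomobject]@{
        SetupPresent   = Test-Path $setup
        ConfigPresent  = Test-Path $config
        StartupCommand = "$setup /configure $config"   # the line placed in the GPO startup script
    }
}

function Test-ClickToRunService {
    # ClickToRunSvc is the service name behind "Microsoft Office Click-to-Run Service".
    $svc = Get-Service -Name ClickToRunSvc -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'NotInstalled' }
    return $svc.Status.ToString()
}

# Usage on LON-CL1 (elevated PowerShell), then on a client after the GPO has applied:
# Write-OdtConfiguration -SharePath '\\LON-CL1\Office16\'
# Test-OdtDeploymentShare -SharePath '\\LON-CL1\Office16\'
# Test-ClickToRunService
```

Generating the file from a script rather than editing it by hand avoids the quoting mistakes that make setup.exe fail silently at startup, and the share check is worth running as the computer account's view of the path is what matters at boot, not the administrator's.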
Question: Why do you need to edit the configuration.xml file when preparing to use
managed deployments of Office 365 ProPlus?
Question: How can you verify that the Click-to-Run service is running?
Module 6
Planning and managing Exchange Online recipients and
permissions
Contents:
Module Overview 6-1
Module Overview
Microsoft Exchange Online in Microsoft Office 365 provides users with a messaging and collaboration
platform, giving them a single location for composing, reading, and storing email, calendar, contact, and
task information. Users can access their personal information from many different device types, including
those running Windows 10, iOS, Android, and Windows Phone. This module describes Exchange Online and
explains how to create and manage recipient objects and how to manage and delegate Exchange security.
Objectives
After completing this module, you will be able to:
Describe Exchange Online.
Lesson 1
Overview of Exchange Online
Microsoft Exchange Online is a hosted messaging solution that delivers the capabilities of Microsoft
Exchange Server as a cloud-based service. It gives users single sign-on (SSO) access to email, calendar,
contacts, and tasks from PCs, the web, and many types of mobile device. In addition, Exchange Online
integrates fully with Microsoft Azure Active Directory (Azure AD), enabling administrators to use group
policies and other administration tools to manage Exchange Online features across their environment. You
can also integrate Exchange Online with existing Exchange on-premises installations, either by using simple
coexistence or as a long-term hybrid deployment.
Lesson Objectives
After completing this lesson, you will be able to:
Clients and mobile devices. Microsoft Outlook, Outlook for Mac, and Outlook Web App; Exchange
ActiveSync; Post Office Protocol (POP), IMAP, and Simple Mail Transfer Protocol (SMTP); Exchange Web
Services (EWS) application support.
Interoperability, connectivity, and compatibility. Skype for Business presence in Outlook Web App and
Outlook; Microsoft SharePoint interoperability; EWS connectivity support; SMTP relay support.
The particular functions and features in Exchange Online vary according to the Office 365 subscription plan
or Exchange Online subscription that you have, which the next topic will cover.
Latest features
Similar to Office 365, Exchange Online is constantly evolving to meet the needs of its users. You can find the
latest features of Exchange Online on the Microsoft TechNet website.
Additional Reading: For more information on the new features in the latest version of
Exchange Online, refer to What's new in Exchange Online: http://aka.ms/S44j3g.
Table: Exchange Online features by plan. Columns: Exchange Online feature; Office 365 Business
Essentials; Office 365 Business Premium; Office 365 Enterprise E1; Office 365 Enterprise E3; Office 365
Enterprise E5; Office 365 Enterprise K1; Office 365 Education; Office 365 Government E1; Office 365
Government E3; Office 365 Government K1.
Note: Microsoft plans to retire the Office 365 Enterprise E4 and Office 365 Government E4
plans in the summer of 2016 and replace them with the Office 365 Enterprise E5 and Office 365
Government E5 plans.
You also can obtain Exchange Online as a stand-alone subscription plan. The following Exchange Online
plans are available:
Exchange Online Plan 2. The same as Plan 1, but also includes hosted voicemail integration.
Exchange Online Protection. Helps protect against spam and malware, and helps to provide a clean
and reliable message stream.
Exchange Online Advanced Threat Protection. Helps to protect your email system from online attacks
from malicious persons.
Exchange Online Archiving. Enables archiving, compliance, and eDiscovery within your messaging
system.
Exchange Online Kiosk. Provides a 2-GB mailbox per user and provides support for Exchange
ActiveSync clients. Does not support role-based administration.
Manageability. Administration, ease of access, policy enforcement, and user and group management.
Regardless of the migration or coexistence option that you identify after analyzing your organization’s
environment, you should plan for several common factors. These include:
Mailbox sizes. Create and implement a plan to reduce the size of users’ mailboxes. Mailbox sizes have a
major impact on the time it will take to migrate to Exchange Online. You should discuss options within
your organization on how to reduce mailbox sizes, including clearing out old emails, archiving
messages to Personal Folders (PST) files, deleting sent files (particularly larger ones), and using rules.
Review the organization’s tools that will assist you in identifying the largest mailboxes.
Bandwidth. Internet bandwidth, especially the uplink speed, is the second limiting factor that controls
how long it takes to migrate to Exchange Online. Talk to the information technology (IT) department
about their link speed, the link’s quality, and whether this is a good time to upgrade to a faster link or
to a symmetric technology.
Directory health. It is vital that you plan for a clean directory service before starting the Deploy phase.
This is also the time to remove duplicate accounts, old groups, unnecessary organizational units (OUs),
retired servers, and old client computers, and generally perform housekeeping on the directory service.
You should also check for errors in the log files and ensure that replication is functioning correctly.
Mail delivery. If you are implementing coexistence, you must plan where to deliver incoming mail.
Delivery will initially be to the on-premises server, but you will need to determine if this is the best
long-term arrangement in a coexistence scenario. You must also identify the point at which you will
switch over in a cutover or staged migration.
Domain Name Services (DNS) settings. You will need to plan for DNS configuration changes during the
migration process, such as mail exchange records (MX records), canonical name records (CNAME
records), and Autodiscover settings. Remember that DNS settings can take time to propagate globally
and that changing the Time to Live (TTL) setting can help speed up this process.
Communications. It is essential that you communicate relevant and timely information about the
migration plan to users. The pilot users can help assure people that the migration will go smoothly, but
you must not overlook this factor in your planning.
Training. If your organization’s users are moving from one mail client to Outlook 2013, they will require
a significant amount of training on this new client. If they are updating from an earlier version of
Outlook, they will not require as much training, but you must still include training as a consideration in
your plan.
File types. SharePoint Online blocks some file types. Ensure that your users appreciate the implications
of these blocked file types.
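The DNS factor above is the one that is easiest to verify before the cutover. The following PowerShell is an added example, not part of the course: it reads the MX and Autodiscover CNAME records for a domain, reports their TTLs, and flags an MX TTL that is still longer than the value you want in place before switching mail delivery. Resolve-DnsName comes from the DnsClient module (Windows 8 / Windows Server 2012 and later); the adatum.com domain, the 3600-second threshold and the public resolver address are illustrative values.

```powershell
# Added example: a pre-cutover check of the DNS records discussed above.
function Get-MailDnsReadiness {
    param(
        [Parameter(Mandatory)] [string] $Domain,   # e.g. adatum.com
        [int] $MaxTtlSeconds = 3600,               # TTL you want on the MX record before cutover (assumed)
        [string] $DnsServer                        # optional: a public resolver, to see the propagated view
    )
    $query = @{ ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $query['Server'] = $DnsServer }

    # Resolve-DnsName can return additional/authority records too, so keep only the type asked for.
    $mx = Resolve-DnsName -Name $Domain -Type MX @query | Where-Object { $_.Type -eq 'MX' }
    $autodiscover = Resolve-DnsName -Name "autodiscover.$Domain" -Type CNAME @query |
        Where-Object { $_.Type -eq 'CNAME' }

    [pscustomobject]@{
        Domain            = $Domain
        MxHosts           = @($mx | Sort-Object Preference | ForEach-Object { $_.NameExchange })
        MxTtlSeconds      = @($mx | ForEach-Object { $_.TTL })
        # A long TTL means resolvers keep routing mail to the old host after you change the record.
        MxTtlTooLong      = [bool]($mx | Where-Object { $_.TTL -gt $MaxTtlSeconds })
        AutodiscoverCname = @($autodiscover | ForEach-Object { $_.NameHost })
    }
}

# Compare the authoritative view with what a public resolver is currently serving:
# Get-MailDnsReadiness -Domain 'adatum.com'
# Get-MailDnsReadiness -Domain 'adatum.com' -DnsServer '8.8.8.8'
```

Run it against a public resolver as well as your own DNS servers: the difference between the two answers is the propagation delay the text refers to, and lowering the TTL well ahead of the change is what shrinks it.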
b. Then, install the Azure Active Directory Module for Windows PowerShell (64-bit version), and click
Run to run the installer package.
Additional Reading: You can obtain the Microsoft Online Services Sign-In Assistant for IT
Professionals RTW from the Microsoft Download Center: http://aka.ms/vl42dg.
Additional Reading: You can download the Azure Active Directory Module for Windows
PowerShell (64-bit version) here: http://aka.ms/Pwx3a9.
Now you must connect to the Exchange Online environment. Complete the following procedure each
time you want to connect to Exchange Online:
2. Run Windows Azure Active Directory Module for Windows PowerShell as an administrator, and in
the Windows PowerShell window, run the following cmdlets in the same sequence as shown:
$credential = Get-Credential
Import-Module MsOnline
Connect-MsolService -Credential $credential
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection
Import-PSSession $exchangeSession -DisableNameChecking
Note: When prompted by Get-Credential, enter the global admin account credentials for your
subscription.
Note: We recommend that you add these commands to a Windows PowerShell script for
convenience.
3. Finally, in the Windows PowerShell window, type the following command, and then press Enter:
Get-AcceptedDomain
Note: This command returns the list of accepted domains and verifies that you can connect
to your Office 365 subscription.
Lesson 2
Managing Exchange Online recipients
An important part of managing your Exchange Online tenant involves creating and managing recipient
objects, including mailboxes, groups, resources, shared mailboxes, contacts, and mail users. You also must
know how to perform bulk management of these objects. In addition, you should know how to use both
the Exchange admin center and Windows PowerShell to manage these objects.
Lesson Objectives
After completing this lesson, you will be able to:
You might encounter this prompt when you attempt to perform the following tasks:
Creating a new role assignment policy or modifying a built-in role assignment policy.
Creating a new Outlook on the web mailbox policy or modifying a built-in Outlook on the web mailbox
policy.
Creating a new sharing policy or modifying a built-in sharing policy.
General. Configure the mailbox’s names, display name, and the option to hide the mailbox from the
address list.
Mailbox usage. Provides information on the last sign-in and mailbox space usage.
Contact information. Enables you to configure the postal address and telephone contact details.
Organization. Configure the mailbox user’s title, department, company, manager, and employees who
report to the user.
Email address. Configure additional email addresses for the mailbox (the next topic will discuss this in
detail).
Mailbox features. Configure settings such as sharing policy, role assignment policy, retention policy,
address book policy. In addition, enable and configure phone and voice features, mobile device types,
and email access protocols (such as POP and IMAP).
Member of. Manage the mailbox group memberships. You can also do this from the group objects in
the Exchange admin center.
MailTip. Configure a MailTip of up to 175 characters for the mailbox (the information that Outlook shows
when a user types the recipient address). Users corresponding with the mailbox see the MailTip.
Mailbox delegation. Configure delegate access for the mailbox. You can configure Send As, Send on
Behalf, and Full Access permissions.
When you add a new user account to a simple Office 365 account that does not have any external domains
configured, the mailbox for that user is automatically assigned an SMTP email address that uses this default
domain. This email address is in the form SMTP:username@domainname.
For example, assume the default domain is adatum.hostdomain.com. The default email address policy will
assign a user named Remi Desforges an email address with an @adatum.hostdomain.com address, such as
rdesforges@adatum.hostdomain.com. Typically, this email address will match his user sign-in to Office 365.
If you then register an external domain with Office 365, you can create email addresses that use that
domain. New users will get a primary address of @companyname.hostdomain.com and a secondary email
address of @externaldomain. You can then set the second address as the primary (reply-to) address
for a user, either manually through the Exchange admin center, or in bulk by using Windows PowerShell.
Note: The primary (or reply-to) SMTP address for a mailbox always contains the acronym
SMTP: in upper case. Secondary and subsequent addresses contain smtp in lower case. For
example, SMTP:user@domain.microsoftonline.com is the primary address, and
smtp:user@domain.com is the secondary address.
2. Under mailboxes, click the mailbox you want to change, and then click Edit.
5. Under email address type, ensure that SMTP is selected, and then in Email address, enter the address
by using a registered domain name.
6. Optionally, click Make this the reply address to make this address the primary address.
7. Click OK.
Messages sent to this new address will now be delivered to this mailbox. If you selected Make this the
reply address, then this is the address that will receive reply messages.
# Retrieve every mailbox in the tenant
$users = Get-Mailbox
# Append a secondary (lower-case smtp:) address at the new domain to each mailbox's address collection
foreach ($a in $users) {$a.emailaddresses.Add("smtp:$($a.alias)@thenewdomainname")}
# Write the updated address collections back to Exchange Online
$users | %{Set-Mailbox $_.Identity -EmailAddresses $_.EmailAddresses}
Note: You must connect to the Exchange Online service before running these commands.
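The script above rewrites each mailbox's whole address collection, which is fine in a lab but risky at scale. The following PowerShell is an added example, not the course's own script: it adds the new secondary address with the Add hash-table form of -EmailAddresses (so nothing else in the collection is touched), skips mailboxes that already have it, supports -WhatIf for a dry run, and can optionally promote the new address to the primary SMTP address. It assumes an Exchange Online session has already been imported as in the connection procedure; thenewdomainname is the placeholder from the text.

```powershell
# Added example: idempotent bulk addition of a secondary address, with a dry-run option.
function Add-SecondaryDomainAddress {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $NewDomain,       # e.g. thenewdomainname (placeholder from the text)
        [switch] $MakePrimary,                            # also make the new address the reply-to address
        [string] $Filter = 'RecipientTypeDetails -eq "UserMailbox"'
    )

    $changed = @()
    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited -Filter $Filter)) {
        $newAddress = "$($mbx.Alias)@$NewDomain"

        # The collection stores the primary as SMTP: and secondaries as smtp:, so
        # compare the address part case-insensitively regardless of prefix case.
        $already = $mbx.EmailAddresses | Where-Object {
            $_ -match '^smtp:' -and (($_ -replace '^smtp:', '') -ieq $newAddress)
        }

        if (-not $already -and $PSCmdlet.ShouldProcess($mbx.Identity, "add smtp:$newAddress")) {
            # Add/Remove syntax changes only the listed address.
            Set-Mailbox -Identity $mbx.Identity -EmailAddresses @{ Add = "smtp:$newAddress" }
            $changed += $mbx.Identity
        }

        if ($MakePrimary -and $PSCmdlet.ShouldProcess($mbx.Identity, "set primary SMTP to $newAddress")) {
            # -WindowsEmailAddress replaces the upper-case SMTP: entry; the old primary
            # is kept as a lower-case secondary so mail to it still arrives.
            Set-Mailbox -Identity $mbx.Identity -WindowsEmailAddress $newAddress
        }
    }
    return $changed
}

# Dry run first, then apply:
# Add-SecondaryDomainAddress -NewDomain 'adatum.com' -WhatIf
# Add-SecondaryDomainAddress -NewDomain 'adatum.com'
```

Keeping the old primary as a secondary matters during a domain change: any sender or system that still uses the old address keeps working while the reply-to address moves to the new domain.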
It is important to note that the UPNs and the verified domain names in Office 365 must match. For the sake of
this discussion, let us assume that you are trying to synchronize the ADATUM on-premises domain with
Office 365. In this scenario, the best approach is to set up a UPN suffix of adatum.com in Active Directory
Domains and Trusts, and ensure that all users have that UPN suffix applied. The users then have primary
on-premises SMTP addresses that match their UPNs. In Office 365, you register the adatum.com domain to
Office 365 and set it up for use with Exchange Online.
When you run the first directory synchronization, Office 365 creates the mailboxes in Office 365 and assigns
a primary SMTP address of user@adatum.com. It also creates a secondary address of
user@adatum.hostdomain.com. Users can now sign in to Office 365 and access their mailboxes.
If you then either set up password synchronization or implement SSO, typically by using Active Directory
Federation Services (AD FS), users can sign in to Office 365 by using the same credentials that they use for
on-premises sign-ins.
Note: In the case of password sync, there are still two separate accounts, one on-premises and one
in the cloud, but they have the same user name (user@adatum.com) and the password is
synchronized between the two environments.
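Before the first directory synchronization it is worth checking every user's UPN suffix and primary SMTP domain against the list of domains verified in Office 365, because a mismatch (typically a non-routable suffix such as adatum.local) produces a cloud sign-in name that differs from the on-premises one. The following PowerShell is an added example, not part of the course: the check runs offline on constructed sample users, and the commented lines at the end show the live equivalents using Get-ADUser (ActiveDirectory module) and Get-MsolDomain (MSOnline module). The user names and domains are illustrative.

```powershell
# Added example: pre-synchronization alignment check for UPN suffix, primary SMTP
# domain and the tenant's verified domains.
function Test-UpnSmtpAlignment {
    param(
        [Parameter(Mandatory)] [object[]] $Users,           # objects with UserPrincipalName and proxyAddresses
        [Parameter(Mandatory)] [string[]] $VerifiedDomains  # e.g. (Get-MsolDomain -Status Verified).Name
    )
    foreach ($u in $Users) {
        $upnSuffix = ($u.UserPrincipalName -split '@')[-1]
        # The primary SMTP address is the proxyAddresses entry with an upper-case SMTP: prefix.
        $primary = @($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })[0]
        $primaryDomain = if ($primary) { ($primary -split '@')[-1] } else { $null }

        [pscustomobject]@{
            User           = $u.UserPrincipalName
            UpnSuffix      = $upnSuffix
            PrimarySmtp    = $primary
            UpnVerified    = [bool]($VerifiedDomains -contains $upnSuffix)
            SmtpVerified   = [bool]($primaryDomain -and ($VerifiedDomains -contains $primaryDomain))
            UpnMatchesSmtp = [bool]($primaryDomain -and ($upnSuffix -ieq $primaryDomain))
        }
    }
}

# Constructed sample data: one aligned user and one whose UPN still carries the
# non-routable forest suffix, which is the common mismatch.
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'remi@adatum.com'
                       proxyAddresses    = @('SMTP:rdesforges@adatum.com', 'smtp:remi@adatum.hostdomain.com') }
    [pscustomobject]@{ UserPrincipalName = 'brad@adatum.local'
                       proxyAddresses    = @('SMTP:brad@adatum.com') }
)
$sampleVerified = @('adatum.com', 'adatum.hostdomain.com')

# Lists only the users that fail at least one of the three checks.
Test-UpnSmtpAlignment -Users $sampleUsers -VerifiedDomains $sampleVerified |
    Where-Object { -not ($_.UpnVerified -and $_.SmtpVerified -and $_.UpnMatchesSmtp) }

# Live run on a domain-joined computer with both modules installed:
# $verified = (Get-MsolDomain -Status Verified).Name
# $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties proxyAddresses
# Test-UpnSmtpAlignment -Users $users -VerifiedDomains $verified | Where-Object { -not $_.UpnMatchesSmtp }
```

Fixing the suffix in Active Directory Domains and Trusts before synchronization, as the text recommends, is far cheaper than renaming cloud identities afterwards; this check tells you which accounts still need it.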
Exchange Online provides additional group features, which enable the creation of the following group
types:
Note: If you create a mail-enabled security group in Exchange Online, it appears in the Office
365 Admin center under security groups. However, Office 365 security groups do not appear in
Exchange Online.
3. In the Display Name box, enter the name of the group that you want to appear in the Address Book.
4. In the Alias box, enter a unique alias for the group. This value autopopulates the first part of the Email
Address field.
5. Select the domain for the email address from the drop-down list.
6. In the Notes field, give the group a description so that other administrators know what the purpose of
the group is.
7. Under Owners, note that by default, the group creator is an owner. However, you can remove yourself
as an owner and assign ownership to someone else, including to security groups.
8. To add an owner, click the + icon, select users or security groups, click add, and then click OK.
9. Under Members, note that by default, the group owner is a member. However, you can clear the Add
group owners as members check box, and add other members to the group. Alternatively, you can
let the group owner select members.
10. To add a member, click the + icon, select users or security groups, click add, and then click OK.
11. Select the option for Owner approval is required if you want the group owners to receive requests to
join the group. If you do select this option, only group owners can remove members (not the
administrator).
After creating the mail-enabled security group, you can change the following settings:
General. Change the display name, alias, email address, description, and the option to hide the group
from address lists.
Delivery management. Specify whether external addressees can email this group or only internal
users, and other settings.
Message approval. Configure moderation, specifying who can moderate the group and who can send
messages to the group without moderation.
MailTip. Add a MailTip to specify what displays when users send messages to the group.
Group delegation. Specify Send As and Send on Behalf Of permission for users or groups.
To show information about this new security group, run the following cmdlet:
4. In the Alias box, enter a unique alias for the group. This value autopopulates the first part of the Email
address field.
5. Select the domain for the email address from the drop-down list.
6. Give the group a description in the Notes field so that other administrators know what the purpose of
the group is.
7. Under Owners, note that by default, the group creator is an owner. However, you can remove yourself
as an owner and assign ownership to someone else, including to distribution groups.
8. To add an owner, click the + icon, select users or distribution groups, click add, and then click OK.
9. Under Members, note that by default, the group owner is a member. However, you can clear the Add
group owners as members check box, and add other members to the group. Alternatively, you can
let the group owner select members.
10. To add a member, click the + icon, select users or distribution groups, click add, and then click OK.
11. Under Choose whether owner approval is required to join the group, you now have the following
options:
o Open. Anyone can join this group without the approval of the group owners.
o Closed. Only the group owners can add members. All requests to join will be rejected
automatically.
12. In addition, under Choose whether the group is open to leave, you can specify the following options
for leaving the group:
o Open. Anyone can leave this group without the approval of the group owners.
o Closed. Only the group owners can remove members. All requests to leave will be rejected
automatically.
After creating the mail-enabled distribution group, you can change the following settings:
General. Change the display name, alias, email address, description, and the option to hide the group
from address lists.
Membership approval. Specify the options for joining or leaving the group.
Delivery management. Specify whether external addressees or only internal users can email this group.
Message approval. Configure moderation, specifying who can moderate the group and who can send
messages to the group without moderation.
MailTip. Add a MailTip to specify what displays when users send messages to the group.
Group delegation. Specify Send As and Send on Behalf Of permission for users or groups.
You can then add further criteria to refine the number of accounts that will appear in the results. The
following table lists the additional options.
Variable                                                Condition
Custom attribute N (where N is a number from 1 to 15)   A match on the recipient’s CustomAttributeN property.
Note: Filtering based on organizational unit or domain is not available in Exchange Online.
To view information about a dynamic distribution list, enter the following cmdlet:
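As an added example (not the course's own cmdlets), the following PowerShell creates the three group types covered in this lesson and then inspects them. It assumes an imported Exchange Online session; the group names, addresses and owner are illustrative values in the adatum.com domain. The dynamic group filters on CustomAttribute1, one of the 15 custom attributes from the table above, and the preview query at the end resolves the filter to its current members so you can confirm it does not match more recipients than intended.

```powershell
# Added example: mail-enabled security group, distribution group and dynamic
# distribution group, created and inspected from PowerShell.

# Mail-enabled security group. -ManagedBy mirrors the Owners field in the Exchange
# admin center; ApprovalRequired is the "Owner approval is required" option.
New-DistributionGroup -Name 'Finance Approvers' -Alias 'finance-approvers' `
    -PrimarySmtpAddress 'finance-approvers@adatum.com' -Type Security `
    -ManagedBy 'holly@adatum.com' -Members 'remi@adatum.com', 'brad@adatum.com' `
    -Notes 'Approvers for finance workflows; owner approval required to join' `
    -MemberJoinRestriction ApprovalRequired

# Mail-enabled distribution group with the Open/Closed join and leave options
# from steps 11 and 12 above.
New-DistributionGroup -Name 'All Sales' -Alias 'all-sales' `
    -PrimarySmtpAddress 'all-sales@adatum.com' -Type Distribution `
    -ManagedBy 'holly@adatum.com' `
    -MemberJoinRestriction Closed -MemberDepartRestriction Open

# Dynamic distribution group: membership is a recipient filter evaluated when a
# message is sent. Filtering on OU or domain is not available in Exchange Online.
New-DynamicDistributionGroup -Name 'Building 11 Staff' -Alias 'bldg11-staff' `
    -PrimarySmtpAddress 'bldg11-staff@adatum.com' `
    -RecipientFilter "((RecipientTypeDetails -eq 'UserMailbox') -and (CustomAttribute1 -eq 'Building11'))"

# Inspect the static groups.
Get-DistributionGroup -Identity 'Finance Approvers' |
    Format-List Name, GroupType, ManagedBy, MemberJoinRestriction, MemberDepartRestriction, PrimarySmtpAddress
Get-DistributionGroupMember -Identity 'Finance Approvers' | Select-Object Name, PrimarySmtpAddress

# For the dynamic group, preview who the stored filter currently resolves to.
$ddg = Get-DynamicDistributionGroup -Identity 'Building 11 Staff'
Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter | Select-Object Name, PrimarySmtpAddress
```

The preview step is the one to keep: a dynamic group's membership changes silently as attributes change, so re-running the preview after a directory clean-up shows whether the filter still delivers to the people you expect.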
Configuring resources
Resource mailboxes in Office 365 enable you to assign a mailbox to a room or an item of equipment and
then book that item by sending it a meeting request. These mailboxes are similar to those in on-premises
Exchange Server and come in two different types:
Room mailboxes. These mailboxes are for booking immovable objects, such as conference rooms,
meeting rooms, cinemas, sports halls, and swimming pools. In fact, you can create any physical space as
a room and then book it through Exchange Online. If a room has fixed equipment, such as a ceiling-
mounted projector, then that equipment is part of that room. We recommend that you set up a
movable room, such as a portable cabin or a caravan, as a room mailbox.
Note: We recommend that you have a structured and consistent way to label room or
equipment mailboxes so that it is immediately apparent where a room is located or what the piece
of equipment is.
2. Under resources, click the + (add) icon, and then select Room mailbox.
3. In the Room name field, enter a descriptive name for the room. For example, type Conference Room
11 306 if the room is in building 11 and identified on the door as room 306.
4. Under Email address, enter the room’s email address and select the domain from the list of registered
domain names. Again, make the email address consistent and easy to identify, such as
conf-room-11-306@Adatum.com.
5. Add a Location for the room, such as Building 11, Third Floor.
6. If there is a phone in the room, such as a conference phone, enter that number in the Phone field.
7. Enter a Capacity for the room, such as 25.
Note: When you create a room mailbox, the option to Accept or decline booking requests
automatically is enabled.
After creating the room mailbox, you can configure the following settings:
General. Specify the name, capacity, department, company, address book policy, custom attributes,
and the option to hide from address lists.
Booking delegates. Accept booking requests automatically, select delegates, or customize acceptance
policy for this mailbox.
Booking options. Allow repeated meetings, only schedule during working hours, maximum booking
lead time, maximum meeting duration, and a customized reply to the meeting organizer.
Contact information. Add street, ZIP code, city, and other information, if required.
MailTip. Create MailTip to provide additional information that users can see when they select this
address in an email.
Mailbox delegation. Configure Send As, Send on Behalf Of, and Full Access permission for this
mailbox, as with shared mailboxes.
To configure the room mailbox to process booking requests automatically, run this cmdlet:
2. Under resources, click the + (add) icon, and then select Equipment mailbox.
3. In the Equipment name field, enter a descriptive name for the equipment. For example, type Portable
Projector S/N 32011044 if the equipment is a projector with that serial number. Alternatively, provide
a tag number if there is one.
4. Under Email address, enter the equipment’s email address and select the domain from the list of
registered domain names. Again, make the email address consistent and easy to identify, such as
projector-32011044@adatum.com.
Note: When you create an equipment mailbox, the option to Accept or decline booking
requests automatically is enabled.
After creating the equipment mailbox, you can configure the following settings:
General. Specify the name, capacity, department, company, address book policy, custom attributes,
and the option to hide from address lists.
Booking delegates. Accept booking requests automatically, select delegates, or customize acceptance
policy for this mailbox.
Booking options. Allow repeated meetings, only schedule during working hours, maximum booking
lead time, maximum meeting duration, and a customized reply to the meeting organizer.
Contact information. Add street, Zip/post code, city, and other information, if required.
Mailbox delegation. Configure Send As, Send on Behalf Of, and Full Access permission for this
mailbox, as with shared mailboxes.
To configure the equipment mailbox to process booking requests automatically, run this command:
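As an added example (not the course's own command), the following PowerShell creates the room and equipment mailboxes used in the two procedures above and applies one booking policy to both through Set-CalendarProcessing, then lists the effective policy on every resource mailbox in the tenant. It assumes an imported Exchange Online session; the names follow the labelling convention the note recommends, and the booking limits (180 days lead time, 8-hour maximum) and the delegate address are illustrative values.

```powershell
# Added example: room and equipment mailboxes with automatic booking, plus a
# tenant-wide verification of the calendar processing settings.

# Room: Conference Room 11 306 (building 11, room 306), capacity 25.
New-Mailbox -Name 'Conference Room 11 306' -Alias 'conf-room-11-306' -Room
Set-Mailbox -Identity 'conf-room-11-306' -ResourceCapacity 25 -Office 'Building 11, Third Floor'

# Equipment: a portable projector identified by its serial number.
New-Mailbox -Name 'Portable Projector S/N 32011044' -Alias 'projector-32011044' -Equipment

# Booking policy. AutoAccept lets the mailbox accept or decline requests itself
# within these limits; the other settings map to the Booking options tab.
$booking = @{
    AutomateProcessing          = 'AutoAccept'
    AllowRecurringMeetings      = $true
    ScheduleOnlyDuringWorkHours = $true
    BookingWindowInDays         = 180      # maximum booking lead time (assumed value)
    MaximumDurationInMinutes    = 480      # maximum meeting duration, 8 hours (assumed value)
    AddAdditionalResponse       = $true
    AdditionalResponse          = 'Booked automatically. Contact Facilities to change a confirmed booking.'
}
Set-CalendarProcessing -Identity 'conf-room-11-306' @booking
Set-CalendarProcessing -Identity 'projector-32011044' @booking

# Alternative: route requests to named booking delegates instead of auto-accepting.
# Set-CalendarProcessing -Identity 'conf-room-11-306' -AutomateProcessing AutoUpdate `
#     -ResourceDelegates 'holly@adatum.com'

# Verify the effective policy on every room and equipment mailbox.
Get-Mailbox -RecipientTypeDetails RoomMailbox, EquipmentMailbox -ResultSize Unlimited |
    Get-CalendarProcessing |
    Select-Object Identity, AutomateProcessing, BookingWindowInDays, MaximumDurationInMinutes,
                  AllowRecurringMeetings, ScheduleOnlyDuringWorkHours
```

Applying one splatted policy to both resource types keeps them consistent; the final query is the check to run after an admin center change, since the Booking options tab and Set-CalendarProcessing write the same properties.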
Support for multiple users to monitor and reply to external or internal email addresses.
When a user replies to a message sent to a shared mailbox, the reply appears to come from the shared
mailbox address. In addition, all users who have access to that shared mailbox can see the messages that
have been sent to that account. Shared mailboxes can have the following delegate permissions:
Full Access. Users with Full Access permission can sign in and carry out actions consistent with a
mailbox owner. However, to send mail, users with Full Access permission must also have Send As or
Send on Behalf Of permission. You can configure Full Access permission through Exchange admin
center or by using Windows PowerShell.
Send As. Users with Send As permission can impersonate the mailbox when sending mail. Messages
received are from the mailbox, so they appear to come directly from marketing@adatum.com, for
example. You can configure Send As permission through Exchange admin center or through Windows
PowerShell.
Send on Behalf Of. Send on Behalf Of permission grants the right to send messages, but those
messages are stamped as from Remi Desforges on behalf of Marketing. You can configure Send on
Behalf Of permission from Windows PowerShell only.
Note: Typically, you use shared mailboxes with security groups. You create a security group,
add users to that group, and then grant the security group Full Access and Send As control on the
mail. To change access rights, you then simply add or remove users from the security group.
Shared mailboxes do not require user licenses, so you can grant both mailbox users and mail users Send As
and Full Access permission. However, you should be aware that, with mail users, you could potentially be
granting someone outside the organization the right to send mail on behalf of the organization.
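The security-group pattern from the note above, with all three delegate permissions and a check for external trustees, as an added example (not the courseware's commands). It assumes an open Exchange Online session; the group, mailbox and user names are constructed.

```powershell
# Added example, not the courseware's own command. Assumes an open Exchange
# Online session; the group, mailbox and user names are constructed.

# 1. Shared mailbox (no license required).
New-Mailbox -Shared -Name "Marketing" -DisplayName "Marketing" -Alias marketing `
    -PrimarySmtpAddress marketing@adatum.com

# 2. Mail-enabled security group that holds the delegates. Group membership,
#    not mailbox permissions, is what you change when staff join or leave.
New-DistributionGroup -Name "Marketing Mailbox Users" -Alias mktmailboxusers -Type Security
Add-DistributionGroupMember -Identity "Marketing Mailbox Users" -Member remi@adatum.com

# 3. Full Access (open the mailbox) plus Send As (mail appears from marketing@adatum.com).
Add-MailboxPermission -Identity "Marketing" -User "Marketing Mailbox Users" `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $true
Add-RecipientPermission -Identity "Marketing" -Trustee "Marketing Mailbox Users" `
    -AccessRights SendAs -Confirm:$false

# Send on Behalf Of is a mailbox property and is settable only from PowerShell.
# It names an individual so the "on behalf of" stamp identifies that person.
Set-Mailbox -Identity "Marketing" -GrantSendOnBehalfTo @{Add = "remi@adatum.com"}

# 4. Review who can send as this mailbox and flag any trustee that is a mail
#    user, since that grants an external address the right to send as Marketing.
$sendAs = Get-RecipientPermission -Identity "Marketing" |
    Where-Object { $_.AccessRights -contains "SendAs" -and $_.Trustee -notlike "NT AUTHORITY\*" }
foreach ($entry in $sendAs) {
    $trustee = Get-Recipient -Identity $entry.Trustee -ErrorAction SilentlyContinue
    $flag = if ($trustee.RecipientType -eq "MailUser") { "  <-- external mail user" } else { "" }
    "{0,-40} {1}{2}" -f $entry.Trustee, $trustee.RecipientType, $flag
}
```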
To create a shared mailbox in Exchange admin center, perform the following procedure:
3. In the Display name field, enter the name for the mailbox that you want recipients to see. For example,
Marketing if the shared mailbox is to send out mailings from the marketing department.
4. Under Email address, enter the shared mailbox’s email address and select the domain from the list of
registered domain names; for example, marketing@adatum.com.
5. Under Users, add the users or groups that you want to have the right to send mail as
marketing@adatum.com. Click the + icon, and from the list of names, click add, and then click OK.
Users whom you have set up with Send As permission can now enter that address in the From field when they
send email. Replies come back to the Marketing mailbox.
After creating the shared mailbox, you can edit the details to add or change further information in the
following tabs:
General. Hide from the address list, and add custom attributes.
Mailbox delegation. Configure Full Access and Send As permissions.
Note: Users that you added when creating the mailbox have both Full Access and Send As
permissions.
Contact information. Add street, Zip/post code, city, and more information, if required.
Organization. Add manager and department information.
Mailbox features. Apply policies, enable and disable protocols, apply litigation hold, set up archiving,
control message delivery, and set message sizes.
MailTip. Create MailTip to provide additional information that users can see when they select this
address in an email.
To edit the mailbox, use the Set-Mailbox cmdlet, just as with a user mailbox:
Configuring contacts
Mail contacts are similar to contacts in AD DS.
When you create mail contacts, they consist of
name fields, an alias, and an external email
address.
You can also use contacts within your own hierarchy and assign them a manager. This approach is useful if
your organization engages external contractors or associates.
After creating a contact, you can add some optional fields, such as contact information, phone numbers,
notes, title, department, company, manager, and direct reports. Finally, you can configure a MailTip that
appears when someone sends a message to that person.
To create a contact, perform the following procedure:
4. The Display name is autogenerated based on those first three fields in the form of First name, Middle
initial, Last name, but you can change that format.
5. In the Alias box, enter a unique value.
6. In the External email address box, enter the address to which you want to send mail for that user.
7. Click Save.
Note: Typically, it can take a minute or two for the item to update in Office 365. As a result,
you might see an error message stating that the object does not exist the first time you attempt to
edit the new contact.
The new mail contact now appears in the GAL. After creating the new mail contact, you can edit the details
to add or change further information in the following tabs:
Contact information. Add street, Zip/post code, city, and other information, if required.
MailTip. Create MailTip to provide additional information that users can see when they select this
address in an email.
Deleting a contact is as simple as selecting the contact and clicking the Delete icon. You can also export
contact information to a .csv file and display additional columns in the Exchange admin center.
The Office 365 community site provides a sample .csv file that you can use as a starting point.
Additional Reading: To download the sample .csv file, refer to Sample CSV file to bulk-
create external contacts in Exchange Online: http://aka.ms/t6ip2e.
In the .csv file, do not delete the header row, but you can delete the sample data. You can then populate
the spreadsheet with your own information. At a minimum, you must provide values for the following
fields:
FirstName
LastName
Name
ExternalEmailAddress
You can connect to Exchange Online by using Windows PowerShell and run the following command to
create the contacts:
The contacts will now appear in the GAL. Next, you can add further information about each contact by
running the import-CSV cmdlet again. This time, it is a two-stage process, beginning with this cmdlet:
This command imports all the entries in the .csv file into a variable called $Contacts. Next, the following
script replaces each value in the contact record with the new value in the .csv file:
Note: If you are not adding the Manager variable for the contacts, then delete the $_.Office
-Manager $_.Manager element from the command.
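The two-stage bulk import described above, as an added example (not the courseware's script): it builds a small constructed .csv file, creates the contacts, then applies the optional attributes, passing Manager only when the column is filled. It assumes an open Exchange Online session; all names and addresses are fictitious.

```powershell
# Added example, not the courseware's script. Writes a constructed CSV to the
# current directory and assumes an open Exchange Online session.
$csvPath = Join-Path $PWD "ExternalContacts.csv"
@'
FirstName,LastName,Name,ExternalEmailAddress,Title,Department,Office,Manager
Dana,Brooks,Dana Brooks,dana.brooks@contoso.com,Consultant,Finance,Seattle,
Lee,Harper,Lee Harper,lee.harper@contoso.com,Architect,Engineering,Portland,dana.brooks@contoso.com
'@ | Set-Content -Path $csvPath -Encoding UTF8

# Stage 1: create the mail contacts from the four mandatory columns.
Import-Csv $csvPath | ForEach-Object {
    New-MailContact -Name $_.Name -FirstName $_.FirstName -LastName $_.LastName `
        -ExternalEmailAddress $_.ExternalEmailAddress -DisplayName $_.Name
}

# Stage 2: import again into a variable and stamp the optional attributes.
$Contacts = Import-Csv $csvPath
$Contacts | ForEach-Object {
    $props = @{
        Identity   = $_.Name
        Title      = $_.Title
        Department = $_.Department
        Office     = $_.Office
    }
    # Manager is optional: pass it only when the column has a value, so a blank
    # cell neither clears the attribute nor makes Set-Contact fail.
    if (-not [string]::IsNullOrWhiteSpace($_.Manager)) { $props.Manager = $_.Manager }
    Set-Contact @props
}

# Verify: every address in the file should now resolve to a mail contact in the GAL.
$missing = $Contacts | Where-Object {
    -not (Get-MailContact -Identity $_.ExternalEmailAddress -ErrorAction SilentlyContinue)
}
if ($missing) { "Not created: " + ($missing.ExternalEmailAddress -join ", ") }
else         { "All $($Contacts.Count) contacts present." }
```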
Note: Administrators use mail users extensively in hybrid Exchange environments. They
configure users with on-premises mailboxes as mail users in Office 365, and configure their email
address as their on-premises mailbox. These users then appear in the online GAL as contacts.
They can sign in to Office 365 and access resources such as Microsoft OneDrive for Business or
SharePoint Online.
They have email addresses that are external to Office 365, registered against the
ExternalEmailAddress attribute.
They can have secondary email addresses for the default companyname.hostdomain.com domain.
3. In the New mail user page, enter a First name, Initials, and Last name.
4. The Display name is autogenerated based on those first three fields in the form of First name, middle
initial, Last name, but you can change that format.
6. In the External email address box, enter the address to which you want to send mail for that user.
7. In the User ID box, enter the sign-in information for that user and from the drop-down box, select his
or her domain from the list of registered domains.
8. In the New password and the Confirm password boxes, enter the user’s sign-in password.
9. Click Save.
After creating the new mail user, you can edit the details to add or change further information in the
following tabs:
General. Hide from the address list, and add custom attributes.
Contact information. Add street, Zip/post code, city, and other information, if required.
Mail flow settings. Restrict who can and cannot send email to this account.
MailTip. Create MailTip to provide additional information that users can see when they select this
address in an email.
You can then use the Set-MailUser cmdlet to change attributes. The following example changes the
external email address:
Lesson 3
Planning and configuring Exchange Online permissions
Planning for Exchange Online administration is an important part of the overall planning process. To deliver
the efficiencies that Exchange Online can provide, you must identify how you want to administer Exchange
Online. If you do not define your Exchange Online administration processes properly, you might fail to
meet your requirements for security, feature take-up, and data protection.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the concept of role-based access control (RBAC) and describe the Exchange Online admin
roles.
3. Set up a change log system to record changes and record any changes to the environment in the
documentation system.
Help Desk. Members can manage the configuration for individual recipients and view recipients in an
Exchange organization. Members can only manage the configuration that each user can manage on
his or her own mailbox.
Hygiene Management. Members can manage Exchange anti-spam features and grant permissions for
antivirus products to integrate with Exchange Online.
Organization Management. Members have permissions to manage Exchange objects in the Exchange
organization and can also delegate role groups and management roles in the organization.
Recipient Management. Members have rights to create, manage, and delete recipient objects.
Records Management. Members can configure compliance features, including retention policy tags,
message classifications, and transport rules.
Tenant Admins (TenantAdmins <unique value>). Membership in this role group is synchronized across
services and managed centrally. You cannot manage this role group through Microsoft Exchange.
UM Management. Members can manage Unified Messaging organization, server, and recipient
configuration.
View-Only Organization Management. Members can view recipient and configuration objects and
their properties in the Exchange organization.
There are also the admin roles as defined in Office 365, such as Billing Admin, Global Admin, and other
roles. In Exchange Online, these administrator types have the following mapping and equivalent rights.
To assign a user or group to these predefined roles, select the role in Exchange admin center and click Edit.
Then under Members, click the + icon, and add the appropriate members. Click OK and then click Save.
You can also create your own admin roles. In Exchange admin center:
1. Click permissions, and then on the admin roles tab, click add.
2. In the new role group window, in the Name and Description fields, type a meaningful name and
description that will help identify the function of the role group.
6. In the Select Members window, select the mailboxes and groups that you want to assign to the role,
click add for each, and then click OK.
7. Click Save.
Configures a management role scope limited to the BranchOffice OU in the Adatum.com domain.
You can create and customize your own role assignment policies to achieve your organizational
requirements. To do this, from the Exchange admin center:
3. In the role assignment policy window, in the Name and Description fields, type a meaningful name
and description that will help identify the function of the role assignment policy.
4. Select the various check boxes beneath the following headings to configure the necessary permissions:
a. Contact information
b. Profile information
c. Distribution groups
5. Click Save.
Once you have created the policy, you can assign it to specific users or groups of users. To do this, in the
Exchange admin center:
Note: You can assign the policy to multiple mailboxes by selecting multiple mailboxes in the
Exchange admin center and then, in the action pane, beneath Role Assignment Policy, clicking
Update.
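A scoped custom role group (the BranchOffice scenario above) together with a custom role assignment policy covering the three self-service areas, as an added example rather than the courseware's commands. It assumes an open Exchange Online session and, because Exchange Online exposes no OU picker here, scopes by a recipient filter on the Office attribute (constructed value "BranchOffice") instead of an OU; the user names are fictitious.

```powershell
# Added example, not the courseware's command. Assumes an open Exchange Online
# session. Scope uses a recipient filter on Office (constructed value) rather
# than an OU root; user and group names are fictitious.

# Required once per tenant before custom RBAC objects can be created.
Enable-OrganizationCustomization -ErrorAction SilentlyContinue

# 1. A write scope limiting recipient changes to branch-office users.
New-ManagementScope -Name "BranchOffice Recipients" `
    -RecipientRestrictionFilter "Office -eq 'BranchOffice'"

# 2. A role group carrying only recipient-management roles, bound to that scope.
#    Members can edit branch-office recipients and nothing else in the tenant.
New-RoleGroup -Name "BranchOfficeAdmins" `
    -Roles "Mail Recipients", "Mail Recipient Creation", "Distribution Groups", "Move Mailboxes" `
    -CustomRecipientWriteScope "BranchOffice Recipients" `
    -Members alice@adatum.com
Get-RoleGroupMember -Identity "BranchOfficeAdmins"

# 3. An end-user role assignment policy exposing only contact information,
#    profile information and distribution groups (the three admin-center headings).
New-RoleAssignmentPolicy -Name "Limited Self-Service" `
    -Roles MyContactInformation, MyProfileInformation, MyDistributionGroups
Set-Mailbox -Identity bob@adatum.com -RoleAssignmentPolicy "Limited Self-Service"
# Make it the default policy for mailboxes created from now on.
Set-RoleAssignmentPolicy -Identity "Limited Self-Service" -IsDefault

# Check: every assignment granted to the role group should carry the custom
# write scope; an entry without one would mean tenant-wide recipient rights.
Get-ManagementRoleAssignment -RoleAssignee "BranchOfficeAdmins" |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```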
Question: What requirements does your organization have for assigning Exchange Online
permissions? Does your organization use a centralized or decentralized administration model?
What special permissions will you need to configure?
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 60 minutes
In all tasks:
LON-DC1
LON-CL1
o Sign in as Adatum\Holly using the password Pa$$w0rd
o Martina Blair
o Matt Villagomez (since Matt@adatumyyxxxxx.hostdomain.com is in use, use the username MattV)
o Olivia Emerson
o Kendra Sexton
b. Make this person change their password the next time they sign in: Not selected
c. Select licenses for this user: Office 365 Enterprise E3
Note: It might take a few minutes for the mailboxes to appear. Click the refresh icon
periodically until they do.
Note: If you copy the following commands from the courseware, you can paste them into
the virtual machine. On the Virtual Machine Connection menu, click Clipboard, and then click
Type clipboard text.
$credential = Get-Credential
Get-AcceptedDomain
Note: This command returns the list of accepted domains and verifies that you can connect
to your Office 365 subscription.
Note: If you receive an error when you run the set-calendarprocessing cmdlet for either of
these objects, wait a few moments and repeat.
6. In the Exchange Admin center, click Refresh. You should be able to see both resources.
8. In Exchange Admin center, click Refresh. You should be able to see the changes you made in the
details pane on the right.
CD C:\Labfiles
Note: If you copy the following commands from the courseware, you can paste them into
the virtual machine. On the Virtual Machine Connection menu, click Clipboard, and then click
Type clipboard text.
7. In the Exchange Admin center, click Refresh. You can see the newly created objects.
Results: After completing this exercise, you will have created and configured Microsoft Exchange Online
recipients.
Note: If you copy the following commands from the courseware, you can paste them into
the virtual machine. On the Virtual Machine Connection menu, click Clipboard, and then click
Type clipboard text.
Enable-OrganizationCustomization
New-RoleGroup -Name BranchOfficeAdmins -Roles "Mail Recipients", "Distribution Groups", "Move Mailboxes", "Mail Recipient Creation"
Get-RoleGroupMember "BranchOfficeAdmins"
5. In the Exchange admin center, click Refresh. Ensure that you can see the new BranchOffice Admins
role group.
Note: If you copy the following commands from the courseware, you can paste them into
the virtual machine. On the Virtual Machine Connection menu, click Clipboard, and then click
Type clipboard text.
4. To change the default role assignment policy for new mailboxes, in the Windows PowerShell window,
run the following command:
Results: After completing this exercise, you will have configured delegated administration of your
Exchange Online organization.
Module 7
Planning and configuring Exchange Online services
Contents:
Module Overview 7-1
Module Overview
The Exchange Online functionality in Office 365 is a complete replacement for an on-premises email
solution. However, you should consider several factors when configuring an on-premises solution, much as
you would when configuring Exchange Online. You need to configure email flow to allow reception and
delivery of Internet messages, and messages from applications and partners. You also need to configure
anti-malware and anti-spam settings to meet your organization’s needs. To manage Outlook on the web
and mobile devices, you can create policies that you can apply to individual users. Finally, your organization
likely is using an email solution, so you must plan how to migrate from that existing solution to Exchange
Online.
Objectives
After completing this module, you will be able to:
Lesson 1
Planning and configuring email flow in Office 365
When you create your Office 365 tenant (the subscriber, typically an organization, that uses your cloud
services), it can send and receive Internet messages automatically. However, to receive Internet messages
for the email domains that you own, you need to add those domains to Office 365 and configure the
necessary Domain Name System (DNS) records to support them. Adding your email domains configures the
reception of Internet messages.
You can modify the default mail flow by using connectors, transport rules, and journal rules. Connectors
define settings for sending and receiving messages. Typically, you need to create additional connectors
only to support specialized communication that requires enhanced security, such as Transport Layer
Security (TLS). You can use transport rules to modify messages based on matching conditions, such as
adding a disclaimer to all outbound messages. Journal rules send a copy of selected messages to a journal
mailbox for archiving. You typically would use journaling to meet compliance requirements.
If there are problems with message delivery, you can use message traces to identify the issue. Message
traces allow you to search logs, find specific messages, and display information about the message’s
delivery, including if there were errors during delivery.
Lesson Objectives
After completing this lesson, you will be able to:
Describe email flow with Office 365.
Receiving email
Email servers on the Internet use mail exchanger
(MX) records to identify the server to which email
should be delivered. Each domain name that
receives email needs to have at least one MX
record. You can provide redundancy by using multiple MX records to identify multiple email servers that
can receive a specific domain’s messages.
For Office 365, you create only one MX record for each domain, and this MX record identifies a host record
that is unique to your domain, and which uses the following format:
domain.mail.protection.outlook.com
When an email is addressed to an address in your domain, the email server delivers the message to this host
record. This host record resolves to multiple IP addresses to provide redundancy. Office 365 creates and
manages the host record automatically when you add the domain.
Office 365 includes antivirus and anti-spam functionality in the Exchange Online Protection (EOP) feature,
which scans all incoming email automatically.
Sending email
Office 365 requires no configuration to send outbound email to the Internet. A mailbox in Office 365 can
send email to the Internet automatically. However, to minimize the chance that a server classifies your
outbound messages as spam, you should configure a sender policy framework (SPF) record.
An SPF record is a text record that you create in DNS for your email domain, and it identifies the sources
that can send messages for your domain. You need to create an SPF record that identifies Office 365 as an
allowed source for your domain’s email messages.
You can create different types of SPF records, and you should verify the SPF record that Microsoft
recommends when you add your domain. In most cases, the text value will be similar to the following:
v=spf1 include:spf.protection.outlook.com -all
The preceding text record indicates that email recipients should query spf.protection.outlook.com for an
SPF record that identifies the acceptable email sources for your domain, and that all other sources are
prohibited (-all).
Additional Reading: For information about customizing SPF records, refer to Customize an
SPF record to validate outbound email sent from your domain: http://aka.ms/Bg0478.
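A check of the two DNS records discussed above (one MX at the Office 365 host, one SPF record that includes spf.protection.outlook.com and ends in -all), as an added example that is not part of the courseware. It uses Resolve-DnsName from the Windows DnsClient module; adatum.com is a constructed placeholder.

```powershell
# Added example, not from the courseware. Requires the DnsClient module
# (Resolve-DnsName); the domain passed in is a constructed placeholder.
function Test-Office365MailDns {
    param([Parameter(Mandatory)][string]$Domain)
    $r = [ordered]@{ Domain = $Domain; MX = @(); MXOk = $false; SPF = $null; SPFOk = $false; Findings = @() }

    # MX: Office 365 expects exactly one record, pointing at *.mail.protection.outlook.com
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
          Where-Object { $_.QueryType -eq 'MX' }
    $r.MX = @($mx | ForEach-Object { $_.NameExchange })
    if     ($r.MX.Count -eq 0) { $r.Findings += "no MX record" }
    elseif ($r.MX.Count -gt 1) { $r.Findings += "multiple MX records; Office 365 needs exactly one" }
    elseif ($r.MX[0] -notlike '*.mail.protection.outlook.com') { $r.Findings += "MX does not point at Exchange Online Protection" }
    else   { $r.MXOk = $true }

    # SPF: the single TXT record starting with v=spf1 must include Office 365 and hard-fail the rest
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq 'TXT' } |
           ForEach-Object { $_.Strings -join '' }
    $spf = @($txt | Where-Object { $_ -like 'v=spf1*' })
    $before = $r.Findings.Count
    if ($spf.Count -ne 1) {
        $r.Findings += "expected exactly one v=spf1 record, found $($spf.Count)"
    } else {
        $r.SPF = $spf[0]
        $terms = $spf[0] -split '\s+'
        if ($terms -notcontains 'include:spf.protection.outlook.com') {
            $r.Findings += "SPF does not include spf.protection.outlook.com"
        }
        switch ($terms[-1]) {
            '-all'  { }   # hard fail: the recommended ending
            '~all'  { $r.Findings += "SPF ends with ~all (soft fail); -all is recommended" }
            default { $r.Findings += "SPF does not end with an 'all' mechanism" }
        }
    }
    $r.SPFOk = ($r.Findings.Count -eq $before)
    [pscustomobject]$r
}

Test-Office365MailDns -Domain 'adatum.com' | Format-List
```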
Accepted domains
When you add a domain to Office 365, and prove
ownership of it, Office 365 adds it automatically as
an accepted domain in Exchange Online. After you
assign email addresses in that domain to
mailboxes, the mailboxes can receive messages
immediately.
Authoritative. An authoritative domain is one for which Exchange Online is completely responsible.
Exchange Online hosts all recipients for that domain. This is the most common configuration for an
accepted domain.
Internal relay. An internal relay domain is used when some mailboxes are in Exchange Online and some
mailboxes are in an external organization. Messages received for an internal relay domain are first
evaluated to identify whether there is a matching recipient in Exchange Online. If there is a matching
recipient, Exchange Online delivers the message to that recipient. If no matching recipient is found,
Exchange Online forwards the message through a send connector that is defined for the internal relay
domain. The send connector for the internal relay domain defines how to deliver the messages to
another organization.
You can use the Windows PowerShell Set-AcceptedDomain cmdlet to manage accepted domains.
Note: On-premises Exchange Server organizations can have external relay domains.
However, external relay domains are not available in Exchange Online.
Remote domains
Remote domains define settings for message delivery to SMTP domains that are external to your tenant in
Exchange Online. When you create a remote domain, you control the types of messages that are sent to
that domain. You also can apply message-format policies and acceptable character sets for messages that
your organization’s users send to the remote domain.
There is one remote domain named Default that exists after you enable Exchange Online for your tenant.
This remote domain is defined for the domain name *, which applies to all messages. You can create
remote domains for additional domains, as necessary, and often will create them for partner domains
where you want to allow automated messages that you typically do not allow. For example, a remote
domain for a partner organization may allow users to forward messages automatically that the Default
remote domain blocks.
Some of the settings that you can configure for a remote domain include:
AllowedOOFType. Defines whether external or internal out-of-office messages are delivered to the
remote domain. The default is External.
AutoReplyEnabled. Defines whether automatic replies are sent to the remote domain. The default is
$false.
DeliveryReportEnabled. Defines whether delivery reports that clients request are sent to the remote
domain. The default is $true.
NDREnabled. Defines whether nondelivery reports are sent to the remote domain. The default is
$true.
ContentType. Defines the format for messages that are sent to the remote domain. The default is
MimeHtmlText, which formats all messages as HTML unless they are text-formatted.
You can use the Windows PowerShell New-RemoteDomain and Set-RemoteDomain cmdlets to create
and manage remote domains.
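The settings listed above applied with those cmdlets, as an added example (not the courseware's commands): the Default remote domain is hardened so automatic forwards and replies stop leaving the organization, and a partner domain gets the exceptions it needs. It assumes an open Exchange Online session; contoso.com is a constructed partner domain.

```powershell
# Added example, not the courseware's command. Assumes an open Exchange Online
# session; the partner domain contoso.com is a constructed placeholder.

# Harden the Default remote domain (*): no automatic forwards, no automatic
# replies and no out-of-office messages to arbitrary external domains. Delivery
# reports and NDRs are left enabled so senders still learn about failures.
Set-RemoteDomain -Identity Default `
    -AutoForwardEnabled $false `
    -AutoReplyEnabled $false `
    -AllowedOOFType None `
    -DeliveryReportEnabled $true `
    -NDREnabled $true

# A partner gets its own remote domain carrying only the exceptions it needs.
New-RemoteDomain -Name "Contoso Partner" -DomainName contoso.com
Set-RemoteDomain -Identity "Contoso Partner" `
    -AutoForwardEnabled $true `
    -AutoReplyEnabled $true `
    -AllowedOOFType External `
    -ContentType MimeHtmlText

# Review: every remote domain that still permits automatic forwarding should be
# a deliberately configured partner, never Default.
Get-RemoteDomain |
    Where-Object { $_.AutoForwardEnabled -or $_.AutoReplyEnabled } |
    Format-Table Name, DomainName, AutoForwardEnabled, AutoReplyEnabled, AllowedOOFType -AutoSize
```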
Inbound connectors
Your Exchange Online organization already accepts all incoming messages from the Internet anonymously.
However, you must create additional inbound connectors if you want different security settings, and some
available options for inbound connectors include:
SenderDomains. Use to define specific sender domains to which a connector applies without knowing
specific IP addresses of the senders’ servers.
You can use the Windows PowerShell New-InboundConnector and Set-InboundConnector cmdlets to
manage inbound connectors.
Outbound connectors
Your Exchange Online organization already sends outbound messages to the Internet anonymously.
However, you must create additional outbound connectors if you want different security settings, and some
available options for outbound connectors include:
IsTransportRuleScoped. Use to define that Exchange Online directs messages to this outbound
connector, if a transport rule selects it.
RecipientDomains. Use to define a list of recipient domains that use this outbound connector.
UseMXRecord. Use to specify that messages that this outbound connector delivers use MX records to
determine the delivery destination.
SmartHosts. Use to specify a list of IP addresses that are the destination for messages that this
outbound connector delivers.
TlsSettings. Use to specify how the send connector uses TLS. The options are for encryption only, for
certificate validation, and for domain validation.
You can use the Windows PowerShell New-OutboundConnector and Set-OutboundConnector cmdlets
to manage outbound connectors.
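The inbound and outbound connector options above used to enforce TLS with a partner organization, as an added example that is not the courseware's command. It assumes an open Exchange Online session; the partner domains (contoso.com, fabrikam.com), the 203.0.113.0/24 range and the certificate name are constructed.

```powershell
# Added example, not the courseware's command. Assumes an open Exchange Online
# session; partner domains, IP range and certificate name are constructed.

# Inbound: accept mail from contoso.com only over TLS, only from the partner's
# published address range, and only with a certificate issued for their domain.
New-InboundConnector -Name "Inbound from Contoso" `
    -ConnectorType Partner `
    -SenderDomains contoso.com `
    -RequireTls $true `
    -TlsSenderCertificateName "*.contoso.com" `
    -RestrictDomainsToIPAddresses $true `
    -SenderIPAddresses 203.0.113.0/24

# Outbound: route mail for contoso.com by MX record, but only over TLS and only
# if the receiving server presents a certificate valid for contoso.com.
New-OutboundConnector -Name "Outbound to Contoso" `
    -ConnectorType Partner `
    -RecipientDomains contoso.com `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain contoso.com

# A partner without MX records: deliver to its smart host, encryption required,
# and only when a transport rule explicitly selects this connector.
New-OutboundConnector -Name "Outbound to Fabrikam (smart host)" `
    -ConnectorType Partner `
    -RecipientDomains fabrikam.com `
    -UseMXRecord $false `
    -SmartHosts mail.fabrikam.com `
    -TlsSettings EncryptionOnly `
    -IsTransportRuleScoped $true

# Check: a Partner inbound connector that does not require TLS, or that is not
# pinned to sender IP addresses, weakens the guarantee the partner expects.
Get-InboundConnector |
    Where-Object { $_.ConnectorType -eq 'Partner' -and (-not $_.RequireTls -or -not $_.RestrictDomainsToIPAddresses) } |
    Format-Table Name, SenderDomains, RequireTls, RestrictDomainsToIPAddresses -AutoSize
```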
Apply restrictions, based on message classifications, that restrict the flow of confidential organizational
information.
Redirect incoming and outgoing messages for inspection before delivery.
Transport rules include conditions, actions, and exceptions, and the combination of these parts defines
what messages Exchange Online selects for processing and what action is taken on those messages.
Conditions. These indicate the email message attributes, headers, recipients, senders, or other message
parts that Exchange Online uses to identify the email messages to which it applies a transport rule
action. If the email message data that the condition is inspecting matches the condition’s value,
Exchange Online applies the rule, as long as the condition does not match an exception. You can
configure multiple transport rule conditions to narrow a rule’s scope to very specific criteria. However,
you do not need to apply any conditions, which means that the transport rule applies to all messages.
Note: If you configure multiple conditions on the same transport rule, the rule does not apply to an
email message unless that message matches all of its conditions. When you specify multiple
values on a single condition, a message satisfies the condition if it matches at least one of the
values.
Actions. Exchange Online applies actions to email messages that match conditions you specify and for
which no exceptions are present. Each action affects email messages in a different way, such as
redirecting an email message to another address, or dropping the message.
Exceptions. Exceptions determine which email messages to exclude from an action. You base transport
rule exceptions on the same predicates that you use to create transport rule conditions. Transport rule
exceptions override conditions, and they prevent Exchange Online from applying a transport rule
action to an email message, even if the message matches all transport rule conditions that you
configure. You can configure multiple exceptions on a transport rule to expand the criteria for which
Exchange Online should not apply a transport rule action.
Note: If you configure multiple exceptions on the same transport rule, only one exception
must match for Exchange Online to cancel the transport rule action. When you specify multiple
values on a single exception, if a message meets at least one of the values, Exchange Online
considers the exception satisfied.
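Three rules that exercise conditions, actions and exceptions as described above, including the multiple-conditions and multiple-values cases from the notes, as an added example (not the courseware's commands). It assumes an open Exchange Online session; the addresses, disclaimer text and keywords are constructed.

```powershell
# Added example, not the courseware's command. Assumes an open Exchange Online
# session; addresses, disclaimer text and keywords are constructed.

# Rule 1: one condition (recipient outside the organization), one action
# (append a disclaimer) and one exception (mail from the Legal group).
New-TransportRule -Name "External disclaimer" `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerText "<HR> If you are not the intended recipient of this message, you must delete it." `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -ExceptIfFromMemberOf legal@adatum.com

# Rule 2: two conditions on one rule, so BOTH must match: sent to the managers
# list AND from outside the organization; action: hold for a moderator.
New-TransportRule -Name "Moderate external mail to managers" `
    -SentTo managers@adatum.com `
    -FromScope NotInOrganization `
    -ModerateMessageByUser holly@adatum.com

# Rule 3: several values on a single condition, so ANY ONE matches: messages
# carrying these markers are rejected if addressed outside the organization.
# Priority 0 evaluates it before the disclaimer rule.
New-TransportRule -Name "Block marked-internal mail externally" `
    -SubjectOrBodyContainsWords "Company Internal", "Personnel Data" `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "This message is marked internal and cannot be sent outside Adatum." `
    -Priority 0

# Review: rules in evaluation order with their state; a disabled rule that was
# meant to stop information leaving the organization is a common audit finding.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State -AutoSize
```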
Journal reports
Exchange Online performs envelope journaling,
which means that it does not simply copy
journaled messages to the journaling mailbox.
Instead, it creates a journal report that it sends to
the journaling mailbox, with the original message
as an attachment. The journal report has
information about the message, such as the
subject, sender, recipient, and message-id, which is a unique Internet-message identifier. However, it does
not modify the original message.
Journal rules
You create journal rules to identify messages for journaling, on the basis of journal recipient and scope.
The journal recipients available for journal rules are:
All messages
Journaling mailbox
When you apply journaling rules, you need to define a mailbox to which Exchange Online delivers journal
reports. You can send all journal reports to the same mailbox, or you can have multiple mailboxes. A journal
mailbox must be a mailbox that is hosted in an external email system, and it cannot be a mailbox in
Office 365.
Create dedicated journaling mailboxes. Journal reports should not be sent to a mailbox that your
organization uses for other purposes, such as a user’s mailbox.
Identify how to perform data removal from journaling mailboxes that meets your compliance goals.
Journaling mailboxes gather large amounts of data quickly, so this is important. Alternatively, if you
have an unlimited archive, you can store messages from a journaling archive indefinitely.
Limit and monitor access to journaling mailboxes. A journaling mailbox typically contains sensitive
information that should not be viewed except for compliance reasons. If you use multiple journal rules
for different purposes, it might be appropriate to have multiple journaling mailboxes so that you can
control access.
You can configure an alternate journaling mailbox, so that you avoid undeliverable messages in queues
when your journaling mailboxes are unavailable. You can configure only one alternate journaling mailbox,
and Exchange Online uses it when any journaling mailbox is unavailable. This is most likely to be used when
a mailbox on an external system is used as the journaling mailbox and the alternative is a mailbox in
Exchange Online.
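Journal rules following the practices above (dedicated journaling mailboxes per purpose, an alternate journaling mailbox in Exchange Online), as an added example that is not the courseware's command. It assumes an open Exchange Online session; the Development group and the journaling addresses on an external archive system are constructed.

```powershell
# Added example, not the courseware's command. Assumes an open Exchange Online
# session. The journaling addresses sit on an external archive system and, like
# the Development group, are constructed placeholders.

# Journal every message sent to or from members of the Development group in
# both directions: Global covers internal and external traffic.
New-JournalRule -Name "Development journaling" `
    -Recipient development@adatum.com `
    -Scope Global `
    -JournalEmailAddress journal-dev@archive.contoso.com `
    -Enabled $true

# A second rule with its own dedicated journaling mailbox, so access to the
# two data sets can be controlled separately.
New-JournalRule -Name "External mail journaling" `
    -Scope External `
    -JournalEmailAddress journal-ext@archive.contoso.com `
    -Enabled $true

# Alternate journaling mailbox (one per organization): where journal reports go
# when a journaling mailbox is unavailable, so they do not sit in queues.
Set-TransportConfig -JournalingReportNdrTo journal-ndr@adatum.com

# Review: rules, their scope and destination, plus the alternate mailbox. A rule
# whose JournalEmailAddress equals the alternate mailbox is a misconfiguration.
$alt = (Get-TransportConfig).JournalingReportNdrTo
Get-JournalRule |
    Select-Object Name, Scope, Recipient, JournalEmailAddress, Enabled,
        @{ n = 'SameAsAlternate'; e = { "$($_.JournalEmailAddress)" -eq "$alt" } } |
    Format-Table -AutoSize
```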
On-premises applications
Many organizations have on-premises applications
that deliver email messages, such as:
If an application sends messages only to users in your Exchange Online tenant, the default configuration
might be sufficient. You only need to point the application at Office 365 for message delivery. This allows
anonymous message delivery in your organization. However, consider the following scenarios:
The application might need to send messages to external users. The simplest solution for this problem
is to have the application authenticate to Exchange Online to send these messages. If you cannot
configure the application to authenticate, you can configure an inbound connector that allows relaying
to external addresses that a source IP address secures. However, you should avoid unauthenticated
relaying whenever possible.
The application messages need to be secured. To enforce message security, you can require TLS on an
inbound connector.
Partner organizations
You may have unique requirements when dealing with partner organizations. You can use inbound and
outbound connectors to enforce specific security requirements. You also can use outbound connectors to
deliver messages to email servers that do not have MX records configured. For example, you might:
Require TLS for communication. Typically, financial organizations require TLS because they deal with
confidential information, such as payroll or insurance claims.
Date range
Delivery status
Message ID
Sender
Recipient
Note: When you add a sender or recipient, it might appear that you are unable to add email
addresses that are not part of your organization. However, you can add any email address by
typing it in the box next to the Check names button.
Some of the parameters that you can use with the Get-MessageTrace cmdlet include:
StartDate
EndDate
MessageID
SenderAddress
RecipientAddress
FromIP
Note: There often is a delay of 5 to 30 minutes before message trace information is available
after a message is sent. This applies to both Exchange admin center and Windows PowerShell.
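A message trace query that uses the parameters listed above, pages through the results and pulls the delivery detail for messages that did not arrive, as an added example (not the courseware's command). It assumes an open Exchange Online session; the sender address is constructed.

```powershell
# Added example, not the courseware's command. Assumes an open Exchange Online
# session; the sender address and time window are constructed.
function Get-FailedDeliveries {
    param(
        [Parameter(Mandatory)][string]$SenderAddress,
        [int]$Hours = 24
    )
    # Trace data lags 5 to 30 minutes behind sending, so recent messages may be missing.
    $end   = Get-Date
    $start = $end.AddHours(-$Hours)

    # Page through the results rather than relying on a single call.
    $page   = 1
    $traces = @()
    do {
        $batch = @(Get-MessageTrace -SenderAddress $SenderAddress `
                     -StartDate $start -EndDate $end -PageSize 1000 -Page $page)
        $traces += $batch
        $page++
    } while ($batch.Count -eq 1000)

    # Keep only messages that never reached the recipient, then fetch the last
    # per-hop event so the failure reason (for example the NDR text) is visible.
    $failed = $traces | Where-Object { $_.Status -in 'Failed', 'Quarantined', 'FilteredAsSpam' }
    foreach ($t in $failed) {
        $last = Get-MessageTraceDetail -MessageTraceId $t.MessageTraceId `
                    -RecipientAddress $t.RecipientAddress |
                Sort-Object Date | Select-Object -Last 1
        [pscustomobject]@{
            Received  = $t.Received
            Recipient = $t.RecipientAddress
            Subject   = $t.Subject
            Status    = $t.Status
            FromIP    = $t.FromIP
            LastEvent = $last.Event
            Detail    = $last.Detail
        }
    }
}

Get-FailedDeliveries -SenderAddress francisco@adatum.com -Hours 12 | Format-Table -AutoSize
```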
You have a trouble ticket to resolve that indicates that automatic replies and
automatically forwarded messages are being delivered outside of your Exchange
organization. Furthermore, the ticket indicates that this behavior needs to stop, and
that you should not allow rule generated messages outside your organization. What is
the best way to implement these changes?
Modify the default remote domain to block automatic replies and automatic forwarding. X
Create a new remote domain that blocks automatic replies and automatic forwarding.
Use a script to block automatic replies and automatic forwarding for all users.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 35 minutes
Password: Pa$$w0rd
In all tasks:
LON-DC1
LON-DS1
o Sign in as Adatum\Administrator using the password Pa$$w0rd
LON-CL1
A custom send and receive connector that will enforce TLS when sending email messages to, or
receiving them from, a partner organization.
A transport rule that will apply a disclaimer to all messages sent to external users
7-12 Planning and configuring Exchange Online services
A transport rule that requires moderator approval for all messages sent to the manager distribution list.
A journal rule that will retain a copy of all messages sent to and from members of the Development
department.
You also need to verify that you can track messages sent between users on Office 365 and sent to external
users.
Note: You might have a Windows PowerShell connection to Office 365 open from a previous
lab. If so, you can use the existing connection and skip this step.
2. Run the following command, and then sign in as Holly@adatumyyxxxxx.hostdomain.com with the
password Pa$$w0rd.
$cred=Get-Credential
# Create the remote session to Exchange Online with the credential entered above
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
# Import the Exchange Online cmdlets into the local session
Import-PSSession $Session
Note: Validation of mail flow will fail because the connector is to a fictitious organization.
This is expected behavior for this lab.
o Apply the rule if: The recipient is located Outside the organization
o Disclaimer text: <HR> If you are not the intended recipient of this message, you must delete it
2. Create a new rule that sends messages to a moderator, with the following settings:
4. Send a message to alias@outlook.com, where alias@outlook.com is the Microsoft account that you
configured at the beginning of this course, and then verify that the disclaimer was added.
6. On LON-CL1, open Outlook 2016, read the approval request, and then approve it.
3. Review the most recent message sent from Francisco to alias@outlook.com, and then verify that the
disclaimer was applied.
4. Review the most recent message sent from Francisco to Martina, and then verify that the message was
sent for moderation.
Results: After completing the exercise, you will have configured message-transport settings.
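The following Windows PowerShell example is added here and is neither the course's lab steps nor its lab scripts. It builds the configuration that this lab and the connector discussion at the start of the topic describe: a TLS-only partner connector in each direction (including delivery to a smart host without an MX record), the external disclaimer rule, the moderation rule and the journal rule. The partner domain partner.example and its host mail.partner.example, the distribution lists managers@adatum.com and development@adatum.com, the moderator holly@adatum.com and the journal mailbox are constructed.

```powershell
# Added example, not the course's lab steps or lab scripts. All names are
# constructed: partner.example / mail.partner.example, the managers and
# development distribution lists, the moderator and the journal mailbox.

# Outbound connector: mail to the partner goes to its smart host over TLS, and
# the certificate presented must be valid for that host name. UseMXRecord $false
# is also how you deliver to a server that has no MX record.
New-OutboundConnector -Name "To Partner (TLS)" `
    -ConnectorType Partner `
    -RecipientDomains "partner.example" `
    -UseMXRecord $false `
    -SmartHosts "mail.partner.example" `
    -TlsSettings DomainValidation `
    -TlsDomain "mail.partner.example"

# Inbound connector: mail from the partner domain is accepted only over TLS with
# a certificate whose subject matches the partner host; mail claiming that
# domain that arrives any other way is rejected.
New-InboundConnector -Name "From Partner (TLS)" `
    -ConnectorType Partner `
    -SenderDomains "partner.example" `
    -RequireTls $true `
    -TlsSenderCertificateName "mail.partner.example" `
    -RestrictDomainsToCertificate $true

# Transport rule: disclaimer on every message to a recipient outside the
# organization. Wrap keeps delivery working when the HTML cannot be appended.
New-TransportRule -Name "External disclaimer" `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText "<HR> If you are not the intended recipient of this message, you must delete it" `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Transport rule: messages to the managers list wait for moderator approval.
New-TransportRule -Name "Moderate managers list" `
    -SentTo "managers@adatum.com" `
    -ModerateMessageByUser "holly@adatum.com"

# Journal rule: keep a copy of all mail to and from members of the Development
# group. Exchange Online does not accept an Exchange Online mailbox as the
# journaling address, hence the constructed external address.
New-JournalRule -Name "Journal Development" `
    -Recipient "development@adatum.com" `
    -JournalEmailAddress "journal@archive.example" `
    -Scope Global

# Review what was created.
Get-TransportRule | Select-Object Name, Priority, State
Get-JournalRule | Select-Object Name, Recipient, JournalEmailAddress, Enabled
```

Validation of the partner connectors fails in the lab for the reason the note above gives: the partner organization is fictitious.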
Lesson 2
Planning and configuring email protection in Office 365
An unprotected mailbox can become filled with spam and malware quickly, so email protection is an
important component of Office 365, which provides it through the EOP feature.
In EOP, you can configure filters to meet your organization’s needs, including the malware filter, the
connection filter, and the spam filter. The malware filter specifies how Exchange Online handles messages
that include malware and whether it sends notifications about the malware. The connection filter allows
you to block or allow connections from specific IP addresses. The spam filter has various settings that you
can configure so that you can specify how Exchange Online handles potential spam. You can use reports to
monitor email protection and identify patterns that require further action.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the EOP feature.
Overview of EOP
EOP is a cloud service in Exchange Online that
provides both anti-spam and antivirus protection.
However, you also can subscribe to EOP as a
standalone product for use with on-premises
Exchange organizations.
The service level agreement for EOP is:
Uptime 99.999%
EOP scans inbound and outbound messages. Scanning inbound messages helps protect your organization,
as infected inbound messages are a common malware delivery mechanism. Scanning outbound messages
helps prevent a computer in your organization that may be infected with malware from sending messages
to your colleagues or clients.
The spam filter moves spam messages to the Junk Email folder.
Note: To help improve the spam detection process, you can submit spam that was not
detected to junk@office365.microsoft.com. Examples of phishing scams can be sent to
phish@office365.microsoft.com
Scans suspicious attachments by using real-time behavioral malware analysis to identify previously
unidentified threats.
Detection response
The detection response defines the action that EOP performs when it detects malware in a message. You
can select:
Delete the entire message. EOP deletes the message, and the recipient receives no notification that the
message was blocked.
Delete all attachments and use default alert text. EOP deletes all attachments, but the message is sent
to the user with alert text that notifies them that the attachments were deleted.
Delete all attachments and use custom alert text. This option allows you to customize the alert text sent
when malware is detected. You can use this to provide contact information for your help desk, in case
the user has additional questions, or you can provide instructions for further actions that the user
should perform.
Sender notifications
By default, senders are not notified when the malware filter blocks their messages. You can enable
notifications for internal senders and external senders separately. Notifying senders alerts them that there is
a problem. However, there is a high likelihood that malware from external senders has a spoofed email
address, so when you send the notification, it is sent to an email address that had nothing to do with
sending the infected message.
Administrator notifications
By default, administrators are not notified when the malware filter blocks a message. You can enable
notifications for messages from internal and external senders separately, and you also can specify separate
administrators to notify for internal and external senders.
You might want to be notified when the malware filter blocks internal senders because someone in your
organization should be informed that an internal computer is sending malware. Notifications about
incoming malware are less likely to be useful.
Customizing notifications
You can customize the notifications that are sent for sender and administrator notifications, and you also
can customize the From name and From address, but EOP uses the same name and address for all
notifications.
The notification messages sent to senders and administrators are the same. However, you can configure a
separate subject and message for messages from internal and external senders.
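The following example is added here and is not part of the course; it sets the detection response, sender notifications, administrator notifications and customized notification text described above in one Set-MalwareFilterPolicy call. The addresses, names and message text are constructed.

```powershell
# Added example, not part of the course. Addresses, names and text are constructed.
$malware = @{
    Identity = "Default"
    # Detection response: strip attachments but still deliver the message, with
    # help-desk contact details in the alert (the custom alert text option).
    Action          = "DeleteAttachmentAndUseCustomAlert"
    CustomAlertText = "An attachment was removed because it contained malware. Contact the help desk at helpdesk@adatum.com."
    # Sender notifications: internal senders only. External sender addresses are
    # frequently spoofed, so notifying them mostly mails uninvolved third parties.
    EnableInternalSenderNotifications = $true
    EnableExternalSenderNotifications = $false
    # Administrator notifications: malware from an internal sender means an
    # infected computer inside the organization, which is what you want alerts for.
    EnableInternalSenderAdminNotifications = $true
    InternalSenderAdminAddress             = "secops@adatum.com"
    EnableExternalSenderAdminNotifications = $false
    # Customized notifications: one From name and address for all notifications,
    # separate subject and body for the internal and external cases.
    CustomNotifications   = $true
    CustomFromName        = "Adatum Mail Security"
    CustomFromAddress     = "mailsecurity@adatum.com"
    CustomInternalSubject = "Malware detected in a message you sent"
    CustomInternalBody    = "A message you sent was blocked because it contained malware. Disconnect the computer from the network and contact the help desk."
    CustomExternalSubject = "Malware detected in a message sent to Adatum"
    CustomExternalBody    = "A message sent to Adatum was blocked because it contained malware."
}
Set-MalwareFilterPolicy @malware

# Confirm the effective settings.
Get-MalwareFilterPolicy -Identity Default |
    Select-Object Action, EnableInternalSenderNotifications, EnableExternalSenderNotifications,
        EnableInternalSenderAdminNotifications, InternalSenderAdminAddress, CustomFromAddress
```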
Enable safe list. When you enable this option, EOP uses a list of trusted senders that Microsoft
maintains to minimize the risk of a false-positive detection of spam. We recommend enabling this
option.
CIDR ranges
In the IP Allow and IP Block lists, you can enter individual IP addresses or Classless Interdomain Routing
(CIDR) ranges such as 23.103.191.0/24. However, you cannot enter a CIDR range larger than /24 in the
connection filter. If you need to enter a larger address space, you need to enter multiple /24 ranges or use a
transport rule to set the spam confidence level (SCL) setting to Bypass spam filtering.
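The following example is added here and is not part of the course; it shows both ways of handling the /24 limit described above: entering /24 ranges in the connection filter directly, and using a transport rule that sets SCL -1 (Bypass spam filtering) for a wider range. The IP addresses are constructed from documentation ranges and do not belong to any real partner.

```powershell
# Added example, not part of the course. Addresses are constructed
# (RFC 5737 documentation ranges), not a real partner's address space.

# Up to /24 can be entered in the connection filter directly. @{Add=...}
# keeps the entries that are already in the lists.
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPAllowList @{Add = "198.51.100.0/24", "203.0.113.0/24"} `
    -IPBlockList @{Add = "192.0.2.77"} `
    -EnableSafeList $true

# A range wider than /24 is refused by the connection filter. Instead of typing
# every /24 (four of them for a /22), a transport rule can set SCL -1, which
# is "Bypass spam filtering", for the whole range (constructed /22 below).
New-TransportRule -Name "Bypass spam filtering for partner range" `
    -SenderIpRanges "198.51.96.0/22" `
    -SetSCL -1

Get-HostedConnectionFilterPolicy -Identity Default |
    Select-Object IPAllowList, IPBlockList, EnableSafeList
```

Bypassing spam filtering for a range also bypasses it for anything that spoofs a source address in that range, so keep the allowed ranges as narrow as the partner's real sending hosts.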
New-HostedContentFilterPolicy
Set-HostedContentFilterPolicy
SCL of 5 or 6 is spam, which indicates it likely is spam, but could include false positives.
SCL of 7 or more is high-confidence spam, which means it definitively is spam.
You can set different actions for spam and high confidence spam. By default, Exchange Online moves both
categories to the user’s Junk Email folder, but you could decide to delete all high-confidence spam instead
of putting it in the Junk Email folder.
The actions that you can perform on spam and high-confidence spam are:
Move message to the Junk Email folder. Keeps spam messages from cluttering user inboxes, but still
allows users to access false positive messages.
Add X-header. Adds a header to the message with text of your choosing. You can create transport rules
that perform further processing on these messages.
Prepend subject line with text. Adds text to the beginning of the message subject. You can use this
setting when you want users to know about spam messages, so they can evaluate them, and ensure
users do not ignore them or inadvertently not receive important messages that have been sent to the
Junk Email folder.
Redirect message to an email address. Redirects the message to an email address that you define. You
can use this to have a shared mailbox where spam is stored for later evaluation if required.
Delete message. Deletes the spam message without delivering it to the user or an alternate location.
You can use this to delete messages that have a high likelihood of being spam with a low risk of being a
false positive.
Quarantine message. Places the message in quarantine, from which either the user or an administrator
can release it. This keeps spam out of user mailboxes, and it provides an easy way to release false
positives.
Bulk email is not necessarily spam. EOP maintains a list of bulk email senders and rates them with a Bulk
Complaint Level (BCL) value based on the number of complaints that are received. A BCL of 0 indicates that
a message is not from a bulk sender, while a BCL of 8 or 9 indicates a high number of complaints, and
indicates that the message likely is spam.
You have the option to mark messages with a specific BCL value as spam. By default, EOP marks messages
from senders with a BCL of 7 as spam, but you can raise or lower this value.
International spam
If your organization has known patterns of messaging that uses only specific languages or receives
messages only from specific regions, you can use international spam settings, which allow you to:
Advanced options
The advanced options allow you to enable and disable additional scanning criteria that can be used to
identify spam more accurately. By default, all of the options are disabled.
Empty messages
NDR backscatter
To monitor advanced options rather than block messages, you can enable test mode. You can add an
X-header to the message, which indicates which advanced option was matched, or you can include a bcc line
to a specific email address.
Note: You can test spam filtering by inserting the following text in a message without any
spaces or line breaks: XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X.
Send a copy of all suspicious outbound email messages to the following email address or addresses.
Send a notification to the following email address or addresses when a sender is blocked for sending
outbound spam.
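The following example is added here and is not part of the course; it applies the spam filter settings discussed in this topic (SCL actions, bulk threshold, international spam, advanced options in test mode) with Set-HostedContentFilterPolicy, and the two outbound spam options above with Set-HostedOutboundSpamFilterPolicy. The addresses and the blocked languages are constructed choices that illustrate the settings, not recommendations for any tenant.

```powershell
# Added example, not part of the course. Addresses and the language choice are
# constructed; they illustrate the settings, not a recommendation.
$spam = @{
    Identity = "Default"
    # Actions by confidence: SCL 5-6 stays reachable in Junk Email, SCL 7+ is
    # quarantined so users cannot open it but it can still be released.
    SpamAction               = "MoveToJmf"
    HighConfidenceSpamAction = "Quarantine"
    # Bulk mail: treat BCL 7 and above as spam (the default threshold).
    BulkSpamAction = "MoveToJmf"
    BulkThreshold  = 7
    # International spam: block mail written in languages this tenant never
    # receives legitimate mail in (ISO 639-1 codes; constructed choice).
    EnableLanguageBlockList = $true
    LanguageBlockList       = "de", "fr"
    # Advanced options in test mode: matches are reported, not acted on. Here a
    # copy of each match goes to a review mailbox instead of an X-header.
    MarkAsSpamEmptyMessages  = "Test"
    MarkAsSpamNdrBackscatter = "Test"
    TestModeAction           = "BccMessage"
    TestModeBccToRecipients  = "spamreview@adatum.com"
}
Set-HostedContentFilterPolicy @spam

# Outbound spam: the two options described above.
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -BccSuspiciousOutboundMail $true `
    -BccSuspiciousOutboundAdditionalRecipients "secops@adatum.com" `
    -NotifyOutboundSpam $true `
    -NotifyOutboundSpamRecipients "secops@adatum.com"

# Review the result.
Get-HostedContentFilterPolicy -Identity Default |
    Select-Object SpamAction, HighConfidenceSpamAction, BulkThreshold,
        MarkAsSpamEmptyMessages, MarkAsSpamNdrBackscatter, TestModeAction
```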
Expiration
If you do nothing with messages in quarantine, by default, messages expire and are removed by EOP after
15 days. However, you can configure your spam filter to define how long you want to keep messages in
quarantine before they expire. Each message has an expiry time based on the spam filter that identified the
message as spam.
Analyzing messages
To determine what you should do with a message, you can view the message header or preview the
message. Message headers show information such as the servers through which the message was
transferred. When viewing a message header, there is a link to the Microsoft Message Header Analyzer,
which takes the content from the message header and displays it in a more readable format. If you preview
the message, it displays in text instead of HTML, to ensure that any bad code embedded in the message is
not processed.
If you determine that a message is not spam, you can do the following with messages in quarantine:
Message ID
Subject
Received time
Expires time
End-user spam notifications are disabled by default, but you can enable them for each spam-filter policy.
When you enable them, you can select how often notifications are sent. The default value is every three
days.
Note: End users can access their quarantine and release messages by going to
https://admin.protection.outlook.com/quarantine.
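The following example is added here and is not part of the course; it covers the quarantine tasks described above: setting the expiration period and end-user notifications on the spam filter policy, listing what is held for a recipient, reading a message's headers before deciding, and releasing a false positive. The addresses are constructed.

```powershell
# Added example, not part of the course. Addresses are constructed.

# Expiration and end-user notifications belong to the spam filter policy that
# quarantined the message (15 days and every 3 days are the defaults).
Set-HostedContentFilterPolicy -Identity Default `
    -QuarantineRetentionPeriod 15 `
    -EnableEndUserSpamNotifications $true `
    -EndUserSpamNotificationFrequency 3 `
    -EndUserSpamNotificationCustomFromAddress "quarantine@adatum.com"

# List what is held for one recipient, with the columns the text describes.
$held = Get-QuarantineMessage -RecipientAddress "holly@adatum.com" `
    -StartReceivedDate (Get-Date).AddDays(-7) -EndReceivedDate (Get-Date)
$held | Select-Object MessageId, Subject, SenderAddress, ReceivedTime, Expires, Type |
    Format-Table -AutoSize

# Analyze before releasing: the header shows the servers the message passed
# through and the spam verdict, without rendering any of the message body.
$msg = $held | Select-Object -First 1
if ($msg) {
    Get-QuarantineMessageHeader -Identity $msg.Identity

    # Once confirmed as a false positive: release to all original recipients
    # and report it so the verdict data improves.
    Release-QuarantineMessage -Identity $msg.Identity -ReleaseToAll -ReportFalsePositive
}
```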
Spam detections. Shows the number of spam messages that EOP has detected.
Sent and received mail. Shows the number of messages sent and received, categorized as good mail,
malware, spam, and rules.
When you view these reports, you can specify a date selection for the data that you want to display. You
can select 7 days, 14 days, and 30 days, but you also can define a custom time range.
Some reports also have data selections from which you can choose. For example, in the Top senders and
recipients report, you can select to report on:
For greater convenience, you can configure EOP to send reports to a central mailbox from which you can
review or archive the messages, and you can schedule EOP to generate reports weekly or monthly. Each
report also has options that you can modify. For example, you can filter the mail traffic report by sender,
recipient, or mail flow direction.
When you create a connector to your on-premises organization, EOP will send all messages for all accepted
domains to your on-premises mail server. This means that the messages for all domains you add in Office
365 are directed to your on-premises mail server. You can specify your email server in the connector by IP
address or fully qualified domain name (FQDN).
Securing connectivity
The connector for connectivity to the on-premises mail server requires TLS by default. To support this, your
on-premises mail server must have a certificate installed. You can allow TLS to use any certificate, but by
default, it also requires a certificate from a trusted certification authority (CA). You also have the option to
enforce a specific subject in the certificate.
The firewall in front of your on-premises mail server must forward port 25 to the mail server. To enhance
security, you can restrict connectivity to the mail server, thereby allowing only messages from EOP email
addresses. You also can use a Simple Mail Transfer Protocol (SMTP) relay in your perimeter network, such as
an Exchange Edge server.
Additional Reading: For a list of IP addresses that EOP uses, refer to Exchange Online
Protection IP addresses: http://aka.ms/Jbnjfg.
To enable Directory Based Edge Blocking, you need to create users in Office 365. You can do this by
implementing directory synchronization with Office 365. Once you create users in Office 365, you can use
transport rules based on recipient, and access messages in end-user spam quarantine.
Note: It is possible to use the New-EOPMailUser cmdlet to create user accounts manually.
However, we recommend directory synchronization for all but the smallest environments. You also
can create new mail users in the Exchange admin center.
To secure mail flow from your on-premises Exchange organization to Office 365, you can specify the source
IP address for the messages, or you can use a certificate. When you use a certificate, you specify a subject
name in the certificate installed on your on-premises mail server.
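The following example is added here and is not part of the course; it shows the connectors between EOP and an on-premises mail server described above, with TLS required in both directions and the on-premises server identified by certificate subject (or, alternatively, by source IP address), plus the accepted-domain setting that Directory Based Edge Blocking depends on. The host names, IP address and domain are constructed.

```powershell
# Added example, not part of the course. Host names, the IP address and the
# domain are constructed.

# EOP -> on-premises: every accepted domain is routed to the on-premises server
# over TLS, and the server's certificate must be trusted and match the name.
New-OutboundConnector -Name "To on-premises" `
    -ConnectorType OnPremises `
    -RecipientDomains "*" `
    -UseMXRecord $false `
    -SmartHosts "mail.adatum.com" `
    -TlsSettings DomainValidation `
    -TlsDomain "mail.adatum.com"

# On-premises -> EOP: identify the on-premises server by the subject of the
# certificate it presents over TLS ...
New-InboundConnector -Name "From on-premises" `
    -ConnectorType OnPremises `
    -SenderDomains "*" `
    -RequireTls $true `
    -TlsSenderCertificateName "mail.adatum.com"

# ... or, alternatively, by its source IP address. Use one method; this second
# connector is shown only for comparison.
# New-InboundConnector -Name "From on-premises (by IP)" -ConnectorType OnPremises `
#     -SenderDomains "*" -SenderIPAddresses "203.0.113.25" -RequireTls $true

# Directory Based Edge Blocking needs the domain to be authoritative and the
# recipients to exist in Office 365 (directory synchronization or
# New-EOPMailUser). Mail to unknown recipients is then rejected at the edge.
Set-AcceptedDomain -Identity "adatum.com" -DomainType Authoritative
Get-AcceptedDomain | Select-Object DomainName, DomainType
```

The firewall side of the arrangement (forwarding port 25 and restricting it to EOP's published address ranges) is configured on the firewall, not in Exchange Online, and is not shown here.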
Delete or quarantine high-confidence spam. It is unlikely that EOP is detecting high-confidence spam
as a false positive. To avoid cluttering your Junk Email folders, delete or quarantine messages that EOP
detects as high-confidence spam.
Enable international spam options. If you know that you are unlikely to receive legitimate messages in
certain languages or from certain regions, configuring this option can reduce spam.
Use the test mode when you first implement advanced options for spam. Using the test mode enables
you to monitor the messages that the advanced option identifies, and ensure that it is not generating
false positives.
Identify groups of users with different protection needs. You can apply malware and spam filter policies
for specific user groups. This allows you to fine-tune the policies to your users’ needs, such as having
less spam filtering on a mailbox that receives job applications from the public.
Create a transport rule to block specific file extensions. If you want to block specific file types, you can
create a transport rule that blocks that file type’s file extension, so that you can help guard against
users opening high-risk file types.
Run scheduled reports to monitor protection activity. Monitoring protection activity may provide you
with insight about how to improve email protection. For example, if you see that one particular sender
or domain is the source of significant spam, you can investigate why.
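The following example is added here and is not part of the course; it implements two of the best practices above that the earlier examples do not cover: separate spam filter policies for groups of users with different protection needs, and a transport rule that blocks attachments by file extension. The group, mailbox and extension choices are constructed.

```powershell
# Added example, not part of the course. Group, mailbox and extension choices
# are constructed.

# A stricter policy for users who should never see high-confidence spam, and a
# looser one for a public-facing mailbox. A rule attaches each policy to its
# recipients; the lower Priority value wins where rules overlap.
New-HostedContentFilterPolicy -Name "Finance strict" `
    -SpamAction Quarantine -HighConfidenceSpamAction Delete -BulkThreshold 6
New-HostedContentFilterRule -Name "Finance strict" `
    -HostedContentFilterPolicy "Finance strict" `
    -SentToMemberOf "finance@adatum.com" -Priority 0

New-HostedContentFilterPolicy -Name "Recruiting relaxed" `
    -SpamAction MoveToJmf -HighConfidenceSpamAction MoveToJmf -BulkThreshold 9
New-HostedContentFilterRule -Name "Recruiting relaxed" `
    -HostedContentFilterPolicy "Recruiting relaxed" `
    -SentTo "jobs@adatum.com" -Priority 1

# Block high-risk attachment types by extension with a transport rule. The
# rejection text is returned to the sender in the NDR.
New-TransportRule -Name "Block executable attachments" `
    -AttachmentExtensionMatchesWords "exe", "js", "vbs", "scr", "bat", "hta" `
    -RejectMessageReasonText "Attachments of this type are not accepted." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Confirm which policy applies to whom, and that the rule is enabled.
Get-HostedContentFilterRule | Select-Object Name, Priority, State, HostedContentFilterPolicy
Get-TransportRule "Block executable attachments" |
    Select-Object Name, State, AttachmentExtensionMatchesWords
```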
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
Selecting the Enable safe list option in the connection filter reduces the risk of false positives. T
Lesson 3
Planning and configuring client access policies
You can use client access policies to control settings for Outlook on the web and mobile devices. You can
assign Outlook Web App policies to users, which control the features that are available, access to
attachments, and offline access. For mobile devices, you can create rules that determine the types of mobile
devices that are allowed to connect by using Exchange ActiveSync. You also have the option to quarantine
devices until they are approved. Mailbox policies for mobile devices enforce security settings on those
devices.
Lesson Objectives
After completing this lesson, you will be able to:
Features
The OWAMailboxPolicy-Default policy enables all Outlook on the web features. Your organization may
decide to simplify Outlook on the web, and disable features that your organization has decided not to
support. Some of the features that are used less often are:
Instant messaging
Text messaging
Unified messaging
Journaling
File access
Direct file access allows users to access documents that are attached to email messages. If you do not
enable direct file access, users can see that a message has an attachment, but they cannot open or save it.
Direct file access is enabled by default, but you can disable it.
When you enable direct file access, you can allow, block, or force a save for specific file types. You can
specify file types based on file extension or Multipurpose Internet Mail Extensions (MIME) type. By default,
Outlook blocks file types that are likely to contain malicious code that is executable in a web browser, but it
allows unknown file types by default.
You cannot modify the specific file types in the Exchange admin center. You need to use the
Set-OwaMailboxPolicy cmdlet to modify the following properties:
AllowedFileTypes
AllowedMimeTypes
ForceSaveFileTypes
ForceSaveMimeTypes
BlockedFileTypes
BlockedMimeTypes
Offline access
Outlook on the web can work in offline mode, which means that users can sign in to Outlook on the web
and access mailbox content even when they are not connected to Exchange Online. Everything that the
user does in the mailbox synchronizes with Exchange Online when Outlook on the web reestablishes a
connection to Exchange Online, which means that users have a seamless, faster experience when they are
working on a slow network or one that connects intermittently.
Offline access for Outlook on the web is enabled on a computer-by-computer basis. This means that users
need to enable it on each computer where they want to use this feature. Due to security concerns, we
recommend that you enable offline access for Outlook on the web only on private computers.
Offline access for Outlook on the web has limitations. For example, you cannot access your online archive,
team folders, or tasks. You also cannot perform full-text search in your mailbox. To use Outlook on the web
offline, you should use Internet Explorer 10 or newer, Google Chrome 24 or newer, or Safari 5 or newer.
You can control the ability to enable offline access for Outlook on the web on the Outlook Web App virtual
directory or in the Outlook Web App policies. You can enable offline access:
Always. This is the default option that allows users to enable offline access from any computer.
Unlike an on-premises implementation of Exchange Server, users do not get to define whether a computer
is public or private for Exchange Online. For Exchange Online, authentication to Active Directory Federation
Services (AD FS) defines whether a computer is public or private. This is based on the location of the
computer that is initiating authentication rather than the device. If your organization does not use AD FS
for single sign-on with Exchange Online, it is not possible to use public computer detection.
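The following example is added here and is not part of the course; it applies the Outlook Web App policy settings from this topic to the default policy: disabling rarely used features, restricting direct file access, adjusting the file type lists with the Set-OwaMailboxPolicy properties listed above, and limiting offline access to private computers. The user and the file types added to the lists are constructed choices.

```powershell
# Added example, not part of the course. The user and the file types added to
# the lists are constructed choices.
$owa = @{
    Identity = "OwaMailboxPolicy-Default"
    # Features the organization has decided not to support in Outlook on the web.
    InstantMessagingEnabled = $false
    TextMessagingEnabled    = $false
    UMIntegrationEnabled    = $false
    JournalEnabled          = $false
    # File access: direct file access on private computers only. Disk images are
    # blocked outright; macro-enabled Office files must be saved rather than
    # opened in the browser. @{Add=} keeps the default lists.
    DirectFileAccessOnPublicComputersEnabled  = $false
    DirectFileAccessOnPrivateComputersEnabled = $true
    BlockedFileTypes   = @{Add = ".iso", ".img"}
    ForceSaveFileTypes = @{Add = ".docm", ".xlsm"}
    # Unknown types are allowed by default; force a save so nothing unknown is
    # rendered in the browser.
    ActionForUnknownFileAndMIMETypes = "ForceSave"
    # Offline access: only on computers detected as private.
    AllowOfflineOn = "PrivateComputersOnly"
}
Set-OwaMailboxPolicy @owa

# Assign the policy to a mailbox and confirm the lists.
Set-CASMailbox -Identity "holly@adatum.com" -OwaMailboxPolicy "OwaMailboxPolicy-Default"
Get-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" |
    Select-Object AllowOfflineOn, ActionForUnknownFileAndMIMETypes, BlockedFileTypes, ForceSaveFileTypes
```

Because public-versus-private detection in Exchange Online depends on AD FS, the public-computer settings above only take effect for organizations that use AD FS for single sign-on; without it every computer is treated as private.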
Blocked. If the device access rule specifies that a device should be blocked, that device cannot
connect to Exchange Online, and receives an HTTP 403 Forbidden error. You can block a device based
on the device family, or you can block a specific device model. The user receives an email message
from Exchange Online that indicates that the mobile device was blocked from accessing their mailbox.
Exchange Online also might block a device because it fails to apply the mobile device mailbox policies.
If this is the case, users do not receive an email message that indicates that the mobile device was blocked
from accessing their mailbox. However, the mobile device information that displays in Outlook on the web
indicates that it is blocked because of the device’s failure to apply the mobile device mailbox policies.
If you are placing devices into quarantine, it is important to notify an administrator, who then can evaluate
whether to allow the device to connect. In Windows PowerShell, you can specify who is notified about
quarantined devices, and set the default state for new devices with the following command:
You can create and manage mobile device access rules by using the Exchange admin center or the
New-ActiveSyncDeviceAccessRule cmdlet. The Exchange admin center provides limited options for rules based
on device family and model. By using the New-ActiveSyncDeviceAccessRule cmdlet, you can create rules
based on the device model, device type, device operating system, user agent, and XMSWL header. The
following example creates a new mobile device access rule:
Note: When you create mobile device access rules in the Exchange admin center, the families
and models from which you can select populate the list based on the device families and models
that have contacted your Exchange Online tenant. Until Exchange ActiveSync devices connect, the
only value listed is All families.
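The following example is added here and is not part of the course; it shows the organization-level default for new devices with administrator notification, two access rules created with New-ActiveSyncDeviceAccessRule on different characteristics, and how to list devices that are waiting in quarantine. The administrator address and the device strings are constructed.

```powershell
# Added example, not part of the course. The administrator address and the
# device strings are constructed.

# Default state for devices no rule matches, and who is told about them.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "mobileadmin@adatum.com" `
    -UserMailInsert "Your device is waiting for approval by IT."

# Rules are evaluated before the default. Characteristic can be DeviceType,
# DeviceModel, DeviceOS, UserAgent or XMSWLHeader; QueryString must match the
# value the device reports exactly.
New-ActiveSyncDeviceAccessRule -QueryString "iPhone" -Characteristic DeviceType -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -QueryString "Android 4.0" -Characteristic DeviceOS -AccessLevel Block

Get-ActiveSyncDeviceAccessRule | Select-Object Name, QueryString, Characteristic, AccessLevel

# Devices waiting for a decision, with the reason they landed there.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq "Quarantined" } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceAccessStateReason

# Approve a single device for a single mailbox (assumed DeviceId) without
# writing a rule that would admit the whole device family.
# Set-CASMailbox -Identity "holly@adatum.com" -ActiveSyncAllowedDeviceIDs @{Add = "<DeviceId>"}
```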
Mobile clients also are difficult to manage by using centralized policies because the devices might rarely, or
never, connect to the internal network. The devices also do not require Active Directory accounts, so you
cannot use GPOs to manage client settings.
You apply mobile device mailbox policies on a user-by-user basis, which means that you can create different
policies for different users. You can modify the default mobile device mailbox policy to meet your
organization’s security standards. You then can create additional mobile device mailbox policies that are
exceptions to that baseline.
You can apply mobile device mailbox policies only to the level that the mobile device supports. Policy
settings that the mobile platform does not support on the client side are ignored. Each user is assigned a
default policy that does not enforce any security settings. To ensure that mobile devices are as secure as
possible, you should configure mobile device mailbox policies that require device passwords, and encrypt
the data that users store on their mobile devices.
When implementing a mobile device mailbox policy, you can configure the following options:
This is the default policy. Sets a default policy, and applies it to all users that are not assigned another
policy.
Allow mobile devices that do not fully support these policies to synchronize. Allows devices that do not
support all policy options to synchronize.
Allow simple passwords. Allows users to use passwords, such as 1111 or 1234.
Require an alphanumeric password. Requires a password that includes both numbers and letters, such
as A1B2.
Number of sign-in failures before device is wiped. Specifies the number of times users can enter a
device’s password incorrectly before the device removes all local data, or performs a wipe. Local
device wipe is the mechanism by which a mobile phone wipes itself, without the request coming from
the server. The result of a local device wipe is the same as that of a remote device wipe. The wipe resets
the device to its factory default settings. When a mobile phone performs a local device wipe, no
confirmation is sent to Exchange Online.
Require sign in after device has been inactive for (minutes). Specifies the time, in minutes, of device
inactivity after which the password is required.
Enforce password lifetime (days). Specifies the maximum time a user can use a password on a device.
Password recycle count. Specifies how many different passwords a user must use before repeating one
of the earlier used passwords.
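The following example is added here and is not part of the course; it creates a baseline mobile device mailbox policy with the options listed above, makes it the default, and adds a per-user exception policy as the topic describes. The policy names, values and mailboxes are constructed.

```powershell
# Added example, not part of the course. Policy names, values and mailboxes
# are constructed.
$baseline = @{
    Name = "Adatum Secure Baseline"
    # Devices that cannot apply every setting are refused rather than synced.
    AllowNonProvisionableDevices = $false
    # Password: required, alphanumeric, no simple sequences such as 1234.
    PasswordEnabled              = $true
    AllowSimplePassword          = $false
    AlphanumericPasswordRequired = $true
    MinPasswordLength            = 6
    # Wipe after 10 failures (a local wipe; Exchange Online gets no
    # confirmation), lock after 15 idle minutes, rotate every 90 days, and
    # refuse the last 5 passwords.
    MaxPasswordFailedAttempts = 10
    MaxInactivityTimeLock     = "00:15:00"
    PasswordExpiration        = "90.00:00:00"
    PasswordHistory           = 5
    # Encrypt the data stored on the device.
    RequireDeviceEncryption = $true
    DeviceEncryptionEnabled = $true
}
New-MobileDeviceMailboxPolicy @baseline
# Make it the default so every user not assigned another policy receives it.
Set-MobileDeviceMailboxPolicy -Identity "Adatum Secure Baseline" -IsDefault $true

# An exception policy for a shared kiosk device, assigned to one mailbox.
New-MobileDeviceMailboxPolicy -Name "Kiosk exception" -PasswordEnabled $true `
    -AllowSimplePassword $true -MinPasswordLength 4 -MaxInactivityTimeLock "00:05:00"
Set-CASMailbox -Identity "kiosk@adatum.com" -ActiveSyncMailboxPolicy "Kiosk exception"

Get-MobileDeviceMailboxPolicy |
    Select-Object Name, IsDefault, PasswordEnabled, MaxPasswordFailedAttempts, RequireDeviceEncryption
```

Settings a device platform does not implement are silently ignored, so the baseline only guarantees what the client side enforces; AllowNonProvisionableDevices $false is what keeps devices that cannot apply the policy from synchronizing at all.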
Question: How does Office 365 differentiate between public and private computers that
attempt to connect to it?
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
The default configuration for mobile devices quarantines all devices until an administrator approves them. F
Lesson 4
Migrating to Exchange Online
If you have an existing email deployment, you need to plan how to migrate to Exchange Online. Depending
on your existing mail deployment, you have various migration options. For Exchange organizations, you
can perform a cutover Exchange migration, a staged Exchange migration, or a hybrid migration. Exchange
organizations also might need to migrate public folders. For non-Microsoft email systems, you can perform
an Internet Message Access Protocol (IMAP) migration or a PST import.
Lesson Objectives
After completing this lesson, you will be able to:
Cutover Exchange migration. In this type of migration, you move all mailboxes, in a single step, to
Exchange Online from an on-premises Exchange organization.
Staged Exchange migration. In this type of migration, you move mailboxes, in batches, to Exchange
Online from an on-premises Exchange organization.
IMAP migration. In this type of migration, you can migrate data from any IMAP-enabled email system.
PST migration. In this type of migration, you export mailbox data to PST files, and import the PST files
in Exchange Online.
Hybrid mode. In this type of migration, you use hybrid mode to enable coexistence between Exchange
Online and an on-premises Exchange organization. After you enable hybrid mode, you can move the
mailboxes individually or in groups.
In Office 365, you need to add the email domain that you are migrating, and you need to create the
necessary DNS records to prove domain ownership.
An account with the necessary privileges to access mailboxes and migrate the mailboxes in the
on-premises Exchange organization.
Exchange server. If Autodiscover did not discover the FQDN for Outlook Anywhere properly, you can
enter it.
RPC proxy server. If Autodiscover did not discover the FQDN of the remote procedure call (RPC) proxy
server properly, you can enter it.
Maximum concurrent migrations. Defines the number of mailbox migrations that occur
simultaneously. If you leave this blank, default values are used.
Maximum concurrent incremental syncs. Defines the number of incremental mailbox synchronizations
that can occur simultaneously after mailbox migration occurs. If you leave this blank, default values are
used.
When you create a new cutover migration batch, you are prompted to confirm the migration endpoint
connectivity information. Verify that this is correct, and then you can start the cutover migration batch at
the end of the new migration batch wizard or manually at a specific time. You can run a cutover migration
batch during business hours, but ensure that the Internet connection has sufficient capacity.
To verify that the initial data migration is complete, you can verify that the user accounts have been created
in Office 365 and that the status of the cutover migration batch is Synced. If there are errors, you can view
the log to determine the cause of the errors, and then restart the cutover migration batch.
Typically, hosts and other DNS servers cache the DNS records on the Internet. It is critical that you verify
email is being delivered directly to Office 365 before you delete the cutover migration batch. At minimum,
you should wait for the time defined in the Time to Live (TTL) of the MX record.
Note: To speed up the cutover process, consider shortening the TTL of your MX record
several days before the migration. A TTL of 30 or 60 minutes is significantly better than 24 hours.
Additional tasks
After you remove the cutover migration batch, you should perform the following tasks:
Assign licenses to the user accounts. If you have not assigned any licenses to user accounts, users
cannot access their mailboxes.
Update Autodiscover. You need to update the Autodiscover DNS record to point to Office 365 for
external users. For internal users, you should configure the AutoDiscoverInternalURI value on the
service connection object to $null.
Decommission on-premises Exchange Server. After the migration is complete, you can remove
Exchange Server from your on-premises organization. Remember to do a proper removal rather than
just turning off the Exchange server.
When Exchange Online accesses the mailboxes in your on-premises Exchange organization, it uses Outlook
Anywhere. You need to enable Outlook Anywhere for your on-premises Exchange organization if Outlook
Anywhere is not already enabled.
In Office 365, you need to add the email domain that you are migrating. As part of this, you need to create
the necessary DNS records to prove domain ownership.
Before you create a staged migration batch, you need to create a migration endpoint that defines how to
connect to the on-premises Exchange organization. This process is the same for a staged migration batch
and for a cutover migration batch.
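The following example is added here and is not part of the course; it works through the cutover migration described in the previous topic and shows where a staged migration differs, since both use the same migration endpoint. It creates the endpoint with the concurrency settings listed above, starts the batch, checks for the Synced status and failed users, and reads the MX record's TTL before the batch is removed. The names, addresses and CSV path are constructed.

```powershell
# Added example, not part of the course. Names, addresses and the CSV path are
# constructed. Run in an Exchange Online session; $cred is the on-premises
# account with rights to the mailboxes.
$cred = Get-Credential -Message "On-premises migration account"

# Migration endpoint: Autodiscover locates Outlook Anywhere; the two limits are
# the settings described above. Cutover and staged batches use the same endpoint.
$endpoint = New-MigrationEndpoint -ExchangeOutlookAnywhere -Name "OnPremEndpoint" `
    -Autodiscover -EmailAddress "administrator@adatum.com" -Credentials $cred `
    -MaxConcurrentMigrations 20 -MaxConcurrentIncrementalSyncs 10
# If Autodiscover fails, replace -Autodiscover with the names yourself:
#   -ExchangeServer "LON-EX1.adatum.com" -RpcProxyServer "mail.adatum.com"

# Cutover: no CSV; every mailbox in one batch.
New-MigrationBatch -Name "Cutover" -SourceEndpoint $endpoint.Identity -AutoStart
# Staged: the same endpoint, with a CSV (EmailAddress column) per batch.
# New-MigrationBatch -Name "Staged-1" -SourceEndpoint $endpoint.Identity `
#     -CSVData ([System.IO.File]::ReadAllBytes("C:\Migration\staged-1.csv")) -AutoStart

# The initial sync is complete when the batch status is Synced; failed users
# carry their own error text.
Get-MigrationBatch -Identity "Cutover" | Select-Object Status, TotalCount, SyncedCount, FailedCount
Get-MigrationUser -BatchId "Cutover" | Where-Object { $_.Status -eq "Failed" } |
    Get-MigrationUserStatistics -IncludeReport | Select-Object Identity, Error

# Before removing the batch: mail must already be delivered to Office 365, and
# the old MX record's TTL must have passed. Read the TTL to know how long that is.
Resolve-DnsName -Name "adatum.com" -Type MX | Select-Object NameExchange, Preference, TTL

# Only after the MX change has propagated:
# Remove-MigrationBatch -Identity "Cutover"
```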
Additional Reading: For more detailed information, refer to Convert Exchange 2007
mailboxes to mail-enabled users after a staged Exchange migration: http://aka.ms/nncsic. This link
also has scripts to simplify the conversion process.
Additional tasks
After you remove the cutover migration batch, you should perform the following tasks:
Assign licenses to the user accounts. If you have not assigned licenses to user accounts, the users
cannot access their mailboxes.
Update Autodiscover. You need to update the Autodiscover DNS record to point to Office 365 for
external users. For internal users, you should configure the AutoDiscoverInternalURI value on the
service connection object to $null.
Decommission on-premises Exchange Server. After the migration is complete, you can remove
Exchange Server from your on-premises organization. Remember to do a proper removal rather than
just turning off the Exchange server.
Once you create the accounts, you then create a .csv file with IMAP user information. The .csv file must
contain the EmailAddress, UserName, and Password columns. The migration batch uses this information to
sign in to the IMAP accounts and move the messages. The .csv file can contain up to 50,000 rows.
When you are ready to perform a migration, you create a migration endpoint that specifies connectivity
information for the source IMAP server. You then create a new IMAP migration batch, and you provide the
.csv file with IMAP user information. When you create the IMAP migration batch, you have the option to
specify folders, such as Deleted Items, that you do not want to migrate.
After the migration is complete, the migration batch continues to perform incremental synchronization
until you delete the IMAP migration batch. Do not delete the IMAP migration batch until your mail routing
points directly to Office 365.
• Use test batches to optimize network settings. If you have the option to modify the number of
connections allowed to your IMAP server, use test batches with varying settings to identify how to
obtain the best throughput.
• Migrate data by using an administrator account. If your IMAP server supports using an
administrator account to access multiple mailboxes, use an administrator account for the credentials
in the .csv file. This avoids the need to collect or reset user passwords on the IMAP server.
• Prevent users from changing passwords during the migration. If you use individual user accounts in the
.csv file, prevent users from changing their passwords during the migration process. If a password
is changed during the migration process, the migration for that mailbox fails.
• Ask users to delete unnecessary messages. This reduces the amount of data to be migrated and can
significantly speed up the overall migration process.
Additional Reading: For additional information about IMAP migration, refer to What you
need to know about migrating your IMAP mailboxes to Office 365: http://aka.ms/crn236.
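The .csv file described above carries clear-text IMAP credentials and is rejected as a whole if it is malformed, so it is worth checking before the batch is created. The following added example (not course material) validates the header row, the 50,000-row limit, blank values and duplicate addresses; the sample file in $env:TEMP and its rows are constructed placeholders.

```powershell
# Added example (not from the course): sanity-check an IMAP migration .csv file before
# attaching it to a migration batch. The column names and the 50,000-row limit come from
# the text above; the sample file and its rows below are constructed placeholders.
function Test-ImapMigrationCsv {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MaxRows = 50000
    )
    $required = 'EmailAddress', 'UserName', 'Password'
    $problems = New-Object System.Collections.Generic.List[string]

    # Read the header line directly so that a header-only file is still checked.
    $firstLine = Get-Content -Path $Path -TotalCount 1
    $headers = @()
    if ($firstLine) { $headers = ($firstLine -split ',') | ForEach-Object { $_.Trim().Trim('"') } }
    foreach ($col in $required) {
        if ($headers -notcontains $col) { $problems.Add("Missing required column '$col'") }
    }

    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -gt $MaxRows) {
        $problems.Add("File has $($rows.Count) rows; the batch limit is $MaxRows")
    }

    # Per-row checks: a blank credential makes that mailbox fail, a duplicate migrates twice.
    $seen = @{}
    $line = 1                                   # line 1 is the header row
    foreach ($row in $rows) {
        $line++
        foreach ($col in $required) {
            if ($headers -contains $col -and [string]::IsNullOrWhiteSpace($row.$col)) {
                $problems.Add("Line ${line}: $col is empty")
            }
        }
        if (-not [string]::IsNullOrWhiteSpace($row.EmailAddress)) {
            $key = $row.EmailAddress.Trim().ToLowerInvariant()
            if ($seen.ContainsKey($key)) { $problems.Add("Line ${line}: duplicate EmailAddress $key") }
            else { $seen[$key] = $line }
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Rows     = $rows.Count
        Problems = $problems.ToArray()
        IsValid  = ($problems.Count -eq 0)
    }
}

# Constructed sample: one good row, one blank password, one duplicate address.
$sample = Join-Path $env:TEMP 'imap-migration-sample.csv'
@'
EmailAddress,UserName,Password
user1@example.com,user1,Sample-Pw-1
user2@example.com,user2,
User1@example.com,user1-old,Sample-Pw-3
'@ | Set-Content -Path $sample

$result = Test-ImapMigrationCsv -Path $sample
$result.Problems | ForEach-Object { Write-Output $_ }

# The file holds clear-text passwords: delete it as soon as the batch has been created.
Remove-Item -Path $sample
```

Only a file that reports IsValid should be supplied to the IMAP migration batch; keep the real file on an access-controlled path for the duration of the migration.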
• Created .pst files for mailboxes on your previous email system. You can create the .pst files by exporting
directly from the previous email system, if supported. Alternatively, you can create the .pst files by using
Outlook to perform an export of each mailbox.
• Created the user accounts in Office 365. You must create user accounts in Office 365, and you must
assign licenses to allow users to sign in and access their new mailbox.
These preparations ensure that users have a new empty mailbox that they can use to send and receive new
messages. Historical data is in the .pst files, and you need to import it into the new mailboxes.
This process is simple, but can be very slow. It also is decentralized, because you must perform it on each
user desktop.
• Assign the Mailbox Import Export role to a user. This role provides the permissions to perform a .pst
import for mailboxes in Office 365. No users are assigned to this role by default.
• Create a PST to user mapping file. This file identifies the mailbox into which each .pst file should be
imported.
Before you import .pst files into Office 365, you need to move the .pst files to Microsoft Azure in one of two
ways. You can:
• Ship data on a physical hard drive. Use the Microsoft Azure Import/Export Tool to copy and encrypt the
.pst files on an external hard drive. You then can ship the external hard drive to Microsoft. Microsoft
imports the data into Windows Azure, and you then can import it.
• Upload data over the network. Use the Microsoft Azure AZCopy Tool to copy the .pst files to Windows
Azure. Files are encrypted while in transit.
Your choice depends on the volume of data that you have and the speed of your network connection. If
you have a large amount of data or a slow network connection, shipping the data on a physical hard drive
may be faster.
Additional Reading: For detailed information about Importing PST files into Office 365,
refer to Import PST files to Office 365: http://aka.ms/G2n2p7.
Migration process
The migration process for public folders requires that you run several scripts to generate configuration files
and data that the migration process requires. In general, you need to:
1. Download the migration scripts. These are the scripts that you run to complete the steps in the
migration process.
2. Prepare for the migration. This involves verifying that proper message routing is in place, verifying that
public folder names are valid, and ensuring that a previous migration attempt is not in progress.
3. Generate a .csv file for folder mapping. In the legacy Exchange organization, you run
Export-PublicFolderStatistics.ps1 and PublicFolderToMailboxMapGenerator.ps1 to generate the .csv file
that the migration requires.
4. Create a public folder mailbox in Exchange Online. In Office 365, to create the public folder mailbox,
run Create-PublicFolderMailboxesForMigration.ps1, and then specify the .csv file.
5. Start the public-folder migration. In the legacy Exchange organization, you run
Sync-MailPublicFolders.ps1 to synchronize mail-enabled public folders with Exchange Online, create a new
migration batch for public folders, and then start it. You can view the migration’s details in the
Exchange admin center.
6. Lock down legacy public folders. After the initial synchronization is complete, in the legacy Exchange
organization, you run Set-OrganizationConfig -PublicFoldersLockedForMigration $true. This prevents
users from accessing the legacy public folders while a final synchronization occurs.
7. Finalize the public-folder migration. In Office 365, run Complete-MigrationBatch to perform a final
synchronization.
8. Test the public folder migration. Configure an Office 365 mailbox to use the migrated public folders to
verify that the data is present and that they are functional. If there are any problems, you can roll back
the migration.
9. Complete the migration. In the legacy Exchange organization, run Set-OrganizationConfig
-PublicFolderMigrationComplete $true. In Office 365, run Set-OrganizationConfig
-PublicFoldersEnabled Local.
Additional Reading: For detailed information about migrating public folders to Office 365,
refer to Use batch migration to migrate legacy public folders to Office 365 and Exchange Online:
http://aka.ms/F6ncbt.
• Users can perform free/busy searches for meeting requests between Exchange Online mailboxes and
on-premises mailboxes.
• Distribution groups can contain a combination of Exchange Online mailboxes and on-premises
mailboxes.
• Both Exchange Online and on-premises mailboxes can access public folders.
• The global address list (GAL) synchronizes for Exchange Online mailboxes and on-premises mailboxes.
• You can move mailboxes between Exchange Online and on-premises Exchange servers.
Note: Permissions for sharing mailboxes or mailbox folders are not supported between
Exchange Online mailboxes and on-premises mailboxes.
Directory synchronization
Hybrid mode requires directory synchronization between your on-premises AD DS and Office 365. To
implement directory synchronization, download and install Azure AD Connect. The synchronization process
creates users and groups in Office 365 that correspond with the users and groups in your on-premises AD
DS.
When you implement directory synchronization, AD DS becomes the authoritative source for information
about your users in Office 365. Many user properties are not editable in Office 365 for synchronized users.
Instead, you edit the user properties in the on-premises AD DS and allow synchronization to update the
objects in Office 365.
When you implement directory synchronization, you have the option to enable password synchronization,
which allows users to have the same password for their on-premises user account and Office 365. When the
password is changed in on-premises AD DS, it is synchronized to Office 365 within about 2 minutes. It also
is possible to allow password resets from Office 365 to synchronize to the on-premises AD DS.
Note: You also can use AD FS to provide single sign-on for Office 365 accounts, but this adds
significant complexity.
1. Enable federation for the selected domains. To enable federation, you need to create a DNS TXT record
for each domain to prove ownership. This is different from the TXT record created to prove
ownership when adding the domain to Office 365.
2. Select on-premises servers for mail flow. You must select the Exchange servers that will be responsible
for mail flow between Office 365 and your on-premises Exchange organization. Connectors are created
automatically to secure inbound and outbound mail flow.
3. Identify URLs for web services. The hybrid configuration wizard uses Autodiscover to determine the
URLs required for the web services connectivity that free/busy sharing uses.
4. Create an organizational sharing policy. This policy contains the configuration information required to
allow free/busy sharing between the on-premises Exchange organization and Office 365.
If you remove all Exchange servers from the on-premises environment, you lose access to the Exchange
management tools that allow you to modify Exchange attributes. If you continue to use directory
synchronization to perform password synchronization and automatically create Office 365 users, then you
need access to a local copy of the Exchange management tools because the local AD DS is authoritative.
You cannot directly modify many attributes, such as email addresses, in the Office 365 Exchange admin
center.
Note: You may find blog postings about how to manage synchronized user attributes in the
local AD DS by editing the user object in ADSI Edit or Active Directory Users and Computers.
However, direct editing of user objects is not supported.
Your organization currently is using Gmail and Google Docs, and has decided to migrate
to Office 365 for email and file sharing. Which migration type should you use so your end
users experience the least amount of downtime?
x IMAP migration
PST migration
Your organization has an on-premises Exchange Server 2010 deployment, and wants to
migrate to Office 365. Your organization has 3,000 mailboxes, with an average mailbox
size of 1 GB. Which migration type should you use?
IMAP migration
PST migration
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
Sequencing Activity
Put the following steps for a staged Exchange migration in order, numbering each to indicate the correct
order from 1 through 9.
Steps
Objectives
After completing this lab, you will have:
Lab Setup
Estimated Time: 35 minutes
In all tasks:
LON-DC1
LON-CL1
o Sign in as Adatum\Holly using the password Pa$$w0rd
LON-CL2
Configure a policy to ensure that an administrator account is notified when Exchange Online receives a
message that contains malware.
Ensure that internal users are notified when their messages are not delivered.
Ensure that you can block all email from IP addresses that you specify.
Ensure that Sales users receive all messages, even if there is a high likelihood that the message is spam.
Ensure that Exchange Online quarantines all messages for other users if there is a high probability that
the message is spam.
o Block 192.168.0.0/24
7. Verify that the message sent to Francisco is in quarantine, but the message sent to Kendra is not.
9. On LON-CL2, in Outlook on the web, verify that the message was delivered to Francisco.
Results: After completing this exercise, you should have configured anti-spam and antivirus settings.
2. Create a new Outlook Web App policy named Limited features with the following features disabled:
o Instant messaging
o Text messaging
o Unified messaging
o Journaling
3. Associate the Limited features Outlook Web App policy with Kendra Sexton.
4. In Outlook, create a new message for Kendra Sexton, and attach the
C:\Windows\Logs\DISM\dism.log file.
5. On LON-CL2, sign out of Outlook on the web, and then sign in again as
Kendra@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.
6. Verify that Kendra is unable to access the attachment in the new message.
2. Edit the Exchange ActiveSync Access settings to quarantine new mobile devices and notify Holly
Dickson.
o Require a password
3. Your device will be placed into quarantine, and you must approve the device before you can send and
receive messages.
4. After you configure the Exchange ActiveSync account, the security settings from the mobile device
mailbox policy will apply, and you may be prompted to create a password on your device.
5. When you are done testing, you can delete the account from your mobile device.
Results: After completing this exercise, you should have configured client access policies.
Question: You recently migrated all of your organizational mailboxes to Office 365. Many of
your users have mobile devices that connect by using Exchange ActiveSync. Your security
officer was shocked when he saw that a user did not have a password on his mobile device.
Why did this happen, and how can you fix it?
Module 8
Planning and deploying Skype for Business Online
Contents:
Module Overview 8-1
Lesson 1: Planning and configuring Skype for Business Online service settings 8-2
Lesson 2: Configuring Skype for Business Online users and client connectivity 8-12
Lesson 3: Planning voice integration with Skype for Business Online 8-15
Module Overview
Skype for Business Online is a core component of Microsoft Office 365. Skype for Business Online provides
a variety of options for users to collaborate with each other, including presence information, instant
messaging (IM), and audio and video conferencing. Additionally, Skype for Business Online provides a full
voice solution, where you can replace some or all on-premises Private Branch Exchange (PBX)
functionality with a cloud-based solution.
Objectives
After completing this module, you will be able to:
Lesson 1
Planning and configuring Skype for Business Online
service settings
Most Office 365 subscriptions include Skype for Business Online. When you assign users licenses that
include Skype for Business Online, they can immediately start using this feature. However, before you
enable users to utilize Skype for Business Online, you should understand the Skype for Business Online
service, and you should be able to configure the service settings to meet your organization’s
requirements.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain how to connect to Skype for Business Online by using Windows PowerShell.
• Explain how to configure organization settings.
• IM. Users can utilize standard text-based IM to communicate in real time with multiple users, and
users can transfer files to those users.
• Voice calls. Users can make Skype for Business calls to other Skype for Business users inside and
outside an organization, and if enabled, they can call Skype consumer users.
• Web conferencing. Skype for Business Online can host conferences, which you can schedule or run as
needed. Conferences can include IM, audio, video, application sharing, slide presentations, and other
forms of data collaboration.
• Audio conferencing. Users can join Skype for Business Server–based audio conferences by using any
desktop or mobile device. When connecting to an audio conference by using a web browser, users
can provide a telephone number that the audio conferencing service calls.
• Enhanced presentations. Users can enhance their online presentations by using Skype for Business
Online screen sharing, application sharing, and virtual whiteboard features.
• Support for federation. You can configure federation with other organizations that are running Skype
for Business Online, Skype for Business Server on-premises, Microsoft Lync Server, or Microsoft Office
Communications Server—you can provide full Skype for Business functionality for users in multiple
organizations.
Additional Reading: For more information, refer to Skype for Business Compare plans:
http://aka.ms/vqcfmt.
Additional Reading: For more information on the Skype for Business options that are
provided with Office 365 and Skype for Business Online stand-alone subscriptions, refer to Skype
for Business Online Service Description: http://aka.ms/eljskd.
Some organizations use proxy servers or firewall settings to block users from accessing Internet locations.
If you are limiting the domains, URLs, and IP addresses that your internal users can access, then you must
ensure that internal clients have access to the domain names, URLs, and ports that Skype for Business
Online servers require.
Additional Reading: For more information on the domain names, URLs, IP addresses, and
port numbers that Office 365 and Skype for Business Online require, refer to Office 365 URLs and
IP address ranges: http://aka.ms/Ef9aum.
As a best practice, you should allow internal users to access Skype for Business Online servers by using
domain names or URLs rather than IP addresses. The IP addresses that are associated with the Skype for
Business Online servers might change frequently, whereas domain names and URLs are less likely to
change.
In addition to ensuring user access to Skype for Business Online servers, you can perform the following
key network optimization configurations:
• Disable authentication for Skype for Business Online audio and video traffic when an authenticating
HTTP proxy is used.
• Configure the network to allow User Datagram Protocol traffic for better audio and video
performance.
• Modify internal routers and optimize internal network paths for audio and video traffic.
Additional Reading: The Skype for Business Bandwidth Calculator is a tool that you can
use to calculate bandwidth requirements. You can download this tool from:
http://aka.ms/h028y7.
Additional Reading: For more information on Internet bandwidth usage for Office 365
services, refer to Network planning and performance tuning for Office 365: http://aka.ms/i09jrk.
Software requirements
To manage Skype for Business Online by using Windows PowerShell, your computer must be running a
64-bit Windows operating system and have the following installed:
• Windows PowerShell 3.0 or later. An appropriate version of Windows PowerShell is already
preinstalled on Windows Server 2012 or Windows 8 or later operating systems.
• The Skype for Business Online module for Windows PowerShell. This installs the Skype for Business
Online Connector module and the New-CsOnlineSession cmdlet on your local computer. You can
download this module from http://aka.ms/x3kyib.
Note: If you are using a computer that is running Windows 7, then you will need to install
Windows PowerShell 3.0 and the Microsoft Online Services Sign-In Assistant. This software
provides sign-in and authentication functionality for Office 365 applications, including Skype for
Business Online. This can be downloaded from the Microsoft Download Center at
http://aka.ms/vl42dg.
$cred = Get-Credential
$SfBSession = New-CsOnlineSession -Credential $cred
Import-PSSession $SfBSession
After completing the first command, a credentials dialog box appears. Enter the user name and password
for a Skype for Business Online administrator. The second command creates the variable $SfBSession and
uses the New-CSOnlineSession command to create a connection to Skype for Business Online by using
the supplied credentials. The last command imports the session to your Windows PowerShell console. You
can then use all Skype for Business Online commands.
To remove the Windows PowerShell session and to disconnect from Skype for Business Online, run the
following command:
Remove-PSSession $SfBSession
• Mobile phone notifications. Mobile phone notifications alert Windows Phone and iOS users when
they receive incoming instant messages when the users are not actively using their Skype for Business
clients. Users can also disable these push notifications on their devices.
By default, push notifications are enabled for Windows Phones through the Microsoft Push Notification
Service and for iOS devices through the Apple Push Notification Service. You can disable either or both
options. If you disable these options for an organization, users will not receive push notifications even if
the options are enabled on their devices.
• Logo URL. The logo that the URL points to must be a JPG or GIF image that is a maximum of 188
pixels wide by 30 pixels high.
• Legal URL. This points to a website that contains your organization’s legal disclaimers.
• Footer text. This allows you to enter free text, such as legal disclaimer information, directly into the
meeting invitation.
• To configure presence privacy settings, use the Set-CsPrivacyConfiguration cmdlet, with the
EnablePrivacyMode parameter. If this parameter is set to True, then users can turn on advanced
privacy mode so that only their contacts can see their presence information. If set to False, then
presence information is available to all users in the organization.
• To enable or disable push notifications to iPhones or Windows Phones, you can use the
Set-CsPushNotificationConfiguration cmdlet, which uses the EnableApplePushNotificationService and
EnableMicrosoftPushNotificationService parameters.
• To customize meeting invitations, use the Set-CSMeetingConfiguration cmdlet, and configure the
LogoURL, LegalURL, HelpURL, and CustomFooterText parameters.
• You can also use the Set-CSMeetingConfiguration cmdlet to configure other meeting parameters
for your organization, including the following:
o Use the AdmitAnonymousUsersByDefault parameter to define whether to allow anonymous users
into meetings automatically, or whether they will need to wait in a lobby until a meeting
presenter admits them.
o Use the AllowConferenceRecording parameter to define whether users will be able to record
meetings.
By default, domain federation with all domains is allowed when you configure an Office 365 tenant. You
can modify the default setting by choosing one of the following options:
• Off completely. This disables external access and will prevent users from communicating with
anyone in an external domain.
• On except for blocked domains. This enables domain federation for all domains except for those
that you explicitly add to the blocked domains list.
• On only for allowed domains. This enables domain federation for all the domains that you explicitly
add to the allowed domains list.
After federation is established between domains, users in the two organizations will be able to
communicate with contacts that they have added to their Skype for Business clients.
Note: Public IM connectivity in Skype for Business Online only supports public IM
connectivity with Lync or Skype users; it does not support other public IM networks such as AOL
Instant Messenger or Yahoo Messenger.
Skype communications between users in federated domains are restricted to Skype for Business Online
features that both organizations support. For example, if your organization supports video conversations
but the other domain does not, your users will not be able to start video conversations with users in that
federated domain.
Note: You can also use the Office 365 admin center to configure external communication
settings for Skype for Business Online. To do this, expand the External Sharing tab, and then
click Skype for Business. You can then enable or disable external access and configure the
blocked or allowed domains.
• To enable or disable federation with public IM providers, you can use the
Set-CsTenantFederationConfiguration cmdlet with the AllowPublicUsers parameter.
• To allow federation with all domains, you can use a variable with the
New-CsEdgeAllowAllKnownDomains cmdlet, and then use the
Set-CsTenantFederationConfiguration cmdlet with the AllowedDomains
parameter and the defined variable.
• To view a list of blocked domains, you can use the Get-CsTenantFederationConfiguration cmdlet
and pipe its output to Select-Object -ExpandProperty BlockedDomains.
• To add a domain to the blocked domains list, you can use a variable with the
New-CsEdgeDomainPattern cmdlet, and then use the Set-CsTenantFederationConfiguration
cmdlet with the BlockedDomains parameter and the Add method with the defined variable.
When configuring Skype Meeting Broadcast, you can configure the following roles for users in your
organization:
• Organizer. A user needs to have meeting organization permissions to create a meeting request and
invite others to join the meeting. An organizer can also review meeting reports after a meeting is
complete. By default, only users assigned the Office 365 Global admin role can organize meetings.
• Producer. A user with producer permissions can manage meeting content such as live or dial-in
presentations, audio or video sources, and Microsoft PowerPoint decks. Producers can also record
meetings and post recordings to Office 365 Video.
• Event team member. Event team members can contribute to the event as a presenter.
• Attendee. Attendees do not have any presenter permissions; they can only attend and view a
meeting.
You cannot schedule Skype Meeting Broadcast in Outlook; instead, you have to connect to
https://broadcast.skype.com, which is the scheduling portal. After you sign in to the portal, you can
schedule a Skype Meeting Broadcast before sending an invitation.
The steps for joining a Skype Meeting Broadcast are the same as joining any other meeting in
Skype for Business, with one exception. Even though users connect by using the familiar method,
participants will not receive any presentation until a presenter turns on audio. In a traditional
Skype for Business meeting, audio is not a requirement.
When running a Skype Meeting Broadcast, you can use a web browser and the Skype for Business Web
App, or you can use the Skype for Business 2015 client. Regardless, the client layout and the options
change slightly when in a broadcast session. For example, you can only show one video feed at a time,
and the only sharing that can occur is by using PowerPoint via Office Web Apps Server, or Office Online
Server.
Get-CsBroadCastMeetingConfiguration
3. Before users can configure meeting broadcasts, you need to enable external communications for your
organization, and you need to ensure that access to the meeting broadcast domains is not blocked.
You must enable the Let people use Skype for Business to communicate with Skype users
outside your organization option. If you are limiting external access by domain, you need to ensure
that the following domains are on the allowed domain list:
o noammeetings.lync.com
o emeameetings.lync.com
o apacmeetings.lync.com
o resources.lync.com
4. If you are limiting the URLs and IP addresses that your users can access on the Internet, you need to
ensure that users can access the following URLs and domains.
URLs                             Domains
https://broadcast.skype.com      Skype.com
https://*.broadcast.skype.com    *.skype.com
http://*.microsoftonline.com     *.microsoftonline.com
https://*.microsoftonline.com    *.microsoftonline.com
http://aka.ms                    aka.ms
https://*.infra.lync.com         *.infra.lync.com
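Putting the federation cmdlets described earlier in this lesson together with the broadcast domain prerequisite in step 3, the following added example (not course material; the partner and blocked domains are constructed placeholders) switches a tenant to "On only for allowed domains", adds a blocked domain, turns off public IM connectivity, and verifies that the Skype Meeting Broadcast domains survived the change. It assumes an open Skype for Business Online session created with New-CsOnlineSession.

```powershell
# Added example, not from the course or from Microsoft's documentation. Assumes an open
# Skype for Business Online session (New-CsOnlineSession, as shown earlier in this module).
# The partner and blocked domains are constructed placeholders.
$partnerDomains   = 'partner-a.example', 'partner-b.example'
$blockedDomain    = 'unwanted.example'
# Skype Meeting Broadcast relies on these domains when federation is limited to an allow list.
$broadcastDomains = 'noammeetings.lync.com', 'emeameetings.lync.com',
                    'apacmeetings.lync.com', 'resources.lync.com'

# Capture the current state so the change can be reviewed or reverted.
$before = Get-CsTenantFederationConfiguration
Write-Output "Before: AllowFederatedUsers=$($before.AllowFederatedUsers) AllowPublicUsers=$($before.AllowPublicUsers)"

# Switch to 'On only for allowed domains'. The allow list replaces the previous setting, so
# every domain that must stay reachable has to be in it, including the broadcast domains.
$patterns  = foreach ($d in ($partnerDomains + $broadcastDomains)) { New-CsEdgeDomainPattern -Domain $d }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# Append one domain to the blocked list without overwriting existing entries (the Add
# method the text refers to).
$blocked = New-CsEdgeDomainPattern -Domain $blockedDomain
Set-CsTenantFederationConfiguration -BlockedDomains @{Add = $blocked}

# Consumer Skype (public IM) connectivity is a separate switch; keep it off unless required.
Set-CsTenantFederationConfiguration -AllowPublicUsers $false

# Verify the result: every required domain must appear in the allow list. The property
# layout used here is the one Select-Object -ExpandProperty AllowedDomains displays.
$after   = Get-CsTenantFederationConfiguration
$allowed = @($after.AllowedDomains.AllowedDomain | ForEach-Object { $_.Domain })
$missing = @(($partnerDomains + $broadcastDomains) | Where-Object { $allowed -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "Not in the allow list: $($missing -join ', ')"
} else {
    Write-Output "Allow list verified ($($allowed.Count) domains)."
}
$after | Select-Object -ExpandProperty BlockedDomains
```

Replacing AllowedDomains with an explicit list immediately cuts off federated contacts in every domain that is not on it, so review the captured $before state and schedule the change with the affected users in mind.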
You are preparing your Windows 10 workstation to manage Skype for Business Online by
using the Windows PowerShell command-line interface. What software do you need to
install on the computer?
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
Lesson 2
Configuring Skype for Business Online users and client
connectivity
After configuring Skype for Business Online service settings, the next step is to configure users’ settings. By
default, all users that have an appropriate license have access to Skype for Business Online, and the users
will have full access to all Skype for Business Online functionality that you configured for your
organization. You might want to change this default configuration for some or all users.
Lesson Objectives
After completing this lesson, you will be able to:
To edit user settings, select the users tab in the Skype for Business admin center, select the user account,
and then select the Edit icon. You can configure the following settings on the general tab:
• Audio and video. This setting enables you to select one of four options for audio and video
capabilities:
o None
o Audio only
• Record conversations and meetings. This setting defines whether a user is allowed to use the
record option to record meetings.
• Allow anonymous attendees to dial-out. This setting enables unauthenticated meeting attendees
to be called by the conferencing service instead of having to dial in directly to the service.
• For compliance, turn off non-archived features. This setting turns off the features that are not
archived when an organization implements the Microsoft Exchange in-place hold feature. You should
use this option if your organization is legally bound to archive electronically stored data.
You cannot manage user settings by using Windows PowerShell, except for assigning and configuring
audio conferencing providers (ACPs). You can use the Get-CsOnlineUser cmdlet to view information
about your users.
o External Skype for Business users. If you select this option, the user will be able to
communicate with all external domains that you have configured for the organization.
o External Skype users. To select this option, you must select the External Skype for Business
users option. Selecting this option enables the user to communicate with users on the Skype
public service.
• Lync 2013 Basic. This locally installed client provides a scaled-down set of Skype presence, IM, and
conferencing features. The Lync 2013 Basic client is available for organizations that have a
subscription that includes Skype for Business Online but not Microsoft Office 365 ProPlus. Lync Basic
does not provide the same enhanced features as the full Lync 2013 client that was described above.
The Office 365 admin center contains information about how to download the current version of Lync
Basic.
• Lync Windows Store app. This Lync app is optimized for touch, and it was designed specifically for
Windows 8 and Windows RT. Users can download this app from the Windows Store.
• Skype for Business Web App. The web-based Skype for Business Web App client offers users IM in
meetings, enhanced application and desktop sharing, a whiteboard, and presenter access controls.
Additionally, Skype for Business Web App now includes PC-based audio and video. Skype for Business
Web App is designed mainly for external users who are invited to Skype Meetings and for employees
who are not using their usual computer during a meeting. Skype for Business Web App supports
Windows and Macintosh operating systems only.
• Skype for Business Mobile app clients. They extend Skype for Business features to users’ mobile
devices. Skype for Business Mobile app clients provide voice and video over wireless connections, rich
presence, IM, conferencing, and calling features from a single interface. The Skype for Business
Mobile app is available for Windows Phone, iOS (iPhone/iPad), and for Android.
• Lync for Mac 2011. This client provides Mac users with integrated presence, IM, conferencing, and
audio and video capabilities, in addition to desktop sharing, application sharing, and file sharing.
Additional Reading: For more information on the available Skype for Business features for
different clients, refer to Client comparison tables for Skype for Business Server 2015:
http://aka.ms/us67gj.
Additional Reading: For more information on the available Skype for Business features for
different mobile device platforms, refer to Mobile client comparison tables for Skype for Business:
http://aka.ms/mrxvgx.
Question: You need to ensure that only specific users in your organization can communicate
with users in other organizations who are using Skype for Business. However, all other users in
your organization should be blocked. How would you configure Skype for Business Online to
achieve this?
Lesson 3
Planning voice integration with Skype for Business Online
Many organizations that have deployed Skype for Business Server 2015 on-premises use the Skype for
Business infrastructure to provide telephony and voice functionality, including connectivity to the public
switched telephone network (PSTN) and mobile phones. Skype for Business Online has enabled dial-in
conferencing for audio conferences through non-Microsoft partners for some time. Some of the most
recent additions to Skype for Business Online have been new features that provide much of the same
functionality as Enterprise Voice does for on-premises deployments.
Lesson Objectives
After completing this lesson, you will be able to:
Skype for Business Online provides options for integrating voice functionality that are similar to what
Enterprise Voice provides on-premises. The following options are available:
• Dial-in conferencing by using a non-Microsoft provider. This allows users to join meetings by using a
phone rather than using a Lync or Skype for Business client. You can provide internal or external users
with a local or toll-free phone number, and users can utilize that number to connect to an audio
conference. For this option, you need to set up a subscription with a non-Microsoft dial-in conferencing
provider, also called an audio conferencing provider (ACP), and you need to configure users to utilize that
provider.
To enable dial-in conferencing with a non-Microsoft provider, you must subscribe to a Skype for
Business Online Plan 2, Office 365 Enterprise E1, or Office 365 Enterprise E3 license.
• Cloud PBX. This provides a full Enterprise Voice solution that Office 365 hosts. With Cloud PBX, you
can replace your on-premises PBX solution, and you can provide users with a full-featured telephony
experience, including voice mail. Users can place phone calls from their computer-based clients or by
using other VoIP devices. Cloud PBX can integrate with your on-premises PSTN gateway solution, or
you can use a cloud-based PSTN gateway solution.
To enable Cloud PBX, you must subscribe to a Skype for Business Online Plan 2, Office 365 Enterprise
E1, or Office 365 Enterprise E3 license, and you must add the Skype for Business Cloud PBX add-in.
You can also subscribe to an Office 365 Enterprise E5 license, which includes the Skype for Business
Cloud PBX add-in.
• Voice-calling plans. If you use Cloud PBX and choose cloud-based PSTN integration, you can
subscribe to voice-calling plans that enable users to make calls to PSTN phone numbers by using
Cloud PBX. You can subscribe to a Skype for Business PSTN Local Calling plan or a Skype for Business
PSTN Local and International Calling plan.
To use voice-calling plans, you must have a subscription that provides Cloud PBX, and you must add
the voice-calling plan.
• PSTN conferencing. If you enable Cloud PBX, you can also enable PSTN conferencing. PSTN
conferencing is similar to dial-in conferencing in that you can provide PSTN dial-in access to
meetings. However, with PSTN Conferencing, you use the Cloud PBX solution rather than a non-
Microsoft provider to enable dial-in access.
To enable PSTN conferencing, you must subscribe to a Skype for Business Online Plan 2, Office 365 Enterprise
E1, or Office 365 Enterprise E3 license, and you must add the PSTN Conferencing add-in. You can also
subscribe to an Office 365 Enterprise E5 license, which includes the Skype for Business Cloud PBX and
PSTN Conferencing add-in.
Additional Reading: For more information on the licensing requirements for each of the
voice integration options, refer to Skype for Business Online licensing overview:
http://aka.ms/tm4tg0.
• Microsoft conferencing bridge. With this option, Microsoft provides all dial-in conferencing
components. Users dial in to a Microsoft conference bridge, and Office 365 handles all
authentications. This option is easier because you can manage all service and user settings from one
location, and users only need to remember their Office 365 credentials to access conferences.
Note: You can use both a non-Microsoft provider and a Microsoft conferencing bridge for
dial-in conferencing, but each user can only be configured with one or the other option.
• Do you want to provide only local dial-in numbers, or do you also want to provide toll or toll-free
phone numbers?
• Do you want to provide anonymous, external access to dial-in conferences, or do you want to provide
access to internal, authenticated users only?
Additional Reading: For more information on the features that ACPs and Microsoft dial-in
conferencing provide, refer to Dial-in conferencing in Office 365: http://aka.ms/Dt6jbp.
If your organization provides dial-in conferencing services by using an on-premises solution, you might
already have a dial-in conferencing provider. You should check whether the provider also provides dial-in
functionality for Skype for Business Online and Office 365.
• The provider name. This enables you to choose your ACP from a list of supported providers for your
country.
• Toll number and toll-free number. The ACP supplies these phone numbers to you. The numbers that
you enter here appear in the same format in Skype for Business Meeting requests. The toll number is
a required setting, but the toll-free number is optional.
• Passcode. This is the code that meeting participants enter when they join meetings.
2. Purchase the PSTN Conferencing add-in and assign it to each user. If you have an Office 365
Enterprise E5 subscription, the PSTN Conferencing add-in is already included.
3. Configure dial-in user settings for all users who will be allowed to use dial-in conferencing.
If you implement Cloud PBX, calls between users in your organization are handled entirely in the cloud,
without ever connecting to a PSTN. If users are in different locations, they can make toll-free calls through
Cloud PBX.
Another Cloud PBX feature is voice mail. All Cloud PBX–enabled users have access to voice mail, which
allows users to listen to messages by using the Skype for Business client. The voice mail is delivered to a
user’s mailbox as an email with an audio attachment.
One of the features that most on-premises PBX solutions provide is the ability to place and receive calls
from PSTN and mobile phones. You can also connect Cloud PBX with PSTN to provide full dial-in and
dial-out access to PSTN and mobile phones. To provide this functionality, you can:
• Add the PSTN Calling service to Cloud PBX. With this option, Microsoft provides PSTN connectivity so
that all incoming and outgoing PSTN calls go through the Microsoft infrastructure.
• Integrate Cloud PBX with an on-premises PSTN connectivity solution. With this option, you can use
your existing PSTN connection to provide PSTN connectivity. Cloud PBX users are located in the
cloud, but when they place or receive a PSTN phone call, the call passes through your local
infrastructure to the PSTN. This might be attractive for organizations that have PSTN solutions in
place because it allows users to retain the same phone numbers.
• Skype for Business PSTN Local Calling. With this option, users can place calls to PSTN phone numbers
that are in the same country as the user. Each licensed user gets 3,000 domestic dial-out minutes, 60
minutes of conference calling to phones, and unlimited incoming calls each month.
• Skype for Business PSTN Local and International Calling. With this option, users can place calls to
PSTN phone numbers that are in the same country as the user and to international numbers in 196
countries. Each licensed user gets 3,000 domestic dial-out minutes, 600 international dial-out
minutes, 60 minutes of conference calling to phones, and unlimited incoming calls each month.
Not all users in your organization have to use the same calling plan. You can buy both types of plans and
assign different calling plans to different users.
Note: At the time of writing this course, PSTN calling is only available to organizations that
have a United States–based Office 365 billing address.
Additional Reading: For more information on the PSTN voice-calling plans, refer to Skype
for Business Online PSTN services use terms: http://aka.ms/gv7f7f.
1. Purchase and assign appropriate licenses and PSTN voice-calling plans for your users.
2. Get the phone numbers for your organization. You acquire phone numbers for your organization by
requesting phone numbers from Office 365, or you can use the phone numbers that are already
assigned to you by your carrier.
Additional Reading: For more information on how to port existing phone numbers to
Office 365, refer to Transfer phone numbers over to Skype for Business Online:
http://aka.ms/I3rygm.
3. Configure emergency addresses and locations for your organization. Before you start assigning phone
numbers to users, you must configure at least one emergency address, and if applicable, one or more
emergency locations. Emergency locations are associated with an emergency address, but they
provide a more exact location within a building.
You must have a subscription that includes Cloud PBX and a voice-calling plan before you can
configure addresses and locations.
4. Assign phone numbers to users. When assigning phone numbers, you must associate users with
emergency addresses.
• Deploy an edge server environment that provides connectivity between the on-premises environment
and Skype for Business Online.
• Deploy a Mediation Server environment that provides connectivity between Skype for Business Server
and PSTN gateways.
• At least one Skype for Business server that provides the Central Management store role.
You can use Skype for Business Server 2015 or Lync Server 2013 for an on-premises deployment.
Additional Reading: For more information on how to plan for and configure PSTN
connectivity through an existing Skype for Business Server deployment, refer to:
http://aka.ms/jawfqa and http://aka.ms/ul1d3b.
Note: At the time of writing this course, Cloud Connector edition is in preview release, so
the configuration and features might change.
Reference Links: For more information on how to plan for and configure Cloud Connector
edition, refer to: http://aka.ms/otqqzu and http://aka.ms/hmurjm.
Not all features are currently available in Cloud PBX, so you might not be able to move all of your
voice functionality to the cloud. For example, if your organization needs Response Groups, Group Call
Pickup, or Call Park, you might need to retain an on-premises PBX solution until these features
become available.
• Understand your organization’s infrastructure. If your organization currently has a reliable on-
premises PBX infrastructure, and this infrastructure is meeting all of your organization’s needs, then it
makes sense to continue using that infrastructure and to implement only those Cloud PBX
components that are not available with the PBX. However, if your current PBX solution is not meeting
business requirements, or if it does not have the capacity to expand as your organization expands,
then implementing some Cloud PBX components might be the best solution.
If you have already deployed Skype for Business Server 2015 with Enterprise Voice, then you might
choose to implement a hybrid solution that continues to use the on-premises environment while also
taking advantage of some Cloud PBX features for some or all users.
You should also consider your organization’s Internet connectivity when deciding which Cloud PBX
components to implement. If your Internet connection has limited bandwidth or high latency, or if
the connection is not highly reliable, you might choose not to put the additional traffic that is created
by voice on that connection.
If you are concerned about your network bandwidth and performance, consider using Microsoft
Azure ExpressRoute to optimize your connectivity to Office 365.
Additional Reading: For more information, refer to ExpressRoute and QoS in Skype for
Business Online: http://aka.ms/edfrbb.
• Consider ease of management. One significant benefit of using Cloud PBX is that it provides a single
interface for managing all of the voice integration components. Rather than having to manage one
environment for IM and conferencing and a different environment for voice, you can manage all
components from a single location. Additionally, when you use Office 365 to host all components,
you do not have to manage any servers or other infrastructure components.
• Consider geographic limitations. Not all Office 365 features are available in all countries at the same
time. If a Cloud PBX feature that you urgently need is not available in your country, you might need
to consider another solution as an interim or permanent solution.
Question: Cloud PBX is a relatively new offering in Skype for Business Online. Do you think
that your organization will be interested in this feature? What changes would you need to
make in your organization to start using Cloud PBX?
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 60 minutes
Password: Pa$$w0rd
Where you see references to Adatumyyxxxxx.hostdomain.com, replace the Adatumyyxxxxx with your
unique hostdomain.com name displayed in the online lab portal.
This lab requires the following virtual machines: (use only the VMs required for your lab)
• LON-DC1
o Sign in as Adatum\Administrator
• LON-DS1
o Sign in as Adatum\Administrator
• LON-CL1
• LON-CL3
o Sign in as Adatum\Roman using the password Pa$$w0rd
• LON-CL4
1. Download and install the Skype for Business Online module for Windows PowerShell.
Task 1: Download and install the Skype for Business Online module for Windows
PowerShell
1. In Microsoft Edge, connect to http://go.microsoft.com/fwlink/?LinkId=294688.
2. Download and install the Skype for Business Online module for Windows PowerShell.
$cred = Get-Credential
$SfBSession = New-CsOnlineSession -Credential $cred
Import-PSSession $SfBSession
c. Verify the privacy and push notification settings by running the Get-CSPrivacyConfiguration
and Get-CSPushNotificationConfiguration cmdlets.
2. Use the following commands to enable communication with all federated partners except for
litware.com:
$AllDomains = New-CsEdgeAllowAllKnownDomains
$BlockedDomain = New-CsEdgeDomainPattern -Domain "litware.com"
Set-CsTenantFederationConfiguration -AllowedDomains $AllDomains -BlockedDomains $BlockedDomain
Get-CsTenantFederationConfiguration
5. In the Skype for Business admin center, verify the following settings:
o External communications are enabled for all domains except for litware.com.
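The following script is an added example and is not part of the course lab; it wraps the federation configuration the lab performs into reusable functions, records the configuration before changing it, and adds the stricter allow-list variant (only named partner domains may federate, everything else is blocked). It assumes the Skype for Business Online module (SkypeOnlineConnector) is installed and that the credential belongs to a tenant administrator. litware.com is the domain used in the lab; contoso.com is a constructed partner domain.

```powershell
# Added example (not from the course text): configure and verify Skype for
# Business Online federation with the Skype for Business Online module.
# Assumes the SkypeOnlineConnector module is installed and the account used
# is a tenant administrator. contoso.com is a constructed partner domain.

Import-Module SkypeOnlineConnector
$cred = Get-Credential
$SfBSession = New-CsOnlineSession -Credential $cred
Import-PSSession $SfBSession

function Show-FederationConfig {
    # Shows the settings that decide who can reach the tenant from outside.
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowPublicUsers, AllowedDomains, BlockedDomains
}

function Set-FederationBlockList {
    # Lab variant: allow every known federated domain except the listed ones.
    param([string[]]$BlockedDomains)
    $allDomains = New-CsEdgeAllowAllKnownDomains
    $patterns   = $BlockedDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
    Set-CsTenantFederationConfiguration -AllowedDomains $allDomains -BlockedDomains $patterns
}

function Set-FederationAllowList {
    # Stricter variant: only the listed partner domains may federate; all
    # other domains are unreachable because they are not on the allow list.
    param([string[]]$AllowedDomains)
    $patterns  = $AllowedDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
    Set-CsTenantFederationConfiguration -AllowedDomains $allowList
}

# 1. Record the current state so the change can be reviewed and rolled back.
Show-FederationConfig

# 2. Apply the lab configuration: all partners except litware.com.
Set-FederationBlockList -BlockedDomains "litware.com"
Show-FederationConfig

# 3. Alternatively, restrict federation to an explicit partner list
#    (run this instead of step 2; it replaces the AllowedDomains value).
Set-FederationAllowList -AllowedDomains "contoso.com"
Show-FederationConfig

Remove-PSSession $SfBSession
```

Running steps 2 and 3 in sequence leaves the allow-list configuration in place, because each Set-CsTenantFederationConfiguration call overwrites the AllowedDomains value; compare the two Show-FederationConfig outputs to see the difference between the block-list and allow-list shapes.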
4. Open the meeting, and then verify the help link and custom footer text.
Results: After completing this exercise, you should have configured Skype for Business Online service
settings.
2. In the Skype for Business admin center, verify that Christie Thomas is not listed as a Skype for Business
user.
3. Edit Maira Wenzel’s Skype for Business user settings to remove the option to record meetings, and to
prevent her from communicating with public Skype users.
4. Edit Francisco Chaves’s Skype for Business user settings to enable him to connect to audio meetings
only.
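As an added example that is not part of the lab, the per-user restrictions in these steps can also be applied and verified from Windows PowerShell. The block assumes a session already opened with New-CsOnlineSession and Import-PSSession; the user principal name is constructed from the lab's naming pattern.

```powershell
# Added example (not from the course text): restrict one user's external
# communication and inspect the policies that govern meeting recording.
# Assumes an open Skype for Business Online session. The UPN is constructed
# from the lab's Adatumyyxxxxx.hostdomain.com pattern.

$upn = "Maira@adatumyyxxxxx.hostdomain.com"

# Built-in external access policies: EnableFederationAccess controls partner
# (federated) domains, EnablePublicCloudAccess controls public Skype users.
Get-CsExternalAccessPolicy |
    Select-Object Identity, EnableFederationAccess, EnablePublicCloudAccess

function Set-UserExternalAccess {
    # Grants a named external access policy and returns the user's effective
    # policy so the change can be checked.
    param([string]$UserPrincipalName, [string]$PolicyName)
    Grant-CsExternalAccessPolicy -Identity $UserPrincipalName -PolicyName $PolicyName
    Get-CsOnlineUser -Identity $UserPrincipalName |
        Select-Object DisplayName, ExternalAccessPolicy, ConferencingPolicy
}

# Keep federation but block communication with public Skype users.
Set-UserExternalAccess -UserPrincipalName $upn -PolicyName "FederationOnly"

# Meeting recording is governed by the conferencing policy; list the
# available policies that do not allow recording before granting one.
Get-CsConferencingPolicy |
    Where-Object { -not $_.AllowConferenceRecording } |
    Select-Object Identity, AllowConferenceRecording
```

Checking the user object after the grant is the step to keep: the policy name that appears in ExternalAccessPolicy is what actually applies to the user, regardless of what was selected in the admin center.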
3. On LON-CL1, create a Skype meeting request for a meeting that will start within the next 15 minutes,
and then send the request to Francisco Chaves and Maira Wenzel.
6. Accept the meeting request from Holly, and then join the meeting.
7. On LON-CL1, join the meeting, and then verify that Maira is connected to the meeting.
10. On LON-DC1, open Internet Explorer, and then connect to https://portal.office.com. Sign in as
Francisco@adatumyyxxxxx.hostdomain.com.
12. Open Calendar, and join the meeting, and then install the Skype for Business Web App plug-in.
13. Verify that you can join the meeting and that Holly’s desktop is visible.
Results: After completing this exercise, you should have configured Skype for Business Online user
settings and validated Skype for Business Online functionality.
o Access: Secure
o Attendees: Maira Wenzel
4. Join the broadcast meeting. Verify that Roman can join the meeting.
11. Keep the virtual machines running for the next lab.
Results: After completing this exercise, you should have configured a broadcast meeting and verified that
users can join the meeting.
Question: How will you change the Windows PowerShell steps that you ran in the lab if you
want to block all communication with external domains except for litware.com?
Question: Do you think that your organization will use Skype Meeting Broadcast?
Tools
The following tools are covered in this module:
• Skype for Business admin center. Accessible from the Office 365 admin center, use this tool to
configure Skype for Business Online service settings and user settings.
• Skype for Business Server Management Shell. Use this tool to configure Skype for Business Online
settings.
• The Skype for Business Online module for Windows PowerShell. This provides the Windows
PowerShell commands that are required to configure Skype for Business Online when you use the
Skype for Business Server Management Shell.
Module 9
Planning for and configuring SharePoint Online
Contents:
Module Overview 9-1
Module Overview
SharePoint Online is one of the most important services within Office 365. It provides users the capabilities
to work together, share documents, and plan their collaboration. SharePoint Online helps in internal and
external collaboration and in finding information quicker and easier. All these services are accessed
through a web browser, which means that whether users are working onsite or offsite, they are always able
to accomplish tasks and work together. Some of the SharePoint Online features are now available only
online and not in the on-premises version.
This module describes the administrative features available within SharePoint Online and the most
common configuration tasks for any administrator who starts using SharePoint Online. This module
describes the concept of site collections and the different sharing options within SharePoint Online. A
brief overview of additional portals, such as the video portal, is also discussed.
Objectives
After completing this module, you will be able to:
Lesson 1
Configuring SharePoint Online services
You can use SharePoint Online as a collaboration platform that enables internal employees both to
collaborate among themselves and to collaborate with members of external organizations. This lesson
describes the administrative functions within SharePoint Online and provides an overview of the
SharePoint admin center. This lesson also describes commonly used administrative features and
configuration options for the overall SharePoint Online experience.
Lesson Objectives
After completing this lesson, you will be able to:
To access the SharePoint admin center through the Office 365 admin center, you have to first sign in to
https://portal.office.com. Then, you can switch to the Office 365 admin center. Here, you can access the
SharePoint admin center by clicking the Admin centers menu and then clicking SharePoint.
A global administrator of Office 365 automatically becomes a SharePoint admin center administrator. It is
also possible to assign an administrator for the SharePoint admin center alone.
2. Under Users, select the user who will be the SharePoint Online administrator.
Administrator roles are described in more detail in the “Managing Office 365 users and groups” module.
Note: Site collection administrators do not have access to the SharePoint Online admin
center.
The main areas that you can access from the SharePoint admin center are:
• Site collections. Here, you can create new site collections and manage them. Site collections are a
tiered set of sites.
• InfoPath. You use InfoPath Forms Services in SharePoint Online to deploy your organization's forms
to your sites, enabling users to fill out these forms in a web browser.
• User profiles. A user profile is the collection of user properties—and the policies and settings
associated with each of those properties—that describe a single user. Here, you also find settings for
your organization such as the management of promoted sites.
• BCS. In SharePoint Online, you can create Business Connectivity Services (BCS) connections to data
sources, such as Azure SQL Database or Windows Communication Foundation (WCF) web services,
that are outside the SharePoint Online site.
• Term store. Here, you can manage metadata information on a central location.
• Records management. You can manage records in place, which means that you can leave a document
in its current location on a site, or store records in a specific archive.
• Search. Here, you can customize the search experience for users. This customization includes defining
searchable managed properties in the search schema, identifying high-quality pages to improve
relevance, managing query rules and result sources, and removing individual results.
• Secure store. The Secure Store Service is a claims-aware authorization service that includes an
encrypted database for storing credentials.
• Apps. You can create an App Catalog site to make internally-developed custom apps available for
users to install. Users can find these apps under the From Your Organization filter on the Site
Contents page.
• Settings. Here, you manage SharePoint Online tenant-wide settings such as external sharing and
rights management, among others.
• Configure hybrid. Here, you can configure SharePoint Online hybrid with an on-premises SharePoint
site.
These limits change from time to time, and we recommend you review them often. These limits are
managed separately from Microsoft Exchange Online Limits.
Additional Reading: For more information, refer to SharePoint Online and OneDrive for
Business software boundaries and limits: http://aka.ms/jns65q.
Note: These settings disable the visibility of Sites and OneDrive for Business within Office
365. The app launcher and the entry menu do not show those menu items anymore. If a user
knows the direct link to their OneDrive for Business account or the Sites site, they can still access
it.
• Site collections
• User profiles
• Settings
• Configure hybrid
Office Graph
Office Graph collects individual activities and relationships across the entire Office suite. It uses signals
from email, social conversations, meetings, and documents in SharePoint Online and OneDrive for Business
to present information that is more relevant to each user's Office 365 experience. The Office Graph
represents the relationships and interactions between content and users within Office 365. If you want to
disable this, and with it access to Office Delve, you can switch Office Graph off in the settings menu.
Note: If Yammer Enterprise is not enabled, switching to Yammer will disable the Newsfeed
icon in the app launcher but it will not enable the Yammer icon.
External sharing
These settings enable various sharing options across all site collections. By configuring these settings, a
SharePoint Online administrator can configure whether external user sharing is disabled or not, or if
anonymous sharing is allowed. Individual site collection settings follow those settings, which means if
anonymous sharing is disabled tenant wide, you are unable to allow it for a specific site collection.
Start a site
You can let users create their own team sites. Site creation is turned on by default and users with Create
Subsites permissions can create team sites. By default, these sites are created under the root SharePoint
Online site https://tenantname.sharepoint.com. Under the Start a site option, you can specify the path
under which the new team sites that users create are placed and, optionally, a custom template for these sites.
Custom script
With this setting, you can enable or disable custom script settings. You can use this setting to maintain the
security and integrity of sites within your SharePoint Online site collections. If custom scripts are disabled,
some SharePoint Online options are no longer available, such as save as site template, solutions gallery,
and blogs.
Additional Reading: For more information, refer to Turn scripting capabilities on or off:
http://aka.ms/Okimfj.
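The External sharing and Custom script settings described above can also be read and set from the SharePoint Online Management Shell. The following is an added example, not part of the course, and it assumes the SharePoint Online Management Shell module is installed; the tenant name "tenantname" follows the course's placeholder and the site collection URL is constructed. It also encodes the rule stated above: a site collection can be tightened below the tenant-wide sharing level but never loosened above it.

```powershell
# Added example (not from the course text): inspect and set tenant-wide
# external sharing and custom script settings, and check a site collection
# against the tenant setting. Assumes the SharePoint Online Management Shell
# is installed. "tenantname" and the site URL are placeholders.

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url "https://tenantname-admin.sharepoint.com"

# SharingCapability values ordered from most to least restrictive.
$rank = @{
    'Disabled'                        = 0   # no external sharing at all
    'ExistingExternalUserSharingOnly' = 1   # only guests already in the directory
    'ExternalUserSharingOnly'         = 2   # authenticated external users, no anonymous links
    'ExternalUserAndGuestSharing'     = 3   # anonymous (guest) links allowed
}

function Test-SiteSharingWithinTenant {
    # Returns $true when the site collection is no more permissive than the
    # tenant. Site-level settings inherit the tenant ceiling, so a site that
    # appears more permissive is not actually able to share more widely.
    param([string]$SiteUrl)
    $tenant = Get-SPOTenant
    $site   = Get-SPOSite -Identity $SiteUrl
    return $rank[[string]$site.SharingCapability] -le $rank[[string]$tenant.SharingCapability]
}

# Tenant-wide: allow sharing with authenticated external users only. This
# removes anonymous links everywhere; no site collection can re-enable them.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly
Get-SPOTenant | Select-Object SharingCapability

# A site collection may be tightened below the tenant level.
$siteUrl = "https://tenantname.sharepoint.com/sites/finance"   # constructed URL
Set-SPOSite -Identity $siteUrl -SharingCapability Disabled
Test-SiteSharingWithinTenant -SiteUrl $siteUrl

# Custom script: DenyAddAndCustomizePages $true turns custom script off for
# the site collection, so options such as "save as site template" and the
# solutions gallery disappear, as described above.
Set-SPOSite -Identity $siteUrl -DenyAddAndCustomizePages $true
Get-SPOSite -Identity $siteUrl | Select-Object Url, SharingCapability, DenyAddAndCustomizePages
```

Reading the tenant and site values back with Get-SPOTenant and Get-SPOSite after each change is the useful habit here: the sharing level that applies to users is the lower of the two, and DenyAddAndCustomizePages is what the admin center's Custom script switch sets per site collection.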
Preview features
Besides the First Release settings within Office 365, an administrator can disable Preview Features in
SharePoint Online in the following scenarios:
• The preview feature has a different Service Level Agreement (SLA) than Office 365.
Note: The SharePoint Online preview feature is not related to the First Release feature of
Office 365. The First Release feature allows all or a subset of users to access new Office 365
updates as soon as they become available and are rolled out to tenants through Microsoft.
Connected services
SharePoint 2013 workflows use Microsoft Azure Service Bus. You can disable this service in this setting.
Access apps
Access apps are databases that run within, and are hosted by, SharePoint Online. You can enable or
disable Access apps with this setting.
The settings under user profiles influence general settings such as language settings or promoted
sites.
• Organizations. You can use properties in this menu collection to map fields to Active Directory
Domain Services (AD DS) or Lightweight Directory Access Protocol (LDAP)–compliant directory
services.
• My Site settings. With My Site settings, you can manage My Site owners, promoted links, and links
to Office client applications. To verify or update My Site settings, open the Setup My Sites menu
item. Here, you can configure various settings. For example, there is an option to set the read
permission level to grant access on personal sites for selected users only.
o Secondary My Site owner. An important setting is the secondary My Site owner. You can
configure a secondary user for use in scenarios when you remove a user from Office 365. In that
case, the manager of that person gets access to this My Site. If there is no manager, the
secondary My Site owner becomes the owner of this My Site.
o Publish Links to Office Client Applications. Use this option to publish selected links to
SharePoint Online sites and lists when opening and saving documents from Office client
applications. Links published here appear under the My SharePoints tab when opening and
saving documents. You can configure this setting for a selected user base.
o Manage promoted sites. The Sites page lists all sites a user is following, as well as suggested
sites. You can add suggested sites under the promoted sites item. All links provided here are
visible under the Sites page. This is especially useful if an administrator wants to create promoted
links to selected sites on the main page for all users or for a subset of users.
The following table describes the options available within the From your organization setting.
Option Description
App Catalog: Use this option to make apps available within your organization. These can be apps developed in the organization or third-party apps. You can make apps for SharePoint Online and Office available here, as well as app requests.
Purchase Apps: Use this option to purchase apps from the SharePoint Store.
Manage Licenses: Use this option for license management of purchased apps.
Configure Store Settings: Use this option to configure tenant-wide settings for apps.
Monitor Apps: Use this option to track the usage of apps as well as review errors.
App permissions: Use this option to manage app access to the tenant.
To manage apps within the App Catalog, perform the following steps:
a. On the SharePoint Online Administration menu, on the left side, click Apps.
c. Create a new App Catalog site and click OK. The App Catalog site collection is created. You can
find it in https://tenantname.sharepoint.com/sites/apps. In the App Catalog site, all apps are
stored for the entire tenant.
2. Add apps to the App Catalog. It is possible to distribute apps for SharePoint Online or for Office. With
this functionality, users can add apps for SharePoint Online to their site collections. Office apps are
available in the on-premises installations of Office 365 ProPlus.
3. Optionally, install an app for all users. If you want an app to be used by all users, you can configure it
to be deployed.
• Video admins. Global administrators and SharePoint Online tenant administrators have this
permission level by default. These admins can perform administrative settings within the video portal.
• Channel admins. Channel administrators can create new channels. By default, any user within the
organization has channel administrator rights. A video admin can change this setting.
Channel management
Each video is uploaded to a selected channel. A channel admin can create new channels by
opening the video portal, clicking Channels, and then clicking New Channel. The channel admin
provides a name for the channel and assigns a color to the channel. After the channel is created, users can
upload videos to the channel. Within the Channel settings menu, the channel admin can set the
permission level of the channel, select spotlight videos for the channel, and allow or deny Yammer
conversations for the channel.
Office 365 Video supports only the codecs and file formats that are supported by Azure Media Services.
Note: For the most up-to-date list of supported codecs and file formats, refer to Media
Encoder Standard Formats and Codecs: http://aka.ms/drbvv7.
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
Lesson 2
Planning and configuring SharePoint Online site
collections
In this lesson, you will learn how to plan and configure SharePoint Online site collections, set resource
quotas and warning levels, set storage quotas for site collections, and configure the name and URL of a site
collection. Using site collections helps you organize your organization's content into sites for different
purposes.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the types of sites you can create in SharePoint Online and Office 365.
• Plan for site collections.
• Describe the common errors and best practices when managing site collections.
• App Catalog
• Search Center
• My Site host
• Video portal
• Compliance Center
• E-Discovery Center
The following table describes the types of sites you can create in SharePoint Online and Office 365.
Site Description
Team site The team site is a simple template you can use for teamwork and
project collaboration. The site includes libraries and lists for:
• Shared documents
• Announcements
• Calendars
• Links
• Tasks
• Discussion board
Blog site The blog site gives you the possibility to have internal blogs
available for announcements, ideas, observations, and expertise
within your team or organization. The site contains Posts,
Comments, and Links menus.
Project site If you need to manage projects, the project site template provides
an easy way with collaborative features and a Projects Summary
Web Part.
Community site The community site is a site where members can discuss various
topics.
Document Center site This site is for the management of a large amount of documents.
You can use it as a content archive.
Records Center site If you need to manage records such as legal or financial
documents, you can use the records center template. Here,
the entire records management process, from records
collection through records management to records
disposition, is supported.
BI Center site Use a business intelligence (BI) site to store, manage, share,
and view business reports, scorecards, and dashboards.
Search Center (Enterprise or Basic) site Enterprise search is a top-level site collection. With this
template, you are able to provide search elements based on
Enterprise search.
Enterprise Wiki This is a publishing site for sharing and updating large
volumes of information across an enterprise.
There are three categories of templates to choose from in the Office 365 admin center: Collaboration,
Enterprise, and Publishing, or you can pick the Custom template, which enables you to select a
template at a later time.
You should ask yourself the following questions when planning your site collections:
• What site templates should you use? You can create a site collection from a site template. These
templates already contain items such as document libraries, lists, pages, and several other common
site components that provide various features for your organization. Any sites that you create from a
template will inherit the template’s properties. It is common to use several different site templates
when building your site collection. You can also choose to create a custom site.
• How many site collections are required? This number is typically dependent on your organization’s
storage limits and its business needs. Some types of sites, such as the Enterprise Search Center and
the My Site host, exist as standalone site collections and may be automatically created for you when
you sign up for Office 365. You will likely need to create further site collections to fulfill the specific
requirements of your organization.
• How much storage is required for each site collection? When you purchase the SharePoint Online
service as part of your Office 365 plan, you are allocated a storage pool based on the number of user
licenses and the type of Office 365 plan you purchase. You can let SharePoint Online manage storage
automatically or allocate the storage by yourself. When assigning storage to your site collections, you
can see the total amount of storage allocated to your organization and how much of that remains to
allocate to other site collections. You can modify these storage levels later and you can increase or
decrease them as needed within your storage allocation limit.
• Is multilanguage support required? The Multilingual User Interface (MUI) feature allows your users to
display sites and web pages in other languages. This feature is not a translation tool; rather, it
modifies the display language for specific default interface components. MUI modifies the user
interface on a per-user basis and does not affect how other users view the site or page. This MUI
feature only modifies the viewable on-screen components; it does not modify content, such as
documents held within the site. The MUI feature is enabled in SharePoint Online by default, but if you
want to use it on a site collection, then you or another site collection administrator also need to
enable it on that site collection.
• Do you need to grant access to external users? Some of your users may need to collaborate with
users external to the organization. In this case, you will need to consider sharing content with those
external users; this will require thought and planning.
• Who will manage your site collections? The following roles can administer the SharePoint Online
service:
o Global administrator. This is the main administrative role for the Office 365 admin center and can
perform all administrative tasks, including managing service licenses, users and groups, domains,
subscribed services, and defining site collection administrators.
o SharePoint Online administrator. This role is a customized administrator role. This is the
administrator whose primary role is to administer SharePoint Online using the SharePoint admin
center. This role can create and manage site collections, define site collection administrators,
define tenant settings, and configure most other administrative elements, such as Business
Connectivity Services, Secure Store, InfoPath Forms Services, Records Management, Search, and
User Profiles.
Note: Office 365 global administrators are also automatically SharePoint Online
administrators.
o Site collection administrator. This role is granted the administrative permissions to manage a site
collection. Although a site collection can have several administrators, there can only be one
primary site collection administrator. When creating a new site collection, the SharePoint Online
administrator defines the primary site collection administrator. The SharePoint Online
administrator can add further people to the list of site collection administrators after the site
collection is created. Site collection administrators can add or delete sites, specify a secondary site
collection administrator, and modify site settings for any site in the site collection.
• What SharePoint Online limits exist? There are boundaries and limits within SharePoint Online. To plan
a site collection design properly, you must know which limits exist and how they will affect your
site collection planning. For example, a site collection structure that is nested too deeply may exceed
the character-length limit for a website address.
• How do you plan for governance? Governance is the set of policies, roles, responsibilities, and processes
that control how your organization works together to achieve business goals. As soon as you start
planning your site collection structure, you should also develop a plan to govern it. Examples
include:
• How do you plan for the SharePoint Online site collection life cycle? The site collection life cycle defines
how provisioning and deprovisioning of a site collection works. SharePoint Online is software as a
service (SaaS), and proper planning of provisioning and deprovisioning can influence the costs of
your Office 365 environment. Proper planning includes deciding how long a site collection
should be archived before it can be deleted.
Best Practice: A recommended best practice is to define more than one site collection
administrator, where the additional administrators act as backups to the primary site collection
administrator.
4. On the ribbon, click New, and then click Private Site Collection.
o A website address and URL path for the site collection. You can choose either /sites or /teams as
part of the path, and then type the remainder of the path to the site in the empty text box.
Note: You must ensure you select the correct language for your site collection here,
because it cannot be changed afterwards.
o A template that matches the purpose of the site collection. For example, if your site collection is
used for a specific project, you choose the project site from the list, and for a team site, you
choose the team site template.
o A site collection administrator. You can use either the Check Names or Browse buttons to help
find a user’s name.
o Optionally, a storage quota. You need to set a storage quota for this site collection only if you
chose to allocate storage yourself. The quota must not exceed the total available storage
that is displayed next to the box.
6. Click OK.
The site collection is then created and eventually appears in the URL list. You will know the site is created
when the URL for the site collection is highlighted in blue as a hyperlink. At this point, the assigned site
collection administrator can begin creating and managing sites in the site collection.
• You have a team site collection and that team has been disbanded.
When you delete a site collection, it stays in the Recycle Bin for 30 days before it is permanently deleted;
this gives you a 30-day window of opportunity to restore the entire site collection if it was deleted in error
or your situation has changed and you want to retain it.
Note: When you delete a site collection, you also delete all the sites, site components, and
content in the site hierarchy, including documents and document libraries, lists and list items,
events, site configuration settings, and security information for all sites and their subsites.
As other people will likely be affected by the removal of the site collection, ensure that all interested
parties—such as site owners and site contributors—are aware of the impending deletion and are given
time to move their content or data to another place if necessary.
2. In the Office 365 admin center, click Admin centers, and then click SharePoint.
4. Select the check box for the site collection(s) you want to delete.
6. On the delete site collections page, read the warning, and then click Delete.
2. In the Office 365 admin center, click Admin centers, and then click SharePoint.
3. In the left pane, click Site collections.
5. Select the check box for the site collection(s) you want to restore.
6. On the ribbon, click Restore Deleted Items.
The site collection will take some time to restore, and after restoration is complete, the site collection is
listed under Site Collections again.
• Title
• Website address
• Number of subsites
1. In the Office 365 admin center, click Admin centers, and then click SharePoint.
4. On the ribbon, in the Manage section, click Owners, and then click Manage Administrators.
5. In the manage administrators dialog box, under Primary Site Collection Administrator, change
the user name for the primary site collection administrator.
6. Click the Check Names button to verify that the user name is valid.
7. Click OK.
1. In the Office 365 admin center, click Admin centers, and then click SharePoint.
2. In the left pane, click Site collections.
4. On the ribbon, in the Manage section, click Owners, and then click Manage Administrators.
5. In the manage administrators dialog box, under Site Collection Administrators, add people to, or
remove them from, the list.
6. Click the Check Names button to verify that the user names are valid.
7. Click OK.
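The two procedures above (changing the primary site collection administrator and maintaining the list of additional administrators) can also be done from the SharePoint Online Management Shell. The following is an added example and not part of the course text; the tenant name, site URL, and account names are placeholders, and the script assumes you have installed the module described later in this lesson.

```powershell
# Added example (not course text): designate the primary and backup site collection
# administrators with the SharePoint Online Management Shell.
# Tenant name, site URL and account names below are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com' -Credential (Get-Credential)

$siteUrl      = 'https://contoso.sharepoint.com/sites/project-x'                         # placeholder
$backupAdmins = @('alice@contoso.onmicrosoft.com', 'bob@contoso.onmicrosoft.com')        # placeholders

# Change the primary site collection administrator (the Primary Site Collection Administrator box in the UI).
Set-SPOSite -Identity $siteUrl -Owner 'carol@contoso.onmicrosoft.com'

# Add each backup administrator to the Site Collection Administrators list, so the primary
# administrator is not a single point of failure (the best practice stated above).
foreach ($admin in $backupAdmins) {
    Set-SPOUser -Site $siteUrl -LoginName $admin -IsSiteCollectionAdmin $true
}

# Verify: list everyone who currently holds site collection administrator rights on this site.
Get-SPOUser -Site $siteUrl -Limit All |
    Where-Object { $_.IsSiteAdmin } |
    Select-Object DisplayName, LoginName

# Remove an administrator who no longer needs the role.
Set-SPOUser -Site $siteUrl -LoginName 'bob@contoso.onmicrosoft.com' -IsSiteCollectionAdmin $false
```

Running the verification query after every change is the point of the script: it shows the actual administrator list rather than the intended one, which is what an auditor will ask for.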
2. In the Office 365 admin center, click Admin centers, and then click SharePoint.
4. Select the check box for the site collection for which you want to specify a storage quota.
6. In the set server resource quota dialog box, enter a maximum number of resources to allocate to
the selected site collection out of the available displayed total. The default number of resources is
300.
7. Ensure the Send e-mail when each selected site collection resource usage reaches warning level
at check box is selected. This will send an email alert notification when you are getting close to the
server resource quota limit.
8. Enter a percentage value to set the warning level for the alert email to be triggered. The default is 85
percent.
• Send an email notification about site collection upgrades to the site collection administrator.
Additional Reading: For more information, refer to Introduction to the SharePoint Online
Management Shell: http://aka.ms/Yj9ioq.
As with other Microsoft services, you run Windows PowerShell command-line operations by using
cmdlets. You can view a full list of all the available cmdlets by running the Get-Command cmdlet and
access help on how to use each cmdlet by using the Get-Help cmdlet.
Before you can run cmdlets, you have to set up the SharePoint Online Management Shell environment
and connect to the service.
1. Ensure that you have installed Windows PowerShell 3.0 from Windows Management Framework 3.0.
2. Install the SharePoint Online Management Shell from the Microsoft Download Center at:
http://aka.ms/f04q5o.
1. Open Windows PowerShell and load the SharePoint Online module by typing the following
command, and then pressing Enter:
Import-Module Microsoft.Online.SharePoint.PowerShell
2. At the prompt, type the following command, and then press Enter:
You can use the Get-SPOSite cmdlet to view all site collections or view specific properties of site
collections.
To view a list of all your current site collections, at the prompt, type the following command, and then
press Enter:
Get-SPOSite
To view the details of a specific site collection, at the prompt, type the following command, and then
press Enter:
When you create a site collection, you can specify a site collection template to use. You can use the
Get-SPOWebTemplate cmdlet to view all the available site collection templates or all those that match the
given identity.
Get-SPOWebTemplate
You can use the New-SPOSite cmdlet to create new site collections in SharePoint Online. This cmdlet has
several parameters that you can use with it to specify configuration settings such as site collection owner,
storage and resource quota, name, and template.
To create a new site collection, at the prompt, type the following command, and then press Enter:
Example:
You can use the Set-SPOSite cmdlet to configure or update settings on existing site collections in
SharePoint Online. As with the New-SPOSite cmdlet, this cmdlet has several parameters that you can use
with it to specify configuration settings such as site collection owner, storage and resource quota, and
name.
To delete a site
To set the storage quota and quota warning level for an existing site collection, at the prompt, type the
following command, and then press Enter:
To restore a deleted site collection, at the prompt, type the following command, and then press Enter:
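The following script ties together the cmdlets introduced in this topic (Get-SPOSite, Get-SPOWebTemplate, New-SPOSite, Set-SPOSite, Remove-SPOSite, Restore-SPODeletedSite) in one end-to-end run, and also performs the storage and resource quota settings that the earlier UI procedure set through the ribbon. It is an added example, not course text; the tenant name, site URL, owner account, and quota values are placeholders.

```powershell
# Added example (not course text): manage a SharePoint Online site collection end to end
# with the SharePoint Online Management Shell. Tenant name, URLs, accounts and quota
# values are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell

$tenant   = 'contoso'                                          # placeholder tenant name
$adminUrl = "https://$tenant-admin.sharepoint.com"
$siteUrl  = "https://$tenant.sharepoint.com/sites/project-x"   # placeholder site collection URL

# Connect to the tenant admin site; you are prompted for SharePoint Online administrator credentials.
Connect-SPOService -Url $adminUrl -Credential (Get-Credential)

# List all site collections with their storage settings (-Detailed returns the full property set).
Get-SPOSite -Limit All -Detailed |
    Select-Object Url, Owner, Template, StorageQuota, StorageQuotaWarningLevel, StorageUsageCurrent |
    Format-Table -AutoSize

# Look up the template name that New-SPOSite expects (for example STS#0 is the team site,
# PROJECTSITE#0 the project site).
Get-SPOWebTemplate | Where-Object { $_.Title -like '*Team*' -or $_.Title -like '*Project*' } |
    Select-Object Name, Title

# Create a project site collection with an explicit storage quota (MB) and resource quota.
# The locale cannot be changed after creation, so it is set explicitly here (1033 = English, US).
New-SPOSite -Url $siteUrl `
            -Owner 'admin@contoso.onmicrosoft.com' `
            -Title 'Project X' `
            -Template 'PROJECTSITE#0' `
            -LocaleId 1033 `
            -StorageQuota 1024 `
            -ResourceQuota 300

# Raise the storage quota later and trigger the warning e-mail at 85 percent of it,
# and set the server resource quota warning level the same way.
$quotaMb = 2048
Set-SPOSite -Identity $siteUrl `
            -StorageQuota $quotaMb `
            -StorageQuotaWarningLevel ([int]($quotaMb * 0.85)) `
            -ResourceQuota 300 `
            -ResourceQuotaWarningLevel 255

# Delete the site collection (it moves to the Recycle Bin; without -NoWait the cmdlet waits
# until the deletion has completed) and then restore it within the 30-day window.
Remove-SPOSite -Identity $siteUrl -Confirm:$false
Get-SPODeletedSite | Select-Object Url, DeletionTime, DaysRemaining
Restore-SPODeletedSite -Identity $siteUrl
```

Get-SPODeletedSite is the command-line equivalent of the Recycle Bin page: the DaysRemaining column tells you how much of the 30-day restore window is left for each deleted site collection.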
Additional Reading: For more information, refer to Use Windows PowerShell cmdlets to
administer site collections in SharePoint Online: http://aka.ms/rbb2c1.
To ensure that you manage SharePoint Online site collections correctly, we recommend the following best
practices:
• Consistently retain the look and feel of the SharePoint Online interface.
Which of the following sites do you find in the Enterprise section of the site
collection templates in the SharePoint admin center? (Select all that apply).
Community site
Enterprise Wiki
Verify the correctness of the statement by placing a mark in the column to the right.
Statement: If you delete a site collection, you can restore it from the Recycle Bin for 30 days.
Answer: T
x Define an administrator
Lesson 3
Planning and configuring external user sharing
External user sharing in SharePoint Online is an Office 365 feature for administrators, power users, and
even end users. External user sharing allows users to work together across organizational boundaries
by providing a simple way to give external users secure access to your site collections. This lesson
describes the concept of external user sharing and how to plan for it.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the methods for sharing site content with external users.
• Describe the options for sharing documents and auditing shared access.
• Remove external user sharing.
• Describe the common errors and best practices when configuring external user sharing.
Planning for sharing content with these external users is an important part of your overall permission
strategy for SharePoint Online in Office 365. There are three methods for sharing site content with
external users:
• You can share your entire site with external users by inviting them to sign in with either a Microsoft
account or an Office 365 user ID.
• You can share individual documents with external users by inviting them to sign in to your site with
either a Microsoft account or an Office 365 user ID.
• You can share individual documents with external users by sending them an anonymous guest link to
view or edit the document.
Note: External users who access a shared site or document can be granted more permissions
than an anonymous guest who gets access to one specific document through a hyperlink sent by
email. This is because Microsoft can authenticate external users with either a Microsoft account or
an Office 365 user ID, and can therefore enforce the permission level for these users. This is not the
case when a link is sent to an unknown email address; in that case, every person who obtains the
link can access the shared document.
• Do they only need to view the shared content, or do they also need to make changes to it?
• Which users in your organization need to be able to share content with external users?
• Which content on your site should never be shared with users external to your organization?
You can organize a SharePoint Online site so that content shared with external users is clearly
differentiated from content intended to stay within the organization. This can be as easy as creating a
document library or a subsite named internal and another subsite named external, or it can be much
more complex. It is important that you plan for the site structure before using external user sharing.
• Perform tasks on a site consistent with the permission level assigned. For example, if you add an
external user to the Members group, they will have Edit permissions and they will be able to add, edit,
and delete lists; they will also be able to view, add, update, and delete list items and documents.
• See other types of content on sites. For example, they can navigate to different subsites within the site
collection to which they were invited. They will also be able to perform other actions such as viewing
site feeds.
• Create their own personal sites, edit their profile, change their photo, or see aggregated tasks.
External users do not get their own OneDrive for Business document library.
• Be an administrator for a site collection (except in scenarios where you have hired a partner to help
manage Office 365). You can designate an external user as a designer for your public website.
• Access the Search Center or execute searches. Other search features that may not be available include
advanced content processing, continuous crawls, and refiners.
• Access Microsoft Power BI app for Windows features such as Power View, Power Pivot, Quick Explore,
or Timeline Slicer. These features require an additional license, which is not inherited by external
users.
Additional Reading: For more information, refer to Manage external sharing for your
SharePoint Online environment: http://aka.ms/adaoao.
Note: By default, external user sharing is enabled for the entire tenant and all the site
collections it already contains. It is common practice to disable it globally first and then start
planning how and where to use it.
Note: When you create a new private site collection, the default sharing setting for this site is
Don't allow sharing outside your organization. You must explicitly turn it on if you want to use
external user sharing in the new site.
The SharePoint Online administrator must enable sharing with external users. To configure external
sharing for a site collection:
1. In the Office 365 admin center click Admin centers, and then click SharePoint.
3. Select the check box for the site collection for which you want to configure external sharing.
4. In the Manage section of the ribbon, click Sharing. (Alternatively, you can open the URL for your
tenant at https://tenantname-admin.sharepoint.com/_layouts/15/online/TenantSettings.aspx)
o Don’t allow sharing outside your organization. This will prevent users from sharing sites or
content with any external users.
o Allow external users who accept sharing invitations and sign in as authenticated users. This
requires that any external user who has received an invitation to access shared content must
sign in with a Microsoft account (MSA) or with an organizational account (Org Account) before
they are allowed to access the content.
o Allow both external users who accept sharing invitations and anonymous guest links. This
allows external users who have received an invitation and signed in with a Microsoft account
(MSA) or with an organizational account (Org Account) to access shared content, but it also
allows users to share documents directly with external users through anonymous guest links.
6. Click Save.
Note: Be aware that anonymous guest links could potentially be shared with, or forwarded
to, other people; this means that content could be viewed by people other than your intended
target.
Additional Reading: For more information on configuring external user sharing for a
tenant or site collection, refer to Manage external sharing for your SharePoint Online
environment: http://aka.ms/adaoao.
• Not allowed
• Share invitations
To share an entire site with an external user, you need to send them an invitation to the site, which they
will use to sign in to your site and access the content. The invitation is sent to external users through an
email message with a link to the site and an optional message you may have provided in the invitation.
When the external user receives the email invitation, they click the link and sign in with either a Microsoft
account or an Office 365 ID to access the site and its content.
Note: You can redeem invitations to view content only once. After an external user accepts
an invitation, the invitation cannot be shared or used by others to gain access.
When you send the invitation, you have the option of deciding what kind of permission that external user
will receive when they access your site. The available permission options are:
• Full Control. To provide full control of the site, select the Sitename Owners [Full Control] option.
• Edit. To allow external users to edit the site’s contents, select the Sitename Members [Edit] option.
• Read. To allow only read-only access, select the Sitename Visitors [Read] option.
It is a best practice to create a site dedicated to sharing nonsensitive content with external users and
setting specific unique access permissions for that site only.
Note: When granting external users access to your site content, you should always apply
the principle of least privilege, so that those external users only receive the minimum permission
required to perform their tasks, and not more permissions. You should only grant Full Control in
extremely rare cases.
2. Click SHARE.
3. In the Share sitename dialog box, enter the email address of the external user you want to invite to
share your document. (If you want to share with an internal user, enter their name instead).
6. Under Select a group or permission level, in the drop-down list, click Sitename Visitors [Read].
7. Click Share.
8. When the external user receives the emailed invitation, they will see your message, click the Go To
sitename link, and then sign in with either a Microsoft account or an Office 365 ID.
Note: By default, invitations expire after 7 days, so if the external user has not accepted the
invitation within that time, you need to send a new invitation.
Anonymous guest links only enable external users to open the document in the relevant Office Web Apps,
such as Word Online, Excel Online, PowerPoint Online, or OneNote Online, and they cannot open it in the
full desktop version of the application.
1. Navigate to the site containing the document you want to share with an external user.
2. Click the ellipsis (...) next to the document to open its callout window and click SHARE.
8. Click Share.
1. Navigate to the site that contains the document you want to share with an external user.
2. Click the ellipsis (...) next to the document to open its callout window and then click SHARE.
o Under Edit, click CREATE LINK to grant edit permission to the document.
5. After the anonymous guest link URL is created, copy it to a location where it can be easily retrieved,
such as Notepad.
7. You can then copy the anonymous guest link URL and paste into a location of your choice, such as an
email message, a chat window, or a social media page.
Note: If you later disable external user sharing at the tenant level, any anonymous guest
links will stop working; when you enable it again, those anonymous guest links will start working
again.
Note: You cannot share files in a library that has been IRM-protected with external users.
1. On the site home page, in the upper right side of the page, click SHARE.
To see a list of users with whom a specific document has been shared:
1. Select the document in the library.
2. On the Files tab, in the Manage section of the ribbon, click Shared With. The Shared With dialog
box lists all the users with whom this document has been shared.
3. Click Close.
1. On the site’s home page, click the Settings icon (the wheel icon).
2. Click Site settings.
4. In the left pane, under Groups, select the group from which you want to remove the users, for
example, Sitename Members.
5. Select the user or users you want to remove, click Actions, and then click Remove Users from
Group.
6. Click OK.
Revoking invitations
You can withdraw invitations you have sent to external users if you need to, but only if the external users
have not yet accepted the invitations. To revoke an invitation:
1. On the site’s home page, click the Settings icon (the wheel icon).
4. Under EXTERNAL USER INVITATIONS, click the ellipsis button (…) for the person or persons whose
invitation you want to revoke.
5. Click WITHDRAW.
1. Navigate to the library that contains the document for which you want to disable the anonymous
guest link.
2. Click the ellipsis button (…) for the document, and click a guest link.
1. In the Office 365 admin center, click Admin centers, and then click SharePoint.
3. Under External sharing, click Don’t allow sharing outside your organization.
4. Click OK.
3. Select the check box for the site collection for which you want to disable external user sharing.
4. In the Site Collections section of the ribbon, click Sharing.
6. Click Save.
After about a minute, sharing is turned off for the selected site.
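The sharing settings configured through the ribbon in the earlier procedure (the three options Don't allow sharing outside your organization, Allow external users who accept sharing invitations and sign in as authenticated users, and Allow both external users who accept sharing invitations and anonymous guest links) and the tenant-level and site-level disabling steps just described correspond to the SharingCapability setting in the SharePoint Online Management Shell. The following added example (not course text) first audits which site collections allow anonymous guest links, then applies the "disable globally first, enable where planned" practice from the note above. The tenant name and site URLs are placeholders.

```powershell
# Added example (not course text): audit and configure external sharing with the
# SharePoint Online Management Shell. Tenant name and site URLs are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com' -Credential (Get-Credential)

# The three UI options map to these SharingCapability values:
#   Don't allow sharing outside your organization                          -> Disabled
#   Allow external users who accept sharing invitations and sign in ...    -> ExternalUserSharingOnly
#   Allow both external users who accept invitations and anonymous links  -> ExternalUserAndGuestSharing

# 1. Audit: which site collections currently permit anonymous guest links?
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Owner, SharingCapability |
    Format-Table -AutoSize

# 2. Tenant level. A site collection can never be more permissive than the tenant, so the tenant
#    is set to the most permissive level any site will be allowed to use: invitations with sign-in,
#    no anonymous guest links. Setting the tenant to Disabled would block every site collection.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# 3. Turn sharing off on every site collection, then enable it only on the site planned for it
#    (the course recommends a dedicated site collection for external sharing).
Get-SPOSite -Limit All | ForEach-Object {
    Set-SPOSite -Identity $_.Url -SharingCapability Disabled
}
$partnerSite = 'https://contoso.sharepoint.com/sites/partner-share'   # placeholder
Set-SPOSite -Identity $partnerSite -SharingCapability ExternalUserSharingOnly

# 4. Re-check the effective settings at both levels.
Get-SPOTenant | Select-Object SharingCapability
Get-SPOSite -Identity $partnerSite | Select-Object Url, SharingCapability
```

Re-run step 1 on a schedule: because the tenant setting still allows invitation-based sharing, a site collection administrator could later switch a site back on through the UI, and the audit query is how you notice that.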
• Lack of awareness of what external users can and cannot do in SharePoint Online.
• Lack of documentation of SharePoint Online configuration in relation to external user sharing.
• Invitation hijacking can happen. An external user can forward the generated invitation email to another
person, and whoever opens the invitation link gets access to the shared content.
To ensure that you configure external user sharing successfully in SharePoint Online, we recommend you
follow these best practices:
• Plan what external users can see and access by segmenting your content by its data sensitivity.
• Consider creating a site purely for the purposes of sharing content with external users.
• Set appropriate permissions on the site collection so users cannot share info they should not be
sharing.
• External users can forward anonymous guest links to other people, who might also be able to view
or edit the content without signing in. Avoid using anonymous guest links for sensitive content;
instead, share a document by using an invitation that requires sign-in.
• Ensure you know the identity of any external users before you start sharing content with them.
Remember that these users can sign in to your site and start browsing and accessing content just like
other site members. Depending on the access permission you give them, this may mean that they can
share content with other external users.
• If you share team site content, consider creating a subsite for the shared content, and then share that
subsite with external users so that you can assign unique permissions only to that subsite.
• External users may not receive the invitation email because of mail delivery errors or spam filters. In such
cases, send a new invitation and ask the user to check their mailbox for the invitation email.
• Every invitation is valid only for a specific time frame, which is usually 7 days. After that time, you must
send a new invitation.
• Split your site collections for internal and external users to ease the management.
Note: Try external sharing with a demo user and check the result. Review your external user
sharing regularly to avoid unwanted permissions for external users. Unfortunately, it is not
possible to share documents programmatically through a SharePoint API or through Windows
PowerShell.
Best practices
To decide which method is appropriate, the following list provides some key facts to consider when
using external sharing.
• Share a site and require sign-in when you need to provide someone outside your organization with ongoing
access to information and content on a site. These people need to act just like a full user of your site
and create, edit, and view content.
• Share a document and require sign-in when you need to provide one or several people outside your
organization with secure access to a specific document for review or collaboration. These people do not
require ongoing access to other content on your internal site.
• Share a document without requiring sign-in when you need to share a link to a nonsensitive or
nonconfidential document with people outside your organization so that they can either view it or update it
with feedback. These people do not require ongoing access to content on your internal site.
Additional Reading: For more information, refer to Windows PowerShell for SharePoint
Command Builder: http://aka.ms/n3apxc.
For more information, refer to Index of Windows PowerShell for SharePoint Online cmdlets:
http://aka.ms/bccasb.
After you install the SharePoint Online Management Shell environment, the cmdlets are ready for
you to use.
To get a list of all external users in SharePoint Online for an Office 365 tenant:
1. Open Windows PowerShell and connect to SharePoint Online. You are now connected to the
SharePoint Online tenant.
2. To get a list of all external users, run the following command, and then press Enter:
The cmdlet returns a list of users with their sign-in names and shows the result in the
Windows PowerShell output.
Note: Save this command in a showexternalusers.ps1 file for later use. This script
allows you to get all the external users in a SharePoint Online tenant by using the standard
Get-SPOExternalUser SharePoint Online cmdlet, and returns each user's DisplayName and email
in the Windows PowerShell output window.
Note: To download an improved version of this script from the TechNet gallery, refer to
How to get all the external users in a SharePoint Online Tenant!: http://aka.ms/ajxjrb.
1. Open Windows PowerShell and connect to SharePoint Online. You are now connected to the
SharePoint Online tenant.
2. Retrieve the user by running the following command, and then press Enter:
Get-SPOExternalUser
3. In the following command, replace the email address with the email address of the external user you
want to remove, and then run it and press Enter:
4. Remove this user by running the following command, and then pressing Enter:
6. This command removes the user from the list of external users in SharePoint Online and displays a
message in the Windows PowerShell output that reads “Successfully removed the following
external users. 10038FFD909DBCA2” where 10038FFD909DBCA2 is the UniqueID of the removed
user object.
Note: You can filter for more than one specific user with the -Filter string. For example, to
remove all users from the outlook.com domain, use that domain as the filter criterion.
Note: Anonymous users are invited with a guest link, and so they are not external users.
These shared links do not show with the Get-SPOExternalUser Windows PowerShell cmdlet.
Note: Currently there are no Windows PowerShell cmdlets for creating an external share.
You must do this directly in SharePoint Online. In addition, there is no SharePoint Online API
for programmatically accessing the external sharing features.
The SharePoint Online Management Shell environment provides access to the Office 365 tenant and the
SharePoint Online REST services. Besides the cmdlets for managing SharePoint Online sites, there
are some cmdlets for working with external sharing.
1. Open Windows PowerShell and connect to SharePoint Online. You are now connected to the
SharePoint Online tenant.
2. To get a list of all external SharePoint Online users, run the following command, and then press Enter:
3. The SharePoint Online API returns a list of users with their sign-in names and shows it in the
Windows PowerShell window.
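As an added example (not the course's showexternalusers.ps1 and not Microsoft's code), the following script covers both procedures above: it pages through every external user in the tenant, then lists, and only with -Remove removes, those whose sign-in address belongs to one domain, as the -Filter note describes. The admin URL placeholder, the outlook.com sample filter and the function name are assumptions; the SharePoint Online Management Shell must be installed.

```powershell
<#
Added example, not the course's showexternalusers.ps1 and not Microsoft's code.
Lists all external users in a SharePoint Online tenant, then reviews (and, with
-Remove, removes) those whose sign-in address belongs to one domain.
Assumptions: the SharePoint Online Management Shell is installed;
<tenant> is a placeholder for your tenant name; outlook.com is a sample filter.
#>
param(
    [string]$AdminUrl = 'https://<tenant>-admin.sharepoint.com',   # placeholder tenant
    [string]$Domain   = 'outlook.com',                             # constructed sample filter
    [switch]$Remove                                                # report only unless given
)

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url $AdminUrl   # prompts for SharePoint or global admin credentials

function Get-AllSPOExternalUsers {
    # Get-SPOExternalUser returns at most 50 users per call (-PageSize), so
    # advance -Position until a page comes back short of a full page.
    param([string]$Filter = '')
    $pageSize = 50
    $position = 0
    do {
        $params = @{ Position = $position; PageSize = $pageSize }
        if ($Filter) { $params['Filter'] = $Filter }
        $page = @(Get-SPOExternalUser @params)
        $page                              # emit this page's users to the pipeline
        $position += $pageSize
    } while ($page.Count -eq $pageSize)
}

# Full inventory: DisplayName and Email as in the course script, plus the
# UniqueId that Remove-SPOExternalUser needs and who invited each guest.
$all = @(Get-AllSPOExternalUsers)
$all | Select-Object DisplayName, Email, UniqueId, InvitedBy, WhenCreated |
    Format-Table -AutoSize
"Total external users: $($all.Count)"

# Domain-scoped review. The server-side -Filter matches on name or email text,
# so confirm the email domain exactly before acting on the result.
$candidates = @(Get-AllSPOExternalUsers -Filter $Domain |
    Where-Object { $_.Email -match ('@' + [regex]::Escape($Domain) + '$') })
"External users from ${Domain}: $($candidates.Count)"
$candidates | Select-Object DisplayName, Email, UniqueId | Format-Table -AutoSize

if ($Remove -and $candidates.Count -gt 0) {
    # Removal revokes the guests' access; -Confirm keeps the interactive prompt.
    Remove-SPOExternalUser -UniqueIDs ($candidates | ForEach-Object { $_.UniqueId }) -Confirm
}
```

Run it without -Remove first and review the listed UniqueId values; the removal message the course quotes ("Successfully removed the following external users. <UniqueId>") is what the cmdlet prints for each removed object.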
Verify the correctness of the statement by placing a mark in the column to the right.
Statement: From a user perspective, you can share content in SharePoint Online for internal users in the
same way as for external users.
Answer: T
Where can administrators enable external sharing for the Office 365 tenant? (Select all that apply.)
x In the Office 365 admin center, use the external sharing menu
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, and 20347A-LON-CL1
User names: Adatum\Administrator for LON-DC1 and LON-DS1 and Adatum\Holly for LON-CL1
Password: Pa$$w0rd
In all of the tasks where you see references to Adatumyyxxxxx.onmicrosoft.com, replace yyxxxxx with
your unique Office 365 name that displays on the online lab portal.
Where you see references to Adatumyyxxxxx.hostdomain.com, replace the Adatumyyxxxxx with your
unique hostdomain.com name that displays on the online lab portal.
This lab requires the following virtual machines (use only the virtual machines required for your lab):
• LON-DC1
o Sign in as Adatum\Administrator
• LON-DS1
o Sign in as Adatum\Administrator
• LON-CL1
1. Configure settings.
3. Configure apps.
o Enable external sharing for authenticated users and users gaining access through anonymous
guest links.
Results: After completing this exercise, you should have configured SharePoint Online service settings.
3. In the leftmost side, click Site collections, and create a new site named marketing. Use the
https://adatumyyxxxxx.sharepoint.com/sites/marketing URL, and add Holly as the site
administrator.
Note: It can take a few minutes before the Sharing menu on the ribbon becomes active. You can
speed this up by refreshing the page with the F5 key.
5. Change the Sharing settings to Allow sharing with all external users, and by using anonymous
access links.
2. Edit the properties of the site, and add Brad Sutton as an additional site collection administrator.
3. Verify that you cannot access the site, and then request access.
4. Connect to https://Adatumyyxxxxx.sharepoint.com/sites/marketing.
6. On the Site Permissions page, approve Maira Wenzel’s access request, and then add Perry Brill to
the site members group.
7. Access the site again as Maira and verify that she has access.
Results: After completing this exercise, you should have created and configured SharePoint Online site
collections.
2. In settings, enable external sharing for authenticated users and users gaining access through
anonymous guest links.
2. Share the AcctProj site with the Microsoft account you used for setting up your Office 365 trial. Grant
the user member permissions.
3. On the Marketing site, create a new document in the Documents folder. Enter some text in the
document.
4. Share the document with the Microsoft account you used for setting up your Office 365 trial. Grant
the user edit permissions.
2. Verify that the user can also access and edit the document in the Marketing document library.
Results: After completing this exercise, you should have configured a new site collection for external user
sharing, and you should have shared a site and a document with external users.
Best Practices
SharePoint Online offers several configuration options. Planning a collaboration solution and configuring
SharePoint Online are tasks that you must do up front to have a good SharePoint Online environment in
which your users can start working.
Module 10
Planning and configuring an Office 365 collaboration
solution
Contents:
Module Overview 10-1
Module Overview
SharePoint Online Services is a major part of Office 365 services. With Yammer Enterprise, Office 365
offers an enterprise social solution that helps you to build a collaborative environment within your
organization. You can use Yammer Enterprise as a stand-alone solution, or you can integrate it within
Office 365 and SharePoint Online.
OneDrive for Business is the personal space where users can store their documents, and share files and
folders to work together. Office 365 groups are relatively new in Office 365. They combine Microsoft
Exchange Online and SharePoint Online, and from a user experience perspective, they are present
everywhere throughout the Office 365 services.
This module describes how to plan and implement a SharePoint collaboration solution, and how to enable
Yammer Enterprise services within Office 365 and OneDrive for Business, and Office 365 groups.
Objectives
After completing this module, you will be able to:
Lesson 1
Planning and managing Yammer Enterprise
Yammer is an organization’s private social network, and it provides collaboration options and teamwork
capabilities. It is part of the Microsoft enterprise social strategy. Yammer is available as a stand-alone
product or as part of Office 365 Enterprise. Yammer helps organizations connect employees, and lets
them share the information they need. It helps users find answers, experts, and information in an easy
way. Yammer helps you to improve project collaboration within your organization. Yammer can help your
organization reduce internal email and email trees. Yammer is useful for collaboration with external
business partners because it provides the ability to create external networks.
Lesson Objectives
After completing this lesson, you will be able to:
Yammer Basic is available for free. Yammer Enterprise can be bought separately or is included in an
Office 365 subscription; you can buy it either as a stand-alone product or as part of Office 365
Enterprise. A mobile app experience is also available if your users are connected through their mobile
devices.
• Yammer Basic. This is the free version that is available to all users, and offers fundamental features for
co-workers to collaborate within an organization.
• Yammer Enterprise. This is the premium version, which is provided either as a stand-alone upgrade
from the basic version or as part of some SharePoint Online and Office 365 plans. This enterprise
version of Yammer provides several additional features and resources to enable an organization to
implement a professional enterprise social network.
You can upgrade from a Yammer Basic network to the Yammer Enterprise network anytime during your
subscription period.
Note: The enterprise version of Yammer is available with some SharePoint Online and
Office 365 plans. However, it is a completely separate service, and therefore has different user
rights, and privacy and security policies than Office 365. Yammer is included in the following
Office 365 subscriptions: E1, E3, E5, K1, K2, Midsize, and Education.
• Basic social networking features. Users can create groups, polls, and use the chat feature to
collaborate within the organization.
• Collaboration features. Users can work together in groups, and share information, documents, videos
and notes.
• Yammer Mobile. The Yammer mobile app is available for Basic and for Enterprise networks.
• Administration tools. Only the Yammer Enterprise version enables you to configure Yammer, manage
users, and perform data analytics.
• Network-level apps and integrations. You can activate Office 365, manage apps for your network, and
secure your network.
• Integrated Office 365 experience. You can integrate Yammer with the overall Office 365 experience.
• Services and support. You can get technical support through Office 365 Enterprise support all day,
every day.
You can integrate your business applications via Open Graph with your Yammer network. By using
Yammer Embed, you can bring Yammer conversations into your business applications. For example, you
can extend your apps with Like and Follow buttons, and share updates within your Yammer network.
Yammer also provides a dedicated app directory.
Administering Yammer
After you enable Yammer Enterprise within Office 365, you will see the Yammer icon in the Office 365 app
launcher. You also can access Yammer as an Administrator in the Office 365 admin center.
The primary location for administering Yammer is within the Yammer admin center. A global Office 365
administrator is automatically a verified network administrator in Yammer. It is also possible to configure a
customized administrator for Yammer alone. Admin and User roles are described in more detail later in
this lesson. Single sign-on (SSO) is available through Office 365 sign-in. This means that all users who have
an Office 365 account can sign in to Yammer with the same credentials.
Network access
Only coworkers can join a Yammer network, which means that only users who are members of the same
domain can join the Yammer Enterprise network. A Yammer network is the place where users meet to
collaborate, conduct conversations, and interact. Within Office 365, you can merge more than one
domain into a single Yammer network. Yammer communications are secure and visible only to people
within your organization and those people who are members of your Yammer network or part of a
selected conversation.
• Discovery. Contains all conversations that are most relevant to you. The feed contains information
based on your subscriptions and your interactions within your Yammer network.
• All. Shows the conversations to which you have access within your network.
• Following. Shows conversations that you actively subscribe to, and all conversations your followers
have participated in or liked. You see conversations about topics that you follow, and conversations
from groups that you have joined.
On the left of the Yammer portal page, you find navigation options for all the groups to which you
subscribe. The groups are sorted by relevance, with the group in which you participate the most
appearing at the top. If you need to search within Yammer, you have a search box on the left side of the
Yammer navigation pane.
• Inbox. Takes you to the inbox, where you find information about conversations in which you are
tagged, or announcements in a group or network to which you belong.
• Notifications. Shows all the likes for posts that you publish, or comments that you make.
On the right side of your Yammer portal, you see the recent activities of your coworkers. From here you
can view group descriptions, subscribe to groups by email, or move through apps.
Note: A network migration migrates only the users with their user information. If you
merge networks, the content (groups, posts) of the merged network is no longer available. Only
the content of the primary network remains active. Network migrations cannot be reversed.
• You can start multiple network migrations back to back, without waiting for the previous ones to
complete.
• If a user exists in both networks, the user's account from the parent network will remain and be
promoted from a guest account to a regular account.
Note: If you need to preserve any content from the Yammer network that will merge,
export it before the migration takes place. Create a communication plan, and inform your users
about the change.
3. On the left pane, click the Settings icon at the bottom of the page.
6. In the Network Migration Wizard, on the Step 1 of 3 - Check/Add Verified Domains page, note all
the verified domains that are available in your network, and then click next.
7. On the Step 2 of 3 - Choose a Yammer Network to Migrate page, note the first Domain that can
be merged.
8. If you want to add this domain to your Yammer network, select the domain, and then click next.
9. On the Step 3 of 3 - Export Data & Start Migration page, note the information about the network,
and then start the migration.
10. Click Start Migration, and then confirm the migration in the Confirm dialog box.
Best practice
If your organization has more than one Yammer network, activate Yammer with the network that has the
largest number of active users in it.
4. Click Admin, click Content and Security, click Security settings, and then configure the following
security settings:
o IP Range. You can configure or restrict access to the network if you allow only specific IP ranges.
o Password policies. This is only necessary if you do not have any connection to Office 365. With
simplified sign-in for Office 365, you use the credentials from Azure Active Directory. Azure
Active Directory provides the identity management for Office 365 accounts.
o External Messaging. With this setting, you can enforce Exchange Online Transport Rules in
Yammer. Users can add external participants to their Yammer conversations with external
messaging. Exchange Online Transport Rules is a set of proactive controls to prevent organization
information from being shared. These are configured within Exchange Online to protect content
from Yammer networks. So if you apply this setting, and one of your users tries to add an
external participant and this violates your Exchange Online Transport Rule, the user receives an
error message. You should not see this method as an option to opt out of the external messaging
setting.
o Enforce Office 365 identity in Yammer. The best way to manage users in Yammer is through their
Office 365 identities. In that scenario, you are able to maintain a single identity for all Office 365
users. By enforcing Office 365 identity in Yammer and configuring federated identity for Office
365, administrators can achieve SSO capabilities for all services in Office 365, including Yammer.
The default setting is off.
3. On the left pane, click on the Settings icon at the bottom of the page, and then click Network
Admin.
4. Click Admin, click Content and Security, and then click Security settings.
5. Scroll down to the section Enforce Office 365 identity in Yammer, and then select the Enforce
Office 365 identity in Yammer.
User experience for accounts that sign in with or without enforced Office 365
identity
If you enforce Office 365 identity, you can manage all users from Office 365. This makes user activation
and auditing simple. However, if you use Yammer as a stand-alone tool, you might need to have Yammer
identities in place and perform all the user management tasks within Yammer. The scenarios are:
• Office 365 identity enforced. The user is prompted to sign in with his/her Office 365 identity. If the
customer has implemented the federated identity model in Office 365, the user signs in with his/her
SSO credentials.
• Office 365 identity not enforced. If the user has a corresponding Office 365 email account, he signs in
with his Office 365 identity.
• Office 365 identity not enforced. If the user has no corresponding Office 365 email account, he signs
in with his Yammer identity.
Note: Before you start enforcing Office 365 identities in Yammer, make sure that all current
Yammer users have a corresponding Office 365 identity and inform the users about this change.
Role Permissions
Role: Group Admin
Permissions: Has the same rights as User, and the following additional rights:
• Create groups
• Post announcements in own groups
• Configure group settings (name, picture, and description)
• Perform member management within groups
• Moderate content
• Mark notes and files as official within groups
• Control membership within groups
Role: Network Admin
Permissions: Has the same rights as Group Admin, and the following additional rights:
• Configure network settings and applications
• Configure network design
• Configure usage-policy behavior
• Configure user-profile fields
• Invite anyone (also external guests)
• See all groups (also unlisted)
• Delete any message
• Post announcements
• Grant and revoke Network Admin privileges
• Remove or block users
Role: Verified Admin (is an Office 365 Global Admin, provisioned by default)
Permissions: Has the same rights as Network Admin, and the following additional rights:
• Manage user-account activity
• Bulk update users
• Perform integrations
• Monitor keywords
• Set data-retention policy
• Export data
• Configure settings
• Access all groups
• Export content
If you are using Office 365 sign-in credentials, user management uses Azure Active Directory and Office
365 identities. If you use Yammer as a stand-alone solution, you can manage Yammer users through the
Yammer admin portal by using the following procedure:
3. On the left pane, click on the Settings icon at the bottom of the page.
Note: The profile fields are not connected to your internal Active Directory fields or to your
SharePoint user profile fields. Some of this information is also visible in external networks in
which you are a member.
3. In the left panel, click on the Settings icon at the bottom of the page.
4. Click Network Admin.
6. Select the appropriate check boxes if you want to enable a policy reminder in the sidebar, or if you
require your users to accept the policy during sign-up.
8. Type the user policy text in the Enter your policy in the textbox below text box.
9. Click Save.
Note: You can use HTML tags such as <h1>, <b>, and <i> to format your policy, but
JavaScript is not allowed.
• It is important to substantiate ideas, but please keep messages brief and to the point.
• When you first join, select the colleagues you want to follow. Posts from these colleagues will appear
in your Following feed. To see all the posts in your organization, select All.
• Fill out your profile information. Complete the Expertise and Education sections, and be sure to add
a profile picture.
• Browse the Group directory, and join groups that you find important. If a specific group does not
exist, start a new one and invite members of your team to contribute messages. For best results, use
groups as a replacement for existing email listservs.
• Use the Yammer FAQs, and How-to-Guide to help clarify common concerns.
• Take time to explore Yammer. You will get the hang of it!
• Post a question, or send a direct message to Network Admin with any specific questions.
You must invite external parties (with external email addresses), or they must request access to an external
network. On joining, they can only see content that is posted specifically to that external network, which
means that they will not have access to another organization’s home network.
Within the Yammer admin portal, you can decide who is allowed to create an external network, and if
approval is required to create an external network. You also can disable external networks completely.
6. Select the required options, if you want to restrict who is able to create an external network.
• Require admin approval for your organization’s members to join other organizations' external
networks.
• Disable the Our External Networks directory, and remove the External Networks link in the
networks menu.
o Provide a description.
o Set permissions.
o Require admin approval for users to join other organizations' external networks.
5. Click save.
To replace the SharePoint Newsfeed icon on the Office 365 portal with the Yammer icon, perform the
following steps:
1. In the Office 365 admin center, click Admin centers, and then click SharePoint.
2. In the SharePoint admin center, click Settings.
4. Click OK.
After a little while, the Yammer icon will show up instead of the SharePoint Newsfeed Icon in your App
Launcher.
5. In the Categories list, click Media and Content, and then click Script Editor.
6. In Add part to, select where you want to add the Web Part, and then click Add.
7. Locate your new script editor web part, and then click Edit Snippet.
8. Paste the script you copied from Yammer into the script editor Web Part.
9. Click Insert.
10. Save and publish the SharePoint page. You should see the Yammer group conversation on the
SharePoint page.
3. On the left panel, click the Settings icon at the bottom of the page.
4. Click Settings.
5. Type the desired information about yourself, and change your profile picture.
Note: A good user profile helps your coworkers find information about you and your skills.
Note that some of these fields are also visible when you are a member of an external network.
Set up notifications
Yammer offers numerous notifications. Users can receive notifications for likes, mentions, and much
more. This can be somewhat overwhelming at the beginning of any Yammer experience. A good way to
help your users is to advise them to configure their notification settings.
1. Sign in to http://portal.office.com as global administrator.
3. On the left navigation pane, click the Settings icon at the end of the page.
4. Click Settings.
5. Click Notifications.
We recommend that users deselect as many options as possible. You should leave only those notification
settings selected that you actually want in your email inbox. A best practice is to keep the notifications
for when you are tagged in a post and, for security reasons, for sign-ins from somewhere else.
Note: If you are a member of a group, and you do not want to miss any conversation in the
group, subscribe to the group directly through the notification settings.
Configure preferences
In the preferences tab, users can change their time zone and preferred language.
Select the three Office 365 subscriptions with which Yammer Enterprise is available.
x Enterprise Network
x Enterprise Administrator
Group Administrator
x Verified Administrator
x Enterprise Integrations
Which two things must be in place before you enable Yammer Enterprise within Office 365?
Lesson 2
Planning and configuring OneDrive for Business
Microsoft OneDrive for Business is a private library for storing, organizing, and sharing users’ work
documents. It is an integral component of a user’s Office 365 online environment, and it is available when
the organization purchases SharePoint Online licenses.
Lesson Objectives
After completing this lesson, you will be able to:
If your OneDrive for Business library is hosted on a server running SharePoint Server in your organization,
your organization’s administrators determine how much storage space is available. OneDrive for Business
includes libraries, a Recycle Bin, and personal newsfeed information.
All files that you store in OneDrive for Business are private, unless you decide to share them. You can
either share a file with everyone in the organization by simply locating it in the Shared with Everyone
folder, or you can share a file with specific co-workers by using the SHARE option. You can do this by
clicking the ellipsis (…) icon, and then typing the names of the users to send a sharing invitation. You
might even be able to share with partners outside of your organization, depending on what your
organization allows.
Note: Microsoft OneDrive for Business is not the same as OneDrive, which is a cloud-based
service intended for personal storage and is provided with Microsoft Accounts such as
user@outlook.com accounts. This can be confusing because, in the App Launcher and in the
Office 365 portal, the OneDrive for Business feature is actually displayed as “OneDrive” in the
navigation bar.
Note: When you send email from Outlook 2016 or from Outlook Web App, you can attach
a file stored in OneDrive for Business as a link, instead of sending an attachment. When you
attach a file as a link, you automatically give the recipients permission to edit the file. Also, this
practice saves space in everyone's mailbox, and it encourages people to edit the same copy that
is stored in OneDrive for Business.
The OneDrive for Business storage space in the cloud is available automatically for each user who has a
SharePoint Online license and is separate from the tenant allocation. While SharePoint sites usually store
organization- or team-related content, OneDrive for Business is ideal for personal use.
OneDrive for Business enables users to synchronize folders and files between their local computers and
the cloud. Another important benefit is that OneDrive for Business provides sharing functionality to
collaborate with other users, inside and outside of your own organization.
In summary, OneDrive for Business can make sense in many scenarios. For example, it can serve as a
central personal file storage (which was called “Home Directory” in local networks), as a way to use
documents offline and online with automatic synchronization, and to share documents with coworkers or
partners securely.
It is a common practice to store business files in your OneDrive for Business storage that other team
members will not need to collaborate on or access regularly.
• You can share a file with specific co-workers by using the SHARE option. You do this by clicking the
ellipsis (…) icon for a file, and then typing the names of the users to send a sharing invitation.
• In File Explorer, you can right-click a file, and then click More OneDrive sharing options. This
opens Microsoft Edge. In the files list, select the file or folder, and then click Share on the menu bar.
In the sharing dialog box, type the names of the people you want to share your files with, and then
send a sharing invitation.
Note: In older Office 365 tenants, there was a folder named Shared with Everyone. All
files in that folder were visible automatically for all users within the organization. This folder no
longer exists in new Office 365 tenants.
To check if one specific document is shared with other users, select the document or the folder, and then
click Share. In the share dialog box, open Shared with to see a list of all users who have access to that
specific document.
Note: Currently, it is not possible to set a timeframe for sharing files or folders. Objects are
shared until the owner stops the sharing. This must be done manually.
The following versions of Office 2013 include the OneDrive for Business sync client:
Additional Reading: For more information, refer to System requirements for Office:
http://aka.ms/ghq4zw.
The OneDrive for Business sync app is available in different languages for both the x86 and x64 platforms.
Additional Reading: Download OneDrive for Business sync app in different languages and
for the x86 and x64 platforms from: http://aka.ms/we3v3g.
• You can sync up to a total of 20,000 items across all synchronized libraries.
• In SharePoint Server 2013, file names can have up to 128 characters while in SharePoint Online, file
names can have up to 256 characters.
• Folder name and file name combinations can have up to 250 characters.
• Restricted characters in file names in SharePoint Online are: \ / : * ? " < > | # %.
• A file or folder name that begins with a tilde (~) sign is not supported in SharePoint Online.
• The same file name restrictions that apply to SharePoint Online are also valid for SharePoint Server
2013, with some additional characters: \ / : * ? " < > | # { } % ~ &.
• A file name that begins with a period (.) or a tilde (~) sign is not supported in SharePoint Server 2013.
• There are some invalid file types that cannot be uploaded, such as *.tmp, *.ds_store, desktop.ini,
thumbs.db, or ehthumbs.db files. Additionally, in SharePoint Server, the IT administrators can block
individual file types to prevent them from being uploaded.
Note: For more information, refer to Restrictions and limitations that apply when you sync
SharePoint libraries through OneDrive for Business: http://aka.ms/ps7xle.
This URL also provides a download of a tool named MicrosoftEasyFix20150, which helps fix sync
issues with OneDrive for Business automatically.
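As an added example (not Microsoft's code and not part of the course), the following PowerShell functions check a local folder against the sync limits listed above before a user syncs it, so that problem items are found up front rather than failing mid-sync; the SharePoint Server 2013 differences sit behind an -OnPrem switch. The function names and the sample paths are constructed for illustration.

```powershell
# Added example, not Microsoft's code: pre-sync check against the OneDrive for
# Business limits listed in the course. Function names and sample paths are
# constructed for illustration.

function Get-SyncNameProblems {
    # Returns the rule violations for one path relative to the library root
    # (an empty array means the item is fine). -OnPrem applies the SharePoint
    # Server 2013 rules instead of the SharePoint Online rules.
    param(
        [Parameter(Mandatory)][string]$RelativePath,
        [switch]$OnPrem
    )
    $problems = @()
    $segments = @($RelativePath -split '[\\/]' | Where-Object { $_ -ne '' })
    $leaf = $segments[-1]
    # SharePoint Online rejects \ / : * ? " < > | # %; SharePoint Server 2013 adds { } ~ &
    $badChars = if ($OnPrem) { '[\\/:*?"<>|#{}%~&]' } else { '[\\/:*?"<>|#%]' }
    foreach ($s in $segments) {
        if ($s -match $badChars) { $problems += "restricted character in '$s'" }
        if ($s.StartsWith('~')) { $problems += "'$s' begins with ~" }
        if ($OnPrem -and $s.StartsWith('.')) { $problems += "'$s' begins with . (SharePoint Server 2013)" }
    }
    # File name limit: 256 characters online, 128 on SharePoint Server 2013;
    # folder plus file name limit: 250 characters
    $maxLeaf = if ($OnPrem) { 128 } else { 256 }
    if ($leaf.Length -gt $maxLeaf) { $problems += "file name exceeds $maxLeaf characters" }
    if ($RelativePath.Length -gt 250) { $problems += "folder plus file name exceeds 250 characters" }
    # File types the sync client will not upload
    $blockedNames = 'desktop.ini', 'thumbs.db', 'ehthumbs.db'
    if ($blockedNames -contains $leaf.ToLowerInvariant() -or $leaf -match '\.(tmp|ds_store)$') {
        $problems += "blocked file type '$leaf'"
    }
    ,$problems   # leading comma keeps an empty result as an array, not $null
}

function Test-SyncFolder {
    # Walks a local folder the user intends to sync and reports every item that
    # would violate the limits, plus the 20,000-item total across synced libraries.
    param([Parameter(Mandatory)][string]$Root, [switch]$OnPrem)
    $rootPath = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    $files = @(Get-ChildItem -LiteralPath $rootPath -Recurse -File -Force)
    if ($files.Count -gt 20000) {
        Write-Warning "$($files.Count) items exceed the 20,000 item limit across synced libraries"
    }
    foreach ($f in $files) {
        $rel = $f.FullName.Substring($rootPath.Length + 1)
        $issues = Get-SyncNameProblems -RelativePath $rel -OnPrem:$OnPrem
        if ($issues.Count -gt 0) {
            [pscustomobject]@{ Path = $rel; Problems = ($issues -join '; ') }
        }
    }
}

# Constructed sample paths (no files are created); all but the first hit a rule.
'Reports\Q1 budget.xlsx',
'Reports\~$budget.xlsx',      # Office lock file: begins with ~
'Reports\cost#2%.xlsx',       # # and % are restricted characters
'Photos\Thumbs.db',           # blocked file type
'Scratch\build.tmp' |
    ForEach-Object { [pscustomobject]@{ Path = $_; Problems = ((Get-SyncNameProblems $_) -join '; ') } } |
    Format-Table -AutoSize

# For a real folder: Test-SyncFolder -Root 'C:\Users\<user>\Documents'   (placeholder path)
```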
Note: The old sync client is still used for synchronization of SharePoint Document Libraries
because this is not supported currently in the new OneDrive for Business sync client.
• Support for selective sync. The user can control which folders will synchronize.
• IT administrator deployment, with configurable options such as the ability to block sync for the
OneDrive consumer service and setting the default sync folder location.
• Updates to the new sync client independently of Office and Windows updates.
Current restrictions
• Windows 8.1 support will be added at a later stage.
• SharePoint Document Library sync will be added in future releases. As a workaround, OneDrive for
Business next generation sync client works side by side with the existing sync client (groove.exe) for
users who require sync for OneDrive for Business and SharePoint Online document libraries.
• If a user opens a locally synced Office document from File Explorer, the Office integration is limited,
because the Office application is not aware that the file is a document from the cloud. As a result, the
user cannot use document co-authoring, and the most recent document list shows the local path and
not the cloud path. In addition, sharing is not available, and the cloud (modern) attachments are not
available in Outlook 2016.
Additional Reading: For more information, refer to Deploying the OneDrive for Business
Next Generation Sync Client in an enterprise environment: http://aka.ms/Q8m3fx.
Additional Reading: For more information, refer to Deploying the OneDrive Next
Generation Sync Client on OS X and configuring work or school accounts: http://aka.ms/xdv82u.
Additional Reading: For more information, refer to Meet the OneDrive for Business Next
Generation Sync Client: http://aka.ms/tvnzw1.
Finding the OneDrive for Business sync client version installed on your system
If you are using OneDrive for Business sync client, in the taskbar navigation area, locate the white or blue
OneDrive cloud icon, and then note the pop-up text.
• If the cloud icon is gray, you have the new OneDrive for Business Next Generation Sync Client but
have not set it up for your work or school account. Click the gray cloud icon, and sign in by using
your work or school sign-in credentials.
• If the cloud icon is white, and the pop-up text reads OneDrive or OneDrive – Personal, the
OneDrive consumer service sync client is installed, and it uses the same program as the new OneDrive
for Business Next Generation Sync Client.
• If the cloud icon is blue, and the pop-up text reads OneDrive for Business, the old OneDrive for
Business sync client is installed.
• If the cloud icon is blue and the pop-up text reads "OneDrive - your organization's name", the new
OneDrive for Business Next Generation Sync Client is installed and configured.
Additional Reading: For more information, refer to Which OneDrive sync client am I
using?: http://aka.ms/p17elm.
Analyzing data
While analyzing existing data, you should ask yourself the following questions:
• How many files will be migrated? Depending on the sync client that you use (see previous topic),
there is a limit on the maximum number of files that you can synchronize. Also, there is a 5,000-item limit
for viewing content in document libraries, and 20,000 for synchronizing personal sites. If you have
more than 5,000 files in one folder, try to split the content over multiple subfolders within SharePoint
Online site collections.
• What are the largest file sizes? This depends on the sync client that you use. The maximum file size
with OneDrive for Business is 2 GB, whereas with the OneDrive for Business Next Generation Sync
Client, it is 10 GB. If some files exceed this size, you cannot migrate them into OneDrive for Business.
As an alternative, use another storage system such as a local storage area network, network-attached
storage (NAS), a DVD, or Microsoft Azure Blob storage.
• What does the folder structure look like, and what is the maximum path length? Use the
MicrosoftEasyFix20150 utility to ensure that filenames do not include special characters, and apply
the rules that you learned in the previous topic. The maximum path length that can be synchronized
is 260 characters. If your folder names are too long, try to use abbreviations, such as “HR” instead of
“Human resources.”
• What file types exist? OneDrive for Business is ideal for storing Microsoft Office documents. However,
it is not a good idea to move other file types, such as pictures, multimedia files, development code,
and similar content, into SharePoint.
Additional Reading: For more information, refer to Types of files that cannot be added to
a list or library: http://aka.ms/orzefl.
There are no file types blocked in SharePoint Online and Office 365.
• Is there content that is no longer used? Check whether content exists that is no longer used, to
reduce the number of files that you plan to migrate. Discuss with the customer whether it is really
necessary to keep old data. It is generally good practice to archive or delete old, unused files from any
storage system before you migrate the remaining content to another system.
Additional Reading: For more information, refer to SharePoint Online and OneDrive for
Business: software boundaries and limits at: http://aka.ms/Ywqifr.
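The file-name rules from the start of this topic and the analysis questions above, turned into a single pre-migration check. This is an added example script, not course material: it walks a local folder tree and reports names with rejected characters, a leading ~ or ., blocked file types, paths over 260 characters, folders over 5,000 items and files over the sync client's size limit. The $SourceRoot path, the two switches, and the exact SharePoint Online character set are assumptions.

```powershell
# Added pre-migration check (example, not course code). Reports items that the rules in this
# topic say will not sync or upload cleanly. It only reports; nothing is changed or deleted.
param(
    [string]$SourceRoot = 'C:\MigrationSource',   # assumed local folder to scan
    [switch]$NextGenClient,                       # Next Generation Sync Client: 10 GB file limit instead of 2 GB
    [switch]$SharePointServer2013                 # on-premises target: ~, & and a leading . are also rejected
)

# Characters SharePoint Online rejects (assumed set); SharePoint Server 2013 additionally rejects ~ and &.
$charSet = '\/:*?"<>|#{}%'
if ($SharePointServer2013) { $charSet += '~&' }
$invalidChars = [char[]]$charSet

$blockedNames      = @('desktop.ini', 'thumbs.db', 'ehthumbs.db', '.ds_store')   # from the topic
$blockedExtensions = @('.tmp')
$maxPathLength     = 260     # longest path the sync client handles
$maxItemsPerFolder = 5000    # document library view limit per folder
$maxFileBytes      = if ($NextGenClient) { 10GB } else { 2GB }

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Path, [string]$Rule) {
    $findings.Add([pscustomobject]@{ Rule = $Rule; Path = $Path })
}

# Include the root folder itself so its own item count is checked too.
$items = @(Get-Item -LiteralPath $SourceRoot) + @(Get-ChildItem -LiteralPath $SourceRoot -Recurse -Force)
foreach ($item in $items) {
    $name = $item.Name

    if ($name.IndexOfAny($invalidChars) -ge 0) {
        Add-Finding $item.FullName 'Name contains a character SharePoint rejects'
    }
    # A leading ~ is unsupported in SharePoint Online; SharePoint Server 2013 also rejects a leading period.
    if ($name.StartsWith('~') -or ($SharePointServer2013 -and $name.StartsWith('.'))) {
        Add-Finding $item.FullName 'Name begins with ~ or .'
    }
    # The local path is a lower bound: the synced path gains the sync root folder in front of it.
    if ($item.FullName.Length -gt $maxPathLength) {
        Add-Finding $item.FullName "Path exceeds $maxPathLength characters; shorten folder names"
    }

    if ($item.PSIsContainer) {
        $count = @(Get-ChildItem -LiteralPath $item.FullName -Force).Count
        if ($count -gt $maxItemsPerFolder) {
            Add-Finding $item.FullName "Folder holds $count items (limit $maxItemsPerFolder); split into subfolders"
        }
    }
    else {
        if (($blockedNames -contains $name.ToLowerInvariant()) -or
            ($blockedExtensions -contains $item.Extension.ToLowerInvariant())) {
            Add-Finding $item.FullName 'Blocked file type; cannot be uploaded'
        }
        if ($item.Length -gt $maxFileBytes) {
            $msg = 'File is {0:N2} GB (limit {1:N0} GB); keep it on other storage' -f ($item.Length / 1GB), ($maxFileBytes / 1GB)
            Add-Finding $item.FullName $msg
        }
    }
}

# Count per rule first, then the full list for the migration owner to work through.
$findings | Group-Object Rule | Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize
$findings | Sort-Object Rule, Path | Format-Table -AutoSize -Wrap
```

Run it once against the source share before the cleanup, and again afterwards; an empty report is the signal that the content is ready to drop into the synced folder.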
Migrating data
After you clean up and prepare the local data, the best way to migrate the data into OneDrive for
Business storage is to use File Explorer. Both the next generation sync client and the old sync client
manage uploading all content to the personal cloud storage.
Note: When you synchronize files to OneDrive for Business, metadata associated with files
and folders is not migrated to the OneDrive for Business storage (the SharePoint Online
document library), and invalid characters, file type restrictions, or path lengths are not
detected.
Some third-party tools provide additional features and migration capabilities. In a future release, the
import function within Office 365 will also be able to import data to OneDrive for Business; alternatively,
you can use a third-party migration tool.
Additional Reading: For more information on a list of third-party tools that you can use
during migration, refer to Migrating File Shares to OneDrive for Business: http://aka.ms/oo1zjq.
• Check the version of your installed OneDrive for Business sync client to see the tool's restrictions. If
you are running the stand-alone version of OneDrive for Business, make sure that you download the
latest version of the sync client.
Additional Reading: To download the SkyDrive Pro client for Windows, go to:
http://aka.ms/elihab.
• Check your upload speed with an online speed test tool, to get an indication of the maximum upload
speed from your location, and try to schedule uploads outside of business hours. Usually, nights are a
good time to upload a high volume of content.
Additional Reading: To check your upload speed, you can use a speed test service such as
http://www.speedtest.net.
• If synchronization issues occur, try to repair the issues by identifying the underlying problems. You
can usually do this by fixing filename issues and path length on the local computer.
• Managing security is a top priority. Because it is easy to share content, users need to know which
objects are shared, and whether any content is inheriting unwanted permissions. It is easy to create
orphaned permissions on objects, for example when sharing a folder. Users should be aware that
they need to control which content is shared with whom.
• Objects, once shared, can be shared again. An external user can transfer permissions on a document
to another user. The document owners can stop sharing, but they need to monitor their shares.
• Monitoring shares can be done by checking shares periodically. This must be done actively by the
owner of the OneDrive for Business document library.
Note: Folders and files can be managed best with File Explorer. Shares must be monitored
in the OneDrive for Business site in Microsoft Edge, and can only be controlled online.
Besides the security aspects, users should also check the synchronization of their content between their
local computers and the cloud. Both OneDrive for Business clients report any issues in the System Tray
area of the taskbar.
• Inform your users about how OneDrive for Business works, and how they can migrate their content.
• Inform your users about the benefits of using OneDrive for Business, compared to local storage or
other services.
• Help users understand the difference between OneDrive for Business and the OneDrive consumer
version.
• Support users if errors occur during synchronization, and show them how to fix common errors.
• Encourage users to use the sharing functionality whenever needed instead of sending documents as
email attachments. Explain how sharing with internal users and external users makes their work
easier.
• Show users the advantages of sharing and using advanced features such as versioning and archiving,
the Recycle bin, Co-Authoring, document preview, and simplified search.
Note: You also can use OneDrive for Business in local environments. If you want to
implement OneDrive for Business in your organization's SharePoint Server 2013 on-premises
deployment, you must have configured the MySites and the User Profile Service application. To
display the user's My Site as a default Save or Open location in Office 2013, you must configure
SharePoint Server 2013 to use Exchange Autodiscover.
Additional Reading: For more information on the required prerequisites and configuration
settings, and how to plan for OneDrive for Business in SharePoint Server 2013, refer to Plan for
OneDrive for Business in SharePoint Server 2013 at: http://aka.ms/irhv85.
In hybrid deployment scenarios, you can also redirect your users to OneDrive for Business in Office 365.
Additional Reading: For more information, refer to How to redirect users to Office 365 for
OneDrive for Business at: http://aka.ms/j5ttiy.
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
Select three characters that are not supported in filenames that you store in OneDrive for
Business and SharePoint Online.
x #
&
x %
x ?
Lesson 3
Configuring Office 365 groups
Office 365 groups are groups that are available across all Office 365 services and are highly integrated
with all Office 365 services. Office 365 groups help in collaboration and teamwork. Through the Outlook
groups, mobile app users are informed about new content or new communications in the group. Users
also can use this app to work collaboratively with co-workers. Office 365 groups are available only in
Office 365. They are part of Azure Active Directory. Each Office 365 group has a mailbox, a calendar, a
OneNote notebook, and a OneDrive for Business site collection.
Lesson Objectives
After completing this lesson, you will be able to:
There are two different group types, public and private. A public group is open to everyone. If you are
interested in that group, you can visit the group, and check out the content and conversations. If it is
interesting to you, you can join the group and be a member. You can subscribe to the group to get email
notifications about group discussions. A private group is exclusive, and is only open to its members. The
content and conversations are secure and are not viewable by everyone. Choose a private group if you are
concerned about security and privacy. To join a private group, you must obtain approval from the group
administrator. Each group, private or public, can receive emails.
Note: At the time of writing this course, you cannot change a public group into a private
group, and vice versa.
There are some limitations that group members and owners should be aware of:
• Groups with more than 1,000 members are supported, but there might be performance limits.
Office 365 groups are similar to distribution groups in that members receive email messages sent to the
group. The Office 365 group components include a file store and a mailbox store.
Note: Because Office 365 groups have several components, it can take time to create the
groups.
Groups interact with all Office 365 services, such as Outlook, SharePoint, Yammer, Delve, and Planner.
3. Select Groups in the left navigation pane, and then click Groups.
5. On the right pane, you have three options for group type: Office 365 group, Distribution list or
Security group. Select Office 365 group.
6. Review the Office 365 options. Type a name, an email address, and a description. Select if the group
will be public or private, and then select the language.
7. Select the group owner. The group owners are the ones who can manage the group.
8. Select if group members are subscribed to the group or not subscribed.
9. Click Add.
Note: If group members are subscribed to a group, they receive all messages and calendar
items in their inbox.
Note: At the time of writing this course, you cannot add external members to an Office 365
group. If you need that functionality, you must create a Distribution list.
o Delete Group. If you do not need the group anymore, delete it. The group, its email
conversations, calendar, and documents stored in OneDrive for Business storage will be deleted
along with the group. This action cannot be undone.
Note: At the time of writing this course, you cannot restore a deleted group.
o Edit Details. Sometimes it is necessary to change or update the name of a group. This name
appears in the address book and on the To: line in email as the name of the group. A group
description helps your users to decide if a group is relevant for them.
To manage Office 365 groups, you must first connect to Exchange Online by using Windows PowerShell.
You use Windows PowerShell on your local computer to create a remote PowerShell session to Exchange
Online:
$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -AllowClobber
Additionally, you can send an email to a group by adding the group name to the To: line of your email
and send it.
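The group management this lesson describes (creating a group, choosing public or private, owners, subscription, and the policy that stops certain users from creating groups), carried out in the Exchange Online session above. This is an added example, not course code: it assumes the session has already been imported, and the group name, alias, user addresses and policy name are placeholders.

```powershell
# Added example, not course code. Assumes Import-PSSession for Exchange Online has already run
# (the session shown above) and that the users below exist. Names and addresses are placeholders.
$groupName  = 'Planning Group'
$groupAlias = 'planninggroup'
$firstOwner = 'holly@Adatumyyxxxxx.hostdomain.com'   # placeholder; replace with your tenant
$newMember  = 'roman@Adatumyyxxxxx.hostdomain.com'
$policyName = 'No Group Creation'                     # assumed OWA mailbox policy name

# 1. Create a private group: content is visible only to members and joining needs owner
#    approval. -AutoSubscribeNewMembers:$false leaves the inbox subscription as each member's
#    own choice. -RequireSenderAuthenticationEnabled $true makes the group mailbox accept mail
#    from authenticated (internal) senders only.
New-UnifiedGroup -DisplayName $groupName -Alias $groupAlias -AccessType Private `
    -Owner $firstOwner -Notes 'Planning coordination for A. Datum' `
    -AutoSubscribeNewMembers:$false -RequireSenderAuthenticationEnabled $true | Out-Null

# 2. Membership. An owner must also be a member, so add as a member first, then promote.
Add-UnifiedGroupLinks -Identity $groupAlias -LinkType Members -Links $newMember
Add-UnifiedGroupLinks -Identity $groupAlias -LinkType Owners  -Links $newMember

# 3. Verify who can manage the group (owners) and who receives its mail in their inbox (subscribers).
'Owners:'
Get-UnifiedGroupLinks -Identity $groupAlias -LinkType Owners      | Select-Object Name, PrimarySmtpAddress
'Subscribers:'
Get-UnifiedGroupLinks -Identity $groupAlias -LinkType Subscribers | Select-Object Name, PrimarySmtpAddress

# 4. Least privilege for group creation: an Outlook Web App mailbox policy with group creation
#    turned off, assigned to the mailboxes of users who must not create groups.
if (-not (Get-OwaMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $policyName | Out-Null
}
Set-OwaMailboxPolicy -Identity $policyName -GroupCreationEnabled $false
Set-CASMailbox -Identity $newMember -OwaMailboxPolicy $policyName

# 5. Tenant-wide review: public groups and groups that accept unauthenticated mail stand out here.
Get-UnifiedGroup | Select-Object DisplayName, AccessType, RequireSenderAuthenticationEnabled, ManagedBy |
    Sort-Object AccessType | Format-Table -AutoSize
```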
Group calendar
Each group has its own dedicated group calendar. Every member of the group automatically sees meeting
invites and other events. All group calendars are visible in Outlook and Outlook Web App, and can be
viewed side by side. Events that you create in the group calendar are added and synchronized
automatically with your personal calendar.
Note: You can add folders only if the custom scripts on personal sites feature is disabled.
Subscribing to a group
You can be a member of a group, and you can subscribe to it. When you subscribe to a group, you are
requesting that conversations or events from the group be sent to your inbox. You can reply directly to
group conversations from your inbox. Subscribing is not enabled by default. Each user can decide whether
to subscribe to a group. This helps you subscribe only to the most relevant groups.
5. Set the policy on the mailboxes of the user who is not allowed to create Groups by using the
following command:
Select two services with which Office 365 groups are already integrated.
Yammer
Delve
x OneNote
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 60 minutes
Password: Pa$$w0rd
Where you see references to Adatumyyxxxxx.hostdomain.com, replace the Adatumyyxxxxx with your
unique hostdomain.com name displayed in the online lab portal.
• LON-DC1
• LON-DS1
• LON-CL1
• LON-CL3
o Sign in as Adatum\Roman using the password Pa$$w0rd
4. Use Yammer.
4. Select the two options that users need to accept the usage policy and that a policy reminder is
displayed.
5. Name the Usage policy ADatum Acceptable Use Policy.
7. Click Save.
Task 2: Configure Yammer service settings, and enforce Office 365 identity
1. Go to Content and Security, and click Security settings.
4. Click Save.
8. Verify that you received a message from Yammer with a report about the monitored keyword
appearing in Roman's post.
Results: After completing this exercise, you should have enabled Yammer Enterprise for A. Datum.
8. File Explorer opens and displays the location where the synchronized files will be stored. Verify that
the Word document has been synchronized to the local computer.
2. In Private folder, create a new Word document named Holidays.docx. Open the file, type some text,
save the document, and then close Microsoft Word.
3. In Project A folder, create a new Word document named project targets.docx. Open the file, type
some text, save the document, and then close Word.
6. In Microsoft Edge, navigate to the folder Private, open the synchronized document Holidays.docx,
add some text in Word Online, and then return to the OneDrive for Business Files site.
7. Switch back to File Explorer, navigate to the folder Private, and then open Holidays.docx. You will
see that the changes made in Word Online are synchronized automatically.
4. Open an InPrivate Microsoft Edge window and connect to Office 365 as Holly. Access Holly’s mail.
5. Verify that you can open and edit the document shared by Roman.
6. In Roman’s online OneDrive for Business folder, stop sharing the document.
Results: After completing this exercise, you should have configured OneDrive for A. Datum.
2. Assign Holly Dickson as the group owner, and Roman Miler as a group member.
2. Create a new unified group named Planning Group by using the New-UnifiedGroup cmdlet.
5. Switch to the group calendar, and then add an entry named Planning meeting for tomorrow.
6. Check if the calendar item synchronizes to Holly’s calendar.
9. Click Outlook. Verify that the AdatumMarketing group appears in your Groups list.
10. Join the Planning Group and verify that you see the message and document that Holly created in the
group.
11. Keep the virtual machines running for the next lab.
Results: After completing this exercise, you should have configured Office 365 groups at A. Datum.
Question: If you enforce Office 365 identities in Yammer, what is the impact for Yammer
users with no Office 365 identities?
Question: Which Windows PowerShell cmdlets can you use to create an Office 365 group
and to add the group owner?
• Familiarize yourself with the different OneDrive for Business sync clients and their limitations and
features.
• Decide if and when you should use Office 365 groups, because they are essential to some of the
Office 365 components.
Review Question
Question: Discuss the differences between Office 365 groups and Yammer and possible use
cases where you need one tool or the other.
Module 11
Planning and configuring Rights Management and
compliance
Contents:
Module Overview 11-1
Lesson 2: Planning and configuring Azure Rights Management in Office 365 11-13
Module Overview
Many organizations are considering moving to the cloud; however, they still have security concerns
about making this transition. To use a trustworthy service provider, your organization needs to define
security and compliance regulations. By using a cloud service, your organization entrusts your service
provider to process your data. Security, compliance, and privacy in Microsoft Office 365 have two equally
important dimensions:
Service provider capabilities that include technologies, operational procedures, and policies that are
enabled by default.
Customer-managed controls that allow you to customize your Office 365 environment based on the
specific needs of your organization while still helping to maintain security and compliance.
Enhancing security and compliance is an ongoing process and not a steady state. In this module, you will
learn about the compliance features in Office 365 and how to manage them. You will plan and configure
Microsoft Azure Rights Management (Azure RMS), and you will be able to discuss the security features in
Office 365.
Objectives
After completing this module, the students will be able to:
Lesson 1
Overview of the compliance features in Office 365
Office 365 complies with industry standard regulations, and its design helps you to meet the regulatory
requirements for your business. In this lesson, you will learn what compliance features are available within
Office 365 and how to use and manage them.
In modern Information Technology (IT) environments, information security is essential. Users require
access to their IT services at all times and on any device. For many devices, such as desktops, tablets, and
smartphones, you need to help ensure that data is as secure as possible. Multiple-device access benefits
your users, especially with the mass consumerization of IT, which is spreading to business and government
organizations. Employees bring the technologies and devices they use at home into their workplaces, and
this type of access gives malicious hackers a larger attack surface.
Lesson Objectives
After completing this lesson, you will be able to:
Describe advanced security and compliance features in Office 365 Enterprise E5 subscriptions.
The security considerations in planning an Office 365 implementation cover a large set of topics, which
include:
Service-level security features. This level of security enhancement exists to help protect your service
and data through layers of security features, including physical, logical, and data layers. This level of
security enhancement provides many features, including:
Security-related customer controls. Each service within Office 365 offers its own and individual
security features you can control. These features help you to meet your compliance requirements,
control spam and antimalware settings, encrypt data, and control access to content for your users.
You use encryption technologies at the Office 365 service level. The technologies you can configure
within your Office 365 tenant include:
o Security-enhanced email traffic through Secure Multipurpose Internet Mail Extensions (S/MIME).
o Transport Layer Security (TLS) for Simple Mail Transfer Protocol (SMTP) messages to partners.
Privacy by design. The key principles in the data security features within Office 365 are:
o You own the data. If you cancel the service, you get your data back.
Privacy-related customer controls. Customer controls allow you to use policies and features within
Office 365, including:
o Rights Management in Office 365. This capability restricts access to documents, workbooks, and
presentations. Azure RMS helps you to prevent sensitive information from being printed,
forwarded, or copied by unauthorized people.
o Privacy-related controls for sites, libraries, and folders. Microsoft SharePoint Online sites are set to
private by default. Microsoft OneDrive for Business does not share uploaded documents until the
user provides explicit permissions and identifies whom to share with.
Service compliance. Compliance obligations and non-Microsoft audits are required to help meet
compliance and security goals. In addition, governmental requirements exist, including industry
requirements, internal policies, and requirements derived from industry best practices. As a result,
Office 365 has obtained independent verifications, including:
o Statement on Standards for Attestation Engagements 16 (SSAE 16) Service Organization Control
1 (SOC 1) (Type II) audits.
o Data transfer for data outside of the European Union (EU) through the EU Model Clauses.
o A Health Insurance Portability and Accountability Act (HIPAA) business associate agreement with
all customers.
o Payment Card Industry Data Security Standard (PCI DSS) Level One.
Customer compliance. Customer compliance helps users to control their security and compliance
needs within the enterprise. Examples include:
o Multi-Factor Authentication
When you plan an Office 365 implementation, it is important to review your internal security
requirements and then create a checklist with the following questions:
What security features do you have, and what is available with Office 365? What are the built-in
security features, and which customer controls does Office 365 offer?
Are you transparent in the way you use and access data?
Office 365, many organizations defer to legal counsel to help ensure that they are legally safe.
Optional contractual supplements are available, including:
o Office 365 and Microsoft Dynamics CRM Online data processing agreements (with EU standard
contractual clauses).
o Office 365 and Microsoft Dynamics CRM Online data processing agreements.
o The Office 365 and Microsoft Dynamics CRM Online HIPAA and Health Information Technology
for Economic and Clinical Health (HITECH) business associate agreement (with an
implementation guide).
FISMA. United States federal agencies can procure information systems and services only from
organizations that meet the FISMA regulations.
ISO/IEC 27001:2013. This standard from ISO and the International Electrotechnical Commission (IEC)
is widely used and is the best-known standard for an information security management system. Office
365 meets this security benchmark with physical, logical, process, and management controls. Since
2015, the most recent Office 365 audit also includes the ISO 27018 privacy controls.
EU Model Clauses. The EU Data Protection Directive is a key instrument for the EU privacy and human
rights law. The EU Model Clauses legitimize the transfer of personal data outside the EU, and they
comprise the preferred method for the data transfer of personal data outside the EU.
The U.S.–EU Safe Harbor Framework. The U.S.–EU Safe Harbor Framework also addresses the transfer
of personal data outside the EU. Office 365 follows the principles and processes stipulated by this
framework.
Note: At the end of 2015, the European Court of Justice declared the U.S.-EU Safe Harbor
Framework invalid, and it is currently undergoing revisions.
The Family Educational Rights and Privacy Act (FERPA). United States educational organizations are
required to follow FERPA regulations regarding the use or disclosure of student education records.
This also includes student information sent in email and email attachments.
SSAE 16. Independent organizations can audit Office 365 and provide SSAE 16 SOC 1 Type I and Type
II and SOC 2 Type II reports on how the service implements controls.
The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA
pertains to how private sector organizations collect, use, and disclose personal information in regards
to commercial business.
The Gramm–Leach–Bliley Act (GLBA). This act protects customers’ nonpublic personal information,
and financial institutions are required to follow these regulations to protect their clients’ information.
Data encryption. Data is encrypted both at rest and in transit between datacenters and between
datacenters and users.
Data mining. You cannot access data for advertising purposes.
Data ownership. The data stored within Office 365 is available to you at virtually any time.
Data deletion. If you decide to leave Office 365, Microsoft provides the support to return or offboard
your data.
Data regions. You decide which region will host your data.
Additional Reading: For more information about data regions, refer to Where is my data?:
http://aka.ms/l4tjga.
Custom controls about privacy features. You can turn features that impact privacy on or off to meet
your needs.
Additional Reading: For more information, refer to Office 365 Trust Center:
http://aka.ms/vjvvco.
Home. This page provides top-level information about the Protection Center and what is available
here.
Permissions. This page provides an overview of all the permissions granted to users in your
organization for compliance tasks, such as device management, DLP, eDiscovery, and retention.
Security policies. On this page, you can manage devices and set up DLP policies.
Data Management. This page has options for importing data from other systems. You can also set
data retention policies here.
Search & Investigation. On this page, you can use eDiscovery to manage cases.
Service Assurance. Service Assurance provides information about how Microsoft helps to maintain
the security, privacy, and compliance of Office 365.
Home
Compliance Reports
Trust Documents
Settings
Contact Us
Additional Reading: For more information, refer to Office 365 Service Trust Portal:
http://aka.ms/vqu38w.
1. Collect data. Collect the data that will help you analyze your score.
2. Analyze the results. The results are presented in an interactive web experience.
3. Act. Suggested recommendations are made based on the results.
Additional Reading: Office 365 Secure Score is in preview at the time of this writing, so its
features and availability might change. For more information, refer to Office 365 Secure Score:
http://aka.ms/h7br1z.
Within Office 365 you’ll find Administrator roles, like the Global admin or Limited admin access. The
Limited admin access roles contain admin roles like Billing administrator, Password administrator, Service
administrator, User management administrator, Exchange administrator, SharePoint administrator and
Skype for Business administrator.
o Case Management
o Compliance Search
o Hold
o Organization Configuration
o View-Only Recipients
eDiscovery Manager. The eDiscovery Manager performs searches and places holds on mailboxes,
SharePoint Online sites, and OneDrive for Business locations. The eDiscovery Manager can also create
and manage eDiscovery cases, including adding and removing members from a case. The eDiscovery
Manager creates and edits compliance searches associated with a case. The assigned roles include:
o Case Management
o Compliance Search
o Export
o Hold
o Preview
o Review
o Case Management
o Compliance Search
o Hold
o Organization Configuration
o Role Management
o View-Only Recipients
Reviewer. The Reviewer uses a limited set of the analysis features in Equivio Analytics. Members of this
group can see only the documents that are assigned to them. They cannot create, open, or manage
an eDiscovery case. The assigned role includes:
o Review
Service Assurance User. The Service Assurance User accesses the Service Assurance section within the
Protection Center. Members of this role group can use this section to review documents related to
security, privacy, and compliance in Office 365 to perform risk and assurance reviews for their own
organization. The assigned role includes:
o Service Assurance View
Supervisory Review. The Supervisory Reviewer controls policies and permissions for reviewing
employee communications. The assigned role includes:
o Supervisory Review Administrator
Retention policy and archiving. These permissions are set in the Exchange admin center. Members of
this group can configure compliance features such as Retention Policy Tags (RPTs), message
classifications, and transport rules. The assigned roles include:
o Audit Logs
o Journaling
o Message Tracking
o Retention Management
o Transport Rules
Document deletion. These permissions are set in the Document Deletion Policy Center. You can find
the Document Deletion Policy Center at
https://<tenantname>.sharepoint.com/sites/CompliancePolicyCenter/.
The Compliance Policy Center contains policies to protect the SharePoint
content you want, and you can set policies to delete content you do not want. Policies created here
are assigned to a site collection or template. Because of compliance, legal, or other business
requirements, you might be required to retain documents for a certain time frame. Documents
held longer than required can create an unnecessary legal risk. By creating a document deletion
policy, you can delete documents after a specific time frame. For instance, a document deletion policy
can delete all the documents in OneDrive for Business that are older than seven years.
You can grant users access in two ways: through the Office 365 Protection Center or through Windows
PowerShell.
To grant users access through the Office 365 Protection Center, complete the following steps:
3. In the Office 365 admin center, open the Admin centers link, and then click Compliance.
5. Choose the role group that you want to add the user to, and then click Edit.
6. On the role group's properties page, under Members, click Add, and then add the user you want.
7. After you select all the users you want, click Add, and then click OK.
8. Click Save.
To grant users access through Windows PowerShell, complete the following steps:
1. Connect to the Office 365 Protection Center by using remote Windows PowerShell.
2. On your local computer, open Windows PowerShell, type the following command, and then press
Enter.
$UserCredential = Get-Credential
3. Type your Office 365 user name and password, and then click OK.
4. Connect to remote Windows PowerShell, type the following command, and then press Enter.
Import-PSSession $Session
7. After you finish adding users, type the following command, and then press Enter to close the
Windows PowerShell session.
Remove-PSSession $Session
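The following script, added here as an illustration and not taken from the course, performs the preceding Windows PowerShell steps end to end and adds a user to the eDiscovery Manager role group only if that user is not already a member. It assumes Windows PowerShell 5.1, a client that allows Basic authentication over WinRM, and the Protection Center (Security & Compliance Center) remote PowerShell endpoint; the user principal name is constructed.

```powershell
# Added example (not course material): connect to the Protection Center endpoint and
# manage role group membership in a re-runnable way. Assumes Windows PowerShell 5.1;
# the member address below is constructed.

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ `
    -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

function Add-ProtectionCenterRoleGroupMember {
    # Adds a user to a role group only when not already a member, so the script can be
    # re-run safely. Supports -WhatIf through ShouldProcess.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$RoleGroup,   # e.g. 'eDiscovery Manager'
        [Parameter(Mandatory)][string]$Member       # user principal name
    )
    $existing = Get-RoleGroupMember -Identity $RoleGroup |
        Where-Object { $_.Name -eq $Member -or $_.PrimarySmtpAddress -eq $Member }
    if ($existing) {
        Write-Verbose "$Member is already a member of '$RoleGroup'"
        return $false
    }
    if ($PSCmdlet.ShouldProcess($RoleGroup, "Add member $Member")) {
        Add-RoleGroupMember -Identity $RoleGroup -Member $Member
        return $true
    }
    return $false
}

function Get-ProtectionCenterRoleGroupReport {
    # Lists every role group with its roles and members. Review this regularly:
    # eDiscovery roles grant access to other users' content.
    $roles   = @{ n = 'Roles';   e = { $_.Roles -join ', ' } }
    $members = @{ n = 'Members'; e = { (Get-RoleGroupMember -Identity $_.Identity).Name -join ', ' } }
    Get-RoleGroup | Select-Object Name, $roles, $members
}

# Constructed example identity
Add-ProtectionCenterRoleGroupMember -RoleGroup 'eDiscovery Manager' -Member 'alice@contoso.example' -Verbose
Get-ProtectionCenterRoleGroupReport | Format-Table -AutoSize -Wrap
Remove-PSSession $Session
```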
Customer Lockbox
Office 365 operates with the principles of least privilege and just-in-time access. Therefore, Microsoft
personnel do not have permission to access customer content on an ongoing basis. If permission is
granted, it is for a limited time. A customer must provide explicit approval if Microsoft personnel need to
access the customer content to perform a service operation. The already-existing approval workflow for
this type of access is extended to customers. Customer Lockbox addresses customer concerns about
access to their data in the service by the service provider. Customer Lockbox technology governs how access
to customer data is obtained across all Office 365 services. Customer Lockbox enforces multiple levels of approval within
Microsoft so that Microsoft engineers receive access to customer data when it is necessary and for a
limited time. All access control activities in the service are logged and audited. With Customer Lockbox,
you as a customer are part of this approval process. Until you approve a request, the Microsoft engineer
will not be granted access.
The most common scenario where Microsoft engineers might need to access customer content is when
the customer makes a support request that requires access for troubleshooting.
People who are members of the customer's control group provide approvals or rejections of Customer
Lockbox requests. Customer Lockbox is enabled in the initial release through remote Windows PowerShell
commands. Examples of customer content include:
Email bodies and email attachments.
Binary large objects (BLOBs) or structured storage data (for example, Microsoft SQL Server containers)
created by a customer.
Security information—for example, certificates, encryption keys, and passwords owned by a customer.
Note: Because attachments need to be checked, they are first blocked for the recipient.
Safe Attachments launches a unique hypervisor to open an attachment, and this can result in a
delivery delay of up to 30 minutes. (The average delay is 7–10 minutes.)
MCT USE ONLY. STUDENT USE PROHIBITED
11-12 Planning and configuring Rights Management and compliance
x DLP
ISO 27018
What are the role groups that exist in the Protection Center?
x eDiscovery Manager
ComplianceUser
ComplianceReviewer
Lesson 2
Planning and configuring Azure Rights Management in
Office 365
In this lesson, you will begin to understand the integrated security features within Office 365 and how to
use them. In addition, you will look at the Rights Management features and how to use them. With Azure
RMS, your organization can help to protect content in Office 365. Various Rights Management templates
are available to help protect content in Office 365.
You will also learn about the differences between Active Directory Rights Management and Azure Active
Directory (Azure AD) Rights Management.
With the integration of Azure RMS, you will learn how to help make Office 365 more secure on your
terms.
Lesson Objectives
After completing this lesson, you will be able to:
Azure RMS is included in Office 365 Enterprise E3, Office 365 Enterprise E5, Enterprise Mobility Suite, and
Enterprise Cloud Suite and is available as a standalone plan through Azure RMS Premium.
To use Azure RMS you must have Azure AD. You use your organizational account to sign in to the Azure
classic portal, where you can configure and manage Rights Management templates.
Activate Azure AD
1. Sign in to the Office 365 portal with your global administrator account.
3. In the Office 365 admin center, open Admin centers, and then click Azure AD.
Note: To activate Azure AD within your Office 365 account, you do not need a credit card.
A content key helps to protect an Azure RMS protected document. This content key is unique for each
document and is placed in the file header, where your Azure RMS tenant root key helps to protect it.
Microsoft either generates or manages this tenant root key, or you can generate and manage your own
tenant key.
Document protection method. The algorithm is Advanced Encryption Standard (AES), and the
key lengths are 128 bits and 256 bits.
Key protection method. The algorithm is Rivest-Shamir-Adleman (RSA), and the key length is 2,048
bits.
1. The user prepares the user environment on the client in a one-time process by installing the RMS
client application.
2. The Azure RMS client connects to Azure RMS and authenticates the user with that user’s Azure AD
account (Office 365 organizational account).
Note: The authentication is automatic, and no user prompts appear when the tenant
domain and users’ accounts are federated with Azure AD.
As soon as the user is authenticated, certificates are issued that allow the user to authenticate to
Azure RMS in order to consume protected content and to protect content offline. A copy of the user’s
certificate is stored in Azure RMS. This helps to ensure that if the user moves to another device, that
user will have access to his or her protected data.
Now that the user is protecting data, the Azure RMS client creates a random content key and
encrypts the document with it.
The Azure RMS client creates a certificate with an included policy. This policy is based on a template
or on specific document rights, and it includes:
After that, the organization’s key is used to encrypt the policy and the symmetric content key.
The Azure RMS client signs the policy with the user’s certificate.
The policy is embedded into a file with the body of the document previously encrypted.
The policy stays with the encrypted document as long as it stays encrypted.
Now you can store the document virtually anywhere or share it by using essentially any method.
1. The authenticated user sends the document policy and the user’s certificates to Azure RMS.
5. An encrypted user license with the list of user rights is returned to the Azure RMS client.
6. The Azure RMS client decrypts this encrypted use license by using its own user private key.
7. The Azure RMS client also decrypts the rights list and passes it to the application.
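To see how the protect and consume steps above fit together, the following added example models the flow in Windows PowerShell with .NET cryptography. It is not Azure RMS code and does not use the Azure RMS certificate or license formats: local RSA-2048 keys stand in for the tenant root key and the users' keys, the policy is a small JSON document with constructed user names, and the script assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example (not Azure RMS code): a simplified model of the Azure RMS protect and
# consume flow. Keys are local RSA-2048 objects (RSACng), the content key is AES-256,
# signing uses SHA-256, and the policy is constructed JSON. Windows only.

$Oaep   = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
$Sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$Pkcs1  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

function New-RsaKeyPair {
    # Stand-in for the tenant root key and for a user's key (RSA-2048, as in Azure RMS)
    New-Object System.Security.Cryptography.RSACng 2048
}

function Get-PublicKey([System.Security.Cryptography.RSA]$Key) {
    # Public parameters only, as a certificate would carry them
    $pub = New-Object System.Security.Cryptography.RSACng
    $pub.ImportParameters($Key.ExportParameters($false))
    return $pub
}

function Protect-Document {
    param([string]$Text, [string[]]$Users, [string[]]$Rights,
          [System.Security.Cryptography.RSA]$TenantPublicKey,
          [System.Security.Cryptography.RSA]$AuthorPrivateKey)
    # A random AES-256 content key, unique to this document, encrypts the body
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Text)
    $cipherBody = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    # The policy: who may do what with this document
    $policy = [System.Text.Encoding]::UTF8.GetBytes((@{ users = $Users; rights = $Rights } | ConvertTo-Json -Compress))
    # The organization's key wraps the policy and the content key
    # (RSA-2048 with OAEP-SHA256 holds at most 190 bytes: key + IV + a short policy)
    $wrapped = $TenantPublicKey.Encrypt([byte[]]($aes.Key + $aes.IV + $policy), $Oaep)
    # The author signs the policy with his or her own key
    $signature = $AuthorPrivateKey.SignData($policy, $Sha256, $Pkcs1)
    # The policy travels with the encrypted body wherever the file goes
    return @{ Body = $cipherBody; PublishingLicense = $wrapped; Signature = $signature }
}

function Get-UseLicense {
    # Azure RMS side: unwrap with the tenant private key, verify the author's signature,
    # evaluate the policy for the requester, and return the content key wrapped to the
    # requester's public key together with the rights list (the encrypted use license)
    param($Envelope, [string]$Requester,
          [System.Security.Cryptography.RSA]$TenantPrivateKey,
          [System.Security.Cryptography.RSA]$AuthorPublicKey,
          [System.Security.Cryptography.RSA]$RequesterPublicKey)
    $blob = $TenantPrivateKey.Decrypt($Envelope.PublishingLicense, $Oaep)
    $keyMaterial = [byte[]]($blob[0..47])                   # 32-byte key + 16-byte IV
    $policyBytes = [byte[]]($blob[48..($blob.Length - 1)])
    if (-not $AuthorPublicKey.VerifyData($policyBytes, $Envelope.Signature, $Sha256, $Pkcs1)) {
        throw 'Policy signature invalid: the policy was altered after publishing'
    }
    $policy = [System.Text.Encoding]::UTF8.GetString($policyBytes) | ConvertFrom-Json
    if ($policy.users -notcontains $Requester) { throw "$Requester has no rights to this document" }
    return @{ Rights = $policy.rights; EncryptedKey = $RequesterPublicKey.Encrypt($keyMaterial, $Oaep) }
}

function Unprotect-Document {
    param($Envelope, $UseLicense, [System.Security.Cryptography.RSA]$UserPrivateKey)
    # Client side: decrypt the use license with the user's own private key, then hand the
    # rights list to the application, which must enforce it before showing the content
    if ($UseLicense.Rights -notcontains 'VIEW') { throw 'License carries no VIEW right' }
    $keyMaterial = $UserPrivateKey.Decrypt($UseLicense.EncryptedKey, $Oaep)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [byte[]]($keyMaterial[0..31]); $aes.IV = [byte[]]($keyMaterial[32..47])
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Envelope.Body, 0, $Envelope.Body.Length)
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# Walk-through with constructed identities: Alice protects, Bob consumes, Eve is refused
$tenant = New-RsaKeyPair; $alice = New-RsaKeyPair; $bob = New-RsaKeyPair; $eve = New-RsaKeyPair
$doc = Protect-Document -Text 'Q3 board minutes (sample text)' `
    -Users 'alice@contoso.example', 'bob@contoso.example' -Rights 'VIEW', 'EDIT' `
    -TenantPublicKey (Get-PublicKey $tenant) -AuthorPrivateKey $alice
$license = Get-UseLicense -Envelope $doc -Requester 'bob@contoso.example' -TenantPrivateKey $tenant `
    -AuthorPublicKey (Get-PublicKey $alice) -RequesterPublicKey (Get-PublicKey $bob)
Unprotect-Document -Envelope $doc -UseLicense $license -UserPrivateKey $bob
try {
    Get-UseLicense -Envelope $doc -Requester 'eve@contoso.example' -TenantPrivateKey $tenant `
        -AuthorPublicKey (Get-PublicKey $alice) -RequesterPublicKey (Get-PublicKey $eve)
} catch { "Refused: $($_.Exception.Message)" }
```

Note that the file body itself never leaves the client unencrypted: the service only ever handles the wrapped key material and the policy, which is why a copy of the user's certificate in Azure RMS is enough to restore access from another device.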
AD RMS
AD RMS supports on-premises Microsoft server products such as Exchange Server, SharePoint Server, and file
servers that run Windows Server and File Classification Infrastructure (FCI). When comparing AD RMS to
Azure RMS, several differences exist, such as the following:
You must define a trust between two organizations in a direct, point-to-point relationship. To define
this relationship, you can use either trusted user domains or federated trusts that you create by using
Active Directory Federation Services (AD FS).
No default policy templates are available. Instead, you need to create each policy.
Users can define their own permission sets if the templates are not sufficient.
The supported Office applications are:
The supported Windows clients are those running Windows Vista with Service Pack 2 and later.
Smart card authentication is supported if Microsoft Internet Information Services (IIS) is configured to
request certificates.
Cryptographic Mode 1 is supported by default, and additional configuration is required to support
Cryptographic Mode 2 for stronger security.
Azure RMS
Azure RMS supports online and on-premises Microsoft server products such as Exchange Server,
SharePoint Server, and file servers that run Windows Server and FCI. Azure RMS does this by:
Supporting the Information Rights Management (IRM) capabilities in Microsoft online services such as
Exchange Online, SharePoint Online, and Office 365.
Supporting on-premises Microsoft server products such as Exchange Server, SharePoint Server, and
file servers that run Windows Server and FCI.
Note: On-premises systems require Azure AD Premium, which is not part of the Office 365
Enterprise services.
Allowing protected content to be shared among users within the same organization or across
organizations when the users have Office 365 or Azure RMS or they sign up for Rights Management
for individuals without the need to build explicit trust relationships.
Making two default rights policy templates available and allowing you to create custom templates.
You can create custom templates for only a subset of users.
Allowing users to define their own permission sets if the templates are not sufficient.
Supporting the Rights Management sharing app, which supports sharing of files with people in
another organization, document tracking, and email notifications.
Requiring a Rights Management license to protect content. No such license is required to consume
content that has been protected by Azure RMS (which includes users from another organization).
Always using RSA-2048 for public key cryptography and SHA-256 for signing operations.
Note: Azure Rights Management does not currently support bring your own key for
Exchange Online.
3. In the Office 365 admin center, in the left side menu, select Settings and then click Apps.
4. Click Microsoft Azure Rights Management.
5. On the Microsoft Azure Rights Management page, click Manage Microsoft Azure Rights
Management settings.
6. On the Rights Management page, click activate.
7. When prompted with Do you want to activate Rights Management?, click activate.
Note: You can also enable Rights Management through Windows PowerShell with
Enable-Aadrm.
If you want to help ensure that only those users who are correctly licensed to use Azure RMS can protect
content, use the following command.
o Specific permissions: View Content, Save File, Edit Content, View Assigned Rights, Allow Macros,
Forward, Reply, Reply All
Users can set their permissions through the Rights Management sharing application. In Microsoft Outlook
and Outlook Web App, users can select the Do Not Forward option for email messages. In addition, you
can create custom templates for:
Defining custom rights, such as View and Edit (but not Copy or Print), for a template.
The configuration of additional options in a template includes an expiration date and whether you can
access the content without an Internet connection.
1. Sign in to the Office 365 portal with your global administrator account.
11. See your newly created template added to the list of templates, with a status of Archived. At this
stage, the template is created but not configured, and it is not visible to users.
13. Click Configure rights for users and groups. Get started and add the users and groups you want to
add to this template.
14. Select the following rights for the users or groups:
o Viewer
o Reviewer
o Co-Author
o Co-Owner
o Custom
15. If you want this template to be a departmental template, select scope.
17. Select the users and/or groups whom you want to be able to see the template.
18. Click CONFIGURE, and then add the additional languages that users will employ together with the
name and description of the template in that language.
19. Optionally set the value for content expiration by specifying a date or a number of days starting from
the time that the protection is applied to the file. For offline access, you can specify that the content is
not available without an Internet connection or that the content is available only for a specified
number of days. When users reach this threshold, they must be reauthenticated, and their access is
logged.
For business purposes, this logging provides better business insights, helps to monitor for abuse, and supports
forensic analysis.
Office 365. Office 365 natively supports Azure RMS. Therefore, no client computer configuration is
required to support the IRM features for applications such as Microsoft Word, Microsoft Excel,
Microsoft PowerPoint, Outlook, and Outlook Web App.
Exchange Online. To configure Exchange Online to support Azure RMS, you must configure the IRM
service for Exchange Online. To do this, open Windows PowerShell (there is no need to install a
separate module), and run the following Windows PowerShell commands for Exchange Online.
Set-ExecutionPolicy RemoteSigned
$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
Note: Depending on the location of your tenant, replace the link in the preceding
command with one of the following:
You can use the following optional command to test the configuration.
SharePoint Online and OneDrive for Business. These applications support Azure RMS. SharePoint
Online relies on Azure RMS to assign usage restrictions and encrypt messages. You need to set up
Rights Management in SharePoint Online, as well. To protect SharePoint lists and libraries, you must
first activate Azure RMS for your organization and then turn on IRM in SharePoint Online by
completing the following steps:
a. Sign in to the Office 365 portal with your global administrator account.
d. Select SharePoint.
e. In the SharePoint admin center, select settings.
f. On the Settings page, in the IRM section, select Use the IRM service specified in your
configuration, and then select Refresh IRM Settings.
g. After you enable IRM in SharePoint Online, you can protect SharePoint lists and libraries.
Note: After IRM is enabled for a list or library, each downloaded file is encrypted so that
only authorized users can view it.
Office Open XML formats for the following Office programs: Word, Excel, and PowerPoint
XPS
Client configuration
Several configuration options are available, depending on what clients you use:
Clients running Office 2016 or Office 2013. These versions of Office natively support Azure RMS.
Therefore, no client computer configuration is required to support the IRM features for applications
such as Word, Excel, PowerPoint, Outlook, and Outlook Web App.
Clients running Office 2010. Your users must have installed the Rights Management sharing
application for Windows.
All computers and mobile devices that support Azure RMS. The Rights Management sharing
application is required for client computers to use Azure RMS with Office 2010, and it is
recommended for all computers and mobile devices that support Azure RMS. You can centrally roll
out the application, or each user can download it individually.
Additional Reading: For more information about downloading the mobile applications
and the application for the desktop client, refer to Microsoft Rights Management:
http://aka.ms/j19a1v.
Configure a super user account for Azure RMS. In certain instances, authorized users need to access
Azure RMS protected files. For these cases, you can configure a super user account for your
organization. The super users always have full owner rights, and they are able to remove or change
the protection that was previously applied. This ability, which is sometimes referred to as reasoning
over data, is a crucial element in maintaining control of your organization’s data. The following
scenarios show why configuring super users might be necessary:
o An employee leaves the organization, and you need to read the files that he or she protected.
o You have existing IT services for DLP solutions, content encryption gateways, and antimalware
products that need to inspect files that are already protected.
o You need to decrypt files in bulk for auditing, legal, or other compliance reasons.
By default, the super user feature is not enabled, and no users are assigned this role.
If you need to manually enable the super user feature, use the Windows PowerShell cmdlet
Enable-AadrmSuperUserFeature, and then assign users (or service accounts) as needed by using the
Add-AadrmSuperUser cmdlet.
Deploy the Azure RMS connector (only with Azure AD Premium). The Rights Management connector
allows you to quickly enable existing on-premises servers to use their IRM functionality with the
cloud-based Azure RMS service. This requires an Azure AD Premium license.
x Viewer
Author
Reader
Blocker
x Co-Author
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
Lesson 3
Managing the compliance features in Office 365
In this lesson, you will learn how to configure the advanced security features in Office 365. You will learn
about retention tags, archive mailboxes, and DLP.
Lesson Objectives
After completing this lesson, you will be able to:
Configure document deletion policies in both SharePoint Online and OneDrive for Business.
Online archiving applies only to certain plan levels in Office 365. The following plans have the service
integrated:
Note: Online archives can theoretically be of unlimited size but, in fact, have an initial fair
use quota of 160 gigabytes. You can raise this limit by calling support.
5. In the In-Place Archive section, click View details. Note that until the user signs in and opens his or
her In-Place Archive, this section provides a warning message. Click OK, and then click cancel to close
the Archive Mailbox dialog box.
You can also enable archives in bulk by selecting multiple mailboxes, and then in the details pane, clicking
Enable.
To enable an In-Place Archive by using Windows PowerShell, type the following command, and then press
Enter.
To enable an archive for all users, type the following command, and then press Enter.
To check which mailboxes are enabled for archiving, type the following command, and then press Enter.
1. In the Protection Center, navigate to Data management and then click Archive.
To disable an In-Place Archive by using Windows PowerShell, type the following command, and then
press Enter.
To connect a disabled archive to a mailbox user, you have to use Windows PowerShell and establish the
GUID of the disconnected archive. To do so, type the following command, and then press Enter.
You then type the following command, replacing the GUID shown with the one resulting from the
previous command.
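The archive tasks described above, gathered into one added example that is not part of the course. It assumes an Exchange Online remote session has already been imported (New-PSSession and Import-PSSession, as shown for Exchange Online later in this module); the mailbox address is constructed, and reconnecting a disabled archive is left to the GUID procedure the text describes.

```powershell
# Added example (not course material): In-Place Archive management as reusable
# functions. Assumes an imported Exchange Online remote session; addresses are constructed.

function Enable-InPlaceArchive {
    # Enable the archive for one mailbox; returns $false if it was already active
    param([Parameter(Mandatory)][string]$Identity)
    $mbx = Get-Mailbox -Identity $Identity
    if ($mbx.ArchiveStatus -eq 'Active') { return $false }
    Enable-Mailbox -Identity $Identity -Archive | Out-Null
    return $true
}

function Enable-InPlaceArchiveForAllUsers {
    # Bulk enable: every user mailbox that has no archive yet. Run with -WhatIf first
    # to see which mailboxes would change; returns the number of candidates.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $targets = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object { $_.ArchiveStatus -ne 'Active' })
    foreach ($mbx in $targets) {
        if ($PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, 'Enable In-Place Archive')) {
            Enable-Mailbox -Identity $mbx.Identity -Archive | Out-Null
        }
    }
    return $targets.Count
}

function Get-ArchiveEnabledMailbox {
    # Get-Mailbox -Archive returns only the mailboxes that have an archive
    Get-Mailbox -Archive -ResultSize Unlimited |
        Select-Object DisplayName, PrimarySmtpAddress, ArchiveStatus, ArchiveGuid
}

function Disable-InPlaceArchive {
    # Disable the archive and return its ArchiveGuid, recorded before disabling so the
    # disconnected archive can be identified if it has to be reconnected later
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Identity)
    $mbx = Get-Mailbox -Identity $Identity
    if ($mbx.ArchiveStatus -ne 'Active') { throw "$Identity has no active archive" }
    $guid = $mbx.ArchiveGuid
    if ($PSCmdlet.ShouldProcess($Identity, 'Disable In-Place Archive')) {
        Disable-Mailbox -Identity $Identity -Archive -Confirm:$false
    }
    return $guid
}

Enable-InPlaceArchive -Identity 'alice@contoso.example'
Enable-InPlaceArchiveForAllUsers -WhatIf
Get-ArchiveEnabledMailbox | Format-Table -AutoSize
```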
After you enable an In-Place Archive, the user has several ways of moving messages to it:
Configuring AutoArchive
Personal tags. Manually set to messages and folders through user assignment.
These retention tag types include some or all of the following elements:
A unique name.
A retention period, measured in days (with the option of Never for personal tags).
These retention tags are then linked in to a retention policy, and that policy is applied to mailboxes,
folders, and messages.
If necessary, you can create additional retention tags to meet your organization’s requirements and either
add those tags to the default retention policy or create a new retention policy to hold them.
In their own mailbox settings, users can select which personal retention tags to apply from all the defined
retention policies.
A retention policy is a collection of retention tags that can consist of one or two DPTs along with a
maximum number of RPTs and a virtually unlimited number of personal tags. The organization can apply
the retention policy to user mailboxes, and users can select which personal tags to apply to folders and
messages in their mailboxes.
Note: Users cannot see the retention policy names. They see only the retention tags within
those policies. However, a mailbox can have only one mailbox policy applied.
A retention policy can have two DPTs, each with a different retention action, along with one RPT for each
default folder and virtually any number of personal tags.
Never Delete
5 Year Delete
1 Year Delete
6 Month Delete
1 Month Delete
1 Week Delete
If these retention tags meet your organization’s requirements for retaining and deleting messages, you do
not have to define any more retention tags or policies. Alternatively, you can create additional retention
tags and add them to the default MRM policy.
If your organization’s requirements do not align with what the default MRM policy provides, you need to
define the retention tags and create a new retention policy that includes those tags together with any of
the existing retention tags.
Alternatively, you might have a situation where, for legal or regulatory reasons, individual employees or
entire departments have different retention needs. You can then create a new retention policy for those
employees, link the appropriate retention tags, and then apply the policy to those mailboxes.
To globally manage retention tags and policies across an organization, use Windows PowerShell to
connect to Exchange Online.
You configure a retention tag through the Protection Center or by using Windows PowerShell commands
while connected to Exchange Online.
To create a retention tag through the Protection Center, complete the following steps:
1. In the Protection Center, expand Data management, click Retention, and then click Manage
Retention tags for mailboxes.
2. In the Retention tags window, click new, which is the plus sign (+), and then select one of the
following:
o Applied automatically to an entire mailbox (default)
4. Set a name, configure the retention action and retention period, and then click Save to add the
retention tag to the list of default tags.
To create a retention tag by using Windows PowerShell, open a Windows PowerShell connection to
Exchange Online by using the Connect-MsolService cmdlet and administrative credentials. Then in the
Windows PowerShell window, type the following command, and then press Enter.
The new retention tag is visible in the Exchange admin center and can be added to retention policies.
To configure retention policies by using the Protection Center, complete the following steps:
1. In the Protection Center, expand Data management, click Retention, and then click Manage
Retention policies for mailboxes.
2. On the retention tags page, click new, which is the plus sign (+).
4. Click new, which is the plus sign (+), and then select policy tags from those listed.
5. Click Save.
The equivalent Windows PowerShell cmdlet is New-RetentionPolicy, which uses the following syntax.
1. In the Protection Center, expand Data management, click Retention, and then click Assign
retention policies for mailboxes.
2. In the list view, select the mailbox to which you want to apply the retention policy, and then click the
edit icon.
4. Under Retention policy, select the policy you want to apply to the mailbox, and then click Save.
For multiple recipients, use the following process:
4. On the Bulk assign retention policy page, select the retention policy you want to apply to the
mailboxes, and then click Save.
To use Windows PowerShell to change the policy for one mailbox, type the following command, and then
press Enter.
To change policy for all mailboxes, type the following command, and then press Enter.
To change an old retention policy to a new one, type the following command, and then press Enter.
# Parentheses (not braces) evaluate the cmdlet; the filter is a string so that $OldPolicy expands locally
$OldPolicy = (Get-RetentionPolicy "Old-Retention-Policy").DistinguishedName
Get-Mailbox -Filter "RetentionPolicy -eq '$OldPolicy'" -ResultSize Unlimited | Set-Mailbox -RetentionPolicy "New-Retention-Policy"
To test whether a mailbox policy has been applied, type the following command, and then press Enter.
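The following added example, not taken from the course, builds the retention configuration this lesson describes from Windows PowerShell: a default policy tag, a retention policy tag for a default folder, a personal tag, the policy that links them, and the assignment of that policy to a department's mailboxes with a check afterwards. It assumes an imported Exchange Online remote session; the tag, policy and department names are constructed.

```powershell
# Added example (not course material): retention tags, a policy linking them, and the
# assignment to mailboxes. Assumes an imported Exchange Online remote session.

function New-DepartmentRetentionPolicy {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [int]$DeleteAfterDays = 2555,        # DPT: delete after about 7 years
        [int]$DeletedItemsPurgeDays = 30,    # RPT on the Deleted Items folder
        [int]$ArchiveAfterDays = 365         # personal tag that users may apply
    )
    # Default policy tag (Type All): applies to every item without a more specific tag
    $dpt = New-RetentionPolicyTag -Name "$PolicyName DPT Delete" -Type All `
        -AgeLimitForRetention $DeleteAfterDays -RetentionAction DeleteAndAllowRecovery
    # Retention policy tag: at most one per default folder, here Deleted Items
    $rpt = New-RetentionPolicyTag -Name "$PolicyName RPT Deleted Items" -Type DeletedItems `
        -AgeLimitForRetention $DeletedItemsPurgeDays -RetentionAction PermanentlyDelete
    # Personal tag: shown to users, who apply it to folders or messages themselves
    $ptag = New-RetentionPolicyTag -Name "$PolicyName Personal Archive" -Type Personal `
        -AgeLimitForRetention $ArchiveAfterDays -RetentionAction MoveToArchive
    # The policy is the collection of tags; users see the tags, never the policy name
    New-RetentionPolicy -Name $PolicyName -RetentionPolicyTagLinks $dpt.Name, $rpt.Name, $ptag.Name
}

function Set-DepartmentRetentionPolicy {
    # Apply the policy to every user mailbox whose Department attribute matches,
    # skipping mailboxes that already carry it. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$PolicyName, [Parameter(Mandatory)][string]$Department)
    $users = Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox -Filter "Department -eq '$Department'"
    foreach ($u in $users) {
        $mbx = Get-Mailbox -Identity $u.Identity
        if ($mbx.RetentionPolicy -eq $PolicyName) { continue }
        if ($PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, "Apply retention policy '$PolicyName'")) {
            Set-Mailbox -Identity $mbx.Identity -RetentionPolicy $PolicyName
            # Process the mailbox now instead of waiting for the next scheduled MRM run
            Start-ManagedFolderAssistant -Identity $mbx.Identity
        }
    }
}

function Test-DepartmentRetentionPolicy {
    # Verification: the department's mailboxes and the policy each one carries
    param([Parameter(Mandatory)][string]$Department)
    Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox -Filter "Department -eq '$Department'" |
        ForEach-Object { Get-Mailbox -Identity $_.Identity } |
        Select-Object DisplayName, PrimarySmtpAddress, RetentionPolicy
}

# Constructed names; review the -WhatIf output before applying
New-DepartmentRetentionPolicy -PolicyName 'Finance Retention Policy'
Set-DepartmentRetentionPolicy -PolicyName 'Finance Retention Policy' -Department 'Finance' -WhatIf
Set-DepartmentRetentionPolicy -PolicyName 'Finance Retention Policy' -Department 'Finance'
Test-DepartmentRetentionPolicy -Department 'Finance' | Format-Table -AutoSize
```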
Provide a default policy with a default rule that automatically applies without any action required by
site owners.
Create a policy that includes several deletion rules that a site owner can choose from.
2. The first time you navigate from the Protection Center to the Document Deletion Policy Center, the
policy center is automatically created for you. Alternatively, you can manually create the policy center
by creating the site collection and selecting Compliance Policy Center on the Enterprise tab.
6. Select New, type a name, and then complete the following steps to create a rule:
a. Select either permanently delete or delete to the Recycle Bin. The Recycle Bin helps to provide
a second-stage safety net before an item is permanently deleted from a site.
b. Choose whether the deletion date is calculated from the date when a document was created or
when it was last modified.
c. Type a number of days, months, or years as the time frame after which a document will be
deleted.
d. Choose whether the rule is a default rule. The first rule that you create is automatically set as the
default rule. A default rule is automatically applied to all libraries in the sites that use the policy.
7. Click Save.
1. In the Protection Center, in the navigation pane, expand Data management, and then click
Retention. On the Retention page, in the Delete section, click Manage document deletion
policies for sites. The Document Deletion Policy Center opens in a new browser tab.
5. Click Save.
6. Select Manage Assigned Policies, and then select the policy you want to assign.
7. Click Save.
Note: If you want to enforce the policy with no option for site owners to opt out, select the
Mark Policy as Mandatory check box.
1. In the Protection Center, in the navigation pane, expand Data management, click Retention, and
then under Delete, click Manage document deletion policies for sites. The Document Deletion
Policy Center opens in a new browser tab.
4. Select Choose a site collection. You can search for the site collection by name or by URL. After you
find it, select the appropriate site collection, and then click Save.
1. In the Protection Center, in the navigation pane, expand Data management, click Retention, and
then under Delete, click Manage document deletion policies for sites. The Document Deletion
Policy Center opens in a new browser tab.
2. Select either Policy Assignments for Site collections or Policy Assignments for Templates.
4. Select Delete.
5. Click OK.
1. In the Protection Center, in the navigation pane, expand Data management, and then click
Retention.
2. On the Retention page, in the Preserve section, click New, which is the plus sign (+).
4. Select what you want to preserve: Mailbox, SharePoint Online, OneDrive for Business.
5. Click Next.
7. Click Next.
Note: An optional step is to type the keywords you want to search for in the What do you
want to look for? (optional) box.
10. See the overview, and choose whether you want the preservation policy on or off.
1. In the Protection Center, in the navigation pane, expand Data management, and then click
Retention.
Health records
Keywords
DLP policies help you to identify, monitor, and automatically protect sensitive information across Office
365. A DLP policy contains the location of the content to be protected, and these locations might include
Mailboxes, SharePoint Online, or OneDrive for Business. The DLP policy also contains the DLP rules, which
are built through conditions and actions.
1. In the Protection Center, in the navigation pane, expand Security policies, and then click Data loss
prevention.
2. On the Data loss prevention page, click go to the Exchange admin center.
9. Click Save.
1. In the Protection Center, in the navigation pane, expand Security policies, and then click Data loss
prevention.
2. On the Data loss prevention page, click go to the Exchange admin center.
12. Choose between a new rule and one of the predefined rules.
1. In the Protection Center, in the navigation pane, select Security policies, and then click Data loss
prevention.
2. On the Data loss prevention page, click go to the Exchange admin center.
4. Select Reports.
Creating DLP policies for SharePoint Online and OneDrive for Business
You use DLP policies to help protect and manage
your organization’s information across various
locations. For example, you can set up policies to
block access to content, automatically encrypt
documents, or notify users if content is saved to
the wrong location.
Create a DLP policy for SharePoint Online and OneDrive for Business
To create a DLP policy for SharePoint Online and OneDrive for Business, complete the following steps:
1. In the Protection Center, in the navigation pane, expand Security policies, and then click Data loss
prevention.
o New custom policy. This option allows you to create a new custom DLP policy without any
predefined settings.
o Financial. This option helps to detect the presence of information commonly considered to be
financial data.
o Medical. This option helps to detect the presence of information commonly considered to be
related to health records.
o Privacy. This option helps to detect the presence of information commonly considered to be
personally identifiable information.
4. Click Next.
5. Select whether the policy applies to SharePoint Online, OneDrive for Business, or both. You can also
select specific site collections.
6. Click Next.
7. Click New, which is the plus sign (+).
9. Click Options to add the settings for an incident report. Add the severity level, with the available
range from Low to High, and whether to email the incident report to someone.
Note: Before you enforce DLP policies, you should consider rolling them out gradually to
assess their impact.
1. In the Protection Center, in the navigation pane, expand Security policies, and then click Data loss
prevention.
2. Click Edit to edit the policy, or click Delete to delete the policy.
You can find all content and user activity by using Office 365 Advanced eDiscovery—whether that content
and activity exists in Exchange Online, SharePoint Online, or OneDrive for Business—helping to provide
you with unified protection for your Office 365 organization.
6. Click Next.
7. Type the keywords you want to search for, or leave it empty to search for all content.
8. Click Search.
After a search successfully runs, you can prepare the search results for further analysis with Office 365
Advanced eDiscovery. This allows you to analyze large, unstructured data sets and reduce the amount of
data that is relevant to a legal case. The Office 365 Advanced eDiscovery features include:
Near-duplicate detection
Email threading
Predictive coding
Themes
Note: To analyze user data with Office 365 Advanced eDiscovery, the user must have an
Office 365 Enterprise E5 license assigned or the appropriate standalone license. Administrators
and compliance officers who are assigned to cases and use Office 365 Advanced eDiscovery to
analyze data do not need an Office 365 Enterprise E5 license.
1. In the Protection Center, in the navigation pane, select Search & investigation.
3. In the details pane, under Analyze, click Analyze with Equivio Analytics.
4. On the Prepare the search results page, choose if you want only indexed items or all document
versions and if you want a notification message sent to a user when the preparation is ready.
5. Click Start export with Equivio.
1. In the Compliance Center, click eDiscovery, and then click Go to Equivio Analytics.
2. Navigate to the Cases page in Office 365 Advanced eDiscovery.
3. Select the case that you want to add the data to, and then click Go to case.
4. Navigate to the Process page, and then under Container, click the item that corresponds to the
results from your previous search. Note that the titles in the list match the names of searches from the
Protection Center.
5. Click Process to add the selected search results to the case database.
The Protection Center makes a unified audit log search available. The advantage of the audit log search is that you can search user and admin activity from Exchange Online, SharePoint Online, OneDrive for Business, and Azure AD in one place.
User activity in SharePoint Online and OneDrive for Business:
o Sharing activities
o Synchronization activities
Admin activity in Azure AD, the directory service for Office 365:
Additional Reading: For more information, refer to Search the audit log in the Office 365
Protection Center: http://aka.ms/V27n6z.
The Office 365 audit log records activities performed within the last 90 days. Note that after an event
occurs in Exchange Online, Azure AD, SharePoint Online, or OneDrive for Business, there might be some
delay for the corresponding audit log entry to be displayed. The Azure AD audit log contains user, group,
application, domain, and directory activities performed in the Office 365 admin center or in the Microsoft
Azure Management Portal. To run an audit log search, complete the following steps:
1. In the Protection Center, in the navigation pane, select Search & investigation.
5. Optionally configure the users, files, folders, or sites you want to search.
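The same search can be scripted with the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell, which is what you want when reviewing sharing activity across a whole tenant rather than browsing it in the Protection Center. The following is an added example, not code from the course; it assumes the ExchangeOnlineManagement module, an account that holds the View-Only Audit Logs role, and a placeholder sign-in name.

```powershell
# Added example, not part of the course: search the unified audit log for SharePoint
# Online and OneDrive for Business sharing activity, page through the results, and
# extract the fields an investigator needs from the AuditData JSON.
# Assumptions: ExchangeOnlineManagement module, View-Only Audit Logs role,
# placeholder sign-in name.
Connect-ExchangeOnline -UserPrincipalName holly@adatumyyxxxxx.onmicrosoft.com

# Only the last 90 days are retained, so StartDate cannot reach further back
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# A single call returns at most 5000 entries; a session ID lets you keep calling
# until an empty page comes back
$sessionId = 'sharing-review-' + (Get-Date -Format 'yyyyMMddHHmmss')
$entries = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointSharingOperation `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $entries += $page
} while (@($page).Count -gt 0)

# AuditData is a JSON document whose fields depend on the workload
$findings = foreach ($e in $entries) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When       = $e.CreationDate
        User       = $d.UserId
        Operation  = $d.Operation              # SharingSet, AnonymousLinkCreated, SharingInvitationCreated ...
        SharedWith = $d.TargetUserOrGroupName
        Type       = $d.TargetUserOrGroupType  # Guest for recipients outside the organization
        Item       = $d.ObjectId
        ClientIP   = $d.ClientIP
    }
}

# Triage: anonymous links and shares to guests first, newest on top
$findings |
    Where-Object { $_.Operation -eq 'AnonymousLinkCreated' -or $_.Type -eq 'Guest' } |
    Sort-Object When -Descending |
    Format-Table -AutoSize

# Keep the full set for the case file
$findings | Export-Csv -Path .\sharing-review.csv -NoTypeInformation
```

Because entries can appear in the log some time after the event, run a search that matters for an investigation with an EndDate a little later than the window you care about, and export the raw AuditData rather than only the summarized fields if the result may be needed as evidence.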
x A unique name
x A delete action
A create action
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
Preservation policies help to keep the content you need by preserving email
and documents.
T
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 75 Minutes
Password: Pa$$w0rd
LON-DC1:
LON-CL1:
2. Use the following commands to connect to Exchange Online with remote Windows PowerShell. Use Holly's credentials to connect.
$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
3. Use the following command to set the IRM sharing location to the region you are in.
Note: Depending on the location of your tenant, replace the link in the preceding
command with one of the following:
4. Use the following command to configure Azure RMS as a trusted publishing domain.
5. Use the following command to set the IRM configuration for licensed users only.
7. Remove the remote Windows PowerShell session, and then close Windows PowerShell.
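The cmdlets that steps 3 to 7 refer to are shown below as an added example, not the course's own lab code. It connects with Connect-ExchangeOnline (modern authentication) rather than the Basic-authentication remote PowerShell session above, because Microsoft retired Basic authentication for that endpoint after this course was written. It assumes the ExchangeOnlineManagement module and a placeholder sign-in name; the key sharing location is the North America URL and is an assumption for this tenant.

```powershell
# Added example, not part of the course: the Exchange Online IRM configuration that
# lab steps 3 to 7 describe, using Connect-ExchangeOnline (modern authentication).
# Assumptions: ExchangeOnlineManagement module, placeholder sign-in name, and a
# North America tenant for the key sharing location.
Connect-ExchangeOnline -UserPrincipalName holly@adatumyyxxxxx.onmicrosoft.com

# Step 3: RMS Online key sharing location for the tenant's region. Other regions use
# sp-rms.eu.aadrm.com (Europe) and sp-rms.ap.aadrm.com (Asia Pacific).
Set-IRMConfiguration -RMSOnlineKeySharingLocation 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'

# Step 4: import Azure RMS as a trusted publishing domain
Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'

# Step 5: enable IRM for licensed (internal) users only
Set-IRMConfiguration -InternalLicensingEnabled $true

# Verify the configuration, the templates that were imported, and whether a sender
# can obtain a license before you test from Outlook
Get-IRMConfiguration | Format-List InternalLicensingEnabled, ExternalLicensingEnabled, RMSOnlineKeySharingLocation
Get-RMSTemplate | Format-Table Name, Description
Test-IRMConfiguration -Sender holly@adatumyyxxxxx.onmicrosoft.com

# Step 7: end the session
Disconnect-ExchangeOnline -Confirm:$false
```

Test-IRMConfiguration is the check to run if the Do Not Forward option in step 4 of the next task is missing or greyed out: it reports which of the template download, licensing and encryption steps fails for that sender.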
3. Open Outlook 2016. Create a new message for Brad Sutton. On the Options tab, click Permission,
and then connect to the Rights Management server to get templates.
4. Click Permission again, apply the Do not Forward policy, and then send the message.
7. Enable Information Rights Management (IRM), and then configure a policy with the following
settings:
10. Check Brad’s email, and then verify that you received an email from Holly that is IRM protected. Click
the message.
11. Verify that you do not have the option to forward or print the message.
13. Open the document in the Documents library, and then verify that you get a message that the
document is read-only.
To test in SharePoint Online, save a document to the Team site, and then on the File tab, click Info, and then click Protect Document.
Results: After completing this exercise, you will have configured Rights Management for Exchange Online
and SharePoint Online.
2. In the Office 365 admin center, click Compliance, and then open the Protection Center.
3. In the Protection Center, configure Brad Sutton as a Compliance Administrator and Christie Thomas
as an eDiscovery Manager.
DPT:
Personal tag:
Personal tag:
2. Verify that Brad does not have permission to configure SharePoint Online deletion settings. Close
Microsoft Edge.
5. On the Compliance Policy Center page, edit Sample Document Policy by using the following
settings:
b. Create a new rule named Delete Messages at 7 years that will permanently delete messages
seven years after they were created.
6. On the Compliance Policy Center page, click Policy Assignments for Site Collections.
7. Apply Marketing Document Policy to the Marketing site collection, and then mark the policy as
mandatory.
8. On the Retention page, under Preserve, create a new preservation policy as follows:
a. Type Retain contract details as the policy name, and then click Next.
b. Make sure that the search locations include Francisco Chaves’s mailbox and the https://adatumyyxxxxx.sharepoint.com/sites/AcctsProj/ site collection.
2. In the navigation pane, click Security Policies, and then click Data loss prevention.
3. Create a new DLP policy from a template with the following settings:
o Configure the policy to send notifications and provide policy tips for users.
2. In the Protection center, click Security Policies, and then click Data Loss Prevention.
3. On the Data loss prevention page, click go to the Exchange admin center.
c. Create a new rule that will Block messages with sensitive information unless the sender
overrides.
f. If the user overrides the block, configure the email to use rights protection.
2. Send a new email to your Microsoft account with a subject of Server IP address and a message body
of 10.10.10.10.
3. Access Christie’s mailbox, and then verify that she has an In-Place Archive.
4. Verify that she received a notification about the message that Brad sent to your Microsoft account.
Results: After completing this exercise, you will have implemented the Office 365 compliance features.
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
Best Practice: Security enhancement is a continuous process. Good planning and tenant
preparation helps to secure the environment for users.
Module 12
Monitoring and troubleshooting Microsoft Office 365
Contents:
Module Overview 12-1
Module Overview
As an administrator, you regularly need to monitor Microsoft Office 365 services and troubleshoot any
issues that result in service interruptions. In this module, you will learn about the different troubleshooting
and monitoring options that are available for Office 365.
Objectives
After completing this module, you will be able to:
Lesson 1
Troubleshooting Office 365
You can use several tools to troubleshoot a cloud service. In this lesson, you will learn about some
common tools that you can use to troubleshoot Office 365. Additionally, you will learn about some
self-service tools that you can use to analyze Office 365 issues.
Lesson Objectives
After completing this lesson, you will be able to:
Common issues with Office 365 relate to connectivity and network settings. Often a service is working, but your users cannot connect to it; a typical cause is a change to on-premises firewall settings that blocks the endpoints the service needs. For such issues, Microsoft provides troubleshooting tools.
In the Office 365 admin center, in the navigation pane, you can find the following menu items that relate
to Office 365 troubleshooting and monitoring:
Health
o Service Health
o Message Center
Support:
o Overview
o Service Requests
Reports
Admin centers
When you sign in to the Office 365 admin center, you get an overview of the tenant’s service health. The
Service Health dashboard is divided by service. This allows you to see details about affected services.
Details include an overview of each service and the logs from the past 30 days. If your organization uses
an internal monitoring solution that can consume health status notifications via an RSS feed, then you also
can subscribe to the service health status via RSS.
Additional Reading: For information on which tools you should use for specific Office 365
problems, refer to Tools and Diagnostics: http://aka.ms/ude7mv.
Note: To administer Office 365 with a mobile device, Microsoft provides the Office 365
Admin app for Windows Phone 8 and later, which you can download: http://aka.ms/kiapdx.
The Microsoft Remote Connectivity Analyzer website provides a set of tools for identifying common
connectivity issues with Microsoft Exchange Server, Skype for Business, Microsoft Lync, and Office 365.
Not all tests in the Microsoft Remote Connectivity Analyzer are for Office 365 only; several tests are also
for on-premises systems. You can access several tests from the tabs in the Microsoft Remote Connectivity
Analyzer website.
Note: Not all occurrences of Lync in the Microsoft websites and tools have been replaced
by Skype for Business at the time of writing this module.
Office 365 tab. This includes all the tests from the Exchange Server tab, in addition to the tests mentioned below:
Office 365 General Tests:
o Office 365 Exchange Domain Name Server (DNS) Connectivity Test
o Office 365 Lync Domain Name Server (DNS) Connectivity Test
o Office 365 Single Sign-On Test
Free/Busy Test:
o Free/Busy
Client tab. This tab points to tools that run on the client computer:
o Microsoft Office 365 Support and Recovery Assistant. This is a new tool that users can run to fix common Office 365 problems. At the time of writing this module, the tool focused on problems with Outlook.
o Microsoft Office 365 Client Performance Analyzer. This tool checks for network connectivity from a client to Office 365 services to identify issues that affect network performance between client PCs and Office 365.
o Microsoft Lync Connectivity Analyzer Tool.
Message Analyzer tab. The Microsoft Message Analyzer strips down message headers and displays the included values in a readable form. You can strip down an email’s message header by pasting the message header in the text box and clicking Analyze headers.
After a test completes, the Microsoft Remote Connectivity Analyzer provides a detailed log on the test
steps that passed successfully and the steps that failed, followed by a suggested resolution. You can save
this log information to the Clipboard or to an XML or HTML file. For most tests, a Tell me more about
this issue and how to resolve it link is available that provides additional information, which might help
you fix the issue.
The Microsoft Office 365 Support and Recovery Assistant tool provides a wizard that presents a series of
questions that guide you into identifying the issue that you are experiencing, and then provides potential
solutions to your issue. At the time of writing this module, the tool helped troubleshoot issues related to:
Office setup
Outlook
Mobile devices
Outlook on the web
You can install the Microsoft Office 365 Support and Recovery Assistant tool from the Microsoft Remote
Connectivity Analyzer website at http://testconnectivity.microsoft.com. The prerequisites for the Microsoft
Office 365 Support and Recovery Assistant tool include:
o Windows 10
o Windows 8
o Windows 7
o Windows Vista
Lync (Skype for Business) diagnostics require the Unified Communications Managed API (UCMA) 4.0
runtime, which only runs on 64-bit operating systems.
o Microsoft Edge
o Internet Explorer
The Microsoft Office 365 Support and Recovery Assistant tool is similar to the Microsoft Remote
Connectivity Analyzer in that it provides a log with the test steps that passed successfully and the steps
that failed, and it then provides a Tell me more about this issue and how to resolve it link that makes
suggestions to help fix any reported issues. You can save the log as MCATestResults.html.
Message Analyzer
Email messages transmit between mail servers by using Simple Mail Transfer Protocol (SMTP). SMTP message headers contain information that records the origins of a message and its path through one or more SMTP servers to its destination. The Message Analyzer feature can display the contents of these headers and help diagnose any email transfer issues. All Message Analyzer processing occurs in the browser, and no additional software is necessary. You can use the Message Analyzer on any SMTP header, whether Exchange, Office 365, or any other SMTP server or agent generates it.
1. Note the reason for the failure, such as “NonExistentDomain” or “550 Requested action not taken:
mailbox unavailable”.
4. Paste the message in the text box, and then click Analyze headers.
5. Diagnostic information and the time taken for the message to be rejected will display in the Message
Analyzer.
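What the Message Analyzer does with the pasted header can be reproduced offline, which is useful when you want to script the same check over many messages. The following added example (not code from the course) parses a constructed SMTP header block, unfolds the continuation lines, lists the Received hops in delivery order with the delay introduced at each hop, and prints the Authentication-Results header that a spoofing investigation starts from. The header block, host names and addresses are all constructed for the example.

```powershell
# Added example, not part of the course: an offline equivalent of the Message
# Analyzer header view. The header block below is constructed, not a real message.
$rawHeaders = @'
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (10.10.10.10)
 by LON-EX1.adatum.com with ESMTPS; Mon, 6 Jun 2016 09:15:42 +0000
Received: from mail.fabrikam.example (192.0.2.25) by
 EUR01-HE1-obe.outbound.protection.outlook.com with ESMTP; Mon, 6 Jun 2016 09:13:05 +0000
Authentication-Results: spf=fail (sender IP is 192.0.2.25) smtp.mailfrom=adatum.com;
 dkim=none; dmarc=fail action=quarantine header.from=adatum.com
From: "Holly Dickson" <holly@adatum.com>
To: brad@adatum.com
Subject: Urgent wire transfer
Message-ID: <20160606091300.1234@mail.fabrikam.example>
'@

function Unfold-Headers([string]$text) {
    # RFC 5322 folding: a line that starts with whitespace continues the previous header
    $out = @()
    foreach ($l in ($text -split "`r?`n")) {
        if ($l -match '^\s' -and $out.Count -gt 0) { $out[-1] += ' ' + $l.Trim() }
        elseif ($l.Trim() -ne '') { $out += $l }
    }
    $out
}

function Get-ReceivedHops([string[]]$headers) {
    $hops = @(foreach ($h in $headers) {
        if ($h -match '^Received:\s*(.*)$') {
            $v = $Matches[1]
            $from = if ($v -match '^from\s+(\S+)(?:\s+\((\S+?)\))?') { "$($Matches[1]) $($Matches[2])".Trim() } else { '?' }
            $by   = if ($v -match '\bby\s+(\S+)') { $Matches[1] } else { '?' }
            # The timestamp follows the last ';'. Rewrite "+0000" as "+00:00" so ParseExact accepts it.
            $ts = (($v -split ';')[-1].Trim()) -replace '([+-]\d{2})(\d{2})$', '$1:$2'
            $when = [datetimeoffset]::ParseExact($ts, 'ddd, d MMM yyyy HH:mm:ss zzz', [cultureinfo]::InvariantCulture)
            [pscustomobject]@{ From = $from; By = $by; Time = $when; DelaySec = 0 }
        }
    })
    # Each server prepends its Received header, so the last one in the text is the first hop
    [array]::Reverse($hops)
    for ($i = 1; $i -lt $hops.Count; $i++) {
        $hops[$i].DelaySec = [int]($hops[$i].Time - $hops[$i - 1].Time).TotalSeconds
    }
    $hops
}

$headers = Unfold-Headers $rawHeaders
Get-ReceivedHops $headers | Format-Table From, By, Time, DelaySec -AutoSize

# spf=fail or dmarc=fail with a header.from of your own domain points at spoofing,
# not at a transfer problem, and is the first thing to read in a reported phish
$headers | Where-Object { $_ -match '^Authentication-Results:' }
```

For the constructed header above the output shows a 157-second delay at the Exchange Online Protection hop and an SPF and DMARC failure for a message claiming to be from adatum.com but handed in by mail.fabrikam.example. Trust only the Received headers added by servers you control: everything below them in the chain was written by the sender and can be forged.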
Delivery reports
Delivery reports provide an alternative method for tracking email delivery. You can run them at the
Exchange Server or Office 365 level or within Outlook on the web to track personal messages.
Two kinds of delivery reports are available: the reports that generate when you perform message tracing
with the Exchange Online message trace tool and personal delivery reports.
The Exchange Online message trace tool in the Exchange admin center
To run the Exchange Online message trace tool from the Exchange admin center, perform the following
steps:
2. In message trace, next to Sender, click add sender, and then select the users to trace.
o Last 24 hours
o Last 48 hours
o Last 7 days
4. Under Delivery status, select one of following statuses or search for all:
o Delivered
o Failed
o Pending
o Expanded
o Unknown
5. Optionally, provide a Message ID to narrow the search based on a specific Internet message ID,
which is also known as the client ID. The sending mail system generates this ID, and it is in the header
of the message with the "Message-ID:" token. Specify the full message ID of the message, which
might include angle brackets (< >).
6. Click search.
7. Double-click any returned message to view the sender, recipient, message size, message ID, IP
address information, and delivery status. The Exchange Online Message trace tool then displays a
series of events that are associated with the message; for example, RECEIVE, SUBMIT, and SEND for a
successful message; or RECEIVE, SUBMIT, and FAIL for a message that could not deliver.
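The message trace is also available from Exchange Online PowerShell, which is the practical way to trace more than a handful of messages or to pull the event detail for every failure at once. The following is an added example, not code from the course; it assumes Connect-ExchangeOnline has already been run and uses placeholder addresses and a placeholder Message-ID.

```powershell
# Added example, not part of the course: the message trace from Exchange Online
# PowerShell. Assumes an existing Connect-ExchangeOnline session; addresses and the
# Message-ID are placeholders.
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Get-MessageTrace covers roughly the last 10 days; PageSize caps one page at 5000
$trace = Get-MessageTrace -SenderAddress brad@adatumyyxxxxx.onmicrosoft.com `
    -StartDate $start -EndDate $end -PageSize 5000

# Summary by delivery status (Delivered, Failed, Pending, Expanded, Quarantined, FilteredAsSpam ...)
$trace | Group-Object Status | Select-Object Name, Count

# For every failure, the event chain (RECEIVE, SUBMIT, FAIL ...) and the reason text
$trace | Where-Object Status -eq 'Failed' | ForEach-Object {
    Get-MessageTraceDetail -MessageTraceId $_.MessageTraceId -RecipientAddress $_.RecipientAddress |
        Select-Object @{ n = 'Subject'; e = { $_.MessageSubject } }, Date, Event, Detail
}

# One message by its Internet Message-ID, angle brackets included
Get-MessageTrace -MessageId '<20160606091300.1234@mail.fabrikam.example>' -StartDate $start -EndDate $end |
    Format-Table Received, SenderAddress, RecipientAddress, Status, FromIP -AutoSize
```

The FromIP column of the summary is the connecting server's address as seen by Exchange Online, which is the value to compare against the Received headers when a user reports a message as suspicious.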
To run personal delivery reports in Outlook on the web, perform the following steps:
2. On the Options page, click organize email, and then click delivery reports.
Note: At the time of writing this module, the Options menu for Outlook on the web was
changing. You might have to access the earlier version of the Options menu to view delivery
reports. To do this, on the Settings menu, under My app settings, click Mail. On the Options
page, click Other, and then click Go to earlier version.
Note: Personal delivery reports provide limited options when compared to Office 365
message trace delivery reports. For example, individual users cannot search all mailboxes, they
can only search for messages in their own mailbox.
After selecting the appropriate option, the troubleshooter displays a series of items to check or test, along
with suggested solutions and relevant links if an item matches the tester's situation.
Do-it-yourself troubleshooter
If something is not working correctly in an Office 365 environment, a good starting point is to use the Office 365 troubleshooter, also known as the do-it-yourself troubleshooter, for initial diagnosis.
1. Select the service with which you are having issues, such as Exchange Online.
o You receive a "One or more users need an assigned license in order to retain an Exchange
Online mailbox or archive" message on the Users page of the Office 365 portal
Note: Microsoft updates the troubleshooter periodically. Microsoft regularly adds new self-
service troubleshooting steps for services such as Office 365 Groups, Skype for Business, Microsoft
Office Delve, Microsoft Office Sway, and all other Office 365 services.
Which of the following are options or tools that you can use for monitoring and troubleshooting
Office 365?
x Service Health
Protection Center
x Service Requests
Notification Center
Alert Center
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
The Microsoft Office 365 Support and Recovery Assistant is a new tool that users can run to fix common Outlook problems.
T
Lesson 2
Monitoring Office 365 service health
In Office 365, you can monitor service health by using tools such as the RSS feed and the Service Health
dashboard. These tools provide information about planned maintenance, service updates, and historical
data. In this lesson, you will learn how to use these tools to monitor service health.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the importance of service health information in the Office 365 dashboard.
Explain how to monitor Office 365 with Microsoft System Center Operations Manager (Operations
Manager).
Normal service. This indicates that the service is available and suffered no incidents during the
reporting period. The icon for this status does not link to any additional information.
Extended recovery. This indicates that steps have completed to resolve the service incident. However,
it will take an extended period for service operations to return to normal. During this time, some
service behaviors might take longer than normal to complete.
Service restored. This indicates that an incident was active earlier today, but the service was restored.
Service interruption. This indicates that the service is not functioning, and users cannot access the
service.
Additional information. This indicates that an incident was active during a previous day. The incident
might be resolved or it might still be active.
Service degradation. This indicates that the service is slow or is occasionally unresponsive for brief
periods.
PIR published. This indicates that a post-incident report (PIR) for the service incident has been published.
Restoring service. This indicates that the service incident is being resolved.
Note: In the unlikely event that the Office 365 admin center is not available, there is a
separate link to the Service Health dashboard: http://aka.ms/vlkz7v. If the issue relates to Azure
AD, for example sign-in issues, refer to: http://aka.ms/kfxpxv.
The table that you access from the Support page displays status information for the current day and the
previous six days. This table shows the status of each of the online service components, and you can click
the status icons for more information.
You can also click View history to see further historical service health data. On the history page, you can
see specific incidents that have occurred within the last 30 days and the categories they come under,
including Office 365 Portal, Identity Service, Skype for Business Online, and Exchange Online.
To see specific incident details, find the incident in the calendar, and then click it, which gives you
chronological data about the outage or issue and any resolution to the problem. If a post-incident report
has published, you can also download or view the report for more details.
Note: The Service health page only includes information about the health of your online
services; it does not cover other items, such as network infrastructure issues.
Planned maintenance
You can view information about any upcoming Office 365 maintenance tasks in the Support page. This
page displays the date and time of any planned maintenance, and you can click the link for each
maintenance task for more information.
RSS feeds
Office 365 also provides a link to an RSS feed for Office 365 service health. You can add the feed to your Common RSS Feed List and view it in programs that use the Common RSS Feed List, such as Microsoft Edge and Outlook. The feed updates each time a new incident event is added or an existing incident event is updated.
Mailbox access by non-owners. This report returns a list of mailboxes that anyone other than the owners of the mailboxes accessed. This report generates from an audit log that logs information such as the person who accessed the mailbox, when they accessed it, what actions they performed, and whether their actions were successful or not.
Role group changes. This report returns a list of all the changes made to Office 365 role groups by administrators in your organization. This report generates from an audit log that logs information about who made the change, when they did it, and what the change was.
Mailbox content search and hold. This report returns a list of all the mailboxes that were put on hold or were removed from In-Place Hold or In-Place eDiscovery. It contains additional information about who put the mailbox on hold and when they did it.
Mailbox litigation holds. This report returns a list of all changes made to per-mailbox litigation holds. This report generates from an audit log that logs information about who enabled or disabled litigation hold on a mailbox and when they did it.
1. Open the Windows PowerShell command-line interface, and then connect to Exchange Online.
2. At the command prompt, type the following command, and then press Enter:
To enable mailbox audit logging for all users’ mailboxes, perform the following steps:
2. At the command prompt, type the following command, and then press Enter:
3. At the command prompt, type the following command, and then press Enter:
Note: For more information on how to connect to Exchange Online by using remote
Windows PowerShell and how to enable mailbox auditing in Office 365, refer to Enable mailbox
auditing in Office 365: http://aka.ms/kna8cb.
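The commands that the two procedures above refer to, together with a search of the resulting log, are shown below as an added example, not the course's own code. It assumes an existing Connect-ExchangeOnline session run by an account with the Organization Management role; the mailbox names and the report recipient are placeholders.

```powershell
# Added example, not part of the course: enable mailbox audit logging for one
# mailbox and for all user mailboxes, then search the log for non-owner access.
# Assumptions: existing Connect-ExchangeOnline session, Organization Management
# role, placeholder mailbox names and report recipient.

# One mailbox. By default only admin and delegate actions are logged; owner logon
# and deletions are worth adding for mailboxes that attract attention.
Set-Mailbox -Identity 'Brad Sutton' -AuditEnabled $true `
    -AuditLogAgeLimit 180 `
    -AuditOwner MailboxLogin, HardDelete, SoftDelete, MoveToDeletedItems `
    -AuditDelegate SendAs, SendOnBehalf, Update, HardDelete, SoftDelete, MoveToDeletedItems `
    -AuditAdmin @{ add = 'Copy' }

# All user mailboxes in the tenant
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180

# Confirm that nothing was missed
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress

# Synchronous search: the data behind the "Mailbox access by non-owners" report,
# here for the last 30 days on one mailbox
Search-MailboxAuditLog -Identity 'Brad Sutton' -LogonTypes Admin, Delegate `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation, ItemSubject, ClientIPAddress |
    Sort-Object LastAccessed -Descending |
    Format-Table -AutoSize

# Asynchronous search: results are mailed to the recipients as an XML attachment
New-MailboxAuditLogSearch -Name 'Non-owner access review' -Mailboxes 'Brad Sutton' `
    -LogonTypes Admin, Delegate `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -StatusMailRecipients 'compliance@adatumyyxxxxx.onmicrosoft.com' -ShowDetails
```

Mailboxes created after this runs are not covered, so re-run the tenant-wide Set-Mailbox on a schedule or as part of user provisioning; an unaudited mailbox is exactly the one that cannot be investigated later.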
Mail reports
Several mail-related reports are available under the Mail section on the Reports page in the Office 365 admin center. The following list describes some of these reports.
Active and inactive mailboxes. This report shows the number of active and inactive mailboxes over a period. A mailbox is considered inactive if a user has not accessed it for more than 30 days.
New and deleted mailboxes. This report shows the number of active, new, and deleted mailboxes.
New and deleted groups. This report shows the number of created and deleted groups.
Mailbox usage. This report shows the total number of mailboxes, inactive mailboxes, mailboxes that have exceeded their storage quota, and mailboxes that are currently using less than a quarter of their storage quota.
Types of mailbox connections. This report shows the number of mailbox connections made over time, grouped by connection type, such as Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), and Outlook on the web.
All of these reports display as charts, and they provide links to view each chart as a table instead. Some of
the reports have clickable links that display the information on a daily, weekly, monthly, or yearly basis.
Protection reports
Several protection-related reports are available under the Protection section on the Reports page in the
Office 365 admin center. The following table lists some of these reports.
Top senders and recipients. This report shows a list of top email users. You can view which users are:
o Top mail senders.
o Top mail recipients.
o Top spam recipients.
o Top malware recipients.
Top malware for mail. This report shows the number of malware detections in received mail before the malware action applied. It also displays a list of top malware recipients, showing each recipient’s email address and a count of received malware.
Malware detections. This report shows the number of malware detections in sent mail before the malware action applied.
Spam detections. This report shows the number of detected spam messages grouped by spam filtering type, such as SMTP blocked, IP blocked, and Content filtered. It also displays a list of top spam recipients, showing each recipient’s email address and a count of received spam emails.
Sent and received mail. This report shows received mail grouped by the type of traffic, such as Good mail, Malware detections, Spam detections, and Rule messages. Rule messages are received and sent messages that match at least one transport rule or data loss prevention (DLP) policy.
All of these reports display as charts, and they provide links to view each chart as a table instead.
Additionally, they all have clickable links to enable the chart to display the information over seven-day,
14-day, 30-day, or custom date periods. All dates and times are in Coordinated Universal Time (UTC).
The download installs a Microsoft Excel 2013 reporting workbook that provides a comprehensive view of
the email protection information that is also available on the Reports page of the Office 365 admin
center.
To use the mail protection reports workbook for Office 365, perform the following steps:
1. On the desktop, double-click the Mail Protection Reports for Office 365 shortcut.
3. Select one of the worksheet tabs in the workbook, and then click the Query button in the worksheet.
The workbook contains summary graphs for various types of email message filtering and includes
information about messages that were identified as good mail, spam, or malware. It also displays graphs
for messages that were identified by a transport rule or a DLP policy.
You also can use data slicers in Excel 2013 to perform deeper data analysis. If you notice specific trends or
unusual activities in the data, you can get more detailed information from the report by running queries
on the other tabs in the workbook and viewing more detailed information about the messages
themselves.
Note: The Mail Protection Reports for Office 365 Excel Plugin currently only works with
Excel 2013 and not with Excel 2016.
Auditing cmdlets
New-MailboxAuditLogSearch. Search the contents of the mailbox audit log and send the results to the recipients that you specify.
Message tracking cmdlets
Get-MessageTrackingReport. Return the data for a specific message tracking report. This cmdlet requires you to specify the ID for the message tracking report that you want to view. Therefore, you first need to use the Search-MessageTrackingReport cmdlet to find the message tracking report ID for a specific message. You then pass the message tracking report ID from the output of the Search-MessageTrackingReport cmdlet to the Get-MessageTrackingReport cmdlet.
Additional Reading: To view a list of all Exchange Online Protection cmdlets, refer to:
http://aka.ms/i09sv9.
2. Here, you can see your current service requests and you can click the plus sign (+) above the list to
create new service request. When you click to create new service request, the Support Overview
page appears.
3. On the Support Overview page, select the topic for the service request. Find the common topics in
the Create a service request column. You can expand the list by clicking More at the end of the list.
Note: If you create a new service request about an issue that Microsoft is investigating
currently, you will see a corresponding note such as “We're investigating a problem that may
be related to your issue. Go to Service health to see if this is the same problem your users are
having. If so, you may not need to create a service request,” followed by the topic, for example,
“Exchange - In extended recovery - EX41924.” You then can decide if you still want to create a
new service request.
5. On the New service request page, under identify the issue, select the feature (for example, Mail
Flow), and the symptom (for example, I received a non-delivery report (NDR) for an email I sent).
Depending on the selections, the issue form expands and shows more text boxes. Fill out the text
boxes, and then click Next.
6. Click the Review suggestions links to view possible solutions for the specified problem. You should
read these before proceeding with the service request because the issue might be a common issue
that you can resolve without requesting additional support.
Note: If a service is unavailable, you should check the Service Health dashboard before
opening a new service request. If a service appears to be unavailable but there are no reports in
the Service Health dashboard, you should call the Office 365 support phone number for your
country or region.
7. On the Add details page, you then add further information to the service request, including a
summary, issue details, service availability, and the number of affected users. You can also attach
additional files to that service request. Include screenshots of any errors or other relevant documents
with the service request. Note that these files must be smaller than 5 megabytes (MB) each. Click
Next.
8. On the Confirm and submit page, check the email address and the phone number that the
Microsoft support team can use to contact you. Your data will already be filled out from your user
sign-in information. Correct the data if necessary. Click Submit request to submit the service request.
A reference number for the request is provided, and the new request will be listed in the service requests
list. Service requests pass directly to a support representative, who will respond with an email message.
The target initial response time for a new service request depends on both the severity level of the issue
and the Office 365 subscription type, as highlighted in the table below.
Microsoft assigns a severity level to a service request when it opens, based on the type of Office 365
subscription, an assessment of the issue type, and the customer impact. The three types of severity are:
Severity A (Critical). This is assigned when one or more services are not accessible or are unusable.
Severity B (High). This is assigned when the service is usable but in an impaired state.
Severity C (Non-critical). This is assigned when the issue is important but does not currently have a
significant impact on the service or productivity.
The following table shows the availability and response times for the three severity types, depending on
the Office 365 plans.
Severity level | Office 365 for Enterprises and Government plans | Office 365 Business and Education plans
Severity A (Critical) | Available: 24 hours a day, seven days a week*. Response time: one hour | Available: 24 hours a day, seven days a week*. Response time: one hour
* Office 365 support teams take calls and service requests 24 hours a day, seven days a week. This service
depends on the region and is available in most countries.
Elevated support provides additional support options and service level agreements (SLAs) over the
standard Office 365 support. Elevated support can include service update management, end-to-end
support for clients and services, reactive and advisory services from advanced engineers, incident
management, and on-site workshops that Microsoft Premier Support Services or Microsoft partners
provide.
After you submit a service request, any further actions that the support representatives require, such as
requests for additional information, display as “Action required” in the list of open requests on the Service
requests page. It is important to close the request when an issue is resolved or assistance is no longer
necessary.
You must import the Office 365 management pack for Operations Manager into System Center. After you
add an Office 365 subscription, the management pack offers monitoring for services such as:
Subscription health
Service status
Alerts
Additional Reading: For more information on how to obtain and set up this management
pack, refer to System Center Management Pack for Office 365: http://aka.ms/it7q1b.
A service in the Service Health dashboard can have which of the following statuses?
x Normal service
Service anomaly
x Extended recovery
x Investigating
Operations aborted
Via email
x Via phone
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, 20347A-LON-CL1
Password: Pa$$w0rd
In all of the tasks, where you see references to “Adatumyyxxxxx.onmicrosoft.com”, replace
“Adatumyyxxxxx” with your unique Office 365 name that displays in the online lab portal.
LON-DC1:
LON-DS1:
2. Go to Outlook on the web, and then create an email to user@alt.none with any subject and body
text.
3. Browse to testconnectivity.microsoft.com.
4. Click the Message Analyzer tab, paste the content, and then click Analyze headers.
5. Note the diagnostic information and the time taken for the message to be rejected.
4. Under Delivery status, select Failed, and then click Search. Note the two messages.
5. Note the differences between the message processing events: Receive, Submit, Spam Diagnostics, and
Fail for the nonexistent domain, and Submit, Receive, Spam Diagnostics, and Fail for the nonexistent
user.
Results: After completing this exercise, you should have used the Message Header Analyzer to identify
why email failed to deliver.
o Mailbox usage
o Malware detections
o Spam detections
Results: After completing this exercise, you should have monitored the health of Office 365 services and
viewed reports in the Office 365 admin center.
Question: How would you view all the failed messages for a group of users?
Question: What is the first tool you will use to search for service incidents and failures?
Module 13
Planning and configuring identity federation
Contents:
Module Overview 13-1
Module Overview
In this module, you will learn how to plan and configure identity federation. While there are multiple
identity models for Office 365, Active Directory Federation Services (AD FS) provides identity federation
between on-premises Active Directory Domain Services (AD DS) and Microsoft Azure Active Directory
(Azure AD). This identity model enables multiple features with the cloud provider, including single sign-on
(SSO) with Office 365.
Objectives
After completing this module, you should be able to:
Describe how identity federation works, and how you can use AD FS to implement identity federation.
Describe hybrid solutions for Microsoft Exchange Server, Microsoft Skype for Business Server, and
Microsoft SharePoint Server.
Lesson 1
Understanding identity federation
Before you begin designing your AD FS deployment, you must understand how identity federation works,
and the advantages this identity model provides you. You will learn the core components, the various
topologies, and how you can use AD FS to implement authentication, using federated identities, in
Office 365.
Lesson Objectives
After completing this lesson, you should be able to:
Describe the underlying technologies – Security Assertion Markup Language (SAML) tokens, and
security token service.
Describe AD FS, and how you can use it to implement identity federation.
Describe how SSO works with Office 365 – web clients, Microsoft Outlook, and Skype for Business.
Compare identity federation, directory synchronization, and password synchronization and explain
why an organization would choose one option over another.
Claims-based authentication
When you consider identities such as Integrated Windows authentication, Kerberos authentication, or
NT LAN Manager (NTLM), you most likely think about Microsoft Windows user accounts and groups. When
you consider identities in Active Server Pages (ASP), such as the ASP.NET membership and roles provider,
you probably think about user names, passwords, and roles. When you consider what the different
authentication mechanisms have in common, you can abstract the individual elements of identity and
access control into two parts: a single, general notion of claims, and the concept of an issuer or an
authority.
A claim is a statement that one subject makes about itself or another subject. For example, the statement
can be about a name, identity, key, group, privilege, or capability. Claims are issued by a provider, are
given one or more values, and then packaged in security tokens that are issued by an issuer, commonly
known as a security token service (STS). You can think of a security token as an envelope that contains
claims about a user.
Additional Reading: For a full list of definitions of terms associated with claims-based
identity, see Claims-based identity term definitions at http://aka.ms/wnc2ys.
Thinking in terms of claims and issuers is a powerful abstraction that supports new ways of securing your
applications. Because claims involve an explicit trust relationship with an issuer, your application believes a
claim about the current user only if it trusts the entity that issued the claim. Trust is explicit in the claims-
based approach—not implicit as in other authentication and authorization approaches with which you
might be familiar. The following table shows the relationships between security tokens, claims, and issuers.
The claims-based approach to identity makes it easier for users to sign in using Kerberos authentication
where it makes sense. However, it is just as easy for them to use one or more (perhaps more Internet-
friendly) authentication techniques, without you having to recode, recompile, or even reconfigure your
applications. You can support almost any authentication technique. Some of the more popular
authentication techniques are Kerberos authentication, forms authentication, X.509 certificates, smart
cards, and other information-type cards.
Here are a few situations in which claims-based identity might be the right choice for you. You might
have web-facing applications that are used by people who do not have accounts in your Active Directory
domain. Another reason might be that your company has merged with another company and you are
having trouble authenticating across two AD DS forests that do not have a trust relationship. Perhaps you
want to share identities with another company that has non–.NET Framework applications or you need to
share identities between applications running on different platforms. Another situation might be an
application that needs to send email to the authenticating user or an email to their manager.
Claims-based identity allows you to factor out the authentication logic from individual applications.
Instead of the application determining who the user is, it receives claims that identify the user.
Federated trusts
At this point, you have learned about claims-based identity where the issuer directly authenticates the
users to a claims-based application. However, you can take this one step further. You can expand your
issuer's capabilities to accept a security token from another issuer, instead of requiring the user to
authenticate directly. Your issuer would issue security tokens and accept security tokens from other issuers
that it trusts. This enables you to federate identity with other realms, which are separate security domains.
Managing a role database for remote users is just as difficult. Imagine Alice, who works for a partner
company and uses your purchasing application. On the day that your information technology (IT) staff
provisioned her account, she worked in the purchasing department, so the IT staff assigned her the role of
Purchaser, which granted her permission to use the application. However, because she works for a
different company, how will your company be able to find out if she transfers to the Sales department? In
addition, what will happen if she quits employment with the partner company? In both cases, you would
want to know about her change of status, but it is unlikely that anyone in the human resources
department at her company will notify you. Any data that you store about a remote user will eventually
become outdated. Therefore, how can you safely expose an application for a partner business to use?
Another feature of claims-based identity is that you can decentralize it. Instead of having your issuer
authenticate remote users directly, you can set up a trust relationship with an issuer from a separate
company. This means that your issuer will trust their issuer to authenticate users in their realm. Therefore,
their employees would not require additional credentials to use your application. Instead, they would
continue using the same SSO mechanism they have always used in their company. In addition, your
application still works because it continues to receive the same security token it needs. Moreover, the
claims that you receive in your security token for these remote users might include their role with the
company. This is because they are not employees of your company, but your issuer is responsible for
determining the proper assignments based on their role.
Finally, your application does not need to change when a new organization becomes a partner. The ratio
of issuers to applications is a benefit of using claims—you reconfigure one issuer and many downstream
applications become accessible to many new users. Another benefit is that claims allow you to store data
about users logically. Data can be kept in the store that is authoritative rather than in a store that is more
convenient to use or easily accessible. This allows you to grant access to users from other organizations
without creating a user account in your environment. Once your company decides which realms should
be allowed access to your claims-based application, your IT staff can set up the proper trust relationships.
3. The security token is then presented to the Contoso federation server. Since a federated trust is
configured between the two organizations, the Contoso federation server accepts the token in lieu of
authenticating the user directly.
4. The Contoso federation server then issues a security token to the user.
5. Finally, the user sends the security token to the Contoso application.
Note: Users are not actively aware of this process in most scenarios – the Internet browser
or smart client does this in the background on their behalf.
Because of the federated trust, your application only accepts security tokens that are signed by the issuer
that it trusts. Remote users cannot receive access if they try to send a token from their local issuer directly
to your application.
Service providers
According to the Organization for the Advancement of Structured Information Standards (OASIS) (the
organization that created SAML), a service provider is defined as a role donned by a system entity where
the system entity provides services to principals or other system entities. In essence, a service provider is
an entity that provides web services. Examples of service providers include ASPs, Storage Service Providers,
and Internet service providers (ISPs).
Identity providers
According to the OASIS, an Identity Provider (IdP) is defined as a kind of provider that creates, maintains,
and manages identity information for principals and provides principal authentication to other service
providers within a federation, such as with web browser profiles. An IdP is sometimes called an identity
service provider or identity assertion provider. In essence, an IdP is an online service or website that
authenticates users on the Internet by means of security tokens, one of which is SAML 2.0.
Note: IdPs also can provide services beyond those related to the storage of identity
profiles.
What is AD FS?
Active Directory Federation Services (AD FS) provides the infrastructure that enables a user to authenticate
in one network and use a secure service or application in another. With Office 365, AD FS enables users to
authenticate through their on-premises AD DS, and then use an account in Office 365 without requiring
any further authentication prompts. AD FS also provides SSO for users accessing Office 365 or another
service, with the same account that they sign in to their workstation. This requirement for matching
on-premises identities with remote service accounts is why an Office 365 SSO solution requires both AD FS
and directory synchronization. When you implement AD FS, all password management and password
policies are maintained by your on-premises AD DS.
How AD FS works
In the WS-Federation model, a service provider (also known as a relying party), is a partner in a federation
that creates security tokens for users. The term arose because the application relies on an issuer to provide
information about identity. Further, an IdP (also known as a claims provider), is a partner in a federation
that consumes security tokens to provide access to applications. Upon deployment of AD FS, an implicit
claims provider trust is enabled for the Active Directory domain in which the AD FS server resides.
When a user initiates an authentication request through AD FS from an AD FS client, for example
Microsoft Edge, AD FS initially verifies the user credentials in AD DS. After successful
authentication by AD DS, the STS component of AD FS issues a security token that authorizes the user to
the application or service, such as Office 365. In this scenario, Office 365 implicitly trusts the token issuer,
or the Active Directory domain.
The security token contains claims about the user, such as user name, group membership, user principal
name (UPN), email address, manager details, and phone number. It is up to the consuming application,
such as Office 365, to decide how to use these claims, and to make appropriate authorization decisions;
the application does not make authentication decisions, as these are made by AD DS.
The trust between the parties is managed through certificates. While the certificates used for security
token signing and encryption can be self-signed by the AD FS server, typically HTTPS communications
between the issuer and the consuming application or service requires a public key infrastructure (PKI). A
primary example of this is AD FS as the issuer, and Office 365 as the consuming application or service.
Authentication
The primary AD FS authentication methods are:
Forms authentication. This authentication method is for resources published to the outside of the
corporate network and accessible from clients over the Internet. While forms authentication is
enabled by default you also can enable certificate authentication—smart card authentication or user
client certificate authentication—that integrates with AD DS.
Integrated Windows authentication. This authentication method is for resources that are published to
the inside of the corporate network and are accessible from intranet resources. While Integrated
Windows authentication is enabled by default, you also can enable forms authentication and/or
certificate authentication.
Set-AdfsProperties -WIASupportedUserAgents ((Get-AdfsProperties).WIASupportedUserAgents + "Mozilla/5.0")
If the client’s user agent does not support Windows authentication, AD FS uses the default
authentication method of forms authentication.
You also can enable device authentication to provide multi-factor authentication (MFA). Device
authentication requires that a registered device is used before a user can access a resource. MFA requires
that you enable at least one additional authentication method.
Additional Reading: For more information about using devices for MFA and SSO, see
Overview: Join to Workplace from Any Device for SSO and Seamless Second Factor
Authentication Across Company Applications, at: http://aka.ms/cnmkt7.
Note: Office 365 has a separate MFA process for administrator accounts that is now
extended to user accounts. This authentication process requires users to acknowledge a phone
call, text message, or app notification after correctly entering their password. The MFA feature in
Office 365 is not the same as the MFA feature in AD FS.
Attribute stores
The AD FS attribute stores are the directories or databases used to store user accounts and associated
attribute values. AD FS supports the following directories or databases as attribute stores:
User experience
When a user authenticates through AD FS on the corporate intranet, the user will not be prompted for
their credentials on subsequent attempts, providing:
Internal DNS can resolve the AD FS service name to the backend AD FS servers, or to the load-
balanced IP for the AD FS service.
Any web proxy is configured to bypass the proxy for client requests to the URL for AD FS. You can use
a Group Policy Object (GPO) to add the URL for AD FS to the local intranet zone in Microsoft Internet
Explorer, or Microsoft Edge.
A service principal name (SPN) is registered under the AD FS service account for the AD FS service.
This will enable Kerberos authentication.
The default authentication method for the AD FS service is Integrated Windows authentication.
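As an added example (not part of the course), this Windows PowerShell check verifies the intranet SSO conditions just listed, except the client-side proxy and intranet-zone settings, from an administrative workstation with remoting to the AD FS server. The federation service name, service account, server name and required user-agent token are constructed placeholders; the function name is hypothetical.

```powershell
# Added example (not from the course): verify the server-side prerequisites for
# prompt-free intranet SSO through AD FS. All names below are constructed placeholders.
$FederationServiceName = 'adfs.adatum.com'       # the AD FS service name clients browse to
$AdfsServiceAccount    = 'svc_adfs'              # sAMAccountName of the AD FS service account
$AdfsServer            = 'LON-ADFS1.adatum.com'  # a farm member to query over remoting
$RequiredUserAgent     = 'Trident/7.0'           # Internet Explorer 11 token; use the one you need

function Test-AdfsIntranetSso {
    # Returns an ordered table of check name -> $true/$false.
    param(
        [string]$ServiceName    = $FederationServiceName,
        [string]$ServiceAccount = $AdfsServiceAccount,
        [string]$Server         = $AdfsServer,
        [string]$UserAgent      = $RequiredUserAgent
    )
    $checks = [ordered]@{}

    # 1. Internal DNS resolves the service name (to the load-balanced IP or a farm member).
    $dns = Resolve-DnsName -Name $ServiceName -Type A -ErrorAction SilentlyContinue
    $checks['DNS resolves service name'] = [bool]$dns

    # 2. The HOST/ SPN for the service name is registered on the service account, so
    #    domain clients can obtain a Kerberos ticket for AD FS instead of falling back.
    #    (For a group managed service account, query Get-ADServiceAccount instead.)
    $spns = @((Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName)
    $checks['HOST SPN on service account'] = $spns -icontains "HOST/$ServiceName"

    # 3. Integrated Windows authentication is the primary intranet authentication method.
    $policy = Invoke-Command -ComputerName $Server -ScriptBlock { Get-AdfsGlobalAuthenticationPolicy }
    $checks['Intranet default is WIA'] =
        @($policy.PrimaryIntranetAuthenticationProvider) -contains 'WindowsAuthentication'

    # 4. The browser token you rely on is in the WIA-supported user-agent list; a client
    #    whose user agent is not listed is sent to forms authentication instead.
    $agents = Invoke-Command -ComputerName $Server -ScriptBlock { (Get-AdfsProperties).WIASupportedUserAgents }
    $checks["User agent '$UserAgent' allowed for WIA"] = @($agents) -icontains $UserAgent

    return $checks
}

# Print a one-line verdict per check.
(Test-AdfsIntranetSso).GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

The ActiveDirectory and DnsClient modules must be available locally, and the account running the script needs remoting rights on the AD FS server.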
Note: Users can avoid a credentials prompt when they access a cloud service using the same
account that they use to sign in to the workstation.
When a user authenticates through AD FS over the Internet, you might prefer to secure the access to the
AD FS server. If so, you can deploy a proxy server in the perimeter network to intercept the authentication
request. The proxy server also uses forms authentication, which displays a webpage form for users to type
their credentials. This deployment option has a smaller security footprint since it only requires opening
the SSL port (443) to the Internet. By contrast, Integrated Windows authentication requires a range of
ports and services and should not be exposed to the Internet. As opposed to the user experience for users
on the corporate intranet, the user could be prompted each time they authenticate through AD FS over
the Internet.
Note: For more information about customizing the AD FS sign-in pages, refer to:
http://aka.ms/bis6uu.
AD FS versions
Versions of AD FS since the initial release include:
AD FS 1.0. AD FS 1.0 was originally released as a Windows component with Windows Server 2003 R2.
AD FS 1.1. AD FS 1.1 was released with Windows Server 2008 and Windows Server 2008 R2, as an
installable server role.
AD FS 2.0. AD FS 2.0 was released as an installable download for Windows Server 2008 service pack 2
(SP2) or above.
AD FS 2.1. AD FS 2.1 was released with Windows Server 2012 as an installable server role.
AD FS 3.0. AD FS 3.0 is an installable server role on Windows Server 2012 R2. AD FS 3.0 does not
require a separate installation of Microsoft Internet Information Services (IIS), and it includes a new
AD FS proxy role called the Web Application Proxy.
AD FS 3.1. AD FS 3.1 is an installable server role on Windows Server 2016. Similar to AD FS 3.0, there is
no requirement for a separate IIS install. AD FS includes the Web Application Proxy.
AD FS 1.x was limited in its standards support, including WS-Federation passive requestor profile
(browser), and SAML 1.0 tokens.
Note: The labs in this course use AD FS 3.0 on Windows Server 2012 R2.
AD FS 3.0 now:
Separate AD FS proxy role removed. The AD FS proxy server is replaced by the Web Application
Proxy, which is used to publish the AD FS federation server to the Internet. Web Application Proxy can
publish many other applications than just AD FS.
As described earlier in the module, with SSO, authentication uses a security token from AD FS to access
Office 365 services rather than a user authenticating directly to Office 365. In the most common
environments, you create user accounts in your on-premises AD DS, and deploy directory synchronization
to synchronize the user accounts to Office 365. While policy settings are synchronized only from AD DS,
new features in the Microsoft Azure AD Connect directory synchronization tool synchronize user accounts
to both destinations. This allows you to create the user account in Office 365, and Azure AD Connect then
synchronizes it to your on-premises AD DS.
Note: It is important to understand that SSO with Office 365 is, in effect, a hybrid
environment. While most of the object attributes are the same, users have two separate accounts,
including an on-premises Active Directory account and an Azure AD account. Although you
assign Office 365 services to the Azure AD account, users do not authenticate to Office 365 with
their on-premises Active Directory account. Rather, the user’s on-premises Active Directory
account credentials provide them access, or authorize them, to the Azure AD Account in Office
365 through the claims within the security token.
One disadvantage to only deploying password synchronization in directory synchronization is that your
environment includes two separate password policies—on-premises and in the cloud—and password
updates require successful synchronization. However, one advantage to deploying password
synchronization within directory synchronization is that a major failure in your on-premises infrastructure
can potentially have only a minimal impact to your Office 365 services. More information on deploying
AD FS with High Availability is provided later in this module.
Note: Password write-back, or password synchronization from Office 365 to your on-
premises AD DS is now available in Azure AD Connect. However, Azure AD Premium licensing is
required.
Directory Services and SSO are key parts of integrating your on-premises environment and
online services. You are planning for the deployment of your company’s Office 365 tenant.
To ensure your users are able to use their credentials from your on-premises AD DS, you
need to evaluate which identity solution to deploy based on your business requirements.
Lesson 2
Planning an AD FS deployment
In this lesson, you will learn how to plan an AD FS deployment to support identity federation with
Office 365. AD FS is important in order for users to access Office 365 services. You will also learn how
to plan a highly available environment based on the size of your environment.
Lesson Objectives
After completing this lesson, you should be able to:
Describe the requirements for deploying AD FS, including Domain Name System (DNS) records and
certificates.
Describe the optional scenario of deploying SSO with Azure virtual machines.
AD FS server roles
Depending on the environment in your organization, you must deploy certain AD FS server roles to meet
your business and security requirements. You can use one or more server roles to provide an AD FS
federated identity management solution in support of these requirements.
Federation service
Beginning with Windows Server 2012, AD FS includes a federation service role service. In addition, AD FS
can issue, manage, and validate requests for security tokens and identity management. The federation
service can act as an identity provider by authenticating users to provide security tokens to applications
that trust AD FS. In addition, it also can act as a federation provider by consuming tokens from other
identity providers and then providing security tokens to applications that trust AD FS.
Note: While not a requirement, federation servers in a federation server farm should be
located on the same network. You typically can use Network Load Balancing (NLB) or some other
form of clustering to allocate a single IP address for the multiple federation servers.
Federation proxy
When providing extranet access to applications and services that are secured by AD FS, you might choose
to deploy a federation proxy. A federation proxy is a computer that has been configured to act as an
intermediary proxy service between the clients on the Internet and your federation service that is located
behind your firewall on the corporate network. In order to allow remote access to the cloud service, such
as from a smartphone, home computer, or Internet kiosk, you should strongly consider deploying a
federation server proxy.
Note: Federation proxies cannot produce security tokens themselves; instead, they are used
to route or redirect tokens to clients, and if necessary, route or redirect the tokens back to the
federation server. For this reason, federation proxy servers are not required for providing remote
access to cloud services. However, they are strongly recommended.
The predecessor to Web Application Proxy was limited to brokering connections between external users
and the federation service. Now, Web Application Proxy provides reverse proxy functionality for web
applications inside a corporate network to external users. In addition, it pre-authenticates access to web
applications for the federation service, and functions as an AD FS proxy.
Database
AD FS uses a database to store configuration data—and in some cases transactional data—related to the
federation service. During deployment, you can choose to use either the built-in Windows Internal
Database (WID) or SQL Server. While most of the functions of the two database types are relatively
equivalent, one of the major differences is how they function in a federation server farm. When you
deploy a federation server farm using WID, the federation server farm replicates data between a primary
federation server and secondary federation servers.
Note: There are no feature differences between using WID or SQL Server that are required
for integration with Office 365. More information about determining which type of AD FS
configuration database to use is discussed later in this module.
Creating the first federation server in a farm also creates a new Federation Service. When you use WID for
the AD FS configuration database, the first federation server that you create in the farm is referred to as
the primary federation server. This means that this computer is configured with a read/write copy of the
AD FS configuration database. All other federation servers that you configure for this farm are referred to
as secondary federation servers because they must replicate any changes that are made on the primary
federation server to the read-only copies of the AD FS configuration database stored locally. Secondary
federation servers connect to and synchronize the data with the primary federation server in the farm by
polling it at regular intervals to verify if data has changed.
Note: The poll interval of the secondary federation servers is five minutes by default, but an
immediate synchronization can be forced at any time by using Windows PowerShell cmdlets.
The secondary federation servers exist to provide fault tolerance for the primary federation server and to
load-balance access requests across network sites. If the primary federation server is offline, all secondary
federation servers continue to process requests as normal. However, no new changes can be made to the
AD FS database until the primary federation server is brought back online, or a secondary server is
promoted to the primary federation server role. You can manage assignment of the primary and
secondary federation server in the federation server farm when you use the Set-AdfsSyncProperties
Windows PowerShell cmdlet.
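As an added example (not from the course), the following Windows PowerShell script reports each WID farm member's sync role, promotes a secondary federation server to primary with Set-AdfsSyncProperties, and repoints the remaining members at the new primary. Server names are constructed, the function names are hypothetical, and it assumes PowerShell remoting to every farm member.

```powershell
# Added example (not from the course): manage the primary/secondary roles of a
# WID-backed federation server farm. Server names below are constructed.
$NewPrimary   = 'LON-ADFS2.adatum.com'
$OtherMembers = @('LON-ADFS1.adatum.com', 'LON-ADFS3.adatum.com')   # the rest of the farm

function Get-FarmSyncState {
    # Get-AdfsSyncProperties reports Role (PrimaryComputer or SecondaryComputer), the
    # PrimaryComputerName a secondary polls, and PollDuration in seconds (300 = five minutes).
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-AdfsSyncProperties |
            Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } },
                          Role, PrimaryComputerName, PollDuration
    }
}

function Set-FarmPrimary {
    # Promote $NewPrimary and make every other member a secondary of it. Run with
    # -WhatIf first; the old primary is demoted by being included in $OtherMembers.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$NewPrimary,
        [Parameter(Mandatory)][string[]]$OtherMembers
    )
    if ($PSCmdlet.ShouldProcess($NewPrimary, 'Promote to primary federation server')) {
        # The new primary takes the read/write copy of the configuration database.
        Invoke-Command -ComputerName $NewPrimary -ScriptBlock {
            Set-AdfsSyncProperties -Role PrimaryComputer
        }
        # Every other member gets the read-only copy and polls the new primary.
        Invoke-Command -ComputerName $OtherMembers -ScriptBlock {
            param($primary)
            Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $primary
        } -ArgumentList $NewPrimary
    }
}

function Test-FarmSyncState {
    # Sanity check after a promotion: exactly one primary, and every secondary points at it.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $state     = Get-FarmSyncState -ComputerName $ComputerName
    $primaries = @($state | Where-Object Role -eq 'PrimaryComputer')
    if ($primaries.Count -ne 1) {
        Write-Warning "Expected exactly one primary federation server, found $($primaries.Count)"
        return $false
    }
    $stale = @($state | Where-Object {
        $_.Role -eq 'SecondaryComputer' -and
        $_.PrimaryComputerName -notlike "$($primaries[0].Server)*"
    })
    foreach ($s in $stale) { Write-Warning "$($s.Server) still polls $($s.PrimaryComputerName)" }
    return ($stale.Count -eq 0)
}

Set-FarmPrimary -NewPrimary $NewPrimary -OtherMembers $OtherMembers -WhatIf
Test-FarmSyncState -ComputerName ($OtherMembers + $NewPrimary)
```

Remove -WhatIf from the Set-FarmPrimary call to perform the promotion; the check that follows reports whether the farm converged on a single primary.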
Note: When you deploy a federation server farm using WID, some features of AD FS might
not be available. To have access to the full feature set when you configure your server farm,
consider using SQL Server to store the AD FS configuration database instead.
When you deploy a federation server farm using SQL Server, the term primary federation server does not
apply because all of the federation servers can equally read and write to the AD FS configuration database
that uses the same clustered SQL Server instance. More information about how to deploy a federation
server farm when you use SQL Server is discussed later in this module.
AD FS is no longer dependent on IIS. This offers enhanced performance and reduces the footprint of
services, especially when AD FS is installed on Active Directory domain controllers.
Group managed service account support. This enables AD FS to run with service accounts without
managing expiring service account passwords.
SQL Server merge replication support when deploying AD FS across globally dispersed data centers.
These planning considerations are examined in detail throughout the remainder of this module.
When you start planning your AD FS environment for integration with Office 365, there are a number of
design decisions you need to consider before starting the deployment process. These design decisions
include:
Remediation of AD DS
Server placement
Remediation of AD DS
Several user attributes must be examined in AD DS before implementing AD FS. For example, the UPN
must be set for every user, and must be known by each user if used as his or her sign-in name. UPNs used
for SSO can contain only letters, numbers, periods, dashes, and underscores. If there are invalid characters
in UPNs, these must be remediated before AD FS is enabled.
The UPN domain suffix must be either the domain to be configured for SSO, or a subdomain of it. If the Active
Directory domain name is not a public Internet domain (for example, it ends with a “.local” suffix), the
UPN must be changed to include either a publicly registered domain, or a subdomain of an Internet
domain name.
If the domain suffix needs to be changed and directory synchronization has already been deployed, the
UPNs for users in Office 365 might not match the UPNs for the corresponding users in your on-premises
AD DS. To remediate these UPNs, you can reset them by using the Windows PowerShell cmdlet
Set-MsolUserPrincipalName.
Use the following Set-MsolUserPrincipalName cmdlet, which is available in the Windows Azure AD
Module for Windows PowerShell:
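The following script is an added example, not part of the course material: it applies the UPN rules above (allowed characters, routable suffix) to every enabled user in AD DS, reports the ones that would block SSO, and shows both remediation steps. It assumes the RSAT ActiveDirectory module and the MSOnline (Azure AD) module are installed, that Connect-MsolService has already been run, and that contoso.com is the verified public domain (a placeholder).

```powershell
# Added example, not course code. Assumptions: RSAT ActiveDirectory module, MSOnline module,
# an existing Connect-MsolService session, and contoso.com as the verified public domain.
Import-Module ActiveDirectory

$PublicDomain = 'contoso.com'          # assumed verified Office 365 domain (placeholder)
$ValidPrefix  = '^[A-Za-z0-9._-]+$'    # letters, numbers, periods, dashes, underscores only
$Apply        = $false                 # set to $true only after reviewing the report

function Test-SsoUpn {
    param([string]$Upn)
    # Classifies one UPN against the rules in the text above.
    if ([string]::IsNullOrEmpty($Upn)) { return 'MissingUpn' }
    $parts = $Upn -split '@', 2
    if ($parts.Count -ne 2) { return 'MissingSuffix' }
    $prefix, $suffix = $parts
    if ($prefix -notmatch $ValidPrefix) { return 'InvalidCharacters' }
    # The suffix must be the SSO domain itself or a subdomain of it; ".local" and similar fail here.
    if ($suffix -ne $PublicDomain -and $suffix -notlike "*.$PublicDomain") { return 'NonRoutableSuffix' }
    return 'OK'
}

# Every enabled user whose UPN would block federation, with the reason.
$problems = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    ForEach-Object {
        $state = Test-SsoUpn -Upn $_.UserPrincipalName
        if ($state -ne 'OK') {
            [pscustomobject]@{ SamAccountName = $_.SamAccountName
                               CurrentUpn     = $_.UserPrincipalName
                               Problem        = $state }
        }
    })
$problems | Format-Table -AutoSize

# Suffix remediation. Invalid-character cases need a human decision on the new prefix, so
# only the suffix case is automated here.
foreach ($p in $problems | Where-Object Problem -eq 'NonRoutableSuffix') {
    $newUpn = ($p.CurrentUpn -split '@', 2)[0] + "@$PublicDomain"
    # 1. On-premises AD DS: rewrite the UPN suffix to the public domain (dry run unless $Apply).
    Set-ADUser -Identity $p.SamAccountName -UserPrincipalName $newUpn -WhatIf:(-not $Apply)
    # 2. Office 365: if directory synchronization already copied the old UPN to the cloud,
    #    reset it there as well so both sides match (Set-MsolUserPrincipalName, Azure AD Module).
    if ($Apply) {
        Set-MsolUserPrincipalName -UserPrincipalName $p.CurrentUpn -NewUserPrincipalName $newUpn
    } else {
        Write-Output "Would reset cloud UPN $($p.CurrentUpn) -> $newUpn"
    }
}
```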
Configuration database
As discussed earlier in this module, when planning for federation services, you can choose to use either
WID or SQL Server for hosting the Configuration database. For most AD FS deployments, we
recommend deploying a federation server farm with the WID deployment topology as the default choice,
because it is easier to deploy. In addition, it supports up to five federation servers in a farm, or up to 30
federation servers in a farm that has few relying parties in federated trusts. WID also provides load balancing
and fault tolerance.
While SQL Server is not subject to the same limitations as WID, it does require more setup and
management. If you choose to deploy the federation server farm with the SQL Server deployment topology,
all federation servers in the farm read and write to the same SQL Server database instance. This
deployment topology is typically reserved for more advanced AD FS deployments that have one or
more of the following requirements:
Support for more than 100 claims providers or more than 100 relying parties in a federated trust.
Support for more federation servers in a farm than WID supports. A farm that uses WID is limited to
30 federation servers if you have 100 or fewer relying parties in federated trusts. If you have more than
100 relying parties, you are limited to five federation servers.
Geographic load balancing to distribute the higher traffic across multiple data centers based on
location.
High availability of the Configuration database.
Additional performance enhancements, including the ability to scale out using more than five
federation servers in the same federation server farm.
The need to use SAML/WS-Federation token replay detection to protect the integrity of
authentication requests by making sure that the same token is never used more than once. This helps
mitigate man-in-the-middle attacks.
The need to use SAML artifact resolution to direct browser clients with an artifact to a SAML artifact
endpoint URL for resolution. This provides an alternate mechanism for passing tokens to client
applications.
Note: If you deploy a federation server farm with SQL Server, you must install AD FS using
Windows PowerShell. However, you can migrate an AD FS configuration database from WID to
an instance of SQL Server.
Federation proxies
The role of federation server proxies is to redirect client authentication requests coming from outside your
corporate network to your federation server farm. You should plan on deploying federation proxies to
your AD FS environment if any of the following scenarios apply:
Roaming work computers. These are users who are signed in to domain-joined computers with their
corporate credentials but who are not connected to the corporate network. For example, a roaming
work computer could be a work computer at a user’s home or at a hotel, which can access the cloud
service.
Home or public computer. When a user’s computer is not joined to the corporate domain, the user
must sign in with their corporate credentials to access the cloud service.
Smartphone. On a smartphone, the user must sign in with their corporate credentials to access a
cloud service such as Microsoft Exchange Online, by using Microsoft Exchange ActiveSync.
Microsoft Outlook or other email clients. The user must sign in with their corporate credentials to
access their Office 365 email if they are using Outlook or an email client that is not part of the
Microsoft Office suite, such as an Internet Message Access Protocol (IMAP) or POP email client.
However, if your company supports browsers that do not support Extended Protection for Authentication,
you should consider disabling it in AD FS, so that the channel binding token is no longer required for all
federation communication. Be aware that this could leave client credentials vulnerable to man-in-the-middle
attacks.
Virtualization
You might decide to host your federation service from a virtualized infrastructure. All of the AD FS server
roles, including the federation server and the federation proxy, are supported in virtual machines on
Microsoft Hyper-V. If you plan to use this technology to host more than one federation server or proxy,
you should consider hosting the virtual machines on separate host computers.
Server placement
The most critical component of an AD FS deployment is the federation server or server farm. Therefore,
planning your server placement strategy properly is important. The federation servers must be
domain-joined and should be deployed behind a firewall on the corporate network to prevent exposure to the
Internet. However, the federation proxy should not be domain-joined and should be deployed in the
perimeter network.
Note: AD FS availability only affects user authentication and does not affect Office 365
services. For example, if AD FS is unavailable and users are not able to sign in to their email in Office 365,
their mailboxes in Exchange Online will continue to receive email.
balancing or fault tolerance. However, if the AD FS federation server is deployed as a stand-alone server,
you will not be able to add more federation servers later.
With Windows Server 2012 R2 and later, you can only deploy the AD FS federation server in a federation
server farm. While this deployment method provides you with the option of adding more federation
servers later, we recommend that you deploy more than one federation server in a farm for your
production environments.
NLB
You should use NLB or other forms of clustering to allocate a single IP address for multiple AD FS
federation servers. With this deployment option, failure of a single federation server should not affect the
federation services for users. Similarly, you also should use NLB to provide an AD FS proxy array in the
perimeter network to ensure that external clients are not impacted by failure of any AD FS proxy
computer.
Note: While not covered in this course, you also can deploy a hardware load balancer
instead of NLB to provide high availability to your federation servers and federation proxy
servers.
Configuration database
If you chose WID as your AD FS data store, there is a copy of the Configuration database on each
server. However, if you chose SQL Server as your AD FS data store, you need to plan for a highly
available SQL Server deployment. Unlike WID, deploying an AD FS federation server farm with
SQL Server does not provide high availability of the Configuration database by default. For example, if the
SQL Server is unavailable, the AD FS federation server is unable to connect to the Configuration database,
and the AD FS service will not start. For this reason, you should consider deploying AD FS with a SQL
Server cluster or a SQL Server failover partner. While you can enable the SQL Server cluster at any time,
the SQL Server failover partner can only be enabled during AD FS deployment or afterwards, because
you use AD FS to configure the failover partner.
Additional Reading: For more information on the high availability solutions of SQL Server
refer to: http://aka.ms/lsr6m4.
Capacity planning
Capacity planning for federation servers helps you assess the hardware requirements for each federation
server and the number of federation servers to deploy. Capacity planning also helps you estimate and
prepare for growth in the size of the AD FS configuration database.
A value (40, 60, or 80 percent) that best represents the percentage of total users expected to send
authentication requests to AD FS during peak usage periods.
A value (one minute, 15 minutes, or one hour) that best represents the length of time the peak usage
period is expected to last.
The total number of users that will require SSO access to the target claims-aware application, based
on whether the users are:
Additional Reading: For more information about the AD FS Capacity Planning Sizing
spreadsheet, or to download it, refer to: http://aka.ms/n0uyfb.
Estimation table
AD FS can scale to support tens of thousands of users, and allows you to add more federation servers to a
server farm as your company scales up. You can use the following table to help you estimate the
minimum number of AD FS federation servers and web application proxies or federation server proxies
that you will need to deploy. These estimations are based on the number of users who will require SSO
access—including remote access—to the cloud service.
Note: Unless otherwise noted, all of the federation servers should be deployed in a
federation server farm with a WID store for the Configuration database. While fewer federation
servers might be possible in some of the scenarios below, an additional federation server is
included to provide redundancy.
Number of users accessing Office 365 services | Minimum number of AD FS servers to deploy | Recommendation and steps
Fewer than 1,000 users | 2 federation servers, 2 proxies | With fewer users, consider deploying the federation servers on two existing domain controllers and then implement load balancing using NLB. For the proxies, consider using two existing web servers or proxy servers, and then configure them both for the federation server proxy role or the Web Application Proxy role.
15,000 – 60,000 users | 3-5 federation servers; 2 proxies | For every increment of 15,000 users over 15,000, you should deploy an additional federation server to the load-balanced farm, up to the maximum of five servers that WID supports—or more with a SQL Server database. For the proxies, consider deploying additional nodes to improve performance.
More than 60,000 users | 5+ federation servers, 3+ proxies | For enterprises with more than 60,000 users, you should implement five or more federation servers using SQL Server for the configuration database. You also should deploy three or more proxies using hardware load balancing instead of NLB.
AD FS requirements
Prior to deploying AD FS, multiple requirements must be in place. The following are the various
requirements that you must plan for when deploying AD FS:
Certificate
Hardware
Software
AD DS
Configuration database
Browser
Extranet
Network
Attribute store
Application
Authentication
Workplace join
Permissions
Certificate requirements
Certificates play the most critical role in securing communications between federation servers, Web
Application Proxy, claims-aware applications, and web clients. The requirements for certificates vary,
depending on whether you are deploying a federation server or a federation proxy computer. Within any
AD FS deployment, you are required to have the following four certificates:
Certificate | Requirements
SSL certificate. Standard SSL certificate used for securing communications between federation servers and clients. | The certificate must be a publicly trusted X509 v3 certificate. All clients that access AD FS must trust the certificate. While we recommend that you use the same SSL certificate for the Web Application Proxy, it is required to be the same when supporting Windows Integrated Authentication endpoints, through the Web Application Proxy, with Extended Protection Authentication enabled.
Service communication certificate. Enables Windows Communication Foundation (WCF) message security for securing communications between federation servers. | While the SSL certificate is used as the service communication certificate by default, you can enable another certificate. If you use the SSL certificate, you will need to enable the renewed SSL certificate as the service communication certificate upon expiration, as this is not automatic. This certificate must be trusted by clients of AD FS that use WCF message security, so you might consider using a publicly trusted certificate. The certificate cannot use Cryptography Next Generation (CNG) keys. You can manage this certificate in the AD FS Management console or through Windows PowerShell.
Note: Certificates that are used for token signing and token decrypting and encrypting are
critical to the stability of the federation service. If you deploy your own token-signing and
token-decrypting and encrypting certificates, you should ensure that they are backed up and are
available independently during a recovery event.
Hardware requirements
The following minimum and recommended hardware requirements apply to the AD FS federation servers
that are deployed on Windows Server 2012 R2:
Component | Minimum | Recommended
Central processing unit (CPU) speed | 1.4 gigahertz (GHz) 64-bit processor | Quad-core, 2 GHz
Software requirements
The following software requirements apply to AD FS federation servers that are deployed on Windows
Server 2012 R2:
For extranet access, you must deploy the Web Application Proxy role service, which is part of the
Windows Server 2012 R2 Remote Access server role. Previous versions of the federation server proxy are
not supported with AD FS on Windows Server 2012 R2.
A federation server and the Web Application Proxy role service cannot be installed on the same
computer.
You can deploy AD FS with any standard service account. Alternatively, you might use a group managed
service account, but then you are required to deploy at least one domain controller running Windows Server 2012
or later. The AD FS service account must be trusted in every user domain that contains users who could
authenticate to the federation service. For Kerberos authentication to function properly between your
domain-joined clients and AD FS, the HOST/adfs_service_name SPN must be registered on the service
account. By default, AD FS configures this automatically when deploying a new federation server farm,
if it has sufficient permissions to perform this operation.
In single-forest scenarios, all of the AD FS federation servers must be joined to an Active Directory
domain, and all of the AD FS federation servers within a federation server farm must be joined to the
same Active Directory domain. In addition, the domain that the AD FS servers are joined to must trust
every user account domain that contains users who could authenticate to the federation service.
In multi-forest scenarios, the domain that the AD FS servers are joined to must trust every user account
domain or forest that contains users who could authenticate to the federation service. In addition, the
AD FS service account must be trusted in every user domain that contains users who could authenticate to
the federation service.
Browser requirements
If you perform authentication to AD FS from a browser or browser control, your browser must meet the
following requirements:
For user certificate and device certificate authentication (for example, workplace join functionality), the
browser must support SSL client certificate authentication.
Several key browsers and platforms have undergone validation for rendering and for functionality. These
include Internet Explorer 10 or later, Firefox 21 or later, Safari 7.0 or later, and Chrome 27 or later.
Browsers and devices not referenced could still be supported if they meet the requirements listed above.
AD FS creates session-based and persistent cookies that must be stored on client computers to provide
sign-in, sign-out, SSO, and other functionality. For this reason, one of the browser requirements is that the
client browser must be configured to accept cookies. Cookies that are used for authentication are HTTPS
session-based cookies that are written for the originating server. If the client browser is not configured to
allow these cookies, AD FS might not function properly. Persistent cookies are used to preserve the user's
selection of the claims provider. You can disable them with a change in the configuration file for the
AD FS sign-in pages. Support for Transport Layer Security (TLS/SSL) is required for security
reasons.
Extranet requirements
To provide extranet access to the AD FS service, you must deploy the Web Application Proxy role service
as the extranet-facing role that proxies authentication requests in a secure manner to the AD FS service.
This provides isolation of the AD FS service endpoints in addition to isolation of all security keys (such as
token-signing certificates) from requests that originate from the internet. In addition, features such as Soft
Extranet Account Lockout require the use of the Web Application Proxy.
Network requirements
Configuring the network properly is critical for the successful deployment of AD FS in your environment.
The firewall located between the Web Application Proxy and the federation server farm, and the firewall
between the clients and the Web Application Proxy must allow TCP port 443 for inbound traffic. In
addition, if client user certificate authentication is required, AD FS in Windows Server 2012 R2 requires
that TCP port 49443 be enabled inbound on the firewall between the clients and the Web Application
Proxy. However, this is not required on the firewall between the Web Application Proxy and the federation
servers.
All clients accessing the federation service within the corporate network must be able to resolve the AD FS
service name to the load-balanced IP of the federation server farm. All clients accessing the federation
service from the Internet must be able to resolve the AD FS service name to the load-balanced IP of the
Web Application Proxy servers. For extranet access to function properly, each Web Application Proxy
server in the perimeter network must be able to resolve the AD FS service name to the load-balanced IP
of the federation server farm. This requirement might need a DNS server in the perimeter network or a
HOSTS file on the Web Application Proxy servers. For Windows Integrated authentication to work either
inside or outside the network, for a subset of endpoints exposed through the Web Application Proxy, you
must use a host (A) resource record (not a canonical name (CNAME) record) to point to the load
balancers.
Additional Reading: For more information on the complete list of attribute stores
supported by AD FS, go to: http://aka.ms/vgazki.
Application requirements
AD FS supports claims-aware applications that use the following protocols:
WS-Federation
WS-Trust
SAML 2.0 protocol using IdP Lite, SP Lite, and eGov 1.5 profiles
AD FS also supports authentication and authorization for any non-claims-aware applications that are
supported by the Web Application Proxy.
Authentication requirements
In most AD FS deployments, the primary authentication method for the relying party in a federated trust
is AD DS authentication. For intranet access, the following standard authentication mechanisms for AD DS
are supported:
Windows Integrated Authentication using the Negotiate option, which includes Kerberos and NTLM
Windows Integrated Authentication using Negotiate (NTLM only) for WS-Trust endpoints that accept
Windows Integrated Authentication
The most common scenario for certificate authentication is smart card authentication with PIN
protected certificates.
The user interface in which the user enters the PIN is not provided by AD FS; it must be part of the
client operating system, and it is displayed when client TLS is used.
The reader and cryptographic service provider (CSP) for the smart card must work on the computer
on which the browser is located.
The smart card certificate must chain to a root certificate that is trusted on all of the AD FS servers and Web
Application Proxy servers.
The certificate must map to the user account in AD DS by either of the following methods:
o The certificate subject name corresponds to the LDAP distinguished name of a user account in
AD DS.
o The certificate SAN extension has the UPN of a user account in AD DS.
For seamless Windows Integrated Authentication using Kerberos authentication on the intranet:
The service name must be part of the Trusted Sites or the Local intranet sites.
The HOST/adfs_service_name SPN must be set on the service account that the AD FS farm runs on.
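The SPN requirement above (Software requirements and this list) is easy to verify before users report Kerberos falling back to NTLM. The following is an added example, not course code: it checks that HOST/<federation service name> is registered exactly once in the forest and on the AD FS service account, and shows the remediation for a missing SPN. It assumes the RSAT ActiveDirectory module, the service name adfs.contoso.com and the service account svc_adfs (or the gMSA fsgmsa$), all placeholders.

```powershell
# Added example, not course code. Assumptions: RSAT ActiveDirectory module; placeholders for the
# federation service name and the service account (use 'fsgmsa$' style for a gMSA).
Import-Module ActiveDirectory

$FederationServiceName = 'adfs.contoso.com'   # assumed federation service name
$ServiceAccount        = 'svc_adfs'           # assumed AD FS service account (sAMAccountName)
$Spn                   = "HOST/$FederationServiceName"

function Get-SpnHolders {
    param([string]$ServicePrincipalName)
    # Users, computers and gMSAs can all hold an SPN, so search objects rather than users.
    # Kerberos requires the SPN to be unique; a duplicate silently breaks ticket issuance.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$ServicePrincipalName)" -Properties sAMAccountName |
        Select-Object -ExpandProperty sAMAccountName
}

$holders = @(Get-SpnHolders -ServicePrincipalName $Spn)
switch ($holders.Count) {
    0 { Write-Warning "$Spn is not registered; domain-joined clients cannot get a Kerberos ticket for AD FS." }
    1 {
        # Compare without the trailing '$' so a gMSA name matches either way it was typed.
        if ($holders[0].TrimEnd('$') -ieq $ServiceAccount.TrimEnd('$')) {
            Write-Output "$Spn is registered on $($holders[0]) as expected."
        } else {
            Write-Warning "$Spn is held by $($holders[0]), not by the AD FS service account $ServiceAccount."
        }
    }
    default { Write-Warning "Duplicate SPN: $Spn is held by $($holders -join ', '); remove all but the service account." }
}

# Remediation for the missing case. A gMSA and a standard user account are updated with
# different cmdlets; both accept the @{Add=...} hashtable form. -WhatIf keeps this a dry run.
if ($holders.Count -eq 0) {
    $acct = Get-ADObject -Filter "sAMAccountName -eq '$ServiceAccount'" -Properties objectClass
    if ($acct.objectClass -eq 'msDS-GroupManagedServiceAccount') {
        Set-ADServiceAccount -Identity $ServiceAccount -ServicePrincipalNames @{Add=$Spn} -WhatIf
    } else {
        Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{Add=$Spn} -WhatIf
    }
}
```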
AD FS also supports authentication using a provider model whereby you can build your own MFA adapter
that an administrator can register and use during sign-in. Every MFA adapter must be built on top of
Microsoft .NET Framework 4.5. In addition, AD FS supports device authentication using certificates
provisioned by the Device Registration Service when an end user workplace-joins their device.
Permissions requirements
For deployment and the initial configuration of AD FS, you must have domain administrator permissions
in the Active Directory domain, that is, the domain to which the federation server is joined.
Additional Reading: For more information about the AD FS requirements, refer to:
http://aka.ms/m2kpbf.
Although additional options are possible, these are the three optimal deployment scenarios:
All Office 365 SSO integration components deployed on-premises. This is the traditional approach. In
this scenario, you deploy directory synchronization and AD FS on on-premises servers.
All Office 365 SSO integration components deployed in Azure. This is the new, cloud-only approach.
In this scenario, you deploy directory synchronization and AD FS in Azure. This eliminates the need to
deploy on-premises servers.
Some Office 365 SSO integration components deployed in Azure for disaster recovery. This is the mix
of on-premises and cloud-deployed components. In this scenario, you deploy directory
synchronization and AD FS, primarily on-premises and add redundant components in Azure for
disaster recovery.
When planning to deploy these services to Windows Azure, you should consider:
Active Directory domain controllers in Windows Azure. Because AD FS requires access to AD DS, you
need to deploy AD DS in Windows Azure by installing an Active Directory domain controller on a
Windows Azure virtual machine.
AD FS in Windows Azure. In the third scenario described above, you would deploy AD FS on-premises
and on a virtual machine in Azure for redundancy. In case of a disaster, the failover between the
on-premises infrastructure and the hosted infrastructure is a manual operation. The failover procedures
require changing DNS records for AD FS. Until the change is effective and DNS records are
propagated, clients are unable to access Office 365 services. As such, end users would still experience
some downtime during the failover.
Directory synchronization services in Windows Azure. In the third scenario described above, you
would deploy directory synchronization on-premises and on a Windows Azure virtual machine for
redundancy. In case of a disaster, the failover between the on-premises infrastructure and the hosted
infrastructure is a manual operation. The failover procedures require the re-installation of the Azure
Active Directory Connect tool on a standby Azure virtual machine. Because directory synchronization
is required only for directory object changes, existing users can continue to access Office 365 services
with little to no disruption until the service is restored.
VPN connection to Windows Azure. A VPN connection is required between your corporate network
and Windows Azure to support directory synchronization traffic.
Lesson 3
Deploying AD FS for identity federation with Office 365
In this lesson, you will learn how to deploy AD FS for SSO with Office 365. Based on your planning, your
deployment may include multiple servers, with different server roles, in various logical networks. Your
deployment methodology might vary if you are implementing directory synchronization, if you are
adding a new domain to Office 365, or if you are converting an existing domain in Office 365.
Lesson Objectives
After completing this lesson, you should be able to:
Convert the Office 365 tenant to federated authentication, and describe the implications of doing so.
Manage the AD FS server, including the certificates, migration to another server, and troubleshooting.
Verify a successful implementation of SSO.
SQL Server
If you plan to host the configuration database for the AD FS federation server farm in Microsoft SQL
Server, you should deploy the SQL Server instance prior to installing the first federation server. In
Windows Server 2012 R2, AD FS supports two options for high availability of your federation server farm
using SQL Server. You should consider one of these options when preparing for the configuration
database:
SQL Server merge replication, to support geographically distributed high availability
Additional Reading: For more information, refer to Federation Server Farm Using SQL
Server at: http://aka.ms/mok3lw.
Service account
If possible, you should consider using a Group Managed Service Account (gMSA) for AD FS. During
deployment, the AD FS Installation Wizard creates and configures a gMSA automatically if you have
appropriate permissions to AD DS. Otherwise, you should create a gMSA in advance of the AD FS
federation server deployment.
If you are not able to use a gMSA, you should create a standard service account in AD DS and configure
its password to never expire, prior to deploying the AD FS federation server. This service account
requires the following access rights on the AD FS federation server:
Log on as a service
Certificate
While you can import the certificate during AD FS installation, you will need to request the appropriate
SSL certificate required for AD FS from a publicly trusted certification authority (CA) prior to deployment.
Upon receiving the certificate from the CA, install it in the Personal certificate store on the AD FS
federation server. If you are deploying a federation server farm, the Subject name (or common name
(CN)) on the SSL certificate must match the federation service name, or the certificate must be a wildcard SSL
certificate. This certificate should be installed in the Personal certificate store on each of the federation
servers in the farm.
DNS
In addition to AD DS, one of the primary network services that is critical to the operation of AD FS is
DNS. DNS records let users and other service providers locate your federation service over the
internet and on your corporate network.
When configuring DNS to support AD FS, you should consider the following:
If you are deploying a federation server farm, you will need to create a DNS host record on your
internal DNS servers for the cluster DNS name of your NLB federation server farm.
If you are deploying a standalone federation server, you will need to create a DNS host record on
your internal DNS servers for the DNS name of your federation server.
If you are deploying a federation proxy array, you will need to create a DNS host record on your
perimeter DNS servers for the load-balanced DNS name of your AD FS proxy server array or your Web
Application Proxy server array.
If you are deploying a standalone federation proxy server, you will need to create a DNS host record
on your perimeter DNS servers for the DNS name of your AD FS proxy server or your Web Application
Proxy server.
If you are not deploying a federation proxy, you will need to create a DNS host record on your
perimeter DNS servers for the cluster DNS name of your NLB federation server farm, or for the DNS
name of your federation server.
Note: You should not use CNAME records for the federation service name.
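The network, certificate and DNS requirements above can be checked from each tier before the first sign-in attempt. The following script is an added example, not course code: run as Test-AdfsPrereqs.ps1 on a client, a Web Application Proxy server or a federation server, it confirms that the service name resolves to a host (A) record rather than a CNAME, that TCP 443 (and 49443 where user certificate authentication applies) is reachable, and that the SSL certificate on a federation server matches the service name and chains to a trusted root. It assumes the service name adfs.contoso.com (a placeholder) and the Resolve-DnsName and Test-NetConnection cmdlets (Windows 8.1 / Windows Server 2012 R2 or later).

```powershell
# Added example, not course code. Assumptions: placeholder service name; DnsClient and
# NetTCPIP modules available (Windows 8.1 / Windows Server 2012 R2 or later).
param(
    [string]$FederationServiceName = 'adfs.contoso.com',     # assumed federation service name
    [ValidateSet('Client','WebApplicationProxy','FederationServer')]
    [string]$Role = 'Client',
    [string]$ExpectedAddress = ''    # optional: the VIP this tier should see (farm VIP for a proxy)
)
$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
}

# 1. DNS: the name must resolve, and as a host (A) record. A CNAME breaks Windows Integrated
#    Authentication through the proxy because the Kerberos SPN is then derived from the canonical
#    name instead of the federation service name.
$records  = Resolve-DnsName -Name $FederationServiceName -ErrorAction SilentlyContinue
$aRecords = @($records | Where-Object Type -eq 'A')
$hasCname = [bool]($records | Where-Object Type -eq 'CNAME')
Add-Result 'Service name resolves' ($aRecords.Count -gt 0) ($aRecords.IPAddress -join ', ')
Add-Result 'Host (A) record, no CNAME' (-not $hasCname) $(if ($hasCname) { 'CNAME found' } else { 'ok' })
if ($ExpectedAddress) {
    # A proxy in the perimeter must resolve the name to the internal farm VIP (perimeter DNS or
    # HOSTS file); an Internet client must get the proxy VIP instead.
    Add-Result "Resolves to $ExpectedAddress" ($aRecords.IPAddress -contains $ExpectedAddress) "for role $Role"
}

# 2. Firewall: TCP 443 inbound on both firewalls; TCP 49443 only between clients and the proxy,
#    and only when user certificate authentication is used.
$ports = switch ($Role) {
    'Client'              { 443, 49443 }
    'WebApplicationProxy' { 443 }
    default               { @() }
}
foreach ($port in $ports) {
    $tnc = Test-NetConnection -ComputerName $FederationServiceName -Port $port -WarningAction SilentlyContinue
    Add-Result "TCP $port reachable" $tnc.TcpTestSucceeded "from $Role"
}

# 3. Certificate (federation server only): in LocalMachine\My with a private key, CN or SAN
#    matching the service name (exact or wildcard), and chaining to a root every client trusts.
if ($Role -eq 'FederationServer') {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.DnsNameList.Unicode | Where-Object { $FederationServiceName -like $_ })
    } | Select-Object -First 1
    Add-Result 'SSL certificate with private key' ($null -ne $cert) $(if ($cert) { $cert.Thumbprint } else { 'none' })
    if ($cert) { Add-Result 'SSL certificate chains to trusted root' $cert.Verify() $cert.Issuer }
}

$results | Format-Table -AutoSize
```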
Install AD FS
In Windows Server 2012 R2, AD FS 3.0 is installed from Server Manager as a role. The Server Manager
Configuration Wizard performs validation checks and automatically installs all the services required by
AD FS. The AD FS server role includes Windows PowerShell cmdlets that you can use to perform Windows
PowerShell–based deployment of AD FS servers and proxies.
To install the AD FS server role, use the Server Manager Add Roles and Features Wizard, and select the
AD FS server role. The Add Roles and Features Wizard automatically selects the .NET Framework, and
AD FS Management Tools features. No other features are required.
Configure AD FS
When the AD FS role is installed, the Add Roles and Features Wizard provides the option to start the
AD FS Configuration Wizard to configure the AD FS server. The steps in the AD FS Configuration Wizard
vary depending on whether you are creating the first federation server in a federation server farm or
adding a federation server to an existing federation server farm. You can also start the AD FS Configuration
Wizard from the Tools menu in Server Manager, or from the Start screen.
1. In the AD FS Configuration Wizard, select the option to Create the first federation server in a
federation server farm.
2. On the Connect to AD DS page, select the account that has domain administrator permissions to
AD DS. If the account that you use to install AD FS has the appropriate permissions, then leave the
default option and proceed. Otherwise, change it to the appropriate account. The account that you
select should not be the credentials of your service account.
3. On the Specify Service Properties page, select the corresponding certificate from the SSL certificate
list (or import the SSL certificate if you did not install it prior to installation), and then specify the
Federation Service Name of the federation server farm.
4. On the Specify Service Account page, specify the credentials of the appropriate service account for
AD FS.
5. On the Specify Configuration Database page, select the option either to create a database using
WID, or to specify the location, host name, and instance of an existing SQL Server database.
6. On the Review Options page, the wizard displays your selections, including your service account
actions.
o If you chose to use a WID database, the wizard notes that this is the primary server in the farm
and that the WID database is installed.
o If you chose to use an existing SQL Server database, the wizard will note that this will be the first
server in the server farm, and will provide the connection string details for connecting to SQL
Server to retrieve the configuration.
7. On the Pre-requisite Checks page, the wizard displays the results of the prerequisite check before
proceeding to the installation of AD FS.
Note: Alternatively, you can use the Windows PowerShell cmdlet Install-AdfsFarm to
deploy the first federation server in a federation server farm.
1. In the AD FS Configuration Wizard, select the Add a federation server to federation service farm
option.
2. On the Connect to AD DS page, select the account that has domain administrator permissions to
AD DS. If the account that you use to install AD FS has the appropriate permissions, then leave the
default option and proceed. Otherwise, change it to the appropriate account. The account that you
select should not be the credentials of your service account.
3. On the Specify Farm page, specify the name of the primary federation server in a farm using WID, or
specify the database host name and the instance name of an existing federation server farm using
SQL Server.
4. On the Specify SSL Certificate page, select the corresponding certificate from the SSL certificate list,
or import the SSL certificate if you did not install it prior to installation. As opposed to the other
installation option, you are not required to specify the federation service name of the federation
server farm. This is because the wizard is already aware of the federation service name based on
database information that you provided earlier.
5. On the Specify Service Account page, specify the credentials of the appropriate service account for
AD FS. The account you specify must be the same account as the one used on the primary federation
server in the farm.
6. On the Review Options page, the wizard displays your selections.
o If you chose to use an existing SQL Server database, the wizard notes the connection string
details for connecting to SQL Server to retrieve the configuration.
7. On the Pre-requisite Checks page, the wizard displays the results of the prerequisite check before
proceeding to the installation of AD FS.
Note: Alternatively, you can use the Windows PowerShell cmdlet Add-AdfsFarmNode to
add a federation server to a federation server farm.
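The two procedures above, expressed with the cmdlets the notes name. This is an added example, not code from the course; it assumes the federation service name adfs.adatum.com, a gMSA named ADATUM\adfs-svc$ (created by Install-AdfsFarm if it does not exist), a WID farm, and an SSL certificate already present in the computer's Personal store. The KDS root key check is included because a gMSA cannot be created without one.

```powershell
# Added example (not from the course text). Run elevated, as a domain
# administrator, on the server that will become the primary federation server.
# Assumed names: adfs.adatum.com (service name), ADATUM\adfs-svc$ (gMSA),
# adfs1.adatum.com (primary node used by Add-AdfsFarmNode).

Import-Module ADFS

$serviceName = 'adfs.adatum.com'      # assumed federation service name
$gmsa        = 'ADATUM\adfs-svc$'     # assumed gMSA identifier

# Locate the certificate by name instead of hard-coding a thumbprint, and
# fail early if it is missing, expired, or has no private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   ($_.Subject -like "CN=$serviceName*" -or
                    $_.DnsNameList.Unicode -contains $serviceName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $serviceName in LocalMachine\My" }

# gMSA passwords are derived from the KDS root key. A new key normally needs
# about 10 hours to replicate; back-dating the effective time is a lab-only
# shortcut, not something to do in a production forest.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# First federation server in the farm, WID configuration database.
Install-AdfsFarm `
    -CertificateThumbprint         $cert.Thumbprint `
    -FederationServiceName         $serviceName `
    -FederationServiceDisplayName  'Adatum Corporation' `
    -GroupServiceAccountIdentifier $gmsa `
    -Credential (Get-Credential -Message 'Domain administrator for AD DS changes')

# SQL Server variant: add a connection string instead of accepting WID, e.g.
#   -SQLConnectionString 'Data Source=sql1.adatum.com;Integrated Security=True'

# Each additional federation server: run on the new node. The service name is
# not supplied because the node copies its configuration from the primary;
# the certificate and service account must be the same as on the primary.
#
# Add-AdfsFarmNode `
#     -CertificateThumbprint         $cert.Thumbprint `
#     -PrimaryComputerName           'adfs1.adatum.com' `
#     -GroupServiceAccountIdentifier $gmsa `
#     -Credential (Get-Credential -Message 'Domain administrator')
```

Keeping the certificate lookup in the script rather than pasting a thumbprint means the same script works when the certificate is renewed, and the private-key check catches the common mistake of importing a .cer instead of a .pfx.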
Update AD FS
To ensure your AD FS environment is reliable and stable, you should install the recommended updates for
AD FS. After installing and configuring your AD FS federation servers, you can use Microsoft Update to
check for available updates.
Additional Reading: For more information on all the available updates for AD FS, refer to:
http://aka.ms/r8x4zf.
Certificates
The certificates that you use in the deployment should be obtained and installed into the Personal
certificate store (local computer) on the AD FS Proxy computer. The subject name (or a subject alternative
name) on each certificate must match the AD FS service name. When exporting certificates for use on the
AD FS Proxy, ensure that the private key is included in the export; a certificate without its private key
cannot terminate TLS. Once imported to the local computer Personal store, the certificate is ready for
binding in IIS as soon as IIS and the AD FS Proxy role are installed.
Load balancing
When you deploy two or more AD FS Proxy servers in an array, you will also need to configure them for
network load balancing. You can accomplish this with hardware, which is recommended for large
deployments, or with software, which is recommended for small to medium deployments. For software
load balancers, you can enable NLB for the AD FS Proxy array.
DNS
A DNS host record should also be configured on the DNS servers in the perimeter prior to installing
AD FS servers. Since the AD FS Proxy is typically placed in the perimeter network, it is recommended that
you:
Configure the proxy to use external DNS servers for external name resolution.
Add internal host names that the proxy needs to resolve, such as the internal AD FS farm, to the Hosts
file on the proxy, so that the proxy reaches the internal farm rather than its own public address.
Note: You should not use CNAME records for the AD FS proxy server name.
Install AD FS Proxy
In Windows Server 2012, AD FS proxies are installed from the Server Manager as a role, using the same
Server Manager Configuration wizard pages that were used to install AD FS servers. The configuration
wizard performs validation checks and automatically installs all the services required by the AD FS Proxy.
In a production environment, the AD FS proxy server should be placed in the perimeter network (also
known as screened subnet), not in the internal corporate LAN.
To install the AD FS proxy role, use the Server Manager Add Roles and Features Wizard, and select the
Active Directory Federation Services server role. The Add Roles and Features Wizard automatically
selects the .NET Framework, IIS, and Windows Process Activation Service features. On the Select role
services page, clear the Federation Service check box, and select the Federation Service Proxy check
box.
IIS runs once the role is installed successfully. The next task is to assign the public certificate to the default
website on the AD FS Proxy server, in order to secure the traffic between client computers and the
AD FS Proxy. (The connection from the proxy to the federation servers is protected by the federation
servers' own certificate, which the proxy must trust.) In IIS Manager, edit the site bindings, and in the SSL
certificate list, select the previously imported certificate.
Configure AD FS Proxy
When the AD FS Proxy role is installed, the AD FS Federation Services Proxy Configuration Wizard runs to
configure the AD FS Proxy server. You can run the AD FS Federation Services Proxy Configuration Wizard
from the Tools menu in Server Manager, or if you run FspConfigWizard.exe, which is located at
C:\Windows\ADFS\.
In the AD FS Federation Services Proxy Configuration Wizard, on the Specify Federation Service Name
page, verify that the correct federation service name is displayed. Click Test Connection to verify a
connection to the Federation Service, and enter credentials for the AD FS service account. These
credentials are necessary to establish a trust between this federation server proxy and the Federation
Service. By default, only the service account used by the Federation Service or a member of the local
BUILTIN\Administrators group can authorize a federation server proxy.
Update AD FS Proxy
To ensure your AD FS environment is reliable and stable, you should install the recommended updates for
the AD FS Proxy server. After you install and configure your AD FS Proxy servers, you can use Microsoft
Update to check for available updates.
Note: For more information on all the available updates for AD FS, refer to:
http://aka.ms/pkvgbq.
Additional Reading: For more information on customizing the proxy forms sign-in page,
see Customizing the AD FS forms based login page at: http://aka.ms/jyk1xa.
Non-Microsoft proxy
You might prefer to use another company’s proxy to publish the AD FS federation servers rather than
employ AD FS server proxies. If you plan to deploy a non-Microsoft proxy, it must be configured to do the
following:
Send an HTTP header named x-ms-proxy. The value of this header should be the DNS name of the
proxy host.
Send an HTTP header named x-ms-endpoint-absolute-path. The value of this header should be set to
the name of the proxy endpoint that receives the request.
If these headers are not configured, an AD FS 2.0 federation server proxy must be deployed behind the
non-Microsoft proxy.
Certificate
Because you cannot import the certificate during installation of Web Application Proxy, you need to
request the appropriate SSL certificate for Web Application Proxy from a publicly trusted CA prior
to deployment. Upon receiving the certificate from the CA, you must install it in the Personal certificate
store (local computer) on the Web Application Proxy server.
We recommend that you use the same SSL certificate on the Web Application Proxy as on the AD FS
federation server farm. It is required, not merely recommended, when you publish Windows Integrated
Authentication endpoints through the Web Application Proxy with Extended Protection for Authentication
enabled, because channel binding ties the authentication to the certificate the client sees. If this scenario
applies to your AD FS environment, export the SSL certificate (with its private key) from one of the
federation servers in the farm, and then import it into the Personal certificate store on the Web
Application Proxy server.
With either scenario, if you deploy more than one Web Application Proxy server in support of your AD FS
environment, you need to import the appropriate SSL certificate to each of the additional Web
Application Proxy servers prior to installing Web Application Proxy. This applies to wildcard certificates as
well.
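The export and import described above as an added example, not code from the course. It assumes the federation service name adfs.adatum.com and a file share \\fs1\certs that both the federation server and the Web Application Proxy servers can reach; the two functions are run on different hosts.

```powershell
# Added example (not from the course text). Copies the farm's SSL certificate,
# private key included, from a federation server into the Personal store of a
# Web Application Proxy server. Assumed names: adfs.adatum.com, \\fs1\certs.

function Export-AdfsSslCertificate {
    # Run on a federation server. Exports the certificate AD FS is actually
    # bound to (not just any matching certificate in the store) and returns
    # its thumbprint so the import side can verify it received the right one.
    param([string]$ServiceName, [string]$PfxPath, [securestring]$Password)
    Import-Module ADFS
    $thumb = (Get-AdfsSslCertificate | Where-Object HostName -eq $ServiceName |
              Select-Object -First 1).CertificateHash
    if (-not $thumb) { throw "AD FS has no SSL binding for $ServiceName" }
    $cert = Get-Item "Cert:\LocalMachine\My\$thumb"
    if (-not $cert.HasPrivateKey) { throw 'Private key not present; certificate cannot be copied' }
    # BuildChain includes the intermediates so the WAP host can build the chain too.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password -ChainOption BuildChain | Out-Null
    return $thumb
}

function Import-WapSslCertificate {
    # Run on each Web Application Proxy server, before Install-WebApplicationProxy.
    param([string]$PfxPath, [securestring]$Password, [string]$ExpectedThumbprint)
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $Password
    if ($cert.Thumbprint -ne $ExpectedThumbprint) { throw "Imported $($cert.Thumbprint), expected $ExpectedThumbprint" }
    if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)" }
    return $cert.Thumbprint
}

# Usage. On a federation server:
#   $pw = Read-Host -AsSecureString -Prompt 'PFX password'
#   Export-AdfsSslCertificate -ServiceName 'adfs.adatum.com' -PfxPath '\\fs1\certs\adfs-ssl.pfx' -Password $pw
# On each WAP server, with the thumbprint printed by the export:
#   Import-WapSslCertificate -PfxPath '\\fs1\certs\adfs-ssl.pfx' -Password $pw -ExpectedThumbprint '<thumbprint>'
# Delete the PFX from the share once every proxy has imported it.
```

Comparing thumbprints on the import side catches the case where an older or differently issued certificate with the same subject was picked up, which would otherwise only surface as a trust failure between the proxy and the farm.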
Load balancing
When you deploy two or more Web Application Proxy servers in an array, you will need to configure them
for NLB. You can accomplish this with hardware, which is recommended for large deployments, or with
software, which is recommended for small-to-medium deployments. For software load balancers, you can
enable NLB for the Web Application Proxy array.
DNS
You should configure a DNS host record on the perimeter DNS servers prior to installing the Web
Application Proxy server. Because the Web Application Proxy server is typically placed in the perimeter
network, we recommend that you:
Configure the Web Application Proxy server to use external DNS servers for external name resolution.
Add an internal hostname that the Web Application Proxy server needs to resolve, such as the
internal AD FS farm, to the Hosts file on the Web Application Proxy server.
Note: You should not use CNAME records for the Web Application Proxy server name.
To install the Web Application Proxy server role service, use the Server Manager Add Roles and Features
Wizard, and select the Remote Access server role. On the Role services page, select the Web Application
Proxy role service. The Add Roles and Features Wizard automatically installs the required features,
including the Remote Access Management Console.
Note: Alternatively, you can use the Windows PowerShell cmdlet Install-WindowsFeature
Web-Application-Proxy to install the Web Application Proxy server role service.
1. In the Remote Access Management console, select the option to run the Web Application Proxy
Configuration Wizard.
2. On the Federation Server page, specify the name of the federation service farm and use credentials
of an account with local administrator permissions on the AD FS federation servers.
3. On the AD FS Proxy Certificate page, select the appropriate SSL certificate to complete the
configuration.
Note: Alternatively, you can use the Windows PowerShell cmdlet Install-
WebApplicationProxy to configure Web Application Proxy for publishing AD FS.
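The DNS preparation, role installation and configuration above, combined into one script as an added example (not code from the course). It assumes the federation service name adfs.adatum.com, an internal load-balanced address 10.0.0.50 for the farm, and that the SSL certificate has already been imported into the proxy's Personal store.

```powershell
# Added example (not from the course text). Run elevated on the perimeter
# Web Application Proxy server. Assumed: adfs.adatum.com resolves externally
# to the proxy's public address, and the farm sits internally at 10.0.0.50.

$serviceName = 'adfs.adatum.com'
$internalVip = '10.0.0.50'   # assumed internal address of the AD FS farm or its VIP

# 1. Hosts-file entry so the proxy reaches the internal farm and not the
#    public address that external DNS returns for the same name.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hosts -Pattern "^\s*$internalVip\s+$serviceName\s*$" -Quiet)) {
    Add-Content -Path $hosts -Value "$internalVip`t$serviceName"
}
# Resolve-DnsName consults the hosts file, so this proves the override took effect.
$resolved = (Resolve-DnsName -Name $serviceName -Type A | Select-Object -First 1).IPAddress
if ($resolved -ne $internalVip) { throw "$serviceName resolves to $resolved, expected $internalVip" }

# 2. Install the role service (the equivalent of the Add Roles and Features Wizard).
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# 3. Select the certificate for the federation service name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $serviceName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Certificate for $serviceName not found in LocalMachine\My" }

# 4. Configure the proxy. The credential must be a local administrator on the
#    federation servers; it is used once to establish the proxy trust and is
#    not stored on the proxy, which is why the proxy need not be domain-joined.
Install-WebApplicationProxy `
    -FederationServiceName            $serviceName `
    -CertificateThumbprint            $cert.Thumbprint `
    -FederationServiceTrustCredential (Get-Credential -Message 'Local administrator on the AD FS servers')

# 5. Confirm the trust and the certificate the proxy is now serving.
Get-WebApplicationProxyConfiguration | Select-Object ADFSUrl, ADFSSignOutURL
Get-WebApplicationProxySslCertificate
```

The resolution check before installation is worth keeping: if the proxy resolves the service name to its own public address, the trust-establishment step loops back to the proxy and fails with an error that does not mention DNS.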
Note: For more information on all the available updates for AD FS, refer to:
http://aka.ms/n0uyfb.
To reduce deployment problems, Azure AD Connect guides you through a series of questions that simplify
setting up both synchronization and sign-in. Although you can deploy the synchronization and federation
tools separately, an optional part of Azure AD Connect can set up a hybrid environment that uses an
on-premises AD FS infrastructure. Use this option for the more complex requirements that federation
addresses, such as domain-joined SSO, enforcement of Active Directory sign-in policy, and smart card or
non-Microsoft MFA.
Configuring AD FS
The following requirements must be met before you can use Azure AD Connect to deploy AD FS:
A Windows Server 2012 R2 server for the federation server with remote management enabled.
A Windows Server 2012 R2 server for the Web Application Proxy server with remote management
enabled.
An SSL certificate for the federation service name that you intend to use (for example,
adfs.adatum.com).
Create a new AD FS farm or use an existing AD FS farm. During deployment, you can specify an
existing AD FS farm or you can choose to create a new AD FS farm. If you choose to create a new
AD FS farm, you are required to provide the SSL certificate. If the SSL certificate is protected by a
password, you are prompted to provide the password.
Deploy one or more AD FS federation servers. You can deploy one or more AD FS federation servers
by identifying the specific servers on which you want to install AD FS. The servers must be joined to
an Active Directory domain prior to performing this configuration. You can deploy additional AD FS
federation servers when you rerun Azure AD Connect, based on your capacity planning needs.
Deploy one or more Web Application Proxy servers. You can deploy one or more Web Application
Proxy servers when you identify the specific servers on which you want to install the Web Application
Proxy. Since the Web Application Proxy is deployed in your perimeter network, the server running
Azure AD Connect requires remote access to the server. You can deploy additional Web Application
Proxy servers when you rerun Azure AD Connect, based on your capacity planning needs. If you
choose to deploy Web Application Proxy servers, you are required to provide the credentials of a
local admin on the AD FS federation server for the Web Application Proxy to request a certificate
from the AD FS federation server.
Configure the AD FS service account. You can configure the domain service account that is required
by the AD FS federation service to authenticate users and look up user information in AD DS. You can
use this feature to configure the two types of service accounts supported by AD FS:
o gMSA. This type of service account allows AD FS to use a single service account without needing
to update the account password periodically. The gMSA requires a Windows Server 2012 domain
controller (and a KDS root key) in the Active Directory domain to which the AD FS servers are joined.
If you are logged in as a domain administrator, Azure AD Connect automatically creates the gMSA.
o Domain User Account. Based on your company’s security policies, this type of service account
might require you to periodically update the password. This option is limited only to selecting an
existing domain user account scenario. Azure AD Connect does not create the domain user
account if the account does not exist in AD DS.
Configure the federated Azure AD domain. This configuration is used to set up the federation
relationship between your AD FS environment and Azure AD. It configures AD FS to issue security
tokens to Azure AD, and configures Azure AD to trust the tokens from AD FS federation service. While
this option limits you to configuring a single domain the first time you install Azure AD Connect, you
can configure additional domains at any time when you rerun the Azure AD Connect installation
wizard.
If you are deploying more than one AD FS server or Web Application Proxy server, ensure that you
have configured your load balancer and that the DNS records for the AD FS federation service name
point to the load balancer.
For Windows Integrated Authentication to work properly for clients using Internet Explorer on your
intranet, ensure that the AD FS federation service name is added to the Local intranet zone in Internet
Explorer on each client; otherwise the browser falls back to forms authentication. You can manage this
via Group Policy, deploying the setting to all your domain-joined computers.
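The Group Policy setting described above, as an added example that is not part of the course. It assumes a GPO named "AD FS Intranet Zone", a Workstations OU in adatum.com, and the federation service name adfs.adatum.com; the registry locations are those used by the "Site to Zone Assignment List" policy.

```powershell
# Added example (not from the course text). Adds the federation service name to
# the Local intranet zone on domain-joined clients through Group Policy, so
# Internet Explorer sends Windows Integrated Authentication to AD FS.
# Assumed names: GPO "AD FS Intranet Zone", OU=Workstations,DC=adatum,DC=com.

Import-Module GroupPolicy

$gpoName     = 'AD FS Intranet Zone'
$serviceName = 'adfs.adatum.com'
$policyKey   = 'HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target 'OU=Workstations,DC=adatum,DC=com' | Out-Null
}

# The policy "Site to Zone Assignment List" is stored as one value per site
# under ZoneMapKey; the data is the zone number, and 1 is Local intranet.
# ListBox_Support_ZoneMapKey = 1 tells the policy engine the list is in use.
Set-GPRegistryValue -Name $gpoName -Key $policyKey `
    -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$policyKey\ZoneMapKey" `
    -ValueName "https://$serviceName" -Type String -Value '1' | Out-Null

# Review what the GPO now carries; on a client, run gpupdate /force and check
# Internet Options > Security > Local intranet > Sites > Advanced.
Get-GPRegistryValue -Name $gpoName -Key "$policyKey\ZoneMapKey"
```

Scoping the entry to https:// rather than the bare host name keeps a plain-HTTP name from being treated as intranet, which matters because the intranet zone also relaxes several other browser protections.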
MFA
You can specify an authentication policy at a global scope that is applicable to all applications and
services that are secured by AD FS. You also can set authentication policies for specific applications and
services (relying party trusts) that are secured by AD FS. If either the global authentication policy or the
relying party trust authentication policy requires MFA, MFA is triggered when the user tries to
authenticate to the relying party trust.
When you configure MFA in AD FS, you choose the conditions that trigger it:
o You can require MFA for specific users and groups in the Active Directory domain to which your
federation server is joined.
o You can require MFA for either registered (workplace joined) or unregistered (not workplace
joined) devices.
o You can require MFA when the access request for the protected resources comes from either the
extranet or the intranet.
To support Workplace Join, you must enable the Device Registration Service with the following Windows
PowerShell cmdlets:
Permit All Users. When you use the Permit All Users rule template, all users will have access to the
relying party. However, you can use additional authorization rules to further restrict access.
Permit access to users with this incoming claim. When you use the Permit or Deny Users Based on an
Incoming Claim rule template to create a rule and set the condition to permit, you can permit specific
user’s access to the relying party based on the type and value of an incoming claim. For example, you
can use this rule template to create a rule that will permit only users that have a group claim with a
value of Domain Users.
Deny access to users with this incoming claim. When you use the Permit or Deny Users Based on an
Incoming Claim rule template to create a rule and set the condition to deny, you can deny user’s
access to the relying party based on the type and value of an incoming claim. For example, you can
use this rule template to create a rule that will deny all users that have a group claim with a value of
Domain Admins.
Note: If one rule permits a user to access the relying party, and another rule denies the user
access to the relying party, the deny rule overrides the permit rule and the user is denied access
to the relying party.
Just a few of the scenarios where you might configure conditional access control include:
Block all extranet client access to Office 365, except for devices accessing Exchange Online for
Exchange ActiveSync.
Block all extranet client access to Office 365, except for members of specific Active Directory groups.
Permit access to Office 365, but only if the access request is coming from a workplace-joined device
that is registered to the user.
Permit access to Office 365, but only if the user’s identity was validated with MFA.
Permit access to Office 365, but only if the access request is coming from a workplace-joined device
that is registered to a user whose identity has been validated with MFA.
Note: For more information about limiting access to Office 365 services based on the
location of the client, refer to: http://aka.ms/gs1054.
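Three of the scenarios above, written in the AD FS claim rule language and applied with the AD FS module. This is an added example, not code from the course; it assumes the relying party trust has the default name that Convert-MsolDomainToFederated creates, "Microsoft Office 365 Identity Platform", and a gMSA ADATUM\adfs-svc$ for the Device Registration Service.

```powershell
# Added example (not from the course text). Run on the primary federation server.
# Assumed: relying party "Microsoft Office 365 Identity Platform" (the default
# name), gMSA ADATUM\adfs-svc$ for the Device Registration Service.

Import-Module ADFS
$rp = 'Microsoft Office 365 Identity Platform'

# Prerequisite for device-based rules: the Device Registration Service.
# Initialize once per forest, then enable on each federation server.
# Initialize-ADDeviceRegistration -ServiceAccountName 'ADATUM\adfs-svc$'
# Enable-AdfsDeviceRegistration

# 1. Global MFA policy: require MFA for every relying party when the request
#    comes from the extranet. "insidecorporatenetwork" is false when the
#    request arrived through Web Application Proxy.
$globalMfa = @'
@RuleName = "MFA for all extranet requests"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $globalMfa

# 2. Issuance authorization rules for Office 365: block extranet access except
#    Exchange ActiveSync, then permit everyone else. A deny claim overrides a
#    permit claim, so the order of the two rules does not weaken the block.
$authz = @'
@RuleName = "Deny extranet access except Exchange ActiveSync"
EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]) &&
NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit all users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName $rp -IssuanceAuthorizationRules $authz

# 3. Per-relying-party MFA: extranet requests skip MFA only when the device is
#    workplace joined and registered to the user who is signing in.
$rpMfa = @'
@RuleName = "MFA from the extranet unless the device is registered to the user"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] &&
NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName $rp -AdditionalAuthenticationRules $rpMfa

# Review what is now in effect for the trust and globally.
(Get-AdfsRelyingPartyTrust -Name $rp).IssuanceAuthorizationRules
(Get-AdfsRelyingPartyTrust -Name $rp).AdditionalAuthenticationRules
Get-AdfsAdditionalAuthenticationRule
```

Each Set-* call replaces the whole rule set for that property, so keep the rules in source control and apply the complete set every time rather than editing one rule in the console and another from a script.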
Best practices
Consider the following best practices when installing and managing AD FS proxies:
AD FS Proxy should not be domain joined, as this would negate one of the key benefits of the AD FS
Proxy in providing a security separation between your on-premises AD DS and external clients.
AD FS Proxy should be placed in the perimeter network and not in an internal LAN, to help ensure
the integrity of the security separation between internal AD DS and external clients.
Use the AD FS Capacity Planning Sizing spreadsheet to ensure that your AD FS Proxies are able to
support the number of external clients that require authentication against the corporate AD DS.
Design a high availability AD FS infrastructure that includes highly available proxies, to ensure that
external clients are always able to authenticate against the corporate AD DS.
Do not mix AD FS Proxy and other roles on the same server, to help ensure the availability and
security of AD FS.
Develop test cases for all browsers, and for internal and external clients, to ensure that all users can
use SSO from all supported devices.
Ensure that all hotfixes and the .NET Framework version are up to date.
Ensure that certificates are configured correctly, and are exported and backed up to include the
private key.
Additional Reading: For more information on how to download and install the cmdlets for
Azure AD Module for Windows PowerShell, refer to: http://aka.ms/lq99g4.
Note: Setting up the trust is a one-time operation, per domain. If your environment
includes a subdomain (for example, corp.adatum.com) in addition to a top-level domain (for
example, adatum.com), then you should add the top-level domain in your cloud service before
you add any subdomains. When the top-level domain is enabled for SSO, all subdomains are
automatically enabled as well.
When you convert an existing domain to a federated domain, every licensed user in Office 365 becomes a
federated user. This means your users will specify their existing on-premises AD DS credentials to access
their cloud services in Office 365. You should use one of the following procedures to configure your
federated trust with Office 365, depending on whether you need to add a new SSO domain or convert an
existing domain with standard authentication to federated authentication.
When adding a new domain as a federated domain, you should use the Windows PowerShell cmdlet
New-MsolFederatedDomain to enable support for SSO. You should issue all of the following cmdlets in
the Microsoft Azure Active Directory Module for Windows PowerShell as follows:
When converting an existing domain from a domain with standard authentication to federated
authentication, you use the Windows PowerShell cmdlet Convert-MsolDomainToFederated to enable
support for SSO. You should issue all of the following cmdlets in the Microsoft Azure Active Directory
Module for Windows PowerShell as follows:
Note: If you need to support multiple top-level domains, you must use the
SupportMultipleDomain switch with the federated domain cmdlets. This includes
the New-MsolFederatedDomain cmdlet when adding a SSO domain, in addition to the
Convert-MsolDomainToFederated and Update-MsolFederatedDomain cmdlets when
converting to a SSO domain.
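The two procedures above (adding a new federated domain and converting an existing one) with the Azure AD Module cmdlets the text names, as an added example that is not part of the course. It assumes the primary federation server adfs1.adatum.com, the domain adatum.com already verified in the tenant, and a second verified domain contoso.com served by the same farm.

```powershell
# Added example (not from the course text). Run from a computer with the Azure
# AD Module for Windows PowerShell (MSOnline) that can reach the primary
# federation server. Assumed names: adfs1.adatum.com, adatum.com, contoso.com.

Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 global administrator')

# Point the federation cmdlets at the primary federation server; the log file
# records each change made to AD FS and to the tenant.
Set-MsolADFSContext -Computer 'adfs1.adatum.com' -LogFile 'C:\Logs\msol-federation.log'

$domain  = 'adatum.com'
$current = Get-MsolDomain -DomainName $domain
if ($current.Status -ne 'Verified') { throw "$domain is not verified in the tenant" }

switch ($current.Authentication) {
    # Existing domain with standard authentication: convert it.
    'Managed'   { Convert-MsolDomainToFederated -DomainName $domain -SupportMultipleDomain }
    'Federated' { Write-Host "$domain is already federated" }
}

# A domain that does not yet exist in the tenant is added as federated instead;
# the cmdlet returns the DNS TXT record to publish, and is rerun after verification.
#   New-MsolFederatedDomain -DomainName 'contoso.com' -SupportMultipleDomain

# Every additional top-level domain on the same farm needs -SupportMultipleDomain,
# and so does the first one, or the later additions fail.
#   Convert-MsolDomainToFederated -DomainName 'contoso.com' -SupportMultipleDomain

# Verify the trust from both sides: what the tenant stored, and what the farm
# reports. The IssuerUri and the signing certificate must agree.
Get-MsolDomainFederationSettings -DomainName $domain |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri
Get-MsolFederationProperty -DomainName $domain
```

Checking Authentication before converting avoids the error (and the partial relying-party-trust changes) that result from converting a domain that is already federated.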
Managing an AD FS deployment
Although AD FS is deployed to support SSO without much administrative overhead, after you deploy AD FS
there are many management tasks that you might need to perform periodically. While there are other
tasks, here are a few of the most common ones.
You can use the AD FS Management console to view certificate expiration dates for the service
communications, token-decrypting, and token-signing certificates. In the console tree, expand Service,
and then click Certificates. You also can view certificate details with the Windows PowerShell cmdlet
Get-AdfsCertificate from the AD FS module on a federation server.
If you prefer to use automatic certificate rollover for managing the life cycles of your certificates, you will
need to enable the feature in AD FS and install the Microsoft Office 365 Federation Metadata Update
Automation Installation Tool. This feature is enabled in AD FS with the Set-ADFSProperties Windows
PowerShell cmdlet. After installing the tool, you can use the Update-MsolFederatedDomain Windows
PowerShell cmdlet to automatically update the Office 365 service when the AD FS token-signing
certificate renews on an annual basis. This tool should be run as a daily scheduled task on the AD FS
server; otherwise, token-signing certificate renewal on the AD FS server must be monitored manually. The
update tool script scheduled task should only be run on one AD FS server in a federation server farm.
Additional Reading: To learn more about and download the Microsoft Office 365
Federation Metadata Update Automation Installation Tool, go to: http://aka.ms/i1hw8d.
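An added example (not code from the course or from the update tool) of the checks the passage describes: listing AD FS certificate lifetimes, confirming automatic rollover, and comparing the token-signing certificate that Office 365 trusts with the farm's current one, pushing an update only when they differ. It assumes the domain adatum.com and an existing Connect-MsolService session, and is run on the primary federation server.

```powershell
# Added example (not from the course text). Run on the primary federation
# server with the MSOnline module already connected. Assumed domain: adatum.com.

Import-Module ADFS

function Get-AdfsCertificateExpiry {
    # One row per AD FS certificate with the remaining lifetime in days.
    Get-AdfsCertificate | ForEach-Object {
        [pscustomobject]@{
            Type       = $_.CertificateType
            IsPrimary  = $_.IsPrimary
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.Certificate.NotAfter
            DaysLeft   = [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays
        }
    }
}

Get-AdfsCertificateExpiry | Sort-Object DaysLeft | Format-Table -AutoSize

# Automatic rollover creates new token-signing and token-decrypting
# certificates ahead of expiry (CertificateGenerationThreshold days) and
# promotes them later (CertificatePromotionThreshold days). It does not tell
# Office 365 about them; that is what the daily Update-MsolFederatedDomain is for.
$props = Get-AdfsProperties
if (-not $props.AutoCertificateRollover) {
    Set-AdfsProperties -AutoCertificateRollover $true
}
$props | Select-Object AutoCertificateRollover, CertificateGenerationThreshold, CertificatePromotionThreshold

# Does the tenant still trust the farm's primary token-signing certificate?
$farmSigning = (Get-AdfsCertificate -CertificateType Token-Signing |
                Where-Object { $_.IsPrimary }).Certificate
$tenant = Get-MsolDomainFederationSettings -DomainName 'adatum.com'
$tenantSigning = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                    [Convert]::FromBase64String($tenant.SigningCertificate))

if ($tenantSigning.Thumbprint -ne $farmSigning.Thumbprint) {
    Write-Warning "Tenant trusts $($tenantSigning.Thumbprint); farm signs with $($farmSigning.Thumbprint). Updating."
    Set-MsolADFSContext -Computer $env:COMPUTERNAME
    Update-MsolFederatedDomain -DomainName 'adatum.com' -SupportMultipleDomain
} else {
    "Tenant and farm agree on token-signing certificate $($farmSigning.Thumbprint)"
}
```

Comparing thumbprints rather than dates is the check that matters: a tenant still holding the old signing certificate after promotion rejects every token the farm issues, which presents to users as a sign-in loop rather than a certificate error.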
For example, if you wanted to change the primary federation server AdfsServer1 to the secondary
federation server AdfsServer2 you would use the following procedure:
1. Identify the secondary federation server (AdfsServer2) that will become the primary federation server.
2. From the secondary federation server (AdfsServer2), at a Windows PowerShell prompt with the AD FS
module loaded, type the command that sets the server's role to primary, and then press Enter.
3. From the primary federation server (AdfsServer1), at a Windows PowerShell prompt with the AD FS
module loaded, type the command that sets the server's role to secondary and names AdfsServer2 as
the primary computer, and then press Enter.
The primary federation server becomes a secondary federation server with a read-only WID database, and
the secondary federation server becomes the primary federation server with a read/write WID database
from which other secondary federation servers retrieve their database copies.
Note: Switching AD FS federation server roles does not apply if SQL Server is used as the
AD FS configuration database store. This is because all AD FS federation servers have read/write
access to the SQL Server database.
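The role switch above as an added example (not code from the course), using the server names from the text and a fan-out check at the end to confirm that exactly one server reports the primary role.

```powershell
# Added example (not from the course text). WID farms only, as the note says.
# Server names are the ones used in the procedure; adatum.com is assumed.

Import-Module ADFS

# Step 2: on AdfsServer2, the secondary that is to become primary.
Set-AdfsSyncProperties -Role PrimaryComputer

# Step 3: on AdfsServer1, the old primary, which now pulls from AdfsServer2.
Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName 'AdfsServer2.adatum.com'

# Any other secondaries (AdfsServer3, ...) must be repointed the same way, or
# they keep polling AdfsServer1, whose database is now read-only and stale.
#   Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName 'AdfsServer2.adatum.com'

# Verification from any admin workstation: one PrimaryComputer, and every
# secondary's LastSyncStatus should be 0 after the next poll (default 300 s).
$farm = 'AdfsServer1.adatum.com', 'AdfsServer2.adatum.com'
$state = Invoke-Command -ComputerName $farm -ScriptBlock { Get-AdfsSyncProperties }
$state | Select-Object PSComputerName, Role, PrimaryComputerName, PollDuration,
                       LastSyncStatus, LastSyncFromPrimaryComputerName | Format-Table -AutoSize

$primaries = @($state | Where-Object { $_.Role -eq 'PrimaryComputer' })
if ($primaries.Count -ne 1) { Write-Warning "Expected one primary, found $($primaries.Count)" }
```

Run the promotion on the new primary before demoting the old one; doing it in the other order leaves a window with no writable configuration database.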
Verifying SSO
After deploying SSO, you should verify that it is working properly. Because SSO uses multiple layers of
services, systems and applications to provide users with an SSO experience, you might need to use various
tools and methods to validate the SSO functionality, and then diagnose issues with more tools and
methods, if required.
From the different operating systems that you use in your company.
Additional Reading: For more information about the access to the Microsoft RCA tool,
refer to: http://aka.ms/bz5gll.
Upon accessing the website, select the Office 365 tab, select Microsoft Single Sign-On, and then click
Next. Follow the screen prompts to perform the test. The analyzer validates your ability to sign in to the
cloud service with your on-premises AD DS credentials, and validates some basic AD FS configuration.
You can access the Microsoft Connectivity Analyzer tool from the Microsoft Remote Connectivity Analyzer
website. Upon accessing the website, select the Client tab. The tool is available under the More Tools
section. One of the test scenarios of the tool is I can’t log on with Office Outlook. This test is equivalent
to the Microsoft Remote Connectivity Analyzer test for “Outlook Anywhere (RPC over HTTP),” and
includes an option to run the SSO test that is available on the Parameters page.
In addition, you might need to verify access to the Federation Service on the AD FS server from another
computer. Using an Internet browser from a separate computer, try to navigate to the federation
metadata website. For example, if your federation service name is fs.adatum.com, try to navigate to
https://fs.adatum.com/federationmetadata/2007-06/federationmetadata.xml.
Note: If you have not imported the root CA certificate to this computer’s trusted root
certificates store you could receive a certificate error. If you click Continue to this web site (not
recommended), you should see the AD FS metadata.
Using an Internet browser from a separate computer, try to navigate to the IdP-initiated sign-in
page. For example, if your federation service name is fs.adatum.com, try to navigate to
https://fs.adatum.com/adfs/ls/idpinitiatedsignon.htm. This should display the AD FS sign-in page.
Note: If you have not imported the root CA certificate to this computer's trusted root
certificates store, you could get a certificate error. If you click Continue to this web site (not
recommended), you should be able to sign in with a domain user's credentials with no errors. Use a
standard test account for this rather than a privileged account such as domain\administrator.
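The same checks done from a script instead of a browser, as an added example that is not part of the course. It assumes the federation service name fs.adatum.com. Certificate errors are deliberately left to surface rather than bypassed: from a client's point of view an untrusted chain is a failed deployment, not a warning to click through.

```powershell
# Added example (not from the course text). Run from a computer that is not a
# federation server or proxy. Assumed federation service name: fs.adatum.com.

$serviceName = 'fs.adatum.com'
$metadataUrl = "https://$serviceName/FederationMetadata/2007-06/FederationMetadata.xml"
$signOnUrl   = "https://$serviceName/adfs/ls/idpinitiatedsignon.htm"

function Test-AdfsEndpoint {
    # Returns status and success for one URL; a TLS chain failure shows up
    # here as an error message rather than being suppressed.
    param([string]$Uri)
    try {
        $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{ Uri = $Uri; Status = $r.StatusCode; Ok = ($r.StatusCode -eq 200) }
    } catch {
        [pscustomobject]@{ Uri = $Uri; Status = $_.Exception.Message; Ok = $false }
    }
}

$meta   = Test-AdfsEndpoint $metadataUrl
$signOn = Test-AdfsEndpoint $signOnUrl
$meta, $signOn | Format-Table -AutoSize
if (-not $meta.Ok) { throw 'Federation metadata not reachable; check DNS, the proxy and the certificate chain' }

# Read the metadata: the entity ID is what Azure AD stores as IssuerUri, and
# the signing certificates are the ones tokens will be validated against.
[xml]$xml = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

"Entity ID: " + $xml.DocumentElement.GetAttribute('entityID')
$xml.SelectNodes("//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns) |
    ForEach-Object {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                [Convert]::FromBase64String($_.InnerText.Trim()))
        [pscustomobject]@{ Subject = $c.Subject; Thumbprint = $c.Thumbprint; NotAfter = $c.NotAfter }
    } | Format-Table -AutoSize
```

Running this from both an internal client and an external one (through the proxy) gives two data points: the internal run validates the farm and the external run validates the proxy and the public DNS records, and the entity ID and thumbprints must be identical in both.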
Objectives
After completing this lab, you should be able to:
Lab Setup
Estimated Time: 75 minutes
Password: Pa$$w0rd
LON-DS1
LON-WAP1
LON-CL1
3. In the Adatumyyxxxxx.hostdomain.com zone, create a host record with a blank name using the
external IP address provided to you by the hosting partner.
4. Create another host record with a blank name using the IP address for LON-DS1 that you recorded in
Step 1.
2. Run the following command to create the Key Distribution Services root key to generate group
Managed Service Account passwords for the account that will be used later in this lab.
3. Use Server Manager to access the Add Roles and Features Wizard for installing the Active Directory
Federation Services server role.
4. After installing, in the Active Directory Federation Services Configuration Wizard, configure the
following settings:
o For the SSL Certificate, use the wild card certificate provided by the hosting provider.
2. Use Server Manager to access the Add Roles and Features Wizard for installing the Web
Application Proxy role service from the Remote Access server role.
2. In the Web Application Proxy Configuration Wizard, on the Welcome page, click Next.
4. In Internet Explorer, open the following URL, replacing adatumyyxxxxx with your unique Adatum
domain name, to verify that the federation service is available:
https://Adatumyyxxxxx.hostdomain.com/adfs/fs/federationserverservice.asmx
Note: The expected output is a display of XML with the service description document. If
this page displays, then the federation server is operational and serving the federation service endpoints.
Results: After completing this exercise, you should have deployed the AD FS server in a federation server
farm, and deployed the Web Application Proxy server to support AD FS.
Results: After completing this exercise, you should have enabled a federation trust between your on-
premises Active Directory domain and Office 365 through your AD FS federation server, and you should
have converted your domain for federated authentication in Office 365.
2. Type brad@adyyxxxxx.hostdomain.com, and verify that you are redirected to the Adatum sign in
page.
3. Sign in as Brad and verify that you can connect to Office 365.
o Password: Pa$$w0rd
3. Verify that you are redirected to the Adatum Corporation sign-in page.
4. Review the Office 365 page for Francisco Chaves, and then close the Web browser window.
Results: After completing this exercise, you should have verified SSO authentication to Office 365 for a
user on your corporate network and for a user on your host computer that is connected to the Internet.
Lesson 4
Planning and implementing hybrid solutions (Optional)
After deploying your federation service to support Office 365 services, you can begin configuring your on-
premises services to integrate with Office 365. Many of the on-premises server products can be
configured for a hybrid deployment, including Exchange Server, Skype for Business Server, and SharePoint
Server.
Lesson Objectives
After completing this lesson, you should be able to:
Describe the hybrid solution for Exchange Server, and explain how to configure it.
Describe the hybrid solution for Skype for Business Server, and explain how to configure it.
Describe the hybrid solution for SharePoint Server, and explain how to configure it.
A hybrid deployment provides you with the ability to extend the administrative control that you have
currently with your existing on-premises Microsoft Exchange organization to the cloud. A hybrid
deployment provides the same look and feel of a single Exchange Server organization, but between an
on-premises Exchange Server 2013 organization and Exchange Online in Microsoft Office 365. In addition,
a hybrid deployment can serve as an intermediate step to moving completely to an Exchange Online
organization.
Although not a requirement for hybrid deployments, we strongly recommend that you plan for SSO in
your on-premises organization to make the account authentication experience familiar for users in a
hybrid deployment. In addition to users not having to sign in multiple times and having to remember
additional passwords when accessing the Office 365 organization, SSO offers the following benefits:
Exchange Online Archiving. When you deploy SSO in Exchange 2013 organizations, on-premises
Outlook users are prompted for their credentials when accessing archived content in the Exchange
Online organization for the first time. However, users can temporarily avoid future credential
prompting when they choose Save Password, in which case they are prompted for credentials again
only when their on-premises account password changes. If SSO is not deployed in Exchange 2013
organizations and Exchange Online Archiving is enabled, the on-premises UPN must match their
Exchange Online account, and users will always be prompted for their on-premises credentials when
accessing their archive.
Policy control. You can control account policies through AD DS, which gives you the ability to
manage password policies, workstation restrictions, lockout controls, and more, without having to
perform additional tasks in the Office 365 organization.
Access control. You can restrict access to Office 365 so that the services can be accessed through the
corporate environment, through online servers, or both.
Reduced support calls. Forgotten passwords are a common source of support calls in all companies. If
users have fewer passwords to remember, they are less likely to forget them.
Security. User identities and information are protected because all the servers and services used in
SSO are administered and controlled within the on-premises organization.
Support for strong authentication. You can use strong authentication (also called two-factor
authentication) with Office 365. However, if you do use strong authentication, your users also must use
SSO. There are also some restrictions on the use of strong authentication.
o Upgrade from mixed Exchange Server 2010 and Exchange Server 2013 to Exchange Server 2016
The following deployment scenarios are available for Exchange Server 2013:
o Upgrade from mixed Exchange Server 2007 and Exchange Server 2010 to Exchange Server 2013
o Upgrade from mixed Exchange Server 2003 and Exchange Server 2007 to Exchange Server 2010
The following scenarios are available for migrating email to Exchange Online and Office 365:
Exchange migrations:
o Cutover
o Staged
o IMAP
Non-Microsoft migration
o IMAP
Exchange Server in a hybrid configuration has differing levels of compatibility with the various Office 365
tenant versions. This difference leads to specific requirements for the gateway server that provides the
connection to Exchange Online. The following table summarizes these requirements for the Exchange
Server hybrid version 15 (formerly Wave 15) tenant.
** Requires at least one on-premises Exchange Server 2010 service pack 3 (SP3) server
*** Requires at least one on-premises Exchange Server 2013 cumulative update 1 (CU1) or later
3. Configure DNS resource records. All Skype for Business clients must connect to the on-premises
Skype for Business Server environment to determine whether a user is located in an on-premises pool
or in the cloud. This means that you must configure the following DNS resource records to reference
your on-premises deployment:
o Lyncdiscover.adatum.com
o _sip._tls.adatum.com
o _sipfederationtls._tcp.adatum.com
4. Deploy an Edge Server and enable federation. You must implement external access to your on-
premises Skype for Business deployment, and configure federation with external Skype for Business
organizations. You also must enable federation with external Skype for Business organizations on
your Skype for Business Online tenant.
5. Verify that the blocked and allowed domains for federation are identical in both the on-premises
environment and the online environment.
13-54 Planning and configuring identity federation
When you configure a Skype for Business hybrid deployment, you enable coexistence between your on-
premises deployment of Skype for Business Server and Skype for Business Online. The coexistence
includes the following features that you should consider:
Directory synchronization. For the two Skype for Business environments to share the same SIP
domains, both environments need to be aware of all users and the home Front End pool for all users.
To enable this, you must configure directory synchronization so that user information synchronizes
from on-premises AD DS to Azure AD.
User authentication. Depending on where users are located, they need to authenticate in the on-
premises Skype for Business Server environment or to the Skype for Business Online environment. To
simplify the user experience, you can configure SSO so that users’ domain credentials are used when
connecting to the Skype for Business Online environment as well. Deploying SSO requires you to
deploy some type of federation server in the on-premises environment.
Skype for Business Edge Server deployment. You must configure a Skype for Business Edge Server
deployment before you enable hybrid mode. All communication that relates to Skype for Business
traverses an Edge Server deployment.
Federation. A hybrid deployment uses federation to enable communication between the two Skype
for Business environments. You must enable an on-premises Skype for Business environment to allow
federation.
Client connectivity. In a hybrid deployment, client computers and mobile devices will always connect
first to the on-premises Skype for Business environment, and then they will redirect to Skype for
Business Online, if the users are located on Skype for Business Online. To enable client connectivity, all
DNS resource records that clients use must point to the on-premises deployment.
Cloud services such as SharePoint Online in Office 365 can be an attractive alternative to on-premises
SharePoint business solutions. However, for a variety of reasons, you might want or need to deploy
specific solutions in the cloud while maintaining your on-premises SharePoint Server 2013 farm. For
example, many enterprises must keep certain data and information systems on-premises or within their
geopolitical boundaries to satisfy compliance regulations or legal policies. Some enterprises might plan to
move their existing SharePoint Server 2013 content and services to the cloud gradually, using a staged
migration in which SharePoint Server 2013 workloads are moved to SharePoint Online one at a time.
One-way inbound. This option enables SharePoint Online to request data from a SharePoint Server
2013 web application. In order for inbound data connections to occur, a web application in
SharePoint Server 2013 must be published to the Internet with an Internet-routable URL.
One-way outbound. This option supports only trusted connections from SharePoint Server 2013 to a
SharePoint Online web application. Because web applications in SharePoint Online are configured
already with an Internet-routable URL, SharePoint Server 2013 can connect directly through an
existing corporate firewall or forward proxy like any other request to an Internet server.
Two-way. This option enables SharePoint Online to make authenticated connections to the on-
premises SharePoint Server 2013 farm and lets the on-premises SharePoint Server 2013 farm make
authenticated connections to SharePoint Online.
Service Integration. Productivity service integration between SharePoint Server 2013 and SharePoint
Online services such as Search, Business Connectivity Services (BCS), and Duet Enterprise Online is
dependent on new features and integration support included in SharePoint Server 2013.
Search.
o With outbound hybrid search, users will be able to see search results from Office 365 for
enterprises when they perform a search in SharePoint Server.
o With inbound hybrid search, users will be able to see search results from SharePoint Server 2013
when they perform a search in Office 365 for enterprises.
Sites. With hybrid sites features, you can integrate parts of your site navigation between SharePoint
Server and Office 365 for enterprises.
OneDrive for Business. With hybrid OneDrive for Business, users will be redirected to OneDrive for
Business in Office 365 when they click the OneDrive link in SharePoint Server.
Business Connectivity Services (BCS). With hybrid BCS, you can leverage your existing BCS solutions to
allow connections to your SharePoint Server data sources from SharePoint Online.
Duet Enterprise Online. With Duet Enterprise Online, users can view and change information that is
stored in third-party workflow applications from within SharePoint sites.
Review Question
Question: As you might have experienced, when a user authenticates to AD FS for accessing
online services, they are required to authenticate the first time. On subsequent attempts to
the same online services, they are not required to authenticate because the client will present
the same token again – up to the lifetime of the token.
While all clients (internal/external) will eventually have to request a new token, your
organization’s security policies require that external users request a new token at least once
every 5 minutes and internal users request a new token at least once every 10 minutes.
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.
4. For Step 1, in the Welcome, let’s get to know you page, complete the following fields. Regardless of
your location, use the following information:
o Business email address: (use your new Microsoft account that you created for this course)
o Business phone number: Your mobile phone number, including international code for your current
country
6. For Step 2, on the Create your user ID page, you have to create a unique domain for the Company
name to use in the course. Use the Adatumyyxxxxx name provided in the lab interface. For the rest of
the fields, use the following information:
o Password: Pa$$w0rd
7. Click Next.
8. For Step 3, you have to confirm your identity using your mobile phone. Under Text me from the drop-
down box, select the code for the country that you are now in.
9. In the Phone number box, enter your correct mobile phone number.
10. Ensure that the Text me option is selected, and then click Text me.
11. When you receive the confirmation text on your mobile phone, enter the code provided in the Enter
your verification code box.
13. Wait until the Office 365 tenant is provisioned, and then click You’re ready to go….
14. Click the Admin tile to go to the Office 365 admin center. If a confirm your current password page
appears, click re-enter my password, and type Pa$$w0rd.
L1-2 Planning and provisioning Office 365
15. On the don’t lose access to your account! page, beside Authentication Phone is set to, verify that
your phone number is listed, and then click Verify.
16. Select your country, verify that your phone number is listed, and then click text me.
17. After receiving the text, enter the verification string, and click verify. If verify is not available, press
Enter.
18. On the don’t lose access to your account! page, beside Authentication Email is not configured,
click Set it up now.
19. Enter the Microsoft account email address that you configured for this course, and click email me.
20. Access your Microsoft account email to retrieve the verification code.
21. Enter the verification code, and then click verify. If verify is not available, press Enter, and then click
finish.
22. If a Manage Office 365 on the go page appears, close the page.
Note: If you are connected to the previous Office 365 admin center when you connect to
Office 365, click the banner at the top of the page to connect to the new admin center.
2. In the left pane, view the status of the Office 365 services. If any services are showing a status other
than healthy, click the service.
3. Review any service interruption records or additional information in the status page.
Note: During Microsoft testing, on rare occasions Office 365 did not create the trial tenant
properly; as a result, the tenant did not have all the services available to it. If this happens to you,
you should create a new trial tenant using a different business email (Microsoft account).
Results: After completing this exercise, you should have successfully provisioned the Office 365 tenant
account for A. Datum Corporation.
3. Click Admin.
6. In the New Domain window, in the text box, enter your domain name in the form of
Adatumyyxxxxx.hostdomain.com.
7. Click Next.
9. Write down the TXT record shown in the TXT value column. This entry will be similar to
MS=msXXXXXXXX. Record this value below:
MS=_______________________
16. On the Zone Type page, verify that Primary zone is selected. Clear the Store the zone in Active
Directory check box, and click Next.
17. On the Zone Name page, type Adatumyyxxxxx.hostdomain.com, and then click Next.
20. Expand Forward Lookup Zones, click and then right-click Adatumyyxxxxx.hostdomain.com, and
then click Other New Records.
21. Under Select a resource record type, scroll down to Text (TXT), and then click Create Record.
22. In the New Resource Record box, leave the Record name field blank.
23. In the Text field, enter MS=msXXXXXXXX that you recorded in step 9.
26. Switch back to LON-CL1 and in the Office 365 Admin center, click Verify.
2. On the Update DNS settings page, review the DNS records that you should add to the domain, select
the Skip this step check box, and click Skip.
3. Click Finish. The domain shows a warning icon because you did not verify the DNS records. You can
ignore this warning for now.
2. On the left navigation menu, scroll down to explore all available items. Expand items such as Users,
Groups, Settings, and so on.
3. On the left navigation menu, expand Users, and then click Active users.
5. On the left navigation menu, expand Health, and then click Message center, and then in the right
pane, review the messages.
3. On the left navigation menu, click each of the items, and review the results displayed on the right pane.
3. A new tab will open displaying Skype for Business admin center.
4. On the left navigation menu, click each of the items, and review the results displayed on the right pane.
2. On the left navigation menu, click Admin centers, and then click SharePoint.
4. On the left navigation menu, click each of the items, and review the results displayed on the right pane.
Results: After completing this exercise, you should have provided a high-level overview of administrative
portals of Office 365.
5. On the menu on the left side, expand Users, and then click Active Users.
6. Click the Add a user icon.
7. On the New User page, in the First name text box, type Lindsey.
12. On the User was added page, note the temporary password here: _________________
13. Click Close.
14. Repeat steps 6 to 13 to create the following users (for the User name, use the First name):
o Christie Thomas
o Amy Santiago
o Sallie McIntosh
o Francisco Chaves
3. On the Edit contact information page, expand Contact information, and in the Department text
box, type Accounts, click Save, and then click Close.
4. On the right side menu, in the Sign in status section, click Edit. Select Blocked, click Save, and then
click Close. Close the page.
5. In the Active Users list, under Display name, click Francisco Chaves.
7. Verify that the Department box displays Accounts, and then close the page.
8. Verify that Sign-in status is set to Blocked, and then close the page.
9. In the Active Users list, click the Lindsey Gates user object.
10. On the right side menu, click Delete user.
11. In the Delete user dialog box, click Yes, and then click Close.
12. In the left navigation pane, under Users, click Deleted Users.
14. In the Deleted Users list, select the Lindsey Gates check box.
15. On the toolbar, click Restore, and then on the Restore page, click Restore.
16. Note the new temporary password, and then click Close.
17. On the left navigation pane, under Users, click Active Users.
3. If you are prompted to change your password, on the Update your password page, in the Old
password text box, type Lindsey’s temporary password.
4. In the New password and Confirm new password text boxes, type Pa$$w0rd, and then click Update
password and sign in.
5. If prompted, enter your new password again, and then click Sign in.
6. Verify that you can access the Office 365 portal home page.
7. If you did not get prompted to change your password when you signed in, click the Settings icon in
the top-right corner, and click Office 365 Settings.
8. On the Settings page, click Change my password.
10. In the New password and Confirm new password text boxes, type Pa$$w0rd, and then click
Submit.
14. On the Update password page, in the Old password text box, type the temporary password.
15. In the New password and Confirm new password text boxes, type Pa$$w0rd, and then click Update
password and sign in.
21. On the left menu, expand Users, and then click Active Users.
23. On the right side, in the Sign-in status section, click Edit.
24. On the Sign in status page, select Allowed, click Save, and then click Close.
29. In the New password and Confirm new password text boxes, type Pa$$w0rd, and then click Update
password and sign in.
30. On the Sign in again page, type Pa$$w0rd as the password and click Sign in.
31. Verify that you can access the Office 365 portal.
Results: After completing this exercise, you should have created and managed user accounts and licenses
according to business needs.
4. On the left side menu, click Settings, and then click Security.
L2-8 Managing Office 365 users and groups
5. Click Edit. In the Days before passwords expire text box, type 14.
Note: This setting does not correspond with a real-world scenario. Use it as a sample
scenario to verify the policy applied in the next exercise task.
6. In the Days before a user is notified about expiration box, leave the default value of 14, and then
click Save.
7. Verify that the “Password policy has been updated” message appears at the top of the page and then
click Close.
Note: You have now verified that your password policy is applied. In a real-world scenario,
after you verify that the password policy is applied, you would need to increase the number of
days before the password expires, according to your organizational policy.
Results: After completing this exercise, you should have configured and validated an Office 365 password
policy.
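The same password policy can be set and, more importantly, verified from Windows PowerShell. The following is an added example, not part of the course lab; it assumes the MSOnline module, an existing Connect-MsolService session, and a placeholder domain name. Note that the MSOnline cmdlets apply the policy per verified domain rather than through the tenant-wide Security page used in the lab.

```powershell
# Added example (not the lab's own commands). Assumes the MSOnline module and an
# existing Connect-MsolService session; the domain name is a placeholder.
$domain = 'Adatumyyxxxxx.hostdomain.com'

# Current policy: ValidityPeriod = days before passwords expire,
# NotificationDays = days before expiry that the user is warned.
Get-MsolPasswordPolicy -DomainName $domain

# Apply the lab values. 14 days is a lab-only setting used to observe the
# policy taking effect; raise ValidityPeriod to your organizational standard afterwards.
Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod 14 -NotificationDays 14

# Verify the change instead of assuming the call succeeded.
$policy = Get-MsolPasswordPolicy -DomainName $domain
if ($policy.ValidityPeriod -ne 14 -or $policy.NotificationDays -ne 14) {
    throw "Password policy for $domain was not updated as expected"
}
$policy
```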
4. On the left side menu, expand Groups, click Groups, and then click the Add a group icon.
5. On the New Group page, in the Type drop-down box, click Security group, and in the Name text
box, type Sales.
6. In the Description text box, type Sales department users, click Add and then click Close.
7. Select the Sales check box, on the toolbar, expand the More menu, and then click Edit members.
8. On the Edit members page, in the search box, type Lindsey, wait until Lindsey Gates’s user object
appears, and then click Add.
9. In the same search text box, type Christie Thomas and then click Add.
12. On the New Group page, in the Type drop-down box, click Security group, and in the Name text
box, type Accounts.
13. In the Description text box, type Accounts Department users, click Add, and then click Close.
o Sales
o Accounts
2. In the groups list, click the Sales group.
4. In the search box, type Amy Santiago, click Add, click Save, and then click Close.
5. Ensure that Amy Santiago is now listed under the Display name list.
8. On the left side menu, click Users, and then click Active Users.
9. Confirm that Amy Santiago’s account still exists in the list of users.
Results: After completing this exercise, you should have created and managed security groups.
2. Under Microsoft Online Services Sign-In Assistant for IT Professionals RTW, click Download.
3. Select the en\msoidcl_64.msi check box, and then click Next.
5. In the Microsoft Online Services Sign-in Assistant Setup Wizard, on the License Terms page, click
I accept the terms in the License Agreement and Privacy Statement, and then click Install.
7. On the Completed the Microsoft Online Services Sign-in Assistant Setup Wizard page, click
Finish.
10. In the Microsoft Azure Active Directory Module for Windows PowerShell Setup Wizard, on the
Welcome page, click Next.
11. On the License Terms page, click I accept the terms in the License Terms, and click Next.
Task 2: Create new users and assign licenses by using Windows PowerShell
1. On LON-CL1, on the desktop, right-click the Windows Azure Active Directory Module for Windows
PowerShell shortcut, and then click Run as administrator.
3. At the command prompt, type the following command, and then press Enter:
Connect-msolservice
5. At the command prompt, type the following command, and then press Enter; yyxxxxx is your unique
Adatum number:
6. At the command prompt, type the following command, and then press Enter; yyxxxxx is your unique
Adatum number:
7. To determine which users are unlicensed, at the command prompt, type the following command, and
then press Enter:
Get-MsolUser -UnlicensedUsersOnly
8. To license Catherine Richard, at the command prompt, type the following command, and then press
Enter; replace Adatumyyxxxxx in the -AddLicenses attribute with the onmicrosoft.com domain
name provided by the hosting provider:
9. To license Tameka Reed, at the command prompt, type the following command, and then press Enter;
replace Adatumyyxxxxx in the -AddLicenses attribute with the onmicrosoft.com domain name
provided by the hosting provider:
10. To prevent a user from signing in, at the command prompt, type the following command, and then
press Enter; yyxxxxx is your unique Adatum number:
11. To delete a user, at the command prompt, type the following command, and then press Enter; yyxxxxx
is your unique Adatum number:
12. To view the Deleted Users list, at the command prompt, type the following command, and then press
Enter:
Get-MsolUser -ReturnDeletedUsers
13. Verify that Catherine Richard is in the Deleted Users list. Note that it specifies that she is still licensed.
14. To restore a deleted user, at the command prompt, type the following command, and then press Enter;
yyxxxxx is your unique Adatum number:
15. To view the Deleted Users list, at the command prompt, type the following command, and then press
Enter:
Get-MsolUser -ReturnDeletedUsers
16. Verify that Catherine Richard is no longer in the Deleted Users list.
17. To view the Active Users list, at the command prompt, type the following command, and then press
Enter:
Get-MsolUser
19. To allow a user to sign in, at the command prompt, type the following command, and then press Enter;
yyxxxxx is your unique Adatum number:
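The commands for steps 5 to 19 above are not reproduced in this copy of the lab. The following is an added example that walks the same user lifecycle (create, license, block, delete, restore, allow sign-in) with the MSOnline cmdlets; it is not the lab's own script. The tenant name, the user principal name format (first name at the tenant domain) and the UsageLocation value are assumptions and are marked as such in the code.

```powershell
# Added example (not the lab's own commands). Assumes the MSOnline module is
# installed and that the placeholders below are replaced with your tenant values.
Import-Module MSOnline
Connect-MsolService                     # prompts for an administrator credential

$tenant  = 'Adatumyyxxxxx'              # placeholder: your unique Adatum number
$domain  = "$tenant.onmicrosoft.com"    # assumption: users are created on the tenant domain
$license = "${tenant}:ENTERPRISEPACK"   # AccountSkuId as listed by Get-MsolAccountSku
$upn     = "Catherine@$domain"          # assumption: user name = first name, as in lab 2

# 1. Create the user. Omitting -Password makes the service generate a random
#    one-time password (returned in .Password); -ForceChangePassword makes the
#    user replace it at first sign-in. UsageLocation must be set before a
#    license can be assigned.
$created = New-MsolUser -UserPrincipalName $upn -DisplayName 'Catherine Richard' `
    -FirstName 'Catherine' -LastName 'Richard' -UsageLocation 'US' `
    -ForceChangePassword $true
$created.Password                       # hand to the user out of band, then discard

# 2. List unlicensed users, then assign the SKU to this one.
Get-MsolUser -UnlicensedUsersOnly | Select-Object UserPrincipalName, DisplayName
Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $license

# 3. Block sign-in (leaver, lost device, suspected compromise) and confirm it.
Set-MsolUser -UserPrincipalName $upn -BlockCredential $true
(Get-MsolUser -UserPrincipalName $upn).BlockCredential      # True

# 4. Soft-delete the account. It stays in the recycle bin with its license,
#    which is why the lab sees the deleted user reported as still licensed.
Remove-MsolUser -UserPrincipalName $upn -Force
Get-MsolUser -ReturnDeletedUsers | Select-Object UserPrincipalName, IsLicensed

# 5. Restore the account and allow sign-in again.
Restore-MsolUser -UserPrincipalName $upn
Set-MsolUser -UserPrincipalName $upn -BlockCredential $false
Get-MsolUser -UserPrincipalName $upn |
    Select-Object UserPrincipalName, IsLicensed, BlockCredential
```

Letting the service generate the initial password, and forcing a change at first sign-in, avoids the lab's shared Pa$$w0rd value ever being the real credential of a production account.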
2. Navigate to C:\labfiles, right-click O365users.csv, point to Open with, and then click Notepad.
3. In Notepad, click Edit, and then click Replace.
5. In the Replace with text box, type your unique public domain name value, click Replace All.
6. In the Find what text box, type Adatumyyxxxxx:ENTERPRISEPACK.
7. In the Replace with text box, type your unique Adatumyyxxxxx value followed by :ENTERPRISEPACK,
and then click Replace All.
8. Close O365users.csv, and then in the Notepad message box, click Save.
9. To bulk import several users from a comma-separated value (CSV) file, copy and paste this code into
the Administrator: Windows Azure Active Directory Module for Windows PowerShell window on LON-
CL1, and then press Enter:
10. To view the Active Users list, at the command prompt, type the following command, and then press
Enter:
Get-MsolUser
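The bulk-import code for step 9 is not reproduced in this copy of the lab, and the column layout of O365users.csv is not shown. The following added example (not the lab's own script) builds a small sample CSV in an assumed layout, validates each row against the tenant's verified domains and available license units before creating anything, and writes the generated one-time passwords to a file for out-of-band delivery. The tenant name, domain and column names are placeholders.

```powershell
# Added example, not the lab's O365users.csv or its import script. Assumes the
# MSOnline module, an existing Connect-MsolService session, and placeholder names.
$tenant = 'Adatumyyxxxxx'                 # placeholder tenant name
$domain = "$tenant.hostdomain.com"        # placeholder verified domain

# Constructed sample CSV in the layout this example expects (the column names
# are an assumption; the course's own file is not reproduced here).
$csvPath = Join-Path $env:TEMP 'O365users-sample.csv'
@"
UserPrincipalName,FirstName,LastName,DisplayName,UsageLocation,LicenseAssignment
Catherine@$domain,Catherine,Richard,Catherine Richard,US,${tenant}:ENTERPRISEPACK
Tameka@$domain,Tameka,Reed,Tameka Reed,US,${tenant}:ENTERPRISEPACK
"@ | Set-Content -Path $csvPath -Encoding UTF8

# Tenant facts to validate against: verified domains and SKU capacity.
$verifiedDomains = (Get-MsolDomain | Where-Object Status -eq 'Verified').Name
$skus = Get-MsolAccountSku

$results = foreach ($row in Import-Csv -Path $csvPath) {
    $upnDomain = $row.UserPrincipalName.Split('@')[1]
    if ($verifiedDomains -notcontains $upnDomain) {
        Write-Warning "Skipping $($row.UserPrincipalName): domain $upnDomain is not verified"
        continue
    }
    $sku = $skus | Where-Object AccountSkuId -eq $row.LicenseAssignment
    if (-not $sku -or ($sku.ActiveUnits - $sku.ConsumedUnits) -lt 1) {
        Write-Warning "Skipping $($row.UserPrincipalName): no free $($row.LicenseAssignment) units"
        continue
    }
    # No -Password: the service generates a one-time password and returns it.
    $user = New-MsolUser -UserPrincipalName $row.UserPrincipalName `
        -FirstName $row.FirstName -LastName $row.LastName -DisplayName $row.DisplayName `
        -UsageLocation $row.UsageLocation -LicenseAssignment $row.LicenseAssignment `
        -ForceChangePassword $true
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        TempPassword      = $user.Password
    }
}

# Temporary passwords: deliver out of band and delete this file afterwards.
$outPath = Join-Path $env:TEMP 'new-user-passwords.csv'
$results | Export-Csv -Path $outPath -NoTypeInformation
$results | Select-Object UserPrincipalName
```

Validating the domain and license capacity first means a typo in the CSV produces a warning rather than a half-created account, and the summary of what was created can be checked against the Active Users list in step 10.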
15. Under recipients, click mailboxes and review the mailboxes and associated email addresses that were
created.
2. To configure a variable for the group, at the command prompt, type the following command, and then
press Enter:
3. To configure a variable for the first user account, at the command prompt, type the following
command, and then press Enter:
4. To configure a variable for the second user account, at the command prompt, type the following
command, and then press Enter:
5. To add Catherine Richard to the Marketing group, at the command prompt, type the following
command, and then press Enter:
6. To add Tameka Reed to the Marketing group, at the command prompt, type the following command,
and then press Enter:
7. To verify the members of the Marketing group, at the command prompt, type the following command,
and then press Enter:
2. At the command prompt, type the following command, and then press Enter; yyxxxxx is your unique
Adatum number:
3. At the command prompt, type the following command, and then press Enter:
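The commands for the group task (steps 2 to 7) and the password task (steps 2 and 3) are not reproduced in this copy of the lab. The following added example, not the lab's own script, performs both: it resolves the group and user objects into variables, adds the two users to the Marketing group idempotently, verifies the membership, and then resets a user's password with a generated one-time value. The domain name and user principal names are placeholders.

```powershell
# Added example (not the lab's own commands). Assumes an existing
# Connect-MsolService session and the placeholder domain below.
$domain = 'Adatumyyxxxxx.hostdomain.com'

# Variables for the group and the two user accounts (steps 2-4).
$group = Get-MsolGroup -SearchString 'Marketing' |
    Where-Object DisplayName -eq 'Marketing' | Select-Object -First 1
if (-not $group) {
    $group = New-MsolGroup -DisplayName 'Marketing' -Description 'Marketing department users'
}
$user1 = Get-MsolUser -UserPrincipalName "Catherine@$domain"
$user2 = Get-MsolUser -UserPrincipalName "Tameka@$domain"

# Add both users (steps 5-6). Add-MsolGroupMember errors on an existing
# member, so check current membership first to keep the script re-runnable.
$current = (Get-MsolGroupMember -GroupObjectId $group.ObjectId).ObjectId
foreach ($u in @($user1, $user2)) {
    if ($current -notcontains $u.ObjectId) {
        Add-MsolGroupMember -GroupObjectId $group.ObjectId `
            -GroupMemberType User -GroupMemberObjectId $u.ObjectId
    }
}

# Verify membership (step 7) and fail loudly if an expected member is missing.
$members = Get-MsolGroupMember -GroupObjectId $group.ObjectId
$members | Select-Object DisplayName, EmailAddress
$missing = @($user1, $user2) | Where-Object { $members.ObjectId -notcontains $_.ObjectId }
if ($missing) { throw "Not in Marketing: $($missing.UserPrincipalName -join ', ')" }

# Password task: omitting -NewPassword returns a generated one-time password,
# and the user must change it at the next sign-in.
$temp = Set-MsolPassword -UserPrincipalName "Tameka@$domain" -ForceChangePassword $true
$temp      # deliver out of band, then discard
```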
Results: After completing this exercise, you should have created new users, assigned licenses, modified
existing users, and configured groups and user passwords by using the Windows PowerShell command-line
interface.
4. On the left-hand side, click USERS, click Active Users, and then double-click Francisco Chaves.
6. Under Edit user role, click Customized administrator, select Billing administrator from the list, in
the Alternate email address text box, type user@alt.none, click Save, and then click Close.
7. In the list view, double-click Tameka Reed.
9. Under Edit user role, click Customized administrator, and then select Password administrator from
the list.
10. In the Alternative email address text box, type user@alt.none, click Save, and then click Close.
12. On the Christie Thomas page, in the Roles section, click Edit.
13. Under Assign role, click Customized administrator, and then select User management
administrator from the list.
14. In the Alternative email address text box, type user@alt.none, click Save, and then click Close.
2. At the command prompt, type the following command, and then press Enter:
3. At the command prompt, type the following command, and then press Enter:
4. At the command prompt, type the following command, and then press Enter:
5. Verify that Sallie McIntosh is in the list of users who have the Service Support Administrator role.
6. At the command prompt, type the following command, and then press Enter:
7. At the command prompt, type the following command, and then press Enter:
8. Verify that Francisco Chaves is in the list of users who have the billing administrator role.
9. At the command prompt, type the following command, and then press Enter:
10. At the command prompt, type the following command, and then press Enter:
11. Verify that Nona Snider is in the list of users who have the Company Administrator role. You should
also see Holly Dickson in the list.
12. At the command prompt, type the following command, and then press Enter:
Exit
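The role-assignment commands for steps 2 to 10 are not reproduced in this copy of the lab. The following added example, not the lab's own script, assigns the two delegated roles the lab verifies (Service Support Administrator and Billing Administrator) without creating duplicate memberships, and then audits every directory role so that the Company Administrator list can be reviewed. The domain name and user principal names are placeholders.

```powershell
# Added example (not the lab's own commands). Assumes an existing
# Connect-MsolService session and the placeholder domain below.
$domain = 'Adatumyyxxxxx.hostdomain.com'

# Built-in directory roles available for delegation; choose the narrowest one
# that covers the task (least privilege) rather than Company Administrator.
Get-MsolRole | Select-Object Name | Sort-Object Name

function Get-RoleHolder {
    # Returns the members of a directory role, looked up by its display name.
    param([Parameter(Mandatory)][string]$RoleName)
    $role = Get-MsolRole -RoleName $RoleName
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Select-Object DisplayName, EmailAddress, RoleMemberType
}

function Grant-RoleOnce {
    # Adds a user to a role only if not already a member
    # (Add-MsolRoleMember errors on a duplicate membership).
    param([Parameter(Mandatory)][string]$RoleName,
          [Parameter(Mandatory)][string]$Upn)
    if ((Get-RoleHolder -RoleName $RoleName).EmailAddress -notcontains $Upn) {
        Add-MsolRoleMember -RoleName $RoleName -RoleMemberEmailAddress $Upn
    }
}

Grant-RoleOnce -RoleName 'Service Support Administrator' -Upn "Sallie@$domain"
Grant-RoleOnce -RoleName 'Billing Administrator'         -Upn "Francisco@$domain"

# The lab checks one role at a time; a practitioner should review every role
# with members, and keep the Company Administrator (global admin) list short.
foreach ($role in Get-MsolRole) {
    $holders = Get-MsolRoleMember -RoleObjectId $role.ObjectId
    if ($holders) {
        [pscustomobject]@{
            Role    = $role.Name
            Members = ($holders.EmailAddress -join ', ')
        }
    }
}
```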
2. On the Update your password page, in the Old password text box, type Pa$$w0rd123.
3. In the New password and Confirm new password text boxes, type Pa$$w0rd, and then click Update
password and sign in.
7. If you are connected to the previous admin center, click the banner at the top of the page to connect
to the new admin center.
9. Double-click Jessica Jennings. Note that you cannot perform any administrative tasks.
12. Write down the temporary password here for future reference, and then click Close:
______________________________
13. On the user account menu in the upper-right corner, click Tameka Reed, then click Sign out.
18. On the don’t lose access to your account! page, click cancel.
19. If you are connected to the previous admin center, click the banner at the top of the page to connect
to the new admin center.
20. In the Office 365 admin center, on the Home page, click Users, and then double-click Jessica
Jennings.
21. On the Jessica Jennings page, in the Contact information section, click Edit.
22. In the Office Phone text box, type 555-1234, click Save, and then click Close.
23. In the Sign-in status section, click Edit, click Blocked, click Save, and then click Close.
27. In the User name text box, type Chris, click Save, and then click Close.
Results: After completing this exercise, you should have assigned delegated administrators in the Office
365 admin center, managed delegated administration with Windows PowerShell, and verified delegated
administration.
4. In the Office 365 admin center, in the menu to the left, go to Settings, click Domains, and then review
the domain names assigned to the Adatum tenant.
5. In the Domains window, click Adatumyyxxxxx.hostdomain.com.
6. On the DNS errors page, review the records that need to be configured for your domain.
2. In Server Manager, click the Tools menu, and then click DNS.
3. In DNS Manager, expand LON-DC1, and then expand Forward Lookup Zones.
4. Click, and then right-click adatumyyxxxxx.hostdomain.com, and then click New Alias (CNAME).
5. In the Alias name text box, type autodiscover as the alias name.
6. In the Fully qualified domain name (FQDN) for target host text box, type
autodiscover.outlook.com.
7. Click OK.
9. In the Mail Exchanger (MX) dialog box, in the Fully qualified domain name (FQDN) of mail server
text box, type adatumyyxxxxx-hostdomain-com.mail.protection.outlook.com.
10. Click OK.
2. In the Resource Record Type dialog box, scroll down the list, click Service Location, and then click
Create Record.
L3-18 Configuring client connectivity to Microsoft Office 365
3. On the Service Location (SRV) tab, enter the following information, and then click OK:
o Service: _sip
o Protocol: _tls
o Priority: 100
o Weight: 1
5. On the Service Location (SRV) tab, enter the following information, and then click OK:
o Service: _sipfederationtls
o Protocol: _tcp
o Priority: 100
o Weight: 1
o Port number: 5061
7. On the Alias (CNAME) tab, enter the following information, and then click OK:
9. On the Alias (CNAME) tab, enter the following information, and then click OK:
11. Switch back to LON-CL1, and then in the Office 365 admin console, click Check DNS.
12. You should now see that most records are not listed anymore (you should see msoid,
enterpriseregistration, enterpriseenrollment and SPF records). Close the page.
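The DNS Manager steps above (and the zone and TXT-record steps from lab 1, steps 16 to 23) can be scripted on the DNS server with the DnsServer module, which also makes the result checkable before clicking Check DNS. The following is an added example, not part of the course lab. The zone name and the MS=... verification value are placeholders; the MX preference and the SRV target hosts and the _sip._tls port are not listed in the lab steps and are assumed values here, to be replaced with what the admin center's DNS page shows for your tenant.

```powershell
# Added example (not the lab's own steps). Runs on the DNS server (LON-DC1 in the
# lab) with the DnsServer module. Placeholder and assumed values are marked.
Import-Module DnsServer
$zone  = 'adatumyyxxxxx.hostdomain.com'   # placeholder
$token = 'MS=msXXXXXXXX'                  # placeholder: the TXT value from the Domains wizard

# Lab 1: file-backed (not AD-integrated) primary zone, then the verification TXT record.
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns"
}
Add-DnsServerResourceRecord -Txt -ZoneName $zone -Name '@' -DescriptiveText $token

# Lab 3: records that send clients to Office 365.
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'autodiscover' `
    -HostNameAlias 'autodiscover.outlook.com'
# MX target as in the lab (dots replaced by hyphens); preference 0 is assumed.
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '@' -Preference 0 `
    -MailExchange ($zone.ToLower().Replace('.', '-') + '.mail.protection.outlook.com')
# _sip._tls: priority 100 and weight 1 as in the lab; port 443 and the target
# host are assumed here.
Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_sip._tls' `
    -DomainName 'sipdir.online.lync.com' -Priority 100 -Weight 1 -Port 443
# _sipfederationtls._tcp: priority 100, weight 1, port 5061 as in the lab;
# the target host is assumed here.
Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_sipfederationtls._tcp' `
    -DomainName 'sipfed.online.lync.com' -Priority 100 -Weight 1 -Port 5061

function Test-ZoneRecords {
    # Reports whether each record the lab expects is present in the zone.
    param([Parameter(Mandatory)][string]$ZoneName)
    $expected = @(
        @{ Name = '@';                      Type = 'Txt'   },
        @{ Name = 'autodiscover';           Type = 'CName' },
        @{ Name = '@';                      Type = 'MX'    },
        @{ Name = '_sip._tls';              Type = 'Srv'   },
        @{ Name = '_sipfederationtls._tcp'; Type = 'Srv'   }
    )
    foreach ($e in $expected) {
        $rec = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $e.Name `
            -RRType $e.Type -ErrorAction SilentlyContinue
        [pscustomobject]@{ Record = "$($e.Name) $($e.Type)"; Present = [bool]$rec }
    }
}
Test-ZoneRecords -ZoneName $zone

# What a client using this server would actually resolve for the federation record.
Resolve-DnsName -Name "_sipfederationtls._tcp.$zone" -Type SRV -Server 127.0.0.1 |
    Select-Object Name, NameTarget, Port, Priority, Weight
```

Because the lab's zone lives on the internal DNS server, the Resolve-DnsName check confirms what internal clients see; external clients resolve against the hosting provider's zone, which is what the admin center's Check DNS button and the Remote Connectivity Analyzer test in the next exercise examine.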
13. In the top bar, click the Office 365 apps icon.
15. On the Outlook page, select your time zone and click Save.
20. On the Outlook page, select your time zone and click Save.
26. In the IM pop-up window, type a message, and then press Enter.
28. Reply to the IM. Note that you now can send IMs between the two users.
29. Close both the IM windows, and then close the Microsoft Edge windows on both virtual machines.
Results: After completing this exercise, you should have reviewed the recommended DNS records in the
Office 365 admin center, configured the DNS records for external clients, and configured the DNS records
for internal clients.
3. On the Microsoft Remote Connectivity Analyzer page, click the Office 365 tab.
4. On the Office 365 tab, click Office 365 Exchange Domain Name Server (DNS) Connectivity Test,
and then click Next.
5. Under Domain Name, type adatumyyxxxxx.hostdomain.com.
6. Under Verification, type the characters that you can see in the verification field, and then click Verify.
Note: If you receive a message about having performed too many tests in 60 seconds, wait
for a minute and then repeat the test.
8. When you see Connectivity Test Successful, under Test Details, expand Test Steps, and then review
the checks that were made against the Exchange Online domain.
10. On the Office 365 tab, click Office 365 Lync Domain Name Server (DNS) Connectivity Test, and
then click Next.
11. In the Sign-in address text box, type Francisco@adatumyyxxxxx.hostdomain.com, and then click
Perform Test.
Note: If you receive a message about having performed too many tests in 60 seconds, wait
for a minute and then repeat the test.
12. When you see Connectivity Test Successful, under Test Details, expand Test Steps, and then review
the checks that were made against the Skype for Business Online domain.
14. Under Microsoft Office Outlook Connectivity Tests, click Outlook Connectivity, and then click
Next.
15. On the Outlook Connectivity page, in the Email Address and Microsoft Account text boxes, type
Francisco@adatumyyxxxxx.hostdomain.com.
16. In the Password and Confirm password text boxes, type Pa$$w0rd.
17. Select Use Autodiscover to detect server settings.
18. Select I understand that I must use the credentials of a working account from my Exchange
domain to be able to test connectivity to it remotely. I also acknowledge that I am responsible
for the management and security of this account.
20. When you see Connectivity Test Successful with Warnings, under Test Details, expand Test Steps,
and then review the checks that were made against Outlook Anywhere. Note in particular the
message that contains information about the Autodiscover steps that fail.
21. Under Run Test Again at the top-right corner of the window, note that you can copy this test to the
clipboard, or save it as an XML or HTML file.
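The Remote Connectivity Analyzer runs in a browser; the same DNS checks can be scripted so they can be repeated after every zone change. The following is an added example, not part of the course: it uses Resolve-DnsName from the built-in DnsClient module, the expected record targets are Microsoft's documented Office 365 values from this course's era, and the domain is the lab placeholder rather than a real tenant domain. The resolver is passed in as a scriptblock so the logic can also be run against canned answers (or an internal DNS view, for the internal-client records) without changing the function.

```powershell
# Added example (not from the course): script the public DNS checks that the Exchange Online and
# Skype for Business Online DNS connectivity tests perform.
function Get-O365ExpectedDnsRecords {
    param([Parameter(Mandatory)] [string] $Domain)
    # Office 365 MX hosts are built from the domain with dots replaced by dashes.
    $mxHost = ($Domain -replace '\.', '-') + '.mail.protection.outlook.com'
    @(
        [pscustomobject]@{ Name = $Domain;                          Type = 'MX';    Target = $mxHost }
        [pscustomobject]@{ Name = "autodiscover.$Domain";           Type = 'CNAME'; Target = 'autodiscover.outlook.com' }
        [pscustomobject]@{ Name = "sip.$Domain";                    Type = 'CNAME'; Target = 'sipdir.online.lync.com' }
        [pscustomobject]@{ Name = "lyncdiscover.$Domain";           Type = 'CNAME'; Target = 'webdir.online.lync.com' }
        [pscustomobject]@{ Name = "_sip._tls.$Domain";              Type = 'SRV';   Target = 'sipdir.online.lync.com' }
        [pscustomobject]@{ Name = "_sipfederationtls._tcp.$Domain"; Type = 'SRV';   Target = 'sipfed.online.lync.com' }
    )
}

function Test-O365DnsRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        # Injectable resolver: replace it with a scriptblock returning canned records to test offline.
        [scriptblock] $Resolver = { param($Name, $Type) Resolve-DnsName -Name $Name -Type $Type -ErrorAction Stop }
    )
    foreach ($expected in Get-O365ExpectedDnsRecords -Domain $Domain) {
        $found  = @()
        $status = 'Missing'
        try {
            $answers = @(& $Resolver $expected.Name $expected.Type) | Where-Object { $_.Type -eq $expected.Type }
            # Each record type stores its target in a different property of the DnsRecord object.
            $found = @($answers | ForEach-Object {
                $record = $_
                switch ($expected.Type) {
                    'MX'    { $record.NameExchange }
                    'CNAME' { $record.NameHost }
                    'SRV'   { $record.NameTarget }
                }
            })
            if ($found -contains $expected.Target) { $status = 'OK' }
            elseif ($found.Count -gt 0)           { $status = 'WrongTarget' }
        }
        catch {
            # Resolve-DnsName throws when the name does not exist at all.
            $status = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Name     = $expected.Name
            Type     = $expected.Type
            Expected = $expected.Target
            Found    = ($found -join ', ')
            Status   = $status
        }
    }
}

# Run against the lab domain placeholder (replace with your verified tenant domain):
Test-O365DnsRecords -Domain 'adatumyyxxxxx.hostdomain.com' | Format-Table -AutoSize
```

A WrongTarget row usually means a stale record from a previous mail or IM provider; a Missing row for the SRV records is the most common cause of the Lync test failing while the Exchange test passes.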
2. In the Office 365 Client Performance Analyzer window, under Download and install Office 365 Client
Performance Analyzer, click here.
5. In the Microsoft Office 365 Client Performance Analyzer window, click Accept, and then click Run
Exchange Analyzer.
7. Wait until Office 365 Client Performance Analyzer generates the results.
8. Review the results, and then click Show Trace Route Details.
4. On the Auto Account Setup page, type the following information, and then click Next:
o Your Name: Holly Dickson
o Password: Pa$$w0rd
5. In the Windows Security dialog box, type Pa$$w0rd as the password, select Remember my
credentials, and then click OK.
6. Verify that you are connected to Exchange Online, and then click Finish.
7. In the First things first dialog box, click Ask me later, and then click Accept.
o Password: Pa$$w0rd
Task 2: Verify that Skype for Business can connect to Office 365
1. On LON-CL1, start Skype for Business.
4. On the second Sign in page, type Pa$$w0rd as the password, select Save my password, and click
Sign In.
5. Click Yes. In the Help Make Skype for Business Better! dialog box, click No. Verify that you are
connected to Skype for Business Online.
o Password: Pa$$w0rd
Results: After completing this exercise, you should have verified that Outlook 2016 can connect to
Office 365, verified that Skype for Business can connect to Office 365, and verified OneDrive for Business
connectivity to Office 365.
2. On the Start screen, click Administrative Tools, and then double-click Active Directory Domains
and Trusts.
3. In the Active Directory Domains and Trusts window, right-click Active Directory Domains and Trusts,
and then click Properties.
4. Select the UPN Suffixes tab, in the Alternative UPN suffixes: box, type
Adatumyyxxxxx.hostdomain.com, and then click Add.
5. Click OK.
6. On the Start screen, right-click Windows PowerShell, and then click Run as administrator.
7. At the Windows PowerShell prompt, type the following command, and then press Enter:
CD C:\labfiles\
2. At the Windows PowerShell prompt, type the following command, and then press Enter:
Set-ExecutionPolicy Unrestricted
4. At the Windows PowerShell prompt, type the following command, and then press Enter:
.\CreateProblemUsers.ps1
Note: Wait until the script has completed before proceeding to the next step.
L4-24 Planning and configuring directory synchronization
5. This Windows PowerShell script will make the following changes in AD DS:
o Amr Zaki. Add the "@" character to the beginning of "adatum" for the UserPrincipalName
attribute.
o Brad Sutton. Replace the existing string with "brad@adatum.com" for the emailAddress attribute.
o Don Funk. Replace the existing string with "brad@adatum.com" for the emailAddress attribute.
o Holly Dickson. Replace the existing string with "holly@adatum.com" for the emailAddress
attribute.
o Kelly Rollins. Replace the existing string with " " for the emailAddress attribute.
4. In the File Explorer windows, browse to the Downloads folder, right-click IdFix.zip, and then click
Extract All....
5. In the Extract Compressed (Zipped) Folders dialog box, in the destination box, type C:\Deployment
Tools\IdFix, and then click Extract.
6. In File Explorer, in the C:\Deployment Tools\IdFix folder, right-click IdFix, and then click Run as
administrator.
10. Click the ERROR column to sort the character errors to the top of the list.
Note: Ignore topleveldomain errors, which cannot be fixed by the IdFix tool.
11. In the Amr Zaki row, in the ACTION column, select EDIT.
12. In the Holly Dickson row, in the ACTION column, select EDIT.
13. In the Kelly Rollin row, in the ACTION column, select EDIT.
15. In the Apply Pending dialog box, click Yes; note the COMPLETE status in the ACTION column
indicating successful writes.
16. Switch to File Explorer, and in the C:\Deployment Tools\IdFix folder, double-click Verbose <date>
<time>.txt to view the updated transactions in the transaction log.
19. Click in the UPDATE column to locate the Don Funk error, and replace the string with
don@adatum.com, and then in the ACTION column, select EDIT.
20. Click in the UPDATE column to locate the Kelly Rollin error, and replace the string with
kelly@adatum.com, and then in the ACTION column, select EDIT.
23. On the toolbar, click Query and verify that no more errors are reported.
Note: Where there are format and duplicate errors for distinguished names, the UPDATE
column either contains the same string as the VALUE column, or the UPDATE column entry is
blank; in either case, this means that IdFix cannot suggest a remediation for the error. You can
either fix these errors outside IdFix, or manually remediate them within IdFix. You can also export
the results and use Windows PowerShell to remediate a large number of errors.
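The note above points at Windows PowerShell for bulk remediation. The following is an added example, not part of the course and not the IdFix tool: a pre-synchronization check that reports the kinds of attribute problems the CreateProblemUsers.ps1 script introduces (a UserPrincipalName with two "@" characters, a whitespace-only mail value, and two users sharing one mail value). The sample users are constructed for this example; on a domain controller you would feed the function real objects from Get-ADUser -Filter * -Properties userPrincipalName,mail.

```powershell
# Added example (not from the course or IdFix): flag format and duplicate errors in the
# attributes that directory synchronization requires to be unique and well-formed.
function Test-DirSyncAttributes {
    param([Parameter(Mandatory)] [object[]] $Users)

    # Exactly one "@", no whitespace, and a dotted domain part.
    $addressPattern = '^[^@\s]+@[^@\s]+\.[^@\s]+$'
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($user in $Users) {
        foreach ($attribute in 'UserPrincipalName', 'mail') {
            $value = [string]$user.$attribute
            # An unset attribute is not an error; a set-but-invalid one (including " ") is.
            if ($value.Length -eq 0) { continue }
            if ($value -notmatch $addressPattern) {
                $findings.Add([pscustomobject]@{
                    User = $user.SamAccountName; Attribute = $attribute; Value = $value; Error = 'format'
                })
            }
        }
    }

    # mail must be unique across the forest; compare case-insensitively and ignore blanks.
    $Users |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_.mail) } |
        Group-Object { $_.mail.Trim().ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            foreach ($dup in $_.Group) {
                $findings.Add([pscustomobject]@{
                    User = $dup.SamAccountName; Attribute = 'mail'; Value = $dup.mail; Error = 'duplicate'
                })
            }
        }
    return $findings
}

# Constructed sample mirroring the lab's problem users (values are illustrative, not from AD DS).
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'Amr';   UserPrincipalName = 'Amr@@adatum.com';  mail = 'amr@adatum.com' }
    [pscustomobject]@{ SamAccountName = 'Brad';  UserPrincipalName = 'Brad@adatum.com';  mail = 'brad@adatum.com' }
    [pscustomobject]@{ SamAccountName = 'Don';   UserPrincipalName = 'Don@adatum.com';   mail = 'brad@adatum.com' }
    [pscustomobject]@{ SamAccountName = 'Holly'; UserPrincipalName = 'Holly@adatum.com'; mail = 'holly@adatum.com' }
    [pscustomobject]@{ SamAccountName = 'Kelly'; UserPrincipalName = 'Kelly@adatum.com'; mail = ' ' }
)

$findings = Test-DirSyncAttributes -Users $sampleUsers
$findings | Format-Table -AutoSize

# A large result set can be handed to a remediation script, much like IdFix's export.
$findings | Export-Csv -Path "$env:TEMP\dirsync-findings.csv" -NoTypeInformation
```

The duplicate check deliberately reports every member of a duplicate group rather than just the second one, because which account should keep the address is a decision for the administrator, not the script.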
2. At the Windows PowerShell prompt, type the following command, and press Enter after each:
$msolcred = Get-Credential
4. At the Windows PowerShell prompt, type the following command, and then press Enter:
5. At the Windows PowerShell prompt, type the following command, and then press Enter:
Although you might have to wait up to 24 hours for activation to complete, you should be able to
continue.
6. At the Windows PowerShell prompt, type the following command, and then press Enter:
(Get-MsolCompanyInformation).DirectorySynchronizationEnabled
Note: It might take a few minutes to return True. Rerun the command until you see True
showing.
7. Switch to Microsoft Edge, and in the address box, type https://login.microsoftonline.com, and then
press Enter.
10. In the Office 365 admin center, click Switch back to the old admin center to go to the previous Office 365
admin center.
11. In the left navigation pane of the previous Office 365 admin center, click USERS, and then click Active
users.
12. To the right of Active Directory synchronization, verify that there is a Manage link (if activation was
not yet completed, this link would say "Set up"). If there is no Manage link, click Set up, and verify that,
under Activate Active Directory synchronization, the Active Directory Synchronization is
activated notice appears.
13. Click Admin on the toolbar, and then click the banner at the top of the window to go back to the new
admin center.
Results: After completing this exercise, you will have resolved issues in AD DS identified by the IdFix tool
and you will have enabled Active Directory synchronization in Office 365.
3. If a Windows Internet Explorer 10 dialog box appears, select Use recommended security and
compatibility settings, and then click OK.
4. In the Address box, type https://portal.microsoftonline.com, and then press Enter.
6. In the Password box, type Pa$$w0rd, and then click Sign in.
7. Navigate to the Office 365 admin center. If you are connected to the previous Admin center, click the
banner at the top of the window to connect to the new Admin center.
8. In the left side menu, click Users, and then click Active Users.
Note: If you see the Active Directory synchronization is being activated warning, you can
ignore it at this time, but you will not be able to run directory synchronization later in this exercise.
You must wait until directory synchronization is activated. However, you can complete the
following steps, even if you do see the warning message.
10. On the Holly Dickson page, click Edit in the Email addresses section.
11. Next to Email address, select adatumyyxxxxx.hostdomain.com from the drop-down list box, and
then click Save.
15. If a Windows Internet Explorer 10 dialog box appears, select Use recommended security and
compatibility settings, and then click OK.
16. In the Address box, type https://portal.microsoftonline.com, and then press Enter.
19. In the previous Office 365 admin center, in the left side menu, click USERS, and then click Active Users.
20. To the right of Active Directory synchronization, click Manage (or if Active Directory
synchronization has not yet completed, click Set up).
Note: You will automatically be redirected to the Microsoft Azure Active Directory Connect
download page.
22. Click the Tools icon in the top-right corner, and click Internet Options.
26. On the Microsoft Azure Active Directory Connect download page in Internet Explorer, click
Download.
27. In the Internet Explorer notification bar, click Save as, browse to C:\Labfiles, and then click Save. If the
LabFiles folder does not exist, create it.
28. When the download has completed, in the Internet Explorer notification bar, click Open folder.
32. Leave the Microsoft Azure Active Directory Connect wizard open for the next task.
2. On the User Sign-in page, click Password Synchronization, and click Next.
3. On the Connect to Azure AD page, enter the following credentials, and then click Next:
o Password: Pa$$w0rd
4. On the Connect your directories page, enter the following credentials, click Add Directory, and then
click Next:
o Password: Pa$$w0rd
5. On the Domain and OU filtering page, click Sync selected domains and OUs, expand Adatum.com,
clear all check boxes for the child containers except for the IT check box, and then click Next.
7. On the Filter users and devices page, verify that Synchronize all users and devices is selected, and
then click Next.
8. On the Optional Features page, leave the default options, and then click Next.
9. On the Ready to configure page, review the features that will be installed. Ensure that Start the
synchronization process as soon as the initial configuration completes is not selected, and then
click Install.
10. Once the installation completes, on the Configuration complete page, click Exit.
11. On the Start screen, sign out of LON-DS1, and then sign back in as Adatum\Administrator with the
password Pa$$w0rd.
6. In the Credentials dialog box, enter the following credentials, and then click OK:
o Password: Pa$$w0rd
o Domain: Adatum.com
Note: Although this account is not the one used for directory synchronization, you use the
account credentials temporarily to access AD DS for configuring filtering.
7. In the Select Containers dialog box, select the Research check box, verify that IT is selected, and then
click OK.
8. Click OK to close the Properties dialog box.
2. In Synchronization Rules Editor, in Rule Types, click Inbound, and then click Add new rule.
3. In the Create inbound synchronization rule dialog box, in the Name box, type In from AD – User
DoNotSyncFilter.
9. Click Next.
10. In the Create inbound synchronization rule dialog box, on the Scoping filter tab, click Add Group,
and then click Add Clause.
16. To save the rule, click Add, and then close Synchronization Rules Editor window.
17. Open Windows PowerShell from the taskbar. In Windows PowerShell, type the following command,
and then press Enter. The initial synchronization can take several minutes to complete. Leave the
Windows PowerShell window open.
4. In the Microsoft Azure Active Directory Module for Windows PowerShell Setup Wizard, on the
Welcome page, click Next.
5. On the License Terms page, click I accept the terms in the License Terms, and click Next.
8. On the Completing the Microsoft Azure Active Directory Module for Windows PowerShell Setup
page, click Finish.
9. On the Start screen, click the down arrow, and click Synchronization Service.
12. Verify the connector has a Start Time and End Time that aligns with the last time synchronization was
initiated in the previous task.
13. On the taskbar, right-click Windows PowerShell, and then select Run as Administrator.
14. At the Windows PowerShell prompt, type the following commands, and press Enter after each:
Import-Module MSOnline
Connect-MsolService
15. In the Enter Credentials dialog box, enter the following credentials, and then click OK:
o User name: holly@Adatumyyxxxxx.hostdomain.com
o Password: Pa$$w0rd
16. At the Windows PowerShell prompt, type the following command, and then press Enter:
Get-MsolCompanyInformation | fl LastDirSyncTime
17. Verify the LastDirSyncTime aligns with the last time synchronization was initiated in the previous task.
18. On the Start screen, open Internet Explorer, and then type
https://portal.office.com/admin/default.aspx in the address bar.
19. On the Sign-in page, sign in by using the following credentials:
o Password: Pa$$w0rd
20. In the Office 365 admin center, switch back to the old Office 365 admin center by clicking Switch
back to the old admin center.
21. In the previous admin center, in the left navigation pane, click USERS, and then click Active Users.
22. Verify that the Last synced less than an hour ago message appears.
23. In the Active users list, note that your on-premises accounts from the selected OUs now have a status
of Synced with Active Directory.
Results: After completing this exercise, you will have installed Azure AD Connect with customized settings.
Upon completion of the installation, you will start directory synchronization to Office 365 and have verified
that synchronization was successful.
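Two of the checks in these exercises, rerunning Get-MsolCompanyInformation until DirectorySynchronizationEnabled returns True and confirming that LastDirSyncTime matches the last synchronization, are worth keeping as reusable functions. The following is an added example, not part of the course: both functions take their data from a scriptblock or an object, so they can be tried here with constructed values and without a tenant; the MSOnline cmdlets in the usage lines are the ones the lab itself uses. The three-hour staleness threshold is an assumption, not a Microsoft value.

```powershell
# Added example (not from the course): poll for directory synchronization activation and
# check how old the last completed synchronization is.
function Wait-DirSyncEnabled {
    [CmdletBinding()]
    param(
        [scriptblock] $Probe = { (Get-MsolCompanyInformation).DirectorySynchronizationEnabled },
        [int] $TimeoutMinutes  = 30,
        [int] $IntervalSeconds = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        if (& $Probe) { return $true }
        Write-Verbose "Directory synchronization not yet enabled; waiting $IntervalSeconds s"
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Test-DirSyncRecent {
    param(
        [Parameter(Mandatory)] $CompanyInfo,   # output of Get-MsolCompanyInformation
        [int] $MaxAgeHours = 3                  # assumed threshold; tune to your sync schedule
    )
    $last = $CompanyInfo.LastDirSyncTime        # UTC; $null if no sync has ever completed
    if (-not $last) {
        return [pscustomobject]@{ Status = 'NeverSynced'; LastDirSyncTimeUtc = $null; AgeHours = $null }
    }
    $ageHours = [math]::Round(((Get-Date).ToUniversalTime() - [datetime]$last).TotalHours, 2)
    $status = if ($ageHours -le $MaxAgeHours) { 'OK' } else { 'Stale' }
    [pscustomobject]@{ Status = $status; LastDirSyncTimeUtc = [datetime]$last; AgeHours = $ageHours }
}

# Offline demonstration with constructed data: the probe answers $false twice, then $true.
$script:probeCalls = 0
$enabled = Wait-DirSyncEnabled -IntervalSeconds 0 -Probe { $script:probeCalls++; $script:probeCalls -ge 3 }
"Enabled after $script:probeCalls probes: $enabled"

# Constructed company-information object standing in for Get-MsolCompanyInformation.
$sampleInfo = [pscustomobject]@{
    DirectorySynchronizationEnabled = $true
    LastDirSyncTime                 = (Get-Date).ToUniversalTime().AddMinutes(-20)
}
Test-DirSyncRecent -CompanyInfo $sampleInfo

# Against a real tenant, after Import-Module MSOnline and Connect-MsolService:
#   Wait-DirSyncEnabled -Verbose
#   Test-DirSyncRecent -CompanyInfo (Get-MsolCompanyInformation)
```

A Stale result while Azure AD Connect reports successful runs usually means the export step is failing, so check the Synchronization Service console's run history before re-running a full synchronization.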
2. In the console tree, expand Adatum.com, right-click Research, click New, and then click User.
5. In the User logon name box, type Perry, select your lab domain UPN (not Adatum.com), and then
click Next.
6. In the Password and Confirm password boxes, type Pa$$w0rd, clear the User must change
password at next logon check box, select the Password never expires check box, click Next, and
then click Finish.
8. In the Properties dialog box, in the E-mail box, type Perry@Adatumyyxxxxx.hostdomain.com, and
then click OK.
9. In the console tree, right-click the Research OU, click New, and then click Group.
10. In the New Object – Group window, in the Group name: box, type Project Team, click Universal, click
Distribution, and then click OK.
14. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter the
object names to select, type the following names, and then click Check Names:
o Chris Sells
o Lukas Keller
o Sabine Royant
3. On LON-DC1, in Active Directory Users and Computers, move Josh Bailey from the Research OU to the
Sales OU, by right-clicking Josh Bailey in the Research OU user list, and then clicking Move and
selecting Sales OU. Click OK.
2. In the console tree, if needed, expand Adatum.com, and then click Marketing.
4. In the Move dialog box, expand Adatum.com, click Research, and then click OK.
4. Select the following three users and click Remove. In the confirmation dialog box, click Yes.
o Allie Bellew
o Anil Elison
o Aziz Hassouneh
5. Click OK.
2. At the Windows PowerShell prompt, type the following, and then press Enter:
Note: The Delta switch is used here so that only the updates are synchronized.
3. Wait until synchronization has completed before proceeding to the next task.
o Password: Pa$$w0rd
3. If you are connected to the previous Office 365 admin center, click the banner at the top of the page
to connect to the new Office 365 admin center.
4. In the Office 365 Admin Center, in the left navigation, click Users, and then click Active Users.
5. In the Active Users list, verify that Perry Brill has a status of Synced with Active Directory.
Note: You might need to wait up to 10 minutes before the account appears. Refresh the list
until you see Perry Brill’s account.
8. On the Product licenses page, in the Location drop-down menu, select United States, and then click
the icon next to Office 365 Enterprise E3.
10. Repeat steps 5-8 to assign an Office 365 license for user David So.
11. To verify the new group you created, in Office 365 admin center, in the left navigation, click Groups
and then click Groups.
12. In the Groups list, verify that the Project Team appears.
Note: You might need to wait up to 10 minutes before the group appears. Refresh the list
until you see the object.
Note: In the right pane, notice that Edit Members is unavailable. This is because group
membership is maintained by Active Directory. To view the membership, you need to use
Windows PowerShell.
14. On LON-DS1, in Windows PowerShell, type the following command, and then press Enter:
Get-MsolGroup
15. Verify that you see Research and Project Team groups. Copy the ObjectID value for these two groups.
16. To verify the group whose membership you updated in AD DS, type the following command at the
Windows PowerShell prompt, and then press Enter:
17. Verify the membership of the group does not contain the users removed in AD DS. The users who were
removed from the group are:
o Allie Bellew
o Anil Elison
o Aziz Hassouneh
18. To verify the user you moved out of the scope of synchronization, Josh Bailey, type the following
command at the Windows PowerShell prompt, and then press Enter:
19. At the Windows PowerShell prompt, type the following command, and then press Enter:
Get-MsolAccountSku
20. Leave the virtual machines running for the next lab.
Results: After completing this exercise, you will have identified how managing user and group accounts
has changed with directory synchronization.
2. In File Explorer, click Local Disk (C:) in the left navigation pane.
3. In File Explorer, click the Home tab, and then click New Folder.
5. In File Explorer, right-click Office16, click Share with, and then click Specific people.
6. In the File Sharing dialog box, click the drop-down list box, select Everyone from the list, click Add,
and then click Share.
12. In the Office 365 admin center, in the left panel, click SERVICE SETTINGS, and then click User
software.
13. Under the Manually deploy user software area, click Learn how to download and deploy
software.
14. On the How admins can download Office 365 user software to deploy to users page, click
Manage user software in Office 365.
15. In the Manually download and install the Office apps by using the Office Deployment Tool
section, click the Office Deployment Tool (Office 2016 version) link to open the Office Deployment
Tool download page.
16. On the download page, expand Details, System Requirements, and Install Instructions.
17. Read and familiarize yourself with each section. You can mark this page as a favorite to refer to later.
18. Click Download and notice the information bar at the bottom of the browser.
24. Navigate to the Office16 folder with File Explorer. You should see two files in the newly created Office
Deployment Tool folder named configuration and setup.
L5-36 Planning and deploying Office 365 ProPlus
b. Right-click configuration.xml, and click Copy. Right-click again and click Paste.
c. Right-click the configuration.xml file, click Open with, and then click Notepad.
2. In Notepad, edit the first Add line after <Configuration> to read
<Add SourcePath="\\LON-CL1\Office16\" OfficeClientEdition="32" Branch="Current">. Use straight double quotes;
the XML parser does not accept the curly quotes that word processors insert.
3. In Notepad, remove all the remaining comment codes (lines that start with <!-- and end with -->).
4. Comment out Microsoft Visio with the <!-- --> code to make the download quicker, by replacing this
code:
</Product>
<Product ID="VisioProRetail">
<Language ID="en-us" />
</Product>
</Product>
<!--
<Product ID="VisioProRetail">
<Language ID="en-us" />
</Product>
-->
7. At the command prompt, type the following command, and then press Enter:
Setup /?
9. At the command prompt, type the following command, and then press Enter:
12. Switch to File Explorer, and verify that the download has started in the Office16 folder. You can
continue with the next task and leave the download in the background.
Results: After completing this exercise, you will have downloaded a copy of Microsoft Office 365 ProPlus
for managed deployment to a shared folder. You will also have downloaded and installed the Office
Deployment Tool.
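Before running setup against a configuration.xml that was edited by hand, it pays to check that the file is well-formed XML and that the Add element says what you think it says. The following is an added example, not part of the course or of the Office Deployment Tool. The two documents in it are constructed for this example: the first shows what happens when the Add line is typed with curly quotes instead of straight ones, the second is a valid file equivalent to the one edited in the exercise, with Visio commented out. O365ProPlusRetail is Microsoft's documented product ID for Office 365 ProPlus; it is not shown on the page.

```powershell
# Added example (not from the course): parse and sanity-check an ODT configuration.xml.
function Test-OdtConfiguration {
    param([Parameter(Mandatory)] [string] $XmlText)

    try { $doc = [xml]$XmlText }
    catch {
        # Any malformed markup, including curly quotes around attribute values, lands here.
        return [pscustomobject]@{ Valid = $false; Issues = @("Not well-formed XML: $($_.Exception.Message)") }
    }

    $issues   = @()
    $products = @()
    $add = $doc.Configuration.Add
    if (-not $add) {
        $issues += 'No <Add> element under <Configuration>'
    }
    else {
        # SourcePath must be a UNC share when other machines will install from it.
        if ($add.SourcePath -and $add.SourcePath -notmatch '^\\\\[^\\]+\\[^\\]+') {
            $issues += "SourcePath '$($add.SourcePath)' is not a UNC path"
        }
        if ($add.OfficeClientEdition -notin @('32', '64')) {
            $issues += "OfficeClientEdition must be 32 or 64, found '$($add.OfficeClientEdition)'"
        }
        # $add.Product is a single element or an array; @() normalizes it. Commented-out
        # products are XML comments and therefore do not appear here.
        $products = @($add.Product | ForEach-Object { $_.ID })
        if ($products.Count -eq 0) { $issues += 'No <Product> elements to install' }
    }

    [pscustomobject]@{
        Valid    = ($issues.Count -eq 0)
        Source   = $add.SourcePath
        Edition  = $add.OfficeClientEdition
        Branch   = $add.Branch
        Products = ($products -join ', ')
        Issues   = $issues
    }
}

# Constructed: the Add line as pasted with curly quotes (U+201D). Expect Valid = False.
$curly = '<Configuration><Add SourcePath=”\\LON-CL1\Office16\” OfficeClientEdition=”32” Branch=”Current”></Add></Configuration>'
Test-OdtConfiguration -XmlText $curly

# Constructed: the corrected file, with Visio commented out as in step 4 of the exercise.
$fixed = @'
<Configuration>
  <Add SourcePath="\\LON-CL1\Office16\" OfficeClientEdition="32" Branch="Current">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
    <!--
    <Product ID="VisioProRetail">
      <Language ID="en-us" />
    </Product>
    -->
  </Add>
</Configuration>
'@
Test-OdtConfiguration -XmlText $fixed
```

The Products column of the second result lists only O365ProPlusRetail, which confirms that the Visio block is commented out rather than merely indented; the download in the next steps will then skip Visio as intended.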
5. Select Brad Sutton, and then next to Product licenses, click Edit.
6. Under Set user location, select United Kingdom, and then enable Office 365 Enterprise E3.
7. Set the Office 365 ProPlus option to Off, click Assign, and then click Close.
8. In the Office 365 admin center, under Active users, click Maira Wenzel.
9. Beside Product licenses, click Edit.
10. Under Location, select United Kingdom, and then enable Office 365 Enterprise E3.
14. In the Office 365 admin center, on the Settings menu, click Apps.
15. Click Software download settings.
16. In the Software for PC section, under 2016 version, turn off all options.
17. In the 2013 version section, turn off all options. Click Save, and then Close.
18. On the Admin page, click Holly Dickson’s profile photo icon in the top-right of the screen, and then
click Sign Out.
20. On the Default Landing page, click the small Gear icon in the top-right corner, and then click the
Office 365 settings option.
Note: Because this user is not licensed for Office 365 ProPlus, Office 2016 is not available for
download.
24. In the Password box, type Pa$$w0rd, and then click Sign in.
25. On the default landing page, click the small Gear icon in the top-right corner, and then click Office 365
settings.
Note: This user has a license, but Skype for Business and Office are not available for
download.
27. Click Phone & tablet. Verify that Phone and tablet apps are available.
30. In the address bar, type https://portal.office.com, and then press Enter.
33. In the Office 365 admin center, on the Settings menu, click Apps.
37. In Microsoft Edge, on the User Software page, click Holly Dickson’s profile photo icon, and then click
Sign out.
Note: Instead of signing out your admin user every time, you can click the Microsoft Edge
browser ellipsis menu (…) at the top right of the browser and open a New InPrivate window. This
will allow you to have two sessions open at a time.
40. In the address bar, type https://portal.office.com, and then press Enter.
42. In the Password box, type Pa$$w0rd, and then click Sign in.
43. On the Office 365 home page, click the small Gear icon in the top-right corner, and then click Office
365 settings.
Note: This user has a license, and Office 2016 is available for download.
45. Verify that Office and Skype for Business desktop software are available to install.
46. Do not install, but notice that this user can now install the 32-bit version of Office 365 ProPlus and
select which language he wants to install. He must click Advanced to turn on the 64-bit version option.
47. Note also that Phone and tablet apps are available from the left menu.
48. Leave this page open and continue to the next lab to perform the user-driven installation.
Task 2: Install Office 365 ProPlus from the Office 365 portal
1. On LON-CL3, open Microsoft Edge and sign in to the Office 365 portal at portal.office.com with the
username roman@Adatumyyxxxxx.hostdomain.com, click Office 365 Settings in the upper-right
corner, and then click Software.
2. In the Language section, select the language to install from the drop-down menu.
4. Click Install.
6. If the User Account Control dialog box appears, type Adatum\Holly in the user name box, type
Pa$$w0rd in the Password box, and then click Yes.
7. On the taskbar, click the Office icon, and note the status of the download.
Note: It will take several minutes to complete, but applications are now available.
10. On the Start screen, click Word 2016. On the first things first window click Accept.
13. Click SIGN OUT, and then click Sign out next to Roman’s name.
15. At the top right, click Sign in to get the most out of Office.
16. On the Sign in page, in the E-mail address box, type holly@Adatumyyxxxxx.hostdomain.com, and
then click Next.
17. On the Sign in page, in the Password box, type Pa$$w0rd, and then click Sign in.
21. Click Sites – A. Datum and click A. Datum in the right pane.
22. Double-click the Documents folder, and then save the file with the name Meeting Agenda.
25. Switch back to Roman Miler’s Office 365 session in Microsoft Edge.
26. In the top-right corner, click the Settings icon, and then click Office 365 settings.
Note that you now have a new section at the top of the page where you can manage Office 365
installs.
3. In the Password box, type Pa$$w0rd, and then click Sign in.
5. In the Office 365 admin center, click Users, and then click Roman Miler.
7. Under Office 365 Enterprise E3, set the Office 365 ProPlus option to Off to remove the license from
Roman’s account, click Assign, and then click Close.
8. In Microsoft Edge, at the top right, click the Profile photo icon for Holly Dickson, and then click Sign
out.
10. In the Password box, type Pa$$w0rd, and then click Sign in.
11. In the top-right corner, click the Settings icon, and then click Office 365 settings.
12. On the Settings page, click Software.
Note that the Office installation is no longer listed, as this user no longer has an active license
(although software is available).
Note: The Office 365 ProPlus applications will still be available to Roman on any machine on
which he already installed them, but within 30 days, they will drop into low-functionality mode.
This means he will only be able to read and print documents.
2. In the Password box, type Pa$$w0rd, and then click Sign in.
4. In the Office 365 admin center, click Users, and then click Roman Miler.
6. Under Office 365 Enterprise E3, set the Office 365 ProPlus option to On, click Assign, and then click
Close.
Results: After completing this exercise, you should be able to activate Office 365 ProPlus for self-service
installations and set licensing options correctly for end users so that deployment and installation is possible.
2. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
3. In the console tree, right-click Adatum.com, point to New, and then click Organizational Unit.
4. Type Adatum_Computers, and then click OK.
6. Right-click LON-CL4, click Move, click Adatum_Computers, and then click OK.
7. In Server Manager, click Tools, and then click Group Policy Management.
8. In the Group Policy Management window, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click Adatum_Computers.
9. Right-click Adatum_Computers, and then click Create a GPO in this domain, and Link it here.
10. In the New GPO dialog box, in the Name box, type DeployO365, and then click OK.
11. In Group Policy Management, click Adatum_Computers, and in the right pane, right-click
DeployO365, and then click Edit. If you see a Group Policy Management Console window, click OK.
12. In Group Policy Management Editor, expand Computer Configuration, Policies, Windows Settings,
and then double-click Scripts (Startup/Shutdown).
14. In File Explorer, click Home, click New item, click Text Document, and then press Enter to accept the
default name.
15. Double-click New Text Document.txt.
17. Save the file as DeployO365.cmd. Ensure that in Save as type, you select All Files and that the file
extension is .CMD.
21. Switch back to the Group Policy Management Editor, Startup Properties dialog box.
24. In the Browse dialog box, select DeployO365.cmd, and then click Open.
Note that you could also deploy this script by using Microsoft Intune, Microsoft System Center
Configuration Manager, or other electronic software distribution.
3. In the User Account Control dialog box, type Adatum\Holly as the user name and Pa$$w0rd as the
password, and click Yes.
Note: If any updates have downloaded, click Update, and then restart.
7. Wait five minutes after LON-CL4 has restarted before continuing. This is to allow the Group Policy
settings to take effect on LON-CL4.
8. Sign in as ADATUM\maira with the password Pa$$w0rd. You may have to wait for Office to finish
installing.
9. Navigate to the Start screen, and note that Office 2016 is installed. You might have to wait up to 15
minutes before you see any available Office applications.
10. Click Word 2016. If you do not see it on the Start screen, type Word to bring up the icon.
11. On the Activate Office page, in the E-mail address box, type
maira@Adatumyyxxxxx.hostdomain.com, and then click Next.
12. On the Sign in page, in the Password box, type Pa$$w0rd, and then click Sign in. Click OK on the
notification window.
19. In File name, enter Meeting Report, and then click Save.
22. On the Processes tab, under Background processes, notice that Microsoft Office Click-to-Run
appears.
23. Click the Details tab, and notice officeclicktorun.exe in the task list.
24. Click the Services tab, and notice that the ClickToRunSvc service is running.
Note: Check Task Manager for your deployment. These items will all be present in a
successful install.
Results: After completing this exercise, you will have enabled centralized managed deployment of Office
365 ProPlus and implemented a standardized Microsoft Office configuration by using one version of Office.
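The contents of DeployO365.cmd are not reproduced on this page. The following is an added example, not the lab's script: the same deployment written as a PowerShell startup script that is safe to run at every boot, together with the post-install check that corresponds to the Task Manager items (the ClickToRunSvc service and the OfficeClickToRun process) the exercise asks you to look for. The share name and configuration file are the lab's; the assumption that setup.exe and configuration.xml sit at the root of the share, the log path, and the exit codes are this example's own.

```powershell
# Added example (not the lab's DeployO365.cmd): idempotent Office 365 ProPlus deployment
# for a GPO computer startup script, plus a verification function.
function Test-OfficeClickToRun {
    # The three indicators the lab checks in Task Manager after a successful install.
    $service = Get-Service -Name 'ClickToRunSvc'   -ErrorAction SilentlyContinue
    $process = Get-Process -Name 'OfficeClickToRun' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServicePresent = [bool]$service
        ServiceRunning = [bool]($service -and $service.Status -eq 'Running')
        ProcessRunning = [bool]$process
    }
}

function Invoke-OfficeDeployment {
    param(
        [string] $Share   = '\\LON-CL1\Office16',              # lab share
        [string] $Config  = 'configuration.xml',               # file edited in the earlier exercise
        [string] $LogPath = "$env:ProgramData\DeployO365.log"  # assumed log location
    )
    $log = { param($Message) "$(Get-Date -Format s) $Message" | Add-Content -Path $LogPath }

    # A startup script runs at every boot: do nothing once Click-to-Run is already present.
    if ((Test-OfficeClickToRun).ServicePresent) {
        & $log 'Office Click-to-Run already installed; nothing to do.'
        return 0
    }
    $setup = Join-Path $Share 'setup.exe'
    if (-not (Test-Path -LiteralPath $setup)) {
        # Startup scripts run as SYSTEM, so the share must be readable by the computer account.
        & $log "setup.exe not reachable at $setup"
        return 2
    }
    & $log "Starting $setup /configure $Config"
    # /configure is the ODT switch that installs from SourcePath using the given XML.
    $proc = Start-Process -FilePath $setup `
                          -ArgumentList @('/configure', (Join-Path $Share $Config)) `
                          -Wait -PassThru -NoNewWindow
    & $log "setup.exe exited with code $($proc.ExitCode)"
    return $proc.ExitCode
}

# In the GPO startup script, end with the deployment's exit code so failures show in the event log:
#   exit (Invoke-OfficeDeployment)
# After the restart, run the check interactively on the client:
Test-OfficeClickToRun
```

Writing to a log under ProgramData gives you something to read on a machine where Office did not appear after the fifteen-minute wait; the most common entries are the share being unreachable at boot, because the network was not up yet when the script ran, and a non-zero setup exit code from a SourcePath that points at an incomplete download.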
7. On the Create new user account page, enter the following information, and then click Save:
o Select Let me create the password, and then type the following password in both fields:
Pa$$w0rd
o Make this user change their password when they first sign in: Not selected
o Under Product licenses select licenses for this user: Office 365 Enterprise E3
8. Click Close, and then repeat step 7 to add the following additional users:
o Olivia Emerson
o Kendra Sexton
9. In the Office 365 admin center, on the Admin centers menu, click Exchange.
Note: It might take a few minutes for the mailboxes to appear. Click the refresh icon
periodically until they do.
3. In the Distribution Group window, in the Display name box, type IT.
L6-46 Planning and managing Exchange Online recipients and permissions
6. In the Select Members window, click Olivia Emerson, click Add, and then click OK.
8. Repeat steps 2 through 7 to add the following additional groups and members:
Note: If you copy the following commands from the courseware, you can paste them into
the virtual machine. On the Virtual Machine Connection menu, click Clipboard, and then click
Type clipboard text.
3. In the Windows PowerShell window, type the following command, and then press Enter:
$credential = Get-Credential
4. In the Enter Credentials dialog box, in the User name box, type
holly@Adatumyyxxxxx.hostdomain.com.
6. In the Windows PowerShell window, type the following command, and then press Enter:
7. In the Windows PowerShell window, type the following command, and then press Enter:
8. In the Windows PowerShell window, type the following command, and then press Enter:
9. In the Windows PowerShell window, type the following command, and then press Enter:
Get-AcceptedDomain
Note: This command returns the list of accepted domains and verifies that you can connect
to your Office 365 subscription.
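The connection sequence in steps 3 through 9, as an added example that is not the courseware's listing: it includes the session setup the page does not show and turns the Get-AcceptedDomain check into a guard. It assumes the Basic-authentication remote PowerShell endpoint this lab used; the user name is the lab placeholder.

```powershell
# Added example, not from the courseware. Assumes the remote PowerShell
# endpoint the lab used (Basic auth, since retired; see note below).
# The UPN and tenant name are the lab placeholders.
$credential = Get-Credential -UserName 'holly@Adatumyyxxxxx.hostdomain.com' -Message 'Office 365 admin'

$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $credential -Authentication Basic -AllowRedirection

# Import the Exchange cmdlets as local proxies. For scripts, -CommandName can
# restrict the proxy set to the cmdlets the script actually calls.
Import-PSSession $Session -DisableNameChecking | Out-Null

# Verify before changing anything: the accepted domains identify the tenant
# the session is bound to, so a wrong credential set is caught here.
$domains = Get-AcceptedDomain
if (-not ($domains | Where-Object { $_.DomainName -like 'Adatumyyxxxxx.*' })) {
    Remove-PSSession $Session
    throw 'Connected to the wrong tenant; aborting'
}
$domains | Format-Table Name, DomainName, DomainType, Default

# ... lab work goes here ...

# Remove the session when done. Orphaned sessions count against the per-user
# concurrent-session limit and keep an authenticated channel open.
Remove-PSSession $Session
```

Basic authentication against the powershell-liveid endpoint has since been retired. The replacement is the ExchangeOnlineManagement module: Connect-ExchangeOnline -UserPrincipalName holly@Adatumyyxxxxx.hostdomain.com uses modern authentication (MFA-capable), needs no Import-PSSession, and is ended with Disconnect-ExchangeOnline.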
2. In the Windows PowerShell window, type the following command, and then press Enter:
3. In the Windows PowerShell window, type the following command, and then press Enter:
4. In the Windows PowerShell window, type the following command, and then press Enter:
5. In the Windows PowerShell window, type the following command, and then press Enter:
Note: If you receive an error running the set-calendarprocessing cmdlet for either of these
objects, wait a few moments and repeat.
6. Switch to Microsoft Edge, and in the Exchange Admin center, click Refresh. You should be able to see
both resources.
7. In the Windows PowerShell window, type the following command, and then press Enter:
8. Switch to Microsoft Edge, and in the Exchange Admin center, click Refresh. You should be able to see
the changes you made in the details pane on the right.
4. In the Windows PowerShell window, type the following command, and then press Enter:
CD C:\Labfiles
Note: If you copy the following commands from the courseware, you can paste them into
the virtual machine. On the Virtual Machine Connection menu, click Clipboard, and then click
Type clipboard text.
5. In the Windows PowerShell window, type the following command, and then press Enter:
6. In the Windows PowerShell window, type the following command, and then press Enter:
7. In the Windows PowerShell window, type the following command, and then press Enter:
8. In Microsoft Edge, in the Exchange Admin center, in contacts, click Refresh. You can see the newly
created objects.
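The recipient objects this exercise creates (distribution groups, resource mailboxes with calendar processing, mail contacts), as one added example that is not the courseware's listing. It also handles the failure the note above describes: Set-CalendarProcessing can fail for a short while after a resource mailbox is created, so the example retries rather than asking you to repeat by hand. The group and member names are the lab's; the room, equipment and contact names, and the domain, are assumptions.

```powershell
# Added example, not from the courseware. Assumes an Exchange Online session
# is already imported. Room/equipment/contact names are assumed; the group
# and member are the lab's; the domain is the placeholder.
$domain = 'Adatumyyxxxxx.hostdomain.com'

# Distribution group. RequireSenderAuthenticationEnabled is the default for a
# new group; it is stated explicitly so a reviewer sees that external senders
# cannot post to an internal list.
New-DistributionGroup -Name 'IT' -DisplayName 'IT' -PrimarySmtpAddress "IT@$domain" `
    -Type Distribution -RequireSenderAuthenticationEnabled $true | Out-Null
Add-DistributionGroupMember -Identity 'IT' -Member "Olivia@$domain"

# Resource mailboxes: their accounts are disabled, so they add no sign-in surface.
New-Mailbox -Name 'Conference Room 1' -Room | Out-Null
New-Mailbox -Name 'Projector 1' -Equipment | Out-Null

# Retry wrapper for the transient failure the lab note mentions.
function Set-ResourceAutoAccept {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [int]$Attempts = 6,
        [int]$DelaySeconds = 15
    )
    for ($i = 1; $i -le $Attempts; $i++) {
        try {
            Set-CalendarProcessing -Identity $Identity -AutomateProcessing AutoAccept `
                -DeleteComments $true -DeleteSubject $true -AddOrganizerToSubject $true `
                -ErrorAction Stop
            return $true
        } catch {
            Write-Warning "Attempt $i of $Attempts failed for '$Identity': $($_.Exception.Message)"
            Start-Sleep -Seconds $DelaySeconds
        }
    }
    throw "Calendar processing was not applied to '$Identity' after $Attempts attempts"
}
Set-ResourceAutoAccept -Identity 'Conference Room 1'
Set-ResourceAutoAccept -Identity 'Projector 1'

# Mail contact: an external address shown in the GAL. Contacts are a common
# forwarding target in mailbox-abuse cases, so creation is worth logging.
New-MailContact -Name 'Humongous Insurance Support' `
    -ExternalEmailAddress 'support@humongousinsurance.com' | Out-Null

# Verify everything landed
Get-Recipient -RecipientTypeDetails RoomMailbox, EquipmentMailbox, MailContact, MailUniversalDistributionGroup |
    Format-Table Name, RecipientTypeDetails, PrimarySmtpAddress
```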
Results: After completing this exercise, you will have created and configured Microsoft Exchange Online
recipients.
4. In the Select Members window, click Olivia, click add, and then click OK.
5. In the Role Group window, click Save.
Note: If you copy the following commands from the courseware, you can paste them into
the virtual machine. On the Virtual Machine Connection menu, click Clipboard, and then click
Type clipboard text.
2. In the Windows PowerShell window, type the following commands, pressing Enter after each
command:
Enable-OrganizationCustomization
New-RoleGroup -Name BranchOfficeAdmins -Roles "Mail Recipients", "Distribution Groups", "Move Mailboxes", "Mail Recipient Creation"
3. In the Windows PowerShell window, type the following command, and then press Enter:
4. In the Windows PowerShell window, type the following command, and then press Enter:
Get-RoleGroupMember "BranchOfficeAdmins"
5. Switch to Internet Explorer, and then in the Exchange admin center, click Refresh. Ensure that you can
see the new BranchOfficeAdmins role group.
Note: If you copy the following commands from the courseware, you can paste them into
the virtual machine. On the Virtual Machine Connection menu, click Clipboard, and then click
Type clipboard text.
3. In the Windows PowerShell window, type the following command, and then press Enter:
4. To change the default role assignment policy for new mailboxes, in the Windows PowerShell window,
type the following command, and then press Enter:
Results: After completing this exercise, you will have configured delegated administration of your
Exchange Online organization.
Note: You might have a Windows PowerShell connection to Office 365 open from a previous
lab. If so, you can use the existing connection and skip this step.
3. In the Windows PowerShell credential request window, in the User name box, type
Holly@adatumyyxxxxx.hostdomain.com.
5. In Windows PowerShell, type the following command, and then press Enter:
Import-PSSession $Session
2. In Microsoft Edge, in the search box, type https://login.microsoftonline.com, and press Enter.
3. At the login page, sign in as Holly@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.
4. In the menu bar, click the Apps button, and then click Admin.
5. In the Office 365 admin center, on the menu on the left, under Admin centers, click Exchange.
6. In the Exchange admin center, click mail flow, and then click connectors.
7. Click New.
8. On the Select your mail flow scenario page, in the From box, select Office 365.
10. On the New connector page, in the Name box, type Humongous Insurance Outgoing, and then
click Next.
11. Click Only when email messages are sent to these domains, and then click Add.
12. On the add domain page, type humongousinsurance.com, click OK, and then click Next.
13. Click Use the MX record associated with the partner’s domain, and then click Next.
L7-52 Planning and configuring Exchange Online services
14. Select the Always use Transport Layer Security (TLS) to secure the connection check box, click
Issued by a trusted certificate authority (CA), and then click Next.
17. In the Send the test email to the address box, type postmaster@humongousinsurance.com, click
OK, and then click Validate.
Note: Validation of mail flow will fail because the connector is to a fictitious organization.
This is expected behavior for this lab.
21. In the Exchange admin center, on the connectors tab, click New.
22. On the Select your mail flow scenario page, in the From box, select Partner organization.
23. In the To box, select Office 365, and then click Next.
24. On the New connector page, in the Name box, type Humongous Insurance Incoming, and then
click Next.
25. Click Use the sender’s domain, and then click Next.
26. Click Add, type humongousinsurance.com, click OK, and then click Next.
27. Select the Reject email messages if they aren’t sent over TLS check box, and then click Next.
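The two partner connectors from steps 7 through 27, as an added example that is not the courseware's listing. It applies the wizard's TLS options as cmdlet parameters and then tightens them: the outbound connector pins the certificate subject to the partner domain, and the inbound connector stops relying on the claimed sender domain alone. The connector names and partner domain are the lab's.

```powershell
# Added example, not from the courseware. Assumes an Exchange Online session;
# connector names and the partner domain are the lab's.
$partner = 'humongousinsurance.com'

# Outbound (Office 365 -> partner): route via the partner's MX, always use TLS,
# require a CA-issued certificate. This is the wizard's "Issued by a trusted
# certificate authority" option.
New-OutboundConnector -Name 'Humongous Insurance Outgoing' -ConnectorType Partner `
    -RecipientDomains $partner -UseMXRecord $true `
    -TlsSettings CertificateValidation -Enabled $true | Out-Null

# Stronger: DomainValidation also requires the certificate subject to match
# the partner domain, so a valid certificate for some other name (reachable
# through a DNS or MX hijack) does not pass.
Set-OutboundConnector -Identity 'Humongous Insurance Outgoing' `
    -TlsSettings DomainValidation -TlsDomain "*.$partner"

# Inbound (partner -> Office 365): matched on the sender domain, non-TLS rejected
New-InboundConnector -Name 'Humongous Insurance Incoming' -ConnectorType Partner `
    -SenderDomains $partner -RequireTls $true | Out-Null

# "Use the sender's domain" alone is identity by assertion: any TLS-capable
# server can claim to send for humongousinsurance.com. Bind the connector to
# the partner's certificate (or, alternatively, to their source IPs with
# -RestrictDomainsToIPAddresses / -SenderIPAddresses).
Set-InboundConnector -Identity 'Humongous Insurance Incoming' `
    -RestrictDomainsToCertificate $true -TlsSenderCertificateName "*.$partner"

Get-OutboundConnector 'Humongous Insurance Outgoing' |
    Format-List Name, RecipientDomains, UseMXRecord, TlsSettings, TlsDomain
Get-InboundConnector 'Humongous Insurance Incoming' |
    Format-List Name, SenderDomains, RequireTls, RestrictDomainsToCertificate, TlsSenderCertificateName

# Validation sends a test message. As the lab notes, it fails for this
# fictitious partner; that is expected.
Validate-OutboundConnector -Identity 'Humongous Insurance Outgoing' -Recipients "postmaster@$partner"
```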
3. In the new rule window, in the Name box, type A. Datum Disclaimer.
4. In the Apply this rule if box, select The recipient is located, click Outside the organization, and
then click OK.
6. In the specify disclaimer text window, type <HR> If you are not the intended recipient of this
message, you must delete it, and then click OK.
8. In the specify fallback action window, select Wrap, and then click OK.
12. In the new rule window, in the Name box, type Moderate Managers.
13. In the Apply the rule if box, select The recipient is a member of, in the Select Members window,
click Managers, click add, and then click OK.
14. In the Do the following box, select Forward the message for approval to, click Holly Dickson, click
add, and then click OK.
17. In Microsoft Edge, in the search box, type https://login.microsoftonline.com, and then press Enter.
21. In the To field, type alias@outlook.com, where alias@outlook.com is the Microsoft account that you
configured at the beginning of this course.
23. In the message body, type This message will have a disclaimer, and then click Send.
24. Sign in to Outlook.com, and then verify that the message has the disclaimer If you are not the
intended recipient of this message, you must delete it added at the end of the message body. If the
message is not in the Inbox, check the Junk folder.
25. In the Mail window in which you are signed in as Francisco, click New.
28. In the message body, type This message requires approval by Holly, and then click Send.
29. On LON-CL1, click Start, type Outlook, and then click Outlook 2016.
30. Type Holly@Adatumyyxxxxx.hostdomain.com and Pa$$w0rd in the Windows Security dialog box.
If needed, complete the account setup wizard by clicking Next four times.
31. In Outlook, read the approval request, and then click Approve.
2. In the non-delivery reports window, click Browse, click Holly Dickson, click OK, and then click Save.
4. Click New.
5. In the new journal rule window, in the Send journal reports to box, type
journal@humongousinsurance.com.
7. In the If the message is sent to or received from box, select A specific user or group, click
Development, click add, and then click OK.
8. In the Journal the following messages box, select All messages, and then click Save.
3. In the Message Trace results window, double-click the message sent to alias@outlook.com.
4. Review the information in the message, including the message events that show that the disclaimer
was applied.
5. Click Close.
7. Review the information in the message, including that the message was sent for moderation.
8. Click Close.
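The message-transport settings of this exercise (disclaimer rule, moderation rule, non-delivery report address, journal rule) and the message-trace verification, as one added example that is not the courseware's listing. Rule names, disclaimer text and addresses are the lab's; the domain is the placeholder.

```powershell
# Added example, not from the courseware. Assumes an Exchange Online session;
# names, text and addresses are the lab's, the domain is the placeholder.
$domain = 'Adatumyyxxxxx.hostdomain.com'
$holly  = "Holly@$domain"

# Disclaimer appended to every message leaving the organization. Wrap delivers
# the original as an attachment of a new message when the disclaimer cannot be
# inserted (e.g. signed or encrypted content), so nothing leaves unmarked.
New-TransportRule -Name 'A. Datum Disclaimer' -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText '<HR> If you are not the intended recipient of this message, you must delete it' `
    -ApplyHtmlDisclaimerFallbackAction Wrap | Out-Null

# Moderation: mail to the Managers group is held for Holly's approval
New-TransportRule -Name 'Moderate Managers' -SentToMemberOf "Managers@$domain" `
    -ModerateMessageByUser $holly | Out-Null

# Journaling. The NDR address is mandatory and must not itself be a journaled
# mailbox. The journal target here is external: every Development message,
# internal ones included (Scope Global), is copied outside the tenant, so that
# route should sit behind a partner connector that requires TLS.
Set-TransportConfig -JournalingReportNdrTo $holly
New-JournalRule -Name 'Development journaling' `
    -JournalEmailAddress 'journal@humongousinsurance.com' `
    -Recipient "Development@$domain" -Scope Global -Enabled $true | Out-Null

# Review what is enabled, in evaluation order
Get-TransportRule | Format-Table Priority, Name, State
Get-JournalRule   | Format-Table Name, Scope, Recipient, JournalEmailAddress, Enabled

# Message trace: confirm the rules actually fired on the test message. Trace
# data lags delivery by some minutes, so use a wide window.
Get-MessageTrace -RecipientAddress 'alias@outlook.com' `
    -StartDate (Get-Date).AddHours(-2) -EndDate (Get-Date) |
    Get-MessageTraceDetail |
    Select-Object Date, Event, Detail | Format-Table -Wrap
```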
Results: After completing the exercise, you will have configured message-transport settings.
5. Select the Notify administrator about undelivered messages from internal senders check box.
7. Select the Notify administrator about undelivered messages from external senders check box.
5. In the add blocked IP address window, type 192.168.0.0/24, and then click OK.
6. Select the Enable safe list check box, and then click Save.
4. In the High confidence spam box, select Quarantine message, and then click Save.
5. Click Add.
6. In the new spam filter policy window, in the Name box, type Sales spam policy.
8. In the High confidence spam box, select Move message to Junk Email folder.
9. In the Prepend subject line with this text box, type Junk:.
10. Scroll to the bottom of the window, and under Applied To, in the If box, select The recipient is a
member of, click Sales, click add, and then click OK.
6. On LON-CL1, in the Exchange admin center, click protection, and then click quarantine.
7. Verify that the message sent to Francisco is in quarantine, but the message sent to Kendra is not.
8. Click the message sent to Francisco, click Release Message, and then click Release selected
message(s) to All recipients.
11. On LON-CL2, in Outlook on the web, verify that the message was delivered.
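The anti-spam configuration of this exercise (connection filter, default content filter, the Sales policy and rule) and the quarantine check and release, as one added example that is not the courseware's listing. Policy and group names are the lab's; the domain is the placeholder.

```powershell
# Added example, not from the courseware. Assumes an Exchange Online session;
# policy, group and user names are the lab's, the domain is the placeholder.
$domain = 'adatumyyxxxxx.hostdomain.com'

# Connection filter: IP block list plus Microsoft's safe list. 192.168.0.0/24
# is RFC 1918 space that never appears as an Internet sender; it is the lab's
# placeholder. In production, block observed sending ranges, not private space.
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPBlockList @{ Add = '192.168.0.0/24' } -EnableSafeList $true

# Default content filter policy: quarantine high-confidence spam for everyone
Set-HostedContentFilterPolicy -Identity Default -HighConfidenceSpamAction Quarantine

# Sales-specific policy: junk folder instead of quarantine for high-confidence
# spam, subject tag for ordinary spam. The tag only takes effect when the
# action is ModifySubject, which is why SpamAction is set alongside it.
New-HostedContentFilterPolicy -Name 'Sales spam policy' `
    -HighConfidenceSpamAction MoveToJmf `
    -SpamAction ModifySubject -ModifySubjectValue 'Junk:' | Out-Null
New-HostedContentFilterRule -Name 'Sales spam policy' `
    -HostedContentFilterPolicy 'Sales spam policy' `
    -SentToMemberOf "Sales@$domain" -Priority 0 | Out-Null

# Rules are evaluated by priority; confirm the Sales rule is ahead of the default
Get-HostedContentFilterRule | Format-Table Name, Priority, State, SentToMemberOf

# Verification as in the lab: Francisco's test message is quarantined, Kendra's is not
Get-QuarantineMessage -RecipientAddress "Francisco@$domain" |
    Format-Table ReceivedTime, SenderAddress, Subject, Type
Get-QuarantineMessage -RecipientAddress "Kendra@$domain"

# Release to all recipients ("Release selected message(s) to All recipients")
Get-QuarantineMessage -RecipientAddress "Francisco@$domain" -Type Spam |
    Release-QuarantineMessage -ReleaseToAll
```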
Results: After completing this exercise, you should have configured anti-spam and antivirus settings.
2. Click New.
3. In the new Outlook Web App mailbox policy window, in the Policy name box, type Limited features.
o Instant messaging
o Text messaging
o Unified messaging
o Journaling
5. Under Private computer or OWA for devices, clear the Direct file access check box, and then click
Save.
11. On LON-CL1, click Start, type Outlook and then click Outlook 2016. If prompted, type
Holly@Adatumyyxxxxx.hostdomain.com and Pa$$w0rd in the Windows Security dialog box.
13. In the new email window, in the To box, type Kendra@adatumyyxxxxx.hostdomain.com, and then
click Check Names.
15. In the ribbon, click Attach File, and then click Browse This PC.
16. In the Insert File window, browse to C:\Windows\Logs\DISM, click dism, and then click Insert.
18. On LON-CL2, in Outlook on the web, sign out, and then sign in again as
Kendra@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.
19. On the Outlook page, select your time zone and click Save.
22. Click OK to close the message, indicating that you do not have permission to download files.
3. In the Exchange ActiveSync access settings window, click Quarantine – Let me decide to block or
allow later.
4. Under Quarantine Notification Email Messages, click Add, click Holly Dickson, click add, and then
click OK.
5. Select the Minimum password length check box, enter a value of 4, and then click Save.
3. Your device will be placed into quarantine, and you must approve the device before you can send and
receive messages.
4. After you configure the Exchange ActiveSync account, the security settings from the mobile-device
mailbox policy will apply, and you may be prompted to create a password on your device.
5. When you finish your testing, you can delete the account from your mobile device.
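The client-access settings of this exercise (the Limited features OWA mailbox policy, ActiveSync device quarantine, the mobile device mailbox policy) and the device approval, as one added example that is not the courseware's listing. Policy and user names are the lab's; the domain, the production baseline values and the approval helper are assumptions.

```powershell
# Added example, not from the courseware. Assumes an Exchange Online session;
# policy and user names are the lab's, the domain is the placeholder, the
# production baseline values are assumptions.
$domain = 'adatumyyxxxxx.hostdomain.com'

# OWA mailbox policy as the lab builds it in the EAC
New-OwaMailboxPolicy -Name 'Limited features' | Out-Null
Set-OwaMailboxPolicy -Identity 'Limited features' `
    -InstantMessagingEnabled $false -TextMessagingEnabled $false `
    -UMIntegrationEnabled $false -JournalEnabled $false `
    -DirectFileAccessOnPrivateComputersEnabled $false
# Direct file access is a separate setting for public/shared computers; the lab
# only clears the private-computer one. Clear both if the goal is "no downloads".
Set-OwaMailboxPolicy -Identity 'Limited features' -DirectFileAccessOnPublicComputersEnabled $false
Set-CASMailbox -Identity "Kendra@$domain" -OwaMailboxPolicy 'Limited features'

# ActiveSync: unknown devices are quarantined and Holly is notified
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients "Holly@$domain"

# Mobile device mailbox policy. The lab's 4-character minimum is for the exercise only.
Set-MobileDeviceMailboxPolicy -Identity Default -PasswordEnabled $true -MinPasswordLength 4
# A production baseline (assumed values): longer alphanumeric PIN, wipe after
# repeated failures, auto-lock, encryption, and no devices that cannot enforce policy.
Set-MobileDeviceMailboxPolicy -Identity Default -PasswordEnabled $true -MinPasswordLength 6 `
    -AlphanumericPasswordRequired $true -MaxPasswordFailedAttempts 10 `
    -MaxInactivityTimeLock '00:05:00' -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# Approve a quarantined device for its owner only, after checking it really is
# theirs and really is quarantined (not blocked for a policy reason).
function Approve-QuarantinedDevice {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string]$DeviceId
    )
    $dev = Get-MobileDevice -Mailbox $Mailbox | Where-Object { $_.DeviceId -eq $DeviceId }
    if (-not $dev) { throw "Device $DeviceId is not associated with $Mailbox" }
    if ($dev.DeviceAccessState -ne 'Quarantined') {
        throw "Device $DeviceId is '$($dev.DeviceAccessState)' ($($dev.DeviceAccessStateReason)), not quarantined"
    }
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{ Add = $DeviceId }
}

# List what is waiting, then approve one device explicitly
Get-MobileDevice -ResultSize Unlimited | Where-Object DeviceAccessState -eq 'Quarantined' |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceId
# Approve-QuarantinedDevice -Mailbox "Holly@$domain" -DeviceId '<DeviceId from the list>'
```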
Results: After completing this exercise, you should have configured client access policies.
2. On the Skype for Business Online, Windows PowerShell Module page, click Download, and then
click Run.
3. Select I agree to the license terms and conditions, and then click Install.
2. In the search results, right-click Windows PowerShell, and then click Run as administrator.
4. At the command prompt, type the following command, and then press Enter:
$cred = Get-Credential
5. In the credentials dialog box, enter the user name Holly@adatumyyxxxxx.hostdomain.com and
the password Pa$$w0rd, and then click OK.
Import-PSSession $SfBSession
Get-CsBroadcastMeetingConfiguration
Task 3: Configure the organization settings for Skype for Business Online
1. On LON-CL1, in the Windows PowerShell command-line interface window, type the following
command to enable privacy mode, and then press Enter:
Note the warning that you receive about enabling client version checking.
2. To disable push notifications for Apple devices, type the following command, and then press Enter:
3. To verify the privacy notification settings, type the following command, and then press Enter:
Get-CSPrivacyConfiguration
o Identity: Global
o EnablePrivacyMode: True
o AutoInitiateContacts: True
o PublishLocationDataDefault: True
o DisplayPublishedPhotoDefault: True
4. To verify the push notification settings, type the following command, and then press Enter:
Get-CSPushNotificationConfiguration
5. To allow users to communicate with public Skype users, type the following command, and then press
Enter:
6. To allow users to communicate with federated partners, type the following command, and then press
Enter:
7. To enable communication with all federated partners except for litware.com, type the following
commands, and then press Enter after each command:
$AllDomains = New-CsEdgeAllowAllKnownDomains
$BlockedDomain = New-CsEdgeDomainPattern -Domain "litware.com"
Set-CsTenantFederationConfiguration -AllowedDomains $AllDomains -BlockedDomains $BlockedDomain
Get-CsTenantFederationConfiguration
10. On the Office 365 home page, click the Admin tile.
11. In the Microsoft Office 365 admin center, in the menu to the left, click Admin centers, and then click
Skype for Business.
13. On the general page, under presence privacy mode, verify that the setting is configured as Display
presence information only to a user’s contacts.
14. Under mobile phone notifications, verify that Apple Push Notification Service is not enabled, and
then click external communications.
15. Under external access, verify that On except for blocked domains is selected.
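Task 3 as a complete sequence, as an added example that is not the courseware's listing: it includes the Set-Cs* commands the page leaves out and, after the lab's block-list configuration, shows the default-deny alternative (federate only with named partners). It assumes the SkypeOnlineConnector module the lab installs; the partner domain in the allow list is an assumption.

```powershell
# Added example, not from the courseware. Assumes the SkypeOnlineConnector
# module (since retired; the Teams module replaced it). Domains are the
# lab's except the allow-list partner, which is an assumption.
Import-Module SkypeOnlineConnector
$cred = Get-Credential -UserName 'Holly@adatumyyxxxxx.hostdomain.com' -Message 'SfB Online admin'
$SfBSession = New-CsOnlineSession -Credential $cred
Import-PSSession $SfBSession -AllowClobber | Out-Null

# Presence visible only to a user's contacts; Apple push notifications off
Set-CsPrivacyConfiguration -EnablePrivacyMode $true
Set-CsPushNotificationConfiguration -EnableApplePushNotificationService $false
Get-CsPrivacyConfiguration
Get-CsPushNotificationConfiguration

# Federation as the lab configures it: public Skype users allowed, all known
# domains allowed except litware.com (a deny list).
Set-CsTenantFederationConfiguration -AllowPublicUsers $true -AllowFederatedUsers $true
$AllDomains    = New-CsEdgeAllowAllKnownDomains
$BlockedDomain = New-CsEdgeDomainPattern -Domain 'litware.com'
Set-CsTenantFederationConfiguration -AllowedDomains $AllDomains -BlockedDomains $BlockedDomain

# Default-deny alternative (replaces the configuration above if run): only named
# partners may federate, and public Skype users are off because that path
# bypasses any partner list.
$partners  = 'humongousinsurance.com' | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $partners
Set-CsTenantFederationConfiguration -AllowedDomains $allowList -AllowPublicUsers $false

Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowPublicUsers, AllowedDomains, BlockedDomains
Remove-PSSession $SfBSession
```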
3. In the Footer text text box, type Sample legal disclaimer. Click save.
4. At the Windows PowerShell command prompt, type the following command, and then press Enter:
Get-CsMeetingConfiguration
5. Verify that the Help URL and CustomFooterText display the correct information.
2. In the Skype for Business window, type Holly@adatumyyxxxxx.hostdomain.com, and then click
Sign in.
3. Type Pa$$w0rd for password, and then click Sign in. Click Yes.
5. On the ribbon, click New Items, click Meeting, and then click Skype Meeting.
7. Create a meeting request for some time tomorrow using a subject of Test Meeting.
Results: After completing this exercise, you should have configured Skype for Business Online service
settings.
2. On the menu to the left, click Users, and then click Active users. Select Christie Thomas, and then
click Edit in the Product licenses section.
3. Turn off Skype for Business Online (Plan 2), click Assign, and then click Close.
4. On the menu to the left, select Admin centers, and then click Skype for Business.
L8-62 Planning and deploying Skype for Business Online
6. Verify that Christie Thomas is not listed as a Skype for Business user.
8. On the general tab, under Audio and video, clear Record conversations and meetings.
9. On the menu to the left, click external communications, clear External Skype users, and then click
Save.
10. Click the back icon, select Francisco Chaves, and then click Edit.
11. On the general tab, under Audio and video, select Audio only from the drop-down list box. Click
save.
3. On the Add an Email Account page, click Next. If the Office installation wizard launches, wait for the
installation to finish, and then continue.
4. On the Auto Account Setup page, fill in the following information, and then click Next:
o Password: Pa$$w0rd
5. In the Microsoft Outlook dialog box, type Pa$$w0rd as the password, select Remember my
credentials, and click OK.
6. Click Finish.
10. Save the sign-in information. In the Help Make Skype for Business Better! dialog box, click No.
11. On LON-CL1, ensure that you are signed in as Holly, and verify that Outlook 2016 and Skype for
Business 2016 are open.
12. In Outlook 2016, create a Skype meeting request for a meeting that will start within the next 15
minutes, and then send the request to Francisco Chaves and Maira Wenzel.
13. In Skype for Business, in the Find someone text box, type Maira.
16. On LON-CL4, verify that the IM from Holly is received and respond to it.
18. Open the meeting, and then click Join Skype Meeting.
21. On LON-CL1, open the meeting request, click Join Skype Meeting, click Don’t join audio, and then
click OK.
23. On LON-CL1, in the meeting window, click the Present icon, and then click Present Desktop.
24. In the Present Desktop window, click Present.
26. On LON-CL4, verify that Holly’s desktop is visible in the meeting window.
27. On LON-DC1, open Internet Explorer, and then connect to https://portal.office.com. Sign in as
Francisco@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.
30. Click the App launcher at the top of the window, and then click Calendar.
33. In the Skype for Business Web App window, click Sign in if you are an Office 365 user.
34. Ensure that Install the Skype for Business Web App plug-in is selected, click Join the Meeting, and
then click Run.
35. Verify that you can join the meeting and that Holly’s desktop is visible. Ignore the warning that you
need to set up an audio device.
36. Close the Internet Explorer window, and when prompted, click Leave this page.
Results: After completing this exercise, you should have configured Skype for Business Online user settings
and validated Skype for Business Online functionality.
o Duration: 1 hour
o Access: Secure
6. In the Skype Meeting Broadcast window, click Create Outlook invitation, and then click Open.
4. On the Auto Account Setup page, fill in the following information, and then click Next:
o Password: Pa$$w0rd
5. In the Microsoft Outlook dialog box, type Pa$$w0rd as the password, select Remember my
credentials, and then click OK.
6. Click Finish.
10. Save the sign-in information. In the Help Make Skype for Business Better! dialog box, click No.
11. Open PowerPoint 2016. Select the option to create a blank presentation.
12. Type a title for the presentation, and then save the presentation to the Documents folder using the
name Presentation.pptx.
14. In Outlook, click the broadcast meeting request from Holly Dickson, and then click Accept.
15. In the Reminders pop-up window, double-click the meeting request from Holly.
16. Click Join the Meeting.
17. In the Skype for Business window, sign in as Roman@adatumyyxxxxx.hostdomain.com with the
password Pa$$w0rd, and then click Join the event.
18. In the Join Meeting Audio dialog box, click Don’t join audio, and then click OK.
20. In the Meeting window, click Present, and then click Present PowerPoint Files.
21. Browse to the Documents folder, click Presentation.pptx, and then click Open.
22. In the right side of the meeting window, click Content only, and then click Start Broadcast.
23. Click Start Broadcast again. Wait for the broadcast to start.
24. On LON-CL4, signed in as Maira, in Outlook 2016, accept the meeting request from Holly.
25. Open the meeting request, and then click Join the Meeting.
26. In the Skype for Business window, sign in as Maira@adatumyyxxxxx.hostdomain.com with the
password Pa$$w0rd, and then click Join the event.
27. On LON-CL3, in the broadcast window, click Stop Broadcast, and then click Stop Broadcast again.
Results: After completing this exercise, you should have configured a broadcast meeting and verified that
users can join the meeting.
2. In LON-CL1, click the desktop, on the taskbar, click Microsoft Edge, and then browse to
https://portal.office.com.
4. In the Office 365 admin center, click Admin centers, and then click SharePoint.
10. Click Allow both external users who accept sharing invitations and anonymous guest links, and
then click OK.
3. In the Find profiles dialog box, type Brad, and then click Find.
6. Click the check names field and verify that the field displays Holly Dickson.
11. In the secondary owner list, type Holly and then click the Check names icon.
2. In the Apps for Office from the Store window, click No to disable apps from starting when documents
are opened in the browser.
Results: After completing this exercise, you should have configured SharePoint Online service settings.
2. In the Office 365 admin center, on the left side menu, click Admin centers, and then click SharePoint.
5. In the new site collection dialog box, in the Title box, type marketing, in the empty text box, type
marketing, and then in the administrator list, type Holly. Then click the Check Names icon. Leave
the other settings as suggested. To confirm, click OK.
Note: SharePoint Online provisions the new marketing site. This process can take a few
minutes.
Note: It can take a few minutes until the Sharing menu on the ribbon is active. You can
speed this up by pressing the F5 key to refresh the page.
8. In the Sharing dialog box, select Allow sharing with all external users, and by using anonymous
access links, and then click Save.
Note: The site settings change to allow external user sharing; this usually completes within one
minute. External user sharing is then enabled for this marketing site.
2. On the SharePoint Online Management Shell download page, in the Select Language drop-down
list, select your appropriate language, and then click Download.
3. On the Choose the download you want page, select the check box for the 64-bit version and for the
most current file. Click Next.
5. In the Internet Explorer dialog box asking whether you want to run or save the file, click Run.
6. On the SharePoint Online Management Shell Setup page, select the I accept the terms in the
License Agreement check box, and then click Install.
9. Click Start, type sharep, and right-click SharePoint Online Management Shell, and then click Run as
administrator.
11. At the command prompt, type the following command, and then press Enter (where yyxxxxx is your
unique Adatum domain name):
Connect-SPOService -Url https://adatumyyxxxxx-admin.sharepoint.com -Credential holly@Adatumyyxxxxx.hostdomain.com
Note: If Connect-SPOService fails with the error "For security reasons, DTD is prohibited in this
XML document", change the DNS server to 8.8.8.8 so that the connection does not land on the HTTP
error page returned by the provider.
12. In the Enter your credentials dialog box, in the Password box, type Pa$$w0rd, and then click OK.
13. At the command prompt, type the following command, and then press Enter:
2. Browse to https://portal.office.com.
4. In the Office 365 admin center, click Admin, and then click SharePoint.
8. In the Site Collection Administrators text box, type Brad, click the Check Names icon, and then click
OK.
10. In the upper-right corner, click the Settings icon (the wheel icon), and then navigate to site settings.
11. Under Users and Permissions, click Site collection administrators to open it.
2. Browse to https://adatumyyxxxxx.hostdomain.com/sites/marketing.
Note: You need permission to access this site, and you need to send an access request for
permission to view the site.
4. In the You need permission to access this site dialog box, type Please enable Maira’s access to this
site, and then click Request Access.
8. In the top-right corner, click the Settings icon (the wheel icon), and then click Site settings.
9. Under User and Permissions, click Site permissions.
16. In the text box at the top, type Perry, and then click Perry Brill.
Results: After completing this exercise, you should have created and configured SharePoint Online site
collections.
2. Browse to https://portal.office.com.
5. On the leftmost side, click settings, and then scroll down to external sharing.
6. Click Allow both external users who accept sharing invitations and anonymous guest links, and
then click OK.
4. In the Sharing dialog box, click Allow sharing with all external users, and by using anonymous
access links.
5. Click Save.
6. Wait for the operation to complete, which might take about 5 minutes.
12. In the text box, type You can now access this shared site on Adatum Publishing.
13. Click Share.
17. In the Word Online window, type some text, wait until Saved appears in the document title, and then
click the marketing link.
18. In the document list, click the ellipsis button (…) next to the document you created, and then click
SHARE.
19. Click Get a link, and then click Edit link – no sign-in required.
20. Select the link, right-click it, and then click Copy.
22. In the SharePoint Online window, click the apps icon, and then click Mail.
23. If prompted, select your language and time zone, and then click Save.
L9-72 Planning and configuring SharePoint Online
25. In the To box, type the email address for your Microsoft account, and then in the Subject box, type
Shared Document.
Note: The Inbox should show two emails from Microsoft Online Services Team. If the messages are
not in the Inbox, look in the Junk folder.
3. Open the message that has the subject Holly Dickson wants to share Accounts Projects.
5. Click Microsoft Account. Verify that you can access the site.
6. Close the browser tab. In your Inbox, open the second invitation email message with the subject of
Holly Dickson wants to share the document.
Note: You are redirected directly to the Word Document. Word Online opens and shows the
document.
8. Verify that you can access the Word document, and then click Edit in Browser.
11. Leave the virtual machines running for the next lab.
Results: After completing this exercise, you should have configured a new site collection for external user
sharing, and you should have shared a site and a document with external users.
3. Click the Office 365 app launcher icon, and then click Yammer.
4. On the WHO DO YOU WORK WITH? page, click the X at the top-right corner to close the page.
5. In Yammer, in the left pane beside Holly Dickson, click the Settings icon.
6. Click NETWORK ADMIN.
7. In the Yammer admin center, in the left Navigation pane, click on Usage Policy.
8. In the Usage Policy window, select the Require users to accept policy during sign up and after any
changes are made to the policy check box.
9. In the Usage Policy window, select the Display policy reminder in sidebar check box.
10. In the Custom Policy Title text box, type Adatum Acceptable Use Policy.
11. In the Enter your policy in the textbox below text box, copy and paste the following text:
14. If needed, in Yammer, in the left pane beside Holly Dickson, click the Settings icon, and then click
NETWORK ADMIN.
15. In the left side menu of the Yammer console, click Configuration.
16. In the Email Settings section, click A weekly digest of your group messages.
17. On the Enabled Features page, clear the 3rd Party Applications check box.
20. On the Data Retention Policy page, read the description of available options, click Soft Delete, and
then click Save.
21. In the left side menu of the Yammer console, click Monitor Keywords.
22. On the Monitor Keywords page, type holly@Adatumyyxxxxx.hostdomain.com in the Email Address
field.
L10-74 Planning and configuring an Office 365 collaboration solution
23. In the text box, type the following words, one in each line: gambling, erotic, warez.
25. In the left side menu of the Yammer console, click Success.
27. In the middle pane, in the What are you working on? text box, type Welcome to all Adatum users!,
and then click Post.
Task 2: Configure Yammer service settings, and enforce Office 365 identity
1. In Yammer, in the left pane, click the Settings icon.
3. In the Yammer admin center, in the left Navigation pane, in the Content and Security section, click
Security Settings.
7. Click Save.
5. Click Save.
8. In the Share This Conversation section, select Post in a Group, type All Company in the drop-down
box, and in the text box, type Welcome from me too.
9. Click Share.
10. In the What are you working on text box, type free gambling here, and click Post.
15. Verify that you received a message from Yammer with a report about monitored keyword appearance
in the Roman post. Still doesn't work!!!!!
16. Close Microsoft Edge browser.
Results: After completing this exercise, you should have enabled Yammer Enterprise for A. Datum.
2. In the Word window, in the top right corner, verify that Word is licensed to Roman Miler.
4. In the Accounts dialog box, click SIGN OUT, and then click Sign out. In the Remove Account notice,
click Yes.
5. At the top right, click Sign in to get the most out of Office.
7. On the Sign in page, in the Password box, type Pa$$w0rd, and then click Sign in.
8. Verify that Word is now licensed to Roman. Close Word.
13. In the OneDrive window, click New, and then click Word document.
14. In the Word Online window, type some text, and then click Roman Miler at the top of the Window
beside Word Online.
15. In the OneDrive window, click Sync, and then click Sync now.
16. In the Did you mean to switch apps? dialog box, click Yes.
17. In the Sync the library ‘Documents’ for Roman Miler? dialog box, click Sync Now.
20. In the Microsoft OneDrive for Business dialog box, click Show my files.
21. Note that File Explorer opens and displays the location where the synchronized files will be stored.
Verify that the Word document has been synchronized to the local computer.
2. On the ribbon in File Explorer, click Home, click New folder, and then create a new folder named
Private.
3. On the ribbon, click Home, click New folder, and then create a second new folder named Project A.
4. Double-click the folder Private. Right-click in this folder, and on the context menu, click New, and
then click Microsoft Word Document. Name the document Holidays.docx.
5. Double-click Holidays.docx to open it, and then type some text. Save the changes, and then close
Microsoft Word.
6. See how the document icon in the taskbar changes from two blue arrows to a small green checkmark
icon after the synchronization process is complete. The document has been transferred to the cloud
storage automatically.
7. In the File Explorer window, navigate to OneDrive for Business in the navigation address line to move
one level up.
8. Double-click the folder Project A. Right-click in this folder, and on the context menu, click New, and
then click Microsoft Word Document. Name the document Project targets.docx.
9. Double-click Project targets.docx to open it, and then type some text. Save the changes, and then
close Microsoft Word.
10. Verify that the document synchronizes.
11. To view the files online, switch to the Microsoft Edge window. Refresh the view.
12. In the Files list, you should see your two folders, Private and Project A.
13. Navigate to the Private folder. Click the synchronized document Holidays.docx to open it in Word
Online.
14. Click Edit document, and then click Edit with Word Online. Add some text. The document is saved
automatically when Saved is displayed in the title bar.
15. In the menu bar right beside Word Online, click Roman Miler to return to OneDrive for Business.
16. The content of the Private folder changes, and you will see that you changed the document online.
The changed column shows that the document changed some seconds (or minutes) ago.
17. Switch back to File Explorer. Navigate to the folder Private, and then open Holidays.docx. You will see
that the changes you made in Word Online are synchronized back automatically.
2. Microsoft Edge opens. Open the Project A folder, right-click Project Targets.docx, and then click
Share.
SharePoint Online automatically opens a dialog box named Share Project targets.
3. The left navigation pane displays the link Invite people. In the text box, type Holly Dickson.
4. Ensure that the drop-down list on the right has Can edit selected, add a short message in the message
text box, and then click Share.
10. When the document opens, click Edit Document, and then select Edit in Word Online. Verify that
you can open the document and edit it. All modifications are stored online in the OneDrive for Business
cloud storage. By default, SharePoint Online creates a new version when the document changes. This
can be viewed by the owner in the version history.
12. In the Microsoft Edge window, right-click Project Targets, and then click Share on the menu bar.
13. Click Shared with, and then click Stop sharing to stop sharing this document. Click Stop sharing
again, and then click Close.
Results: After completing this exercise, you should have configured OneDrive for A. Datum.
2. Open the Office 365 admin center through the app launcher by clicking the Admin icon.
3. Select Groups in the left navigation pane, click Groups, and then click Add a group.
4. In the Add a group window, verify that Office 365 group is selected in the Type drop-down list.
o Name: AdatumMarketing
o E-Mail: Adatummarketing@Adatumyyxxxxx.hostdomain.com
o Under Privacy, select Private – Only members can see group content.
6. Click Add.
7. Click Close.
9. Type Roman in the search box, and then click Roman Miler.
$cred = Get-Credential
6. To create a new public Office 365 group, type the following command, and then press Enter:
7. To add a user to the owners group, type the following command, and then press Enter:
8. To add a user to the members group, type the following command, and then press Enter:
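The three commands above are not reproduced in this answer key. As an added example (not the course's own lab commands), the following script wraps the same sequence in one function, assuming an Exchange Online remote session has already been imported with the credentials in $cred, and using lab placeholders for the tenant domain and for Francisco as the member:

```powershell
# Added example (not the course's lab commands): create an Office 365 group and
# populate its owners and members from an already-imported Exchange Online session.
# Assumptions: $cred holds tenant admin credentials (as in the lab step above) and
# Adatumyyxxxxx.hostdomain.com is your unique lab domain.

function New-LabUnifiedGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$Alias,
        [ValidateSet('Public','Private')][string]$AccessType = 'Private',
        [string[]]$Owners = @(),
        [string[]]$Members = @()
    )

    # Default to Private: a Public group lets any tenant user join and read its
    # conversations and files, which is exactly what the later "Join" step relies on.
    $group = New-UnifiedGroup -DisplayName $DisplayName -Alias $Alias -AccessType $AccessType

    if ($Owners.Count -gt 0) {
        # Owners must already be members, so add them as members first.
        Add-UnifiedGroupLinks -Identity $group.Identity -LinkType Members -Links $Owners
        Add-UnifiedGroupLinks -Identity $group.Identity -LinkType Owners  -Links $Owners
    }
    if ($Members.Count -gt 0) {
        Add-UnifiedGroupLinks -Identity $group.Identity -LinkType Members -Links $Members
    }

    # Return the effective membership so the caller can verify what was granted.
    [pscustomobject]@{
        Group   = $group.PrimarySmtpAddress
        Access  = $group.AccessType
        Owners  = (Get-UnifiedGroupLinks -Identity $group.Identity -LinkType Owners).PrimarySmtpAddress
        Members = (Get-UnifiedGroupLinks -Identity $group.Identity -LinkType Members).PrimarySmtpAddress
    }
}

# Usage with lab values: a public "Planning Group" owned by Holly, with Francisco as a
# member (Francisco is an assumed member; Roman joins on his own later in the lab).
New-LabUnifiedGroup -DisplayName 'Planning Group' -Alias 'PlanningGroup' -AccessType Public `
    -Owners 'Holly@Adatumyyxxxxx.hostdomain.com' -Members 'Francisco@Adatumyyxxxxx.hostdomain.com'
```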
3. Click Mail.
4. In the left pane, click Planning Group, and then click Start a group conversation.
5. In the message window, type a subject and some content, and then click Send.
6. Click Calendar on the toolbar, and then view the group calendar.
7. Click New. In the Details pane, fill out the data for the meeting, type Planning meeting for the subject,
schedule it for tomorrow, and then click Save.
8. Ensure that the calendar item synchronizes with Holly’s personal calendar.
11. Click Files on the toolbar, and then wait for the files store to be created. When you see Ready to go,
click Take me to Planning Group files.
13. Type some text, and when you see Saved in the title bar, close the Microsoft Edge tab.
14. In the Mail window, click Files, and verify that the document has been added to the group.
15. On LON-CL3, open Microsoft Edge, and then sign in to https://portal.office.com as
Roman@Adatumyyxxxxx.hostdomain.com, with the password Pa$$w0rd.
16. Click Mail. Verify that the AdatumMarketing group appears in your Groups list.
18. Click Planning Group, and then click Join. Because this is a public group, you can join the group.
19. In the left navigation pane, click Planning Group, and then click Conversations. Verify that you see
the message that Holly sent to the group.
20. Click Files, and then verify that you see the document that Holly created.
Results: After completing this exercise, you should have configured Office 365 groups at A. Datum.
6. On the Rights Management page, click Manage Microsoft Azure Rights Management settings.
8. When prompted with Do you want to activate Rights Management?, click activate.
$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
3. Type the following command, and then press Enter to set the IRM sharing location to the region you
are in.
Note: Depending on the location of your tenant, replace the link in the preceding
command with one of the following:
4. Type the following command, and then press Enter to configure Azure RMS as a trusted publishing
domain.
5. Type the following command, and then press Enter to set the IRM configuration for licensed users
only.
6. Type the following command, and then press Enter to test the configuration.
7. Type the following command, press Enter, and then close Windows PowerShell.
Remove-PSSession $Session
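Steps 3 to 6 above do not show their commands in this answer key. As an added example (not the course's own lab commands), the following function performs the same IRM configuration and returns the test result, reusing the $Session created earlier; the North America key-sharing URL is a placeholder to be replaced with the link for your tenant's region, and Holly is assumed as the test sender:

```powershell
# Added example (not the course's lab commands): configure Exchange Online IRM
# against Azure RMS and verify it, inside the $Session imported above.
# Assumptions: the key-sharing location shown is a placeholder for the North
# America region; Holly@Adatumyyxxxxx.hostdomain.com is a licensed lab sender.

function Enable-LabIrm {
    param(
        [Parameter(Mandatory)][string]$KeySharingLocation,
        [Parameter(Mandatory)][string]$TestSender
    )

    # 1. Point Exchange Online at the Azure RMS key-sharing endpoint for the tenant region.
    Set-IRMConfiguration -RMSOnlineKeySharingLocation $KeySharingLocation

    # 2. Import the Azure RMS trusted publishing domain so Exchange can issue use licenses.
    Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'

    # 3. Enable internal licensing so licensed users (and transport rules) can apply protection.
    Set-IRMConfiguration -InternalLicensingEnabled $true

    # 4. Return the end-to-end test rather than only printing it.
    return Test-IRMConfiguration -Sender $TestSender
}

$result = Enable-LabIrm -KeySharingLocation 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc' `
                        -TestSender 'Holly@Adatumyyxxxxx.hostdomain.com'

# Test-IRMConfiguration reports per-check PASS/FAIL lines and an OVERALL RESULT line;
# match on the rendered text so the check does not depend on the object's property names.
if (($result | Out-String) -notmatch 'OVERALL RESULT:\s*PASS') {
    throw "IRM configuration test did not pass:`n$($result | Out-String)"
}

Remove-PSSession $Session
```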
4. On the settings page, in the Information Rights Management (IRM) section, click Use the IRM
service specified in your configuration, and then click Refresh IRM Settings.
2. In the Word window, at the top right corner, click Switch account.
4. In the Sign in dialog box, type Holly@adatumyyxxxxx.hostdomain.com, and then click Next.
9. Type a subject, and then type some text in the message body.
10. On the Options tab, click Permission, and then click Connect to the Rights Management Server
and get templates.
16. On the Settings page, under Permissions and Management, click Information Rights
Management.
17. On the Information Rights Management Settings page, select the Restrict permissions on this
library on download check box.
18. In the Create a permission policy title box, type Marketing Policy.
19. In the Add a permission policy description box, type Marketing policy for downloads.
25. In the Office 365 portal, in the App launcher, click Mail.
26. On the Outlook page, select your time zone and click Save.
27. Verify that you received an email from Holly that is IRM protected. Click the message.
28. Click the down arrow beside Reply all, and then verify that you do not have the option to forward or
print the message.
31. After the document opens, try to edit it in Word Online. Verify that you get a message that the
document is read-only.
32. Close Microsoft Edge.
Results: After completing this exercise, you will have configured Rights Management for Exchange Online
and SharePoint Online.
4. In the Office 365 admin center, in the left side menu, select Admin centers and then click
Compliance. If you are connected to the Compliance Center, click Check out your new Office 365
Protection Center.
8. In the Select Members window, click Brad Sutton, click add, and then click OK.
L11-84 Planning and configuring Rights Management and compliance
9. Click Save.
10. Click To assign permissions for retention policies and archiving, go to the Exchange admin
center.
18. In the Select Members window, click Christie Thomas, click add, and then click OK.
19. Click Save.
3. In the navigation pane, click Data management, and then click Archive.
4. In the Archive window, click Christie Thomas, and then Ctrl+click Jessica Jennings.
5. Under Bulk Edit, click Enable. In the warning message, click Yes, and then click Close.
6. Click Refresh, and then verify that Christie and Jessica have been enabled for an archive mailbox.
3. On the Retention Tags page, click New tag, and then select applied automatically to entire
mailbox (default).
7. Click Save.
8. On the toolbar, click New tag, and then select applied automatically to entire mailbox (default).
13. On the toolbar, click New tag, and then select applied automatically to a default folder.
15. Under Apply this tag to the following default folder, select Deleted Items.
19. On the toolbar, click New tag, and then select applied by users to items and folders (personal).
30. On the Retention page, click Manage retention policies for mailboxes.
32. On the new retention policy page, type Research MRM Policy as the name.
34. In the select retention tags window, Ctrl+click the following retention tags:
6 Month Delete
1 Year Delete
2 Year Delete
Never Delete
Never archive
38. On the Assign Retention Policies to Mailboxes page, click Christie Thomas, and then click Edit.
39. On the Assign Retention Policy to Christie Thomas page, click Research MRM Policy, and then
click Save.
40. In the warning dialog box, click Yes.
2. Verify that Brad does not have permission to configure Microsoft SharePoint Online deletion settings.
Close Microsoft Edge.
8. On the Sample Document Policy page, change the policy name to Marketing Document Policy.
10. In the New deletion rule dialog box, type Delete Messages at 7 years as the name, select
Permanently Delete as the delete action, select Created Date as the date from when the document
deletion date will be calculated, and then configure the time period after which the document will be
deleted as 7 years.
11. Select the Set as default rule check box, click Save, and then click OK.
13. On the Compliance Policy Center page, click Policy Assignments for Site Collections.
14. On the Policy Assignments for Site Collections page, click new item.
15. On the New: Site Collection Assignment page, click First choose a site collection.
16. In the Choose a site collection dialog box, type Marketing in the search box, and then click the
Search icon.
17. Select the Marketing check box, and then click Save.
18. On the New: Site Collection Assignment page, click Manage Assigned Policies.
19. In the Add and manage policies dialog box, select the Marketing Document Policy check box, and
then click Save.
20. Select the Mark Policy as Mandatory check box, and then click Save.
23. On the New preservation policy page, type Retain contract details as the policy name, and then
click Next.
24. On the Where do you want us to look? page, select both Mailboxes and SharePoint Online and
OneDrive for Business sites, and then click Next.
25. On the Which mailboxes do you want to include? page, click Add, click Francisco Chaves, click
Add, click OK, and then click Next.
26. On the Which SharePoint Online or OneDrive for Business sites do you want to include? page,
click Add.
30. Leave the End date check box cleared, and then click Next.
31. On the How long do you want to preserve the content? page, click 7 years, and then click Next.
32. On the Do you want to turn on Preservation Lock? page, click Next.
33. On the Do you want to turn on this policy after it is created? page, accept the default, and then
click Next.
5. On the What information do you want to protect? page, verify that Custom is selected, and then
click Next.
6. On the Which services do you want to protect? page, accept the default, and then click Next.
9. Click Choose a condition, and then click Content contains sensitive information.
10. Click Add, and in the Sensitive information types window, click IP address, click Add, and then
click OK.
14. Review the default actions, and then click Incident reports.
15. Select the Send an incident report to these people when this rule is matched check box, and then
click Add people.
16. Click Christie Thomas, click add, and then click OK.
18. Type IP address check as the rule name, and then click OK.
19. On the Customize rules page, click Next.
20. On the New DLP policy page, type Test DLP policy as the policy name. Select the Send
notifications and Policy Tips to end users check box, and then click Create.
3. In the Protection Center, click Security Policies, and then click Data Loss Prevention.
4. On the Data loss prevention page, click go to the Exchange admin center.
6. On the new custom DLP policy page, type Test DLP policy for email as the policy name. Click
Enforce, and then click Save.
10. On the new rule page, click Select sensitive information types.
11. On the Contains any of these sensitive information types page, click Add, click IP address, click
Add, and then click OK twice.
12. On the new rule page, click Select one, click Christie Thomas, and then click OK.
13. Click add action.
14. Click Select one, point to Modify the message security, and then click Apply rights protection.
16. Select the Activate this rule on the following date check box, and then click Save.
17. In the warning dialog box, click OK, and then click Save.
4. Click New, type your Microsoft account name on the To line, type Server IP address as the Subject,
type 10.10.10.10 as the message body, and then click Send.
5. Click the message that you receive from Outlook, and then review the message content.
2. Click the message from Brad Sutton with the subject Server IP address.
3. Verify that the message is protected with Microsoft Information Protection and that you cannot open
the attachment in Microsoft Edge.
7. Click Mail.
10. Verify that a folder named In-Place Archive – Christie Thomas has been created.
11. Click the newest message in the mailbox, and then verify that it is a report on the message sent with
the Server IP address subject.
Results: After completing this exercise, you will have implemented the Office 365 compliance features.
5. Enter a subject and some body text, and then click Send.
3. Select the body text of the message, including the phrase “Generating server” down to “X-OriginatorOrg: adatumyyxxxxx.hostdomain.com”, and then press Ctrl+C to copy it to the Clipboard.
4. In Microsoft Edge, press Ctrl+T to create a new tab.
6. On the Microsoft Remote Connectivity Analyzer page, click the Message Analyzer tab.
7. Under Message Header Analyzer, paste the message, and then click Analyze headers.
8. Note the diagnostic information and the time taken for the message to be rejected.
3. Enter a subject and some body text, and then click Send.
2. Note the reason for the “550 Requested action not taken: mailbox unavailable” failure.
3. Select the body text of the message, including the phrase “Generating server” down to “X-OriginatorOrg: adatumyyxxxxx.hostdomain.com”, and then press Ctrl+C to copy it to the Clipboard.
5. On the Microsoft Remote Connectivity Analyzer page, ensure that you are on the Message
Analyzer tab.
L12-92 Monitoring and troubleshooting Microsoft Office 365
6. Under Message Header Analyzer, paste the message, and then click Analyze headers.
7. Note the diagnostic information and the time taken for the message to be rejected.
2. Access the new Office 365 admin center, click Admin centers, click Exchange, and then click mail
flow.
5. In the Select Members dialog box, click Holly, click add, and then click OK.
8. Double-click each message to view the sender, recipient, message size, ID, and IP address information.
9. Note the differences between the message processing events: Receive, Submit, Spam Diagnostics, and
Fail for the nonexistent domain, and Submit, Receive, Spam Diagnostics, and Fail for the nonexistent
user.
Results: After completing this exercise, you should have used the Message Header Analyzer to identify why
email failed to deliver.
2. On the Home page, in the left menu, select Health, and then click Service Health.
5. Click any entry in the calendar that is colored yellow to see further details about the incident. Details
appear below the calendar.
Note: At the time of writing this course, reports were not available in the new Office 365
admin center.
Note: There might be little or no data shown because there is not much mailbox usage in the
lab environment.
5. On the Reports page, in the Protection section, click Sent and received mail, and then click View
table.
Note: There might be little or no data shown because there is not much mailbox usage in the
lab environment.
10. On the Reports page, in the Protection section, click Spam detections.
12. Keep the virtual machines running for the next lab.
Results: After completing this exercise, you should have monitored the health of Office 365 services and
viewed reports in the Office 365 admin center.
7. In the New Host dialog box, leave the Name box empty, in the IP address box, type the External IP
address provided by the hosting partner.
10. Click Add Host, and then click OK, and then click Done.
2. On the desktop taskbar, right-click Windows PowerShell, and then click Run as administrator.
3. At the command prompt, type the following command and press Enter. This command creates the
Key Distribution Services root key to generate group Managed Service Account passwords for the
account that will be used later in this lab. You should receive a Guid value as a response to this
command.
5. In Server Manager, click Manage, and then click Add Roles and Features. If you get a Server Manager
message about collecting inventory data, click OK. Wait a minute, and then try this step again.
6. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
7. On the Select installation type page, click Role-based or Feature-based installation, and then
click Next.
8. On the Select destination server page, click Select a server from the server pool, verify that the
target computer is highlighted, and then click Next.
9. On the Select server roles page, click Active Directory Federation Services, and then click Next.
11. On the Active Directory Federation Service (AD FS) page, click Next.
13. When installation completes, on the Installation progress page, click Close.
14. Click the exclamation mark icon on the toolbar and then click Configure the federation service on
this server.
15. In the Active Directory Federation Services Configuration Wizard, on the Welcome page, click Create
the first federation server in a federation server farm, and then click Next.
o For SSL Certificate, click the wild card certificate provided by the hosting partner.
18. On the Specify Service Account page, select the option Create a Group Managed Service
Account, for Account Name type svc-ADFS, and then click Next.
19. On the Specify Configuration Database page, click Create a database on this server using Windows
Internal Database, and then click Next.
21. Once the prerequisites check is complete, on the Pre-requisite Checks page, click Configure.
22. When the configuration completes, on the Results page, click Close.
4. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
5. On the Select installation type page, click Role-based or Feature-based installation, and then
click Next.
6. On the Select destination server page, click Select a server from the server pool, verify that the
target computer is highlighted, and then click Next.
7. On the Select server roles page, click Remote Access, and then click Next.
12. When the installation is complete, on the Installation progress page, click Close.
2. In the Remote Access Management Console, in the left navigation pane, click Web Application
Proxy. In the middle navigation pane, click Run the Web Application Proxy Configuration Wizard.
3. In the Web Application Proxy Configuration Wizard, on the Welcome page, click Next.
4. On the Federation Server page, use the following settings and then click Next:
o Federation service name: adatumyyxxxxx.hostdomain.com, replacing adatumyyxxxxx with your
unique Adatum domain name.
o Password: Pa$$w0rd
5. On the AD FS Proxy Certificate page, select the *.hostdomain.com certificate, and then click Next.
Results: After completing this exercise, you should have deployed the AD FS server in a federation server
farm, and deployed the Web Application Proxy server to support AD FS.
5. Click Users.
6. Click Holly Dickson, and in the Email addresses section, click Edit.
L13-98 Planning and configuring identity federation
7. Change the email address suffix to Adatumyyxxxxx.onmicrosoft.com. In the Warning window, click
Save, and then click Close.
10. At the Windows PowerShell prompt, type the following commands, pressing Enter at the end of each
line:
Set-ExecutionPolicy Unrestricted -Force
Import-Module MSOnline
11. At the Windows PowerShell prompt, type the following command, and then press Enter:
$msolcred = Get-Credential
12. In the Windows PowerShell Credential dialog box, enter the following credentials, and then
click OK:
o Password: Pa$$w0rd
13. At the Windows PowerShell prompt, type the following command, and then press Enter:
14. At the Windows PowerShell prompt, type the following command, and then press Enter:
Get-MsolDomain
15. Verify that your lab domain, Adatumyyxxxxx.hostdomain.com, is listed as Verified and Managed.
16. At the Windows PowerShell prompt, type the following command, and then press Enter:
17. Verify that you get a Successfully updated Adatumyyxxxxx.hostdomain.com domain message.
18. At the Windows PowerShell prompt, type the following command, and then press Enter:
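Steps 13, 16 and 18 above do not show their commands in this answer key. As an added example (not the course's own lab commands), the following function connects with $msolcred, checks the domain state before converting it, and returns the federation properties for verification; it assumes it is run on the AD FS server with the MSOnline module installed, and uses the lab domain placeholder:

```powershell
# Added example (not the course's lab commands): convert the lab domain to federated
# authentication and verify the trust that Azure AD now holds for it.
# Assumptions: run on the AD FS server (Convert-MsolDomainToFederated reads the local
# federation service), MSOnline module installed, $msolcred from the step above.

function Convert-LabDomainToFederated {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][pscredential]$Credential
    )

    Connect-MsolService -Credential $Credential

    # Only a verified domain can be federated; converting an already federated
    # domain again would silently re-upload trust settings, so guard both cases.
    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Status -ne 'Verified') {
        throw "$DomainName is not verified (status: $($domain.Status))."
    }
    if ($domain.Authentication -eq 'Federated') {
        Write-Warning "$DomainName is already federated; skipping conversion."
    } else {
        # Uploads the AD FS token-signing certificate and endpoints to Azure AD and
        # switches the domain from Managed to Federated sign-in.
        Convert-MsolDomainToFederated -DomainName $DomainName
    }

    # Show what Azure AD stores next to what AD FS reports; a mismatch (for example
    # after a token-signing certificate rollover) breaks sign-in for every user.
    Get-MsolFederationProperty -DomainName $DomainName
}

Convert-LabDomainToFederated -DomainName 'Adatumyyxxxxx.hostdomain.com' -Credential $msolcred
```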
Results: After completing this exercise, you should have enabled a federation trust between your on-premises Active Directory domain and Office 365 through your AD FS federation server, and you should have converted your domain for federated authentication in Office 365.
3. In the Windows Credential dialog box, enter the following credentials, and click Sign in:
o User name: francisco@Adatumyyxxxxx.hostdomain.com
o Password: Pa$$w0rd
4. Verify that you are redirected to the Adatum Corporation sign-in page.
5. Review the Office 365 page for Francisco Chaves, and then close the Web browser window.
Results: After completing this exercise, you should have verified SSO authentication to Office 365 for a
user on your corporate network and for a user on your host computer that is connected to the Internet.