
MCT USE ONLY. STUDENT USE PROHIBITED


OFFICIAL MICROSOFT LEARNING PRODUCT

20347A
Enabling and Managing Office 365

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2016 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at http://www.microsoft.com/trademarks are trademarks of the
Microsoft group of companies. All other trademarks are property of their respective owners.

Product Number: 20347A


Part Number: X20-96881

Released: 05/2016
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.

a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.

b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.

c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.

f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.

g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy
Program.

i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.

j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.

k. “MPN Member” means an active Microsoft Partner Network program member in good standing.
l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.

m. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.

n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.

o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft OneNote packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.

2.1 Below are five separate sets of use rights. Only one set of rights applies to you.

a. If you are a Microsoft IT Academy Program Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-
Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-
Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
c. If you are a MPN Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:


For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer:


i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
“customize” refers only to changing the order of slides and content, and/or not using all the slides or
content, it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate its components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.

2.4 Third Party Notices. The Licensed Content may include third party code content that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code content are included
for your information only.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject
matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to the
other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.

c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.


a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to
• anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement were also provided in French. They follow here in English translation.

DISCLAIMER OF WARRANTY. The Licensed Content is provided “as is”. You use this Licensed Content
entirely at your own risk. Microsoft gives no other express warranties. You may have additional rights under
local consumer-protection law that this agreement cannot change. Where permitted by local law, the implied
warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You can recover from Microsoft and its
suppliers only direct damages up to US$5.00. You cannot recover any other damages, including special,
indirect or incidental damages and lost profits.
This limitation applies to:
• anything related to the Licensed Content, services or content (including code) on third party
Internet sites or in third party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other tort, to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damages. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the
above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not change your rights under the laws of your country if those laws do
not permit it to do so.

Revised July 2013



Acknowledgments
Microsoft Learning would like to acknowledge and thank the following individuals for their contribution
towards developing this title. Their effort at various stages in the development has ensured that you have
a good classroom experience.

Stan Reimer – Content Developer


Stan Reimer is president of S. R. Technical Services Inc., and he works as a consultant, trainer, and author.
Stan has extensive experience consulting on Microsoft Exchange Server and Active Directory deployments
for some of the largest companies in Canada. Stan is the lead author of two Active Directory books for
Microsoft Press. In recent years, Stan has been writing courseware for Microsoft Learning, specializing in
Active Directory Domain Services (AD DS) and Exchange Server courses. Stan has been a Microsoft
Certified Trainer (MCT) for 14 years.

Byron Wright – Content Developer


Byron Wright is a partner in a consulting firm where he performs network consulting, computer-systems
implementation, and technical training. Byron also is a sessional instructor for the Asper School of
Business at the University of Manitoba, where he teaches management information systems and
networking. Byron has authored and coauthored a number of books on Windows Server and Windows
client operating systems, and Exchange Server, including the Windows Server 2008 Active Directory
Resource Kit. To recognize Byron’s commitment to sharing knowledge with the technical community, he
has been awarded the Microsoft MVP Award for Exchange Server.

Andrew J. Warren – Content Developer


Andrew Warren has more than 25 years of experience in the IT industry, many of which he has spent
teaching and writing. He has been involved as a Subject Matter Expert (SME) for many of the Windows
Server 2012 courses, and the technical lead on many Windows 8 courses. He also has been involved in
developing TechNet sessions on Exchange Server. Based in the United Kingdom, Andrew runs his own IT
training and education consultancy.

Vladimir Meloski – Content Developer


Vladimir Meloski (MCT, and MVP on Exchange Server), is a consultant providing unified communications
and infrastructure solutions based on Exchange Server, Microsoft Lync Server, Windows Server, and
Microsoft System Center. Vladimir has 17 years of professional IT experience, and has been involved in
Microsoft conferences in Europe and the United States as a speaker, moderator, proctor for hands-on
labs, and technical expert. He also has been involved as a Subject Matter Expert and technical reviewer for
Microsoft Official Curriculum courses.

Clifton Leonard – Content Developer


Clifton Leonard is a content developer and Subject Matter Expert with more than 25 years of experience
in the IT industry as an engineer, architect, consultant, trainer, and author. Clifton has extensive
experience consulting on AD DS, Exchange Server, Lync Server, identity management, and Microsoft
Office 365. His clients include large energy corporations, K–12 schools, universities, technology
manufacturers, financial institutions, the United States Air Force, and the United States Department of
Defense. Clifton has been a Subject Matter Expert for multiple courses on Windows Desktop, Windows
Server, Exchange Server, Microsoft SharePoint Server, Microsoft Hyper-V, identity management, and
Office 365.

Ron Schindler – Content Developer


Ron Schindler has over 20 years’ experience as an IT professional. He has worked as a technician, trainer,
implementer, manager, and consultant in Office 365, Microsoft SharePoint, Microsoft Lync, and Skype for
Business. He also is a trainer and consultant in Communication, Leadership Development, and
Management skills. Customers have included some of the largest private, educational, governmental, and
financial institutions. Ron has developed multiple training courses and has trained many people in the
certification process for a range of Microsoft software programs and products. He has led enterprise-wide implementations
of software throughout the world. Currently Ron works as a SharePoint administrator on contract for the
federal government.

Martina Grom – Subject Matter Expert


Martina Grom works as an IT consultant, and is the co-founder and CEO of atwork information
technology. Martina is recognized as an expert in Microsoft Online Services solutions and was one of the
first eight MVPs worldwide to receive an award in 2011 for her expertise in Office 365. Since 2015, Martina
also has been a Microsoft Regional Director. Her expertise is related to online technologies and her
specialty is in Microsoft Online Services and Office 365. She helps companies in architecture planning for
cloud solutions, provides consulting and architectural planning of cloud projects, and is one of the
organizational heads of cloudusergroup for Germany, Austria, and Switzerland. Martina has authored
numerous books, including “Office 365 fuer kleine Unternehmen,” a book focused on small business
scenarios for Office 365, and “Windows 8 Pro and Windows 8.1,” published by Microsoft Press. In addition,
Martina writes numerous articles and blogs. Her passion is online and social media, cloud computing, and
Office 365. Martina has a master’s degree in International Business Administration from the University of
Vienna, Austria.

Allan Jacobs – Technical Reviewer


Allan Jacobs is a trainer, consultant, and writer based in New York City, New York. While technically an
independent contractor, Allan works almost exclusively for Global Knowledge and spends much of his
time travelling to client sites and training centers throughout the United States and Canada. He has
taught many Train-the-Trainer sessions for instructional skills, in addition to Lync and System Center
sessions at Microsoft Certified Trainer summits. For the last nine years, Allan has been selected to staff the
Microsoft TechEd conference and now the Microsoft Ignite conference, and has served as a Subject Matter
Expert on several projects for Microsoft Learning. Allan also co-authored the revision of the Microsoft Office
Communications Server 2007 R2 course and the Lync 2013 Depth Support Engineer course. In his younger days,
Allan practiced law, something he has happily avoided for the last 15 years.

Contents
Module 1: Planning and provisioning Office 365
Module Overview 1-1
Lesson 1: Overview of Office 365 1-2
Lesson 2: Provisioning an Office 365 tenant 1-12
Lesson 3: Planning a pilot deployment 1-21
Lab: Provisioning Office 365 1-31
Module Review and Takeaways 1-36

Module 2: Managing Office 365 users and groups
Module Overview 2-1
Lesson 1: Managing user accounts and licenses 2-2
Lesson 2: Managing passwords and authentication 2-8
Lab A: Managing Office 365 users and passwords 2-12
Lesson 3: Managing security groups in Office 365 2-16
Lesson 4: Managing Office 365 users and groups with Windows PowerShell 2-20
Lesson 5: Configuring administrative access 2-33
Lab B: Managing Office 365 groups and administration 2-39
Module Review and Takeaways 2-46

Module 3: Configuring client connectivity to Microsoft Office 365
Module Overview 3-1
Lesson 1: Planning for Office 365 clients 3-2
Lesson 2: Planning connectivity for Office 365 clients 3-8
Lesson 3: Configuring connectivity for Office 365 clients 3-18
Lab: Configuring client connectivity to Office 365 3-24
Module Review and Takeaways 3-30

Module 4: Planning and configuring directory synchronization
Module Overview 4-1
Lesson 1: Planning and preparing for directory synchronization 4-2
Lesson 2: Implementing directory synchronization by using Azure AD Connect 4-15
Lesson 3: Managing Office 365 identities with directory synchronization 4-28
Lab: Configuring directory synchronization 4-39
Module Review and Takeaways 4-46

Module 5: Planning and deploying Office 365 ProPlus
Module Overview 5-1
Lesson 1: Overview of Office 365 ProPlus 5-2
Lesson 2: Planning and managing user-driven Office 365 ProPlus deployments 5-9
Lesson 3: Planning and managing centralized deployments of Office 365 ProPlus 5-12
Lesson 4: Office Telemetry and reporting 5-17
Lab: Managing Office 365 ProPlus installations 5-22

Module 6: Planning and managing Exchange Online recipients and permissions
Module Overview 6-1
Lesson 1: Overview of Exchange Online 6-2
Lesson 2: Managing Exchange Online recipients 6-9
Lesson 3: Planning and configuring Exchange Online permissions 6-25
Lab: Managing Exchange Online recipients and permissions 6-30
Module Review and Takeaways 6-36

Module 7: Planning and configuring Exchange Online services
Module Overview 7-1
Lesson 1: Planning and configuring email flow in Office 365 7-2
Lab A: Configuring message transport in Exchange Online 7-11
Lesson 2: Planning and configuring email protection in Office 365 7-15
Lesson 3: Planning and configuring client access policies 7-25
Lesson 4: Migrating to Exchange Online 7-30
Lab B: Configuring email protection and client policies 7-42
Module Review and Takeaways 7-46

Module 8: Planning and deploying Skype for Business Online
Module Overview 8-1
Lesson 1: Planning and configuring Skype for Business Online service settings 8-2
Lesson 2: Configuring Skype for Business Online users and client connectivity 8-12
Lesson 3: Planning voice integration with Skype for Business Online 8-15
Lab: Configuring Skype for Business Online 8-24
Module Review and Takeaways 8-30

Module 9: Planning for and configuring SharePoint Online
Module Overview 9-1
Lesson 1: Configuring SharePoint Online services 9-2
Lesson 2: Planning and configuring SharePoint Online site collections 9-10
Lesson 3: Planning and configuring external user sharing 9-23
Lab: Configuring SharePoint Online 9-36
Module Review and Takeaways 9-40

Module 10: Planning and configuring an Office 365 collaboration solution
Module Overview 10-1
Lesson 1: Planning and managing Yammer Enterprise 10-2
Lesson 2: Planning and configuring OneDrive for Business 10-16
Lesson 3: Configuring Office 365 groups 10-26
Lab: Planning and configuring an Office 365 collaboration solution 10-33
Module Review and Takeaways 10-39

Module 11: Planning and configuring Rights Management and compliance
Module Overview 11-1
Lesson 1: Overview of the compliance features in Office 365 11-2
Lesson 2: Planning and configuring Azure Rights Management in Office 365 11-13
Lesson 3: Managing the compliance features in Office 365 11-24
Lab: Configuring Rights Management and compliance 11-41
Module Review and Takeaways 11-48

Module 12: Monitoring and troubleshooting Microsoft Office 365
Module Overview 12-1
Lesson 1: Troubleshooting Office 365 12-2
Lesson 2: Monitoring Office 365 service health 12-12
Lab: Monitoring and troubleshooting Office 365 12-22
Module Review and Takeaways 12-25

Module 13: Planning and configuring identity federation
Module Overview 13-1
Lesson 1: Understanding identity federation 13-2
Lesson 2: Planning an AD FS deployment 13-11
Lesson 3: Deploy AD FS for identity federation with Office 365 13-26
Lesson 4: Planning and implementing hybrid solutions (Optional) 13-41
Lab: Planning and configuring identity federation 13-43
Module Review and Takeaways 13-57

Lab Answer Keys
Module 1 Lab: Provisioning Office 365 L1-1
Module 2 Lab A: Managing Office 365 users and passwords L2-5
Module 2 Lab B: Managing Office 365 groups and administration L2-9
Module 3 Lab: Configuring client connectivity to Office 365 L3-17
Module 4 Lab: Configuring directory synchronization L4-23
Module 5 Lab: Managing Office 365 ProPlus installations L5-35
Module 6 Lab: Managing Exchange Online recipients and permissions L6-45
Module 7 Lab A: Configuring message transport in Exchange Online L7-51
Module 7 Lab B: Configuring email protection and client policies L7-55
Module 8 Lab: Configuring Skype for Business Online L8-59
Module 9 Lab: Configuring SharePoint Online L9-67
Module 10 Lab: Planning and configuring an Office 365 collaboration solution L10-73
Module 11 Lab: Configuring Rights Management and compliance L11-81
Module 12 Lab: Monitoring and troubleshooting Office 365 L12-91
Module 13 Lab: Planning and configuring identity federation L13-95

About This Course


This section provides a brief description of the course, audience, suggested prerequisites, and course
objectives.

Course Description
This course provides students with the knowledge and skills required to evaluate, plan, deploy, and operate
Microsoft Office 365 services, including its identities, dependencies, requirements, and supporting
technologies. Students also will learn how to set up an Office 365 tenant including federation with existing
user identities, and sustain an Office 365 tenant and its users.

Audience
This course is intended for IT professionals who are responsible for planning, configuring, and managing an
Office 365 environment. Students who attend this course are expected to have a fairly broad understanding
of several on-premises technologies such as Domain Name System (DNS) and Active Directory Domain
Services (AD DS). In addition, they should have a general understanding of Microsoft Exchange Server,
Microsoft Lync Server or Skype for Business Server, and Microsoft SharePoint Server.
This course also is intended as preparation material for IT professionals who are looking to take the exams
70-346: Managing Office 365 Identities and Requirements, and 70-347: Enabling Office 365 Services, to
obtain the MCSA: Office 365 certification.

Student Prerequisites
This course requires that you meet the following prerequisites:

• A minimum of two years of experience administering the Windows Server operating system, including
Windows Server 2012 or Windows Server 2012 R2

• A minimum of one year of experience working with AD DS

• A minimum of one year of experience working with name resolution, including DNS

• Experience working with certificates, including public key infrastructure (PKI) certificates

• Experience working with Windows PowerShell

• Experience working with Exchange Server 2013 or later, Lync Server 2013 or Skype for Business Server
2015, and SharePoint Server 2013 or later is beneficial, but not required

Course Objectives
After completing this course, students will be able to:

• Plan an Office 365 deployment, configure the Office 365 tenant, and plan a pilot deployment.

• Manage Office 365 users, groups, and licenses, and configure delegated administration.

• Plan and configure client connectivity to Office 365.

• Plan and configure directory synchronization between Microsoft Azure Active Directory (Azure AD)
and on-premises AD DS.

• Plan and implement the Office 365 ProPlus deployment.

• Plan and manage Microsoft Exchange Online recipients and permissions.

• Plan and configure Exchange Online services.

• Plan and implement the Skype for Business Online deployment.

• Plan and configure SharePoint Online.


• Plan and configure an Office 365 collaboration solution that includes Yammer Enterprise, Microsoft
OneDrive for Business, and Office 365 groups.

• Plan and configure the integration between Office 365 and Azure Rights Management, and configure
compliance features in Office 365.

• Monitor and review Office 365 services, and troubleshoot Office 365 issues.

• Plan and implement identity federation between on-premises AD DS and Azure AD.

Course Outline
The course outline is as follows:

Module 1, “Planning and provisioning Office 365” reviews the features of Office 365 and identifies recent
improvements to the service. It describes the process of provisioning an Office 365 tenant. This module also
identifies the challenges in deploying Office 365 and the benefits of the Microsoft FastTrack for Office 365
approach, as compared to the traditional plan, prepare, and migrate deployment process.

Module 2, “Managing Office 365 users and groups” explains how to manage users, groups, and licenses,
and configure administrative access by using the Office 365 console and the Windows PowerShell
command-line interface.

Module 3, “Configuring client connectivity to Microsoft Office 365” covers the different types of client
software that you can use to connect to Office 365. It also explains the infrastructure requirements that the
clients need to connect to Office 365, in addition to how to configure different types of Office 365 clients.

Module 4, “Planning and configuring directory synchronization” explains how to plan, prepare, and
implement directory synchronization as a methodology for user and group management in an Office 365
deployment. It explains how to prepare an on-premises environment, and install and configure directory
synchronization. It also explains how to manage Office 365 identities after you enable directory
synchronization.

Module 5, “Planning and deploying Office 365 ProPlus” explains how to plan for a client deployment and
ensure that users receive the tools that they need to interact with Office 365 effectively. It also explains the
planning process, how to make Office 365 ProPlus directly available to end users, and how to deploy it as a
managed package. Finally, it describes how to set up Office telemetry so that administrators can track how
users are interacting with Microsoft Office.

Module 6, “Planning and managing Exchange Online recipients and permissions” describes Exchange
Online, and explains how to create and manage recipient objects and how to manage and delegate
Exchange security.

Module 7, “Planning and configuring Exchange Online services” explains how to plan for and configure
email flow, and anti-malware and anti-spam settings in Office 365. It also explains how to plan and
configure policies for Exchange clients. Additionally, it describes how to plan and configure a migration to
Exchange Online.

Module 8, “Planning and deploying Skype for Business Online” explains how to plan and configure Skype
for Business Online service settings. It also explains how to configure Skype for Business Online user settings
and clients, and plan for voice integration with Skype for Business Online.

Module 9, “Planning for and configuring SharePoint Online” describes how to configure SharePoint Online
services. It explains how to plan and configure SharePoint site collections and external user sharing. It also
provides a brief overview of additional portals, such as the video portal.

Module 10, “Planning and configuring an Office 365 collaboration solution” describes how to enable and
configure Yammer Enterprise. It also explains how to configure OneDrive for Business and Office 365
groups.

Module 11, “Planning and configuring Rights Management and compliance” describes the compliance
features in Office 365 and how to manage them. It explains how to plan and configure Azure Rights
Management. Additionally, it explains the security features in Office 365.

Module 12, “Monitoring and troubleshooting Microsoft Office 365” explains how to troubleshoot issues
with Office 365 connectivity and services, and monitor Office 365 service health.

Module 13, “Planning and configuring identity federation” explains how identity federation works, and
how you can use Active Directory Federation Services (AD FS) to implement identity federation. It explains
how to plan an AD FS deployment to support identity federation with Office 365. It also describes how to
deploy AD FS to enable single sign-on (SSO) for Office 365. Finally, it describes hybrid solutions for
Exchange Server, Skype for Business Server, and SharePoint Server.

Course Materials
The following materials are included with your kit:

• Course Handbook: a succinct classroom learning guide that provides the critical technical information
in a crisp, tightly focused format, which is essential for an effective in-class learning experience.

   o Lessons: guide you through the learning objectives and provide the key points that are critical to
   the success of the in-class learning experience.

   o Labs: provide a real-world, hands-on platform for you to apply the knowledge and skills learned in
   the module.

   o Module Reviews and Takeaways: provide on-the-job reference material to boost knowledge
   and skills retention.

   o Lab Answer Keys: provide step-by-step lab solution guidance.

• Additional Reading: Course Companion Content on the
http://www.microsoft.com/learning/en/us/companion-moc.aspx site: searchable, easy-to-browse digital
content with integrated premium online resources that supplement the Course Handbook.

   o Modules: include companion content, such as questions and answers, detailed demo steps, and
   additional reading links, for each lesson. Additionally, they include Lab Review questions and answers,
   and Module Reviews and Takeaways sections, which contain the review questions and answers, best
   practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios
   with answers.

   o Resources: include well-categorized additional resources that give you immediate access to the most
   current premium content on TechNet, MSDN, or Microsoft Press.

• Course evaluation: at the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.

   o To provide additional comments or feedback on the course, send an email to
   mcspprt@microsoft.com. To inquire about the Microsoft Certification Program,
   send an email to mcphelp@microsoft.com.

Virtual Machine Environment


This course is only available with labs that are hosted by a Microsoft authorized hosting partner. The
hosting partner provides the virtual machine environment, including a web interface for accessing the
virtual machines. Additionally, the hosting partner provides the static IP address, publicly trusted certificate,
onmicrosoft.com domain name, and public custom domain name that are required for this course.

Virtual Machine Configuration


The following table shows the role of each virtual machine that is used in this course:

Virtual machine     Role
20347A-LON-DC1      Windows Server 2012 R2 domain controller in the Adatum.com domain
20347A-LON-DS1      Windows Server 2012 R2 member server in the Adatum.com domain; used to host
                    directory synchronization and federation services
20347A-LON-WAP1     Windows Server 2012 R2 standalone server configured as a Web Application Proxy
20347A-LON-CL1      Windows 10 Enterprise computer
20347A-LON-CL2      Windows 10 Enterprise standalone computer
20347A-LON-CL3      Windows 10 Enterprise computer
20347A-LON-CL4      Windows 10 Enterprise computer

Software Configuration
The following software is installed on the virtual machines:

• Windows Server 2012 R2

• Windows 10

• Office 2016

Course Files
Microsoft frequently updates the features in Office 365 and the user interface that is used to manage those
features. Therefore, in some situations you might notice that the Office 365 user interface that you are
using does not match the lab instructions. This can happen because changes to Office 365 might occur
either during your training session or before the courseware can be updated to address them. In such
situations, you have to adapt to the changes and work through them in the labs as necessary.

One of the changes that occurred close to the end of courseware development is the change in the
Office 365 admin center. Microsoft changed the Office 365 admin center to a new portal. As much as
possible, this course uses the new Office 365 admin center for all the labs. However, at the time of writing
this course, some functionality was not available in the new portal, and therefore some lab steps instruct
you to access the previous admin center.

When this course refers to the Office 365 admin center, it means the new admin center. When there is a
need to make a distinction between the two admin centers, the course uses the terms new Office 365
admin center and previous Office 365 admin center.

Classroom Setup
Learning Centers simply need to provide students with Internet access. Students can then access the
hosted-lab platform by accessing the URL provided by the hosting partner.

Note: The lab steps included in the Student Manual are for post-class reference. During the classroom
session, students will use the lab steps located in the online lab user interface. The hosting partner
dynamically updates these lab steps as changes occur in the Office 365 user interface. Therefore, the hosted
lab steps will be as up-to-date as possible for each training session.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for the computers used by the trainer and students who are taking Official Microsoft
Learning Product courses. The virtual machines for this course are hosted by an authorized learning
partner. The instructor computer and student computers must meet the following minimal hardware
requirements:

• Hardware level 6 with dual monitors



Module 1
Planning and provisioning Office 365
Contents:
Module Overview 1-1

Lesson 1: Overview of Office 365 1-2

Lesson 2: Provisioning an Office 365 tenant 1-12

Lesson 3: Planning a pilot deployment 1-21

Lab: Provisioning Office 365 1-31

Module Review and Takeaways 1-36

Module Overview
The Microsoft range of software and services includes Microsoft Exchange, Microsoft SharePoint, Microsoft
Skype for Business, and Microsoft Office. Users who are located anywhere in the world can access these
services over the Internet. Office 365 is now a major part of this suite of services, and it can be delivered on
multiple platforms to provide enterprise-grade email, conferencing, and other IT services.

To implement Office 365 effectively, organizations must ensure that they can manage identities effectively.
User accounts exist both in the cloud and potentially on-premises. Therefore, administrators and
consultants must be able to plan for and manage a wide range of factors that affect how Office 365 works.
These individuals must also be able to identify the best way to manage user accounts and services.

This module reviews the features of Office 365 and identifies recent improvements to the service. It
describes the process of provisioning an Office 365 tenant. This module also identifies the challenges in
deploying Office 365 and the benefits of the Microsoft FastTrack for Office 365 approach as compared to
the traditional plan/prepare/migrate deployment process.

Note: This course does not cover the entire Microsoft FastTrack for Office 365 process; that
content is covered in course 10968B: Designing for Office 365 Infrastructure.

Objectives
After completing this module, you will be able to:

• Describe the features and benefits of Office 365.

• Provision new tenant accounts.

• Plan a pilot deployment of Office 365.



Lesson 1
Overview of Office 365
Office 365 is Microsoft’s cloud-based productivity suite that delivers software as a service (SaaS) to users
around the world. Office 365 products focus on four main areas:

• Devices. Office 365 supports a wide variety of devices in which the user interface supports different
methods of interaction, including touch, pen, mouse, and keyboard.

• Cloud. Office 365 is designed for the cloud as an on-demand service that is always up to date. Office
365 is an enterprise-grade cloud productivity solution with robust security, guaranteed reliability, and
compliance with industry standards such as ISO 27001, EU Model Clauses, the Health Insurance
Portability and Accountability Act (HIPAA), and the Federal Information Security Management Act (FISMA).

• Social media. Office 365 integrates social networking into the organization by providing newsfeeds
and microblogging services that can be extended with Yammer.

• Control. With features such as Data Loss Prevention (DLP), eDiscovery, archiving, and data-hold
capabilities, Office 365 provides a secure and safe way for organizations to control their business data.

This lesson describes the components of Office 365, and explains the features available in the various
subscription plans. It also explains how to determine the most suitable subscription plan for your
organization.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the core components of the Office 365 service.

• Describe the additional components of Office 365.

• Describe Office 365 Business subscriptions.

• Describe Office 365 Enterprise subscriptions.

• Describe Office 365 Education and Government subscriptions.

• Plan the Office 365 subscriptions.

• Explain how you will use Office 365 in your organization.

• Describe the Office 365 administration portal.

Office 365 core components


The core services in Office 365 consist of cloud-based equivalents of three of Microsoft’s premier server
products, along with an integrated directory service and an install-on-demand version of Office 2013 and
Office 2016. These popular productivity applications enable organizations of all sizes to move their entire
IT infrastructure to the cloud or to implement a range of hybrid options, depending on their needs.

Additional Reading: For more information, refer to Office 365 Service Descriptions:
http://aka.ms/iv18pg.

Azure AD
Microsoft Azure Active Directory (Azure AD) underpins all the Office 365 services. Azure AD is an online
instance of Active Directory that also provides authentication and authorization services for other Microsoft
cloud offerings, including Microsoft Azure and Windows Intune. Authentication through Azure AD can be
on a cloud-only basis, through directory synchronization (with optional password synchronization), or
include full integration with on-premises directory services through support for Microsoft Active Directory
Federation Services (AD FS) or other SSO providers.

Exchange Online
Microsoft Exchange Online in Office 365 is the latest release of this messaging and collaboration platform,
which provides one location for composing, reading, and storing email, calendar, contact, and task
information in Microsoft Outlook, Outlook Web Access, or Outlook Mobile. Exchange Online includes a
50 gigabyte (GB) mailbox (up from 25 GB) combined with unlimited storage within the archive mailbox in
the Office 365 E3 or E5 plans, or Exchange Online Plan 2. Exchange Online supports access from most
mobile devices, including BlackBerry, iPhone, Nokia, and Windows Phone.

Note: The unlimited storage available within the archive mailbox can store up to 100 GB of
Outlook data without restriction. Additional storage increments are available by contacting
Microsoft Office 365 Support.

SharePoint Online
By using Microsoft SharePoint Online, you can share important documents, insights, and status updates
with colleagues. You can keep teams in sync and manage important projects, find vital documents, and
locate people easily. Using SharePoint Online can also help you to stay up to date on company information
and news, regardless of whether you are in or out of the office. Storage space is initially set at 10 GB per
tenant and 500 MB per user, but storage upgrades are available. In addition, each user receives another
25 GB in OneDrive for Business (up from 7 GB) for additional document storage or transfer.

Skype for Business Online


Skype for Business Online provides presence and instant messaging information, so users can identify
whether people are available and then chat, call, and video-conference with each other. By using Skype for
Business Online, you also can create online meetings with audio, video, and web conferencing for up to 250
people, including anonymous users from outside the organization. You can implement multiparty high-
definition (HD) video with hardware that supports this capability. To improve productivity, Skype for
Business Online provides integration with users’ calendars in Microsoft Exchange, and also enables the
“click-to-communicate” feature in Outlook, SharePoint, and other Office applications. Furthermore, Skype
for Business Online introduces integration with on-premises PBX and video teleconferencing systems.

Office 365 ProPlus


Some Office 365 plans include Office 365 ProPlus, which is a downloadable version of the Microsoft
productivity suite of applications, including Word 2013, Excel 2013, PowerPoint 2013, Outlook 2013, Access
2013, Publisher 2013, OneNote 2013, InfoPath, and the Skype for Business 2013 client. There are also Web
App versions of Word, Excel, PowerPoint, and OneNote.

Office 365 ProPlus supports streaming deployment, which enables users to click the application installation
icon and start using the application itself while the program installs in the background. This deployment
method also enables users to run Office 365 ProPlus alongside earlier versions of Microsoft Office.

Office 365 additional components


Organizations can also subscribe to optional components within Office 365 that can enhance their use of
this cloud-based service and provide users with additional facilities to increase productivity. These optional
components include Yammer, Project Online, Project Pro for Office 365, and Microsoft Office Visio Pro for
Office 365.

Yammer
The Microsoft enterprise social networking tool is becoming more integrated with Office 365, and
SharePoint Online users now have the option to replace their activity stream in SharePoint Online with
Yammer. To make this change, users click a Yammer link and sign in to this service through a separate
browser window. Future integration will include SSO between the Yammer service and Office 365, and will
use the Yammer Newsfeed instead of the SharePoint Online one.

Project Online
Project Online is the cloud version of Microsoft Project Server, and it enables organizations to get started,
prioritize project portfolio investments, and deliver projects with the intended business value. One key
value proposition with Project Online is that it enables global organizations to plan portfolios of projects in
multiple time zones.

Project Pro for Office 365


Project Pro for Office 365 provides desktop project management capabilities for small teams and
organizations. Organizations that need full project-management capabilities on the desktop and the ability
to participate online from virtually anywhere on almost any device, can combine this service with Project
Online.

Microsoft Office Visio Pro for Office 365


Office Visio Pro for Office 365 is a subscription version of Visio Professional 2013, the diagramming and
flow-charting application. Users can install it on up to five devices, and it includes Visio on Demand, which
enables a user to install the application temporarily on any PC running Windows 7 or newer versions of the
Windows operating system.

Microsoft Dynamics CRM Online


Microsoft Dynamics CRM Online is the cloud-based version of Microsoft Dynamics CRM (Customer
Relationship Management). It enables sales teams to engage more effectively with customers and use
familiar Office tools to achieve targets for sales, marketing, customer care, and social media interaction.

Office 365 Business subscriptions


Office 365 Business subscriptions target small and
medium-sized organizations that need a cloud
collaboration solution and have up to 300 users.
There are three Office 365 Business Subscriptions:
Office 365 Business Essentials, Office 365 Business,
and Office 365 Business Premium.

All Office 365 Business subscriptions include online versions of Office, including Word, Excel, and
PowerPoint, and cloud file storage and sharing capabilities with 1 terabyte (TB) storage per user.
Office 365 Business Essentials does not include full versions of the Office apps, but includes email with
a 50-GB mailbox per user, instant messaging, and HD video conferencing. Office 365 Business includes full
installed Office applications, but does not include email, instant messaging, or video conferencing. Office
365 Business Premium includes both full installed Office applications and email with a 50-GB mailbox per
user, instant messaging, and HD video conferencing.

The following table provides a detailed list of Office 365 Business subscription features:

Select a plan                                          Business     Business   Business
                                                       Essentials              Premium

Full, installed Office applications (Word, Excel,      No           Yes        Yes
PowerPoint, Outlook, Publisher, and OneNote) on up
to five PCs or Macs per user. Also includes the new
Office 2016 apps for PC and Mac.

Office on tablets and phones for the full, installed   No           Yes        Yes
Office experience on up to five tablets and five
phones per user.

Online versions of Office, including Word, Excel,      Yes          Yes        Yes
and PowerPoint.

File storage and sharing with 1 TB storage per user.   Yes          Yes        Yes

Business class email, calendar, and contacts with a    Yes          No         Yes
50-GB inbox per user.

Unlimited online meetings, IM, and HD video            Yes          No         Yes
conferencing. Includes the Skype for Business app.

Corporate social network to help employees             Yes          No         Yes
collaborate across departments, locations, and
business apps.

Professional digital storytelling tools to create      Yes          Yes        Yes
interactive reports, presentations, and more.

User maximum                                           300          300        300



Office 365 Enterprise subscriptions


Office 365 Enterprise subscriptions target medium-
sized and enterprise organizations that need a
cloud collaboration solution, compliance tools, a
corporate social network, an intranet site and web
conferencing, and the ability to include an
unlimited number of users. There are three Office
365 Enterprise subscriptions: Office 365 Enterprise
E1, Office 365 Enterprise E3, and Office 365
Enterprise E5. Furthermore, organizations might
choose Office 365 ProPlus.

Office 365 Enterprise E1, E3, and E5 subscriptions include online versions of Office such as Word, Excel,
and PowerPoint, and cloud file storage and sharing capabilities with 1 TB storage per user. Office 365
Enterprise E1, E3, and E5 subscriptions also include email with a 50-GB mailbox per user, unlimited instant
messaging and HD video conferencing, intranet sites, a corporate social network, Office Graph, a corporate
video portal, and meeting broadcast for up to 10,000 users. Office 365 Enterprise E1 does not include an
option to fully install Office applications. The Office 365 Enterprise E3 subscription includes all the features
of the E1 subscription, plus fully installed Office applications, enterprise management of apps, self-service
business intelligence, and compliance tools such as archiving and legal hold, rights management, data loss
prevention, and email and file encryption. The Office 365 Enterprise E5 subscription includes all the features
of the E3 subscription, plus advanced security, analytics tools, public switched telephone network (PSTN)
conferencing, and cloud PBX (private branch exchange) for cloud-based call management.

Office 365 ProPlus includes online versions of Office, including Word, Excel, and PowerPoint, and cloud file
storage and sharing capabilities with 1 TB storage per user. Office 365 ProPlus also includes the option to
fully install Office applications, and it provides enterprise management of apps and self-service business
intelligence capabilities.

The following table provides a detailed list of Office 365 Enterprise subscription features:

                                               Office 365     Office 365      Office 365      Office 365
                                               ProPlus        Enterprise E1   Enterprise E3   Enterprise E5

User maximum                                   Unlimited      Unlimited       Unlimited       Unlimited

Fully installed Office applications (Word,     Yes            No              Yes             Yes
Excel, PowerPoint, Outlook, Publisher,         (plus Access)                  (plus Access)   (plus Access)
OneNote, and Skype for Business) on up to
five PCs or Macs per user. Also includes the
new Office 2016 apps for PC and Mac.

Office on tablets and phones for the fully     Yes            No              Yes             Yes
installed Office experience on up to five
tablets and five phones per user.

Online versions of Office, including Word,     Yes            Yes             Yes             Yes
Excel, and PowerPoint.

File storage and sharing with 1 TB storage     Yes            Yes             Yes             Yes
per user.

Business class email, calendar, and contacts   No             Yes             Yes             Yes
with a 50-GB inbox per user.                                                  (unlimited      (unlimited
                                                                              email)          email)

Unlimited online meetings, IM, and audio,      No             Yes             Yes             Yes
HD video, and web conferencing.

Intranet site with customizable security       No             Yes             Yes             Yes
settings for teams.

Corporate social network to help employees     No             Yes             Yes             Yes
collaborate across departments and locations.

Professional digital storytelling tools to     Yes            Yes             Yes             Yes
create interactive reports, presentations,
and more.

Personalized search and discovery across       No             Yes             Yes             Yes
Office 365 using the Office Graph.

Corporate video portal to upload and share     No             Yes             Yes             Yes
corporate videos across the company.

Meeting broadcast on the Internet to up to     No             Yes             Yes             Yes
10,000 people, who can use a browser in
nearly any device to attend.

Enterprise management of apps with Group       Yes            No              Yes             Yes
Policy, Telemetry, and Shared Computer
Activation.

Self-service business intelligence to          Yes            No              Yes             Yes
discover, analyze, and visualize data in
Excel.

Compliance and information protection,         No             No              Yes             Yes
including archiving and legal hold, rights
management, data loss prevention, and email
and file encryption.

Compliance Center tools to support             Yes            Yes             Yes             Yes
eDiscovery, including mailbox and internal
site search, legal hold, and predictive
coding and text analytics capabilities
depending on subscription type.

Advanced security for your data, which helps   No             No              No              Yes
protect against unknown malware and viruses
and provides better zero-day protection to
safeguard your messaging system.

Analytics tools for personal and               No             No              No              Yes
organizational insights with Power BI and
Delve Analytics.

PSTN conferencing to allow invitees to join    No             No              No              Yes
Skype for Business meetings by dialing in
from a landline or mobile phone.

Cloud PBX for cloud-based call management      No             No              No              Yes
to make, receive, and transfer calls across
a wide range of devices.

Office 365 Education, Nonprofit, and Government subscriptions


Office 365 offers subscriptions for education,
nonprofit and government institutions, and home
users as well.

Office 365 offers free subscription plans for education. Educational institutions can apply for the Office
365 Education subscription, which provides cloud productivity and collaboration solutions for students and
teachers. Office 365 Education includes online versions of Office, including Word, OneNote, Excel, and
PowerPoint, cloud file storage, and sharing capabilities with 1 TB storage per user. Furthermore, Office 365
Education includes email with a 50-GB mailbox per user, instant messaging and Skype connectivity, team
sites, school video portals, online classes with audio and HD video conferencing, Yammer for school social
network, and compliance tools. Exchange Online provides the email, and Skype for Business Online
provides the IM and HD video conferencing.

Additional Reading: For more information, refer to Office 365 Education: http://aka.ms/c2imoj.

Office 365 Nonprofit has four subscription options: Office 365 Nonprofit Business Essentials, Office 365
Nonprofit Business Premium, Office 365 Nonprofit E1, and Office 365 Nonprofit E3. Nonprofit organizations
can apply for the Office 365 Nonprofit Business Essentials and Office 365 Nonprofit E1 subscriptions as a
donation, whereas the Office 365 Nonprofit Business Premium and Office 365 Nonprofit E3 subscriptions
have an additional charge.

Additional Reading: For more information, refer to Office 365 Nonprofit plans and pricing:
http://aka.ms/wnd4wq.

Office 365 Government subscription plans include Office 365 Enterprise E1 (Government pricing) and
Office 365 Enterprise E3 (Government pricing). Both plans include online versions of Office, including Word,
Excel and PowerPoint, cloud file storage, and sharing capabilities with 1 TB storage per user. They also
include email with a 50-GB mailbox per user, unlimited instant messaging, HD video conferencing, intranet
sites, a corporate social network, and Office Graph.

Additional Reading: For more information, refer to Office 365 plans at Government pricing:
http://aka.ms/knev43.

Planning the Office 365 subscription


Office 365 can benefit many organizations, but the
scenarios in which organizations might deploy and
use Office 365 differ. For example, some
organizations might choose to move their entire
on-premises infrastructure to Microsoft Azure and
Office 365. Other organizations might choose a
hybrid solution by hosting some products on-
premises, and hosting other products such as
Exchange and Skype for Business in Office 365.

When planning to purchase an Office 365 subscription, organizations should consider the following
questions:

 What business needs will drive your organization to move to Office 365? Some answers might include
better availability, industry standard security, lower cost for hardware and software maintenance, and
support for multiple devices and platforms.

 What is the organization’s current IT infrastructure? For example, if organizations have many
on-premises custom applications, the planning process of moving custom applications to the cloud
might be time-consuming. Furthermore, while transitioning infrastructure and applications to the
cloud, organizations might choose to deploy a hybrid solution, in which they move Exchange
mailboxes to Office 365, and continue to host custom applications on-premises.

 What is the organization’s change-management process? Every organization has a different change-
management process that defines the deployment process for new solutions. For example,
organizations might use Microsoft Operations Framework (MOF) 4.0, which incorporates the best
practices of the service management industry. MOF is a particularly appropriate framework to apply
when implementing and operating Office 365, as it can also integrate well with the phases of the
FastTrack deployment plan and can help solve service-delivery issues.

 How many users will use Office 365, and what are the organization’s plans for growth? Some of the
Office 365 subscriptions are limited in the number of users and the types of functionalities permitted.
Therefore, organizations have to match the requirements for Office 365 functionalities with the
number of users. An organization can mix different Office 365 plans according to its business needs.
For example, one organization can purchase 200 Business Essentials seats, 200 Business Premium seats,
and 200 Enterprise E3 seats on a single tenant.

Overview of the Office 365 administrative portals


You can manage Office 365 by using a web
interface or Windows PowerShell. The web
interface includes multiple administrative portals.
Before you can manage Office 365 with Windows
PowerShell, you need to import the Azure Active
Directory Module for Windows PowerShell.

The Office 365 web-based administrative portals include:

 Office 365 admin center. The Office 365 admin center is a web-based management console that you can
use to deploy Office 365 for your organization in the cloud. You can also create users, manage domains
and licenses, and administer all aspects of Office 365.

Note: At the time of this writing, Microsoft is transitioning from the previous Office 365
admin center to a new admin center. Most of the functionality available in the previous admin
center has been transitioned to the new admin center, but not all of it. As much as possible, this
course is based on the new admin center.
When this course refers to the Office 365 admin center, it is referring to the new admin center.
When we need to make a distinction between the two admin centers, the course uses the terms
new and previous admin centers.

 Exchange admin center. The Exchange admin center (EAC) is the web-based management console that
you can use to manage Exchange settings in Office 365. These settings include recipients, protection,
mail flow, public folders, and other settings that are not available in the default Office 365 admin
center.
 Skype for Business admin center. The Skype for Business admin center is the web-based management
console that you can use to manage Skype for Business settings in Office 365. These settings include
instant messaging, audio and video calls, persistent chat, and online meetings.

 SharePoint admin center. The SharePoint admin center is the web-based management console that
you can use to manage SharePoint settings in Office 365. These settings include site collections, user
profiles, business connectivity services, and search.

 Compliance Center. The Office 365 Compliance Center is the web-based management console that
you can use to manage compliance features across Office 365 for the organization. These features
include archiving, data loss prevention (DLP), eDiscovery, reports, retention, and search.

By using the Azure Active Directory Module for Windows PowerShell, you can connect to Office 365 to
perform administrative tasks that are not practical, or even possible with the Office 365 admin center web
portal. For example, you can use the Windows Azure Active Directory Module for Windows PowerShell to
automate repetitive tasks such as creating large numbers of user accounts, adding users to groups, and
updating multiple user properties.

Discussion: How will you use Office 365 in your organization?


Based on the previous topic, discuss an Office 365
deployment with other students based on the
following questions:

 What are your organization’s business requirements?

 How will Office 365 meet your organization’s business requirements?

 Which Office 365 subscription would be most suitable for your organization?

Question: What are your organization’s business requirements?

Question: How will Office 365 meet your organization’s business requirements?

Question: Which Office 365 subscription would be most suitable for your organization?

Lesson 2
Provisioning an Office 365 tenant
An important part of the Office 365 provisioning process is the creation of the tenant account. This activity
was not as crucial in the traditional Office 365 deployment methodology because the pilot account
typically was not transitioned into deployment. Microsoft FastTrack for Office 365 is a service that includes
best practices, tools, and resources that help organizations move to Office 365. With the FastTrack process,
where the pilot account typically persists into the production environment, it is vital that you enter the right
information, because certain values that you specify cannot be changed later.

This lesson explains the various tenant options available for Office 365, and the process of creating a new
tenant account. It also describes how to plan the process of adding custom domains to Office 365, and how
to plan DNS zones and configure DNS records for custom domains.

Lesson Objectives
After completing this lesson, you will be able to:

 Describe the process for creating a new tenant account.

 Describe the Office 365 tenant options.

 Describe the process of planning the addition of custom domains in Office 365.

 Describe the process of adding a custom domain to Office 365.

 Explain how to plan DNS zones for custom domains in Office 365.

 Explain how to configure DNS records for custom domains in Office 365.

 Explain how to manage feature updates.

Creating an Office 365 tenant


The overall process for creating a tenant account
for Office 365 is shown below:

1. Decide which Office 365 plan you will use for a trial.

2. Ensure that you have a valid email account (organizational or Microsoft account will work fine).

3. Click the trial link on the Office 365 website.

4. Enter the correct information for your organization.

5. Complete the sign-in process by validating the text message or phone call.

Trial accounts are available for the following Office 365 plans:

 Business and Business Premium

 Enterprise (E3 and E5)

 Education

 Government

 Nonprofit (Business Premium and E3)

As mentioned previously, errors in the sign-up process commonly result from organizations selecting the
wrong Office 365 subscription for the size of their business. It is currently not possible to change to
different product families, such as from the Business plan to the Enterprise plan.

Note: The process for provisioning Office 365 Education, Government, and Nonprofit plans is
different, and this course does not cover it. This course assumes that you are selecting the
Enterprise E3 subscription.

During the trial sign-up, you have to supply a valid email address that already exists. Although the sign-up
process creates an email address in the form username@organizationname.onmicrosoft.com, you cannot
use that as the email address for the sign-up process.

If you work for or through a Microsoft partner, and you need more than 25 pilot users for an Enterprise E3
trial, you can apply for an extended trial account. When you request an extended trial tenant to support the
FastTrack Pilot, you must submit a form to fasttrackpilot@microsoft.com. This form must provide
customer information, partner information, and information about the pilot engagement. After two
business days, you should receive a unique provisioning code. This is a single-use code that you can only
use to provision the pilot tenant for the organization.

Office 365 tenant options


When you sign up for a new tenant account, you
need to supply information about the person and
the company that are signing up. Note that the
fields that you see will be different, depending on
the country you select at the beginning of the
sign-up process. For example, Switzerland includes
a Canton field.

The following table describes the standard fields:

Field                 Value                        Required   Can be changed   Type

Country/Region        Name                         Yes        No               Drop-down list

First/Last names      Tenant admin name            Yes        Yes              Text field, 50-character limit

Email                 Tenant admin email           Yes        Yes              Text field

Address 1             Tenant address information   Yes        Yes              Text
Address 2                                          No         Yes              Text
Address 3                                          No         Yes              Text

City                  Company city                 Yes        Yes              Text

State/County          Company state                Yes        Yes              Drop-down or text

Zip/Postal code       Company Zip                  Yes        Yes              Text

Phone                 Contact phone                Yes        Yes              Text

Organization name     Name of the tenant company   Yes        Yes              Text

Note: The tenant administrator’s name must be a real name, not “System Administrator.” It is
also important that the email address used does not become inaccessible if the person who
registered the account leaves the company.

When you enter this information, Office 365 will generate a default domain name based on the company
name you supply. The default domain name will end with .onmicrosoft.com. Again, this value cannot be
changed after creation, so it is vital that you check that this name is acceptable. If the name already exists,
then a number will be added to make the name unique, such as Adatum426.onmicrosoft.com.

You are then asked to enter a password and indicate a mechanism for validating the sign-up. Passwords
should be at least 10 characters long and contain a random mixture of uppercase and lowercase letters,
numbers, and special characters.

To validate the sign-up, you can select from either having a text message sent to you or receiving a phone
call. You should specify the country and number for your phone. If you use the text option, ensure that the
phone number is capable of receiving texts.

Once you click the Create My Account link, the confirmatory six-digit number will either be sent to your
phone or you will be called, depending on your prior selection. Enter that number into the confirmation
dialog box to complete the setup of your tenant account.

Planning for custom domains


When planning to add custom domains to Office
365, there are a number of factors you need to
consider. These factors can differ with the Office
365 subscription you select.

The following table sets out these planning factors:

Factor                        Considerations

Multiple domains: Plan to add the main domain that your company currently uses along with any other
domain that it uses for email messages within the organization. This scenario is common when the overall
company is a business group, or the organization has been through a merger process and some employees
still have alternative domain addresses.

Subdomains: You might want to register subdomains such as content.Adatum.com within the account for
Adatum. Note that Office 365 Midsize Business and Enterprise plans allow you to add subdomains under
your root domain, whereas the Office 365 Small Business plans do not.

Domain numbers: You can register up to 600 domains with Office 365.

Domain adding order: You must add root domains before subdomains, so you need to register Adatum.com
before you add content.Adatum.com.

DNS record hosting: DNS records might be hosted by your organization’s DNS servers or by an external
hosting provider.

Access to the DNS console: Check with your DNS hosting organization regarding what access you get to the
DNS console. To configure Office 365 services, you need to be able to add the A, CNAME, TXT, MX, and SRV
records. If your DNS hosting provider does not give that level of access, you might have to send a request
to the DNS hosting provider to change the DNS records needed for your Office 365 deployment.

Not registering DNS: It is rare that you would not want to register a DNS domain with Office 365, but it is a
possible option, for example, if you want to have a completely separate email and directory service for your
Office 365 users. One possible scenario is a university that might want to host its faculty members in the
on-premises environment and have the students in Office 365 with a different domain name.

Not changing all records: You may not want to change all the DNS records to point to Office 365. An
upcoming topic in this lesson identifies how to handle the verification process when you do not change all
DNS records.

DNS record propagation timings: DNS records can take up to 72 hours to propagate. Reducing the Time to
Live (TTL) value can speed up this process, but you still need to plan for the replication time.

Adding a custom domain for Office 365


If an organization has a domain name that it needs
to add to Office 365, there is a specific process that
the administrator or Microsoft Partner must go
through. The process of adding a custom domain
to Office 365 consists of the following steps:

1. Check that you have ownership of the domain. Domain ownership can sometimes be problematic,
particularly if a former employee registered the domain with his or her information and has now left the
organization. To find out who originally registered the domain, check the WHOIS record for that domain
by using an Internet WHOIS register, such as who.is.

2. Check that you have access to the DNS console for the domain. Different DNS hosting organizations
provide varying levels of access to DNS records for a hosted domain.

3. Check that you can make changes to the DNS records for the domain.

4. Sign in to the Office 365 admin center, and go to the Domains tab on the Settings menu.

5. Confirm domain ownership for the domain:

a. Enter the domain name for which you want to confirm domain ownership.

b. Add text (TXT) or mail exchanger (MX) records to the DNS record for the domain, according to the
instructions in the Office 365 setup wizard.

c. Confirm ownership by getting Office 365 to verify that you could make that change to the DNS
records.

6. Change the default domain to the new domain, so that any new accounts use this domain value rather
than the one originally assigned when you set up Office 365.

7. Add users and assign licenses (this is part of the Office 365 setup rather than a DNS-specific operation).

8. Set the domain purpose and finish configuring DNS.

You can cancel out of the domain setup process but still verify that you own the domain. In the Office 365
admin console, you will see the message “setup in progress.”

Note: After you have verified a domain, you can delete the verification TXT record. You
should also be aware that you can only validate each domain (with any attendant subdomains) to
a single Office 365 tenant account.

Planning DNS zones for custom domains


A publicly available DNS zone setup is very
important during the Office 365 deployment for
organizations that want to use custom domains.
By being able to edit records within their DNS
zone, organizations prove that they own the DNS
zone, so that the Office 365 setup wizard can
create the tenant with the organization’s custom
domain, such as Adatum.com.

Furthermore, during the setup, the Office 365 setup wizard will instruct organizations on which DNS records
they need to add to the public DNS zone. Once the organization configures the DNS zone according to the
instructions in the Office 365 setup wizard, client software such as Outlook or the Skype for Business client
will use autodiscover services and resolve custom domain names to the IP addresses of Office 365 servers.
After this, the organization’s client computers can connect to Office 365 services, such as Exchange Online
or Skype for Business Online.

Organizations use internal DNS zones configured on internal DNS servers, so that internal clients can
resolve computer names and services. Organizations also use external, public DNS zones configured on
Internet-accessible DNS servers so that clients located on the Internet are able to resolve computer names
and services.

When planning DNS zones for custom domains, organizations might choose between the following two
scenarios:

 Internal DNS zones and external DNS zones have different names. In this scenario a company might set
up its own internal DNS for its internal domain—Adatum.local, for example—and then use a DNS
forwarder on the internal DNS servers to redirect name resolution requests for external domains to an
external name server. For example, a request for mail.Adatum.local would be redirected to an internal
IP address, such as 192.168.20.10, whereas a request for mail.Adatum.com might go to 131.107.43.19,
the company’s external IP address for that host name. Internal clients that connect to Office 365
services from the internal network will submit resolution requests to the local DNS servers. Then, a local
DNS server will forward the client’s request to the external DNS server, which will resolve the request,
and return the answer to the company’s internal DNS server. Finally, the local DNS server will forward
the resolved request to internal clients.

 Internal DNS zones and external DNS zones have the same name (split-brain DNS). Split-brain DNS is a
configuration in which the internal and external DNS environments provide different IP addresses to
requests for the same host name, depending on where the request is generated. If a request for
mail.Adatum.com comes from inside the Adatum.com network, the address returned might be
192.168.20.10 on the internal network, whereas if a user directly connected to the Internet made the
same request to mail.Adatum.com, the IP address returned might be 131.107.43.19. This configuration
is achieved by creating a zone on the internal DNS server for Adatum.com. When a client on the
internal network makes a request for mail.Adatum.com, the internal DNS server responds with the IP
address for that host, using the A (address) or CNAME (canonical name) records that the server
maintains for that zone. There is no requirement to forward the name resolution request to the
external DNS servers. However, external clients who try to contact mail.Adatum.com receive a
response from the external DNS server that is authoritative for that zone. Internal clients that connect
to Office 365 services from the internal network will submit resolution requests to the local DNS
servers. For a local DNS server to be able to resolve requests for Office 365 services, the internal DNS
zone and the external DNS zone should both be configured with the same records requested by the
Office 365 setup wizard. Once both the internal and external DNS zones are configured with the same
records, clients will be able to connect to Office 365 services, irrespective of whether they connect from
inside the company or from the Internet.

Configuring DNS records for custom domains


After the Office 365 setup wizard has verified that the organization owns the custom domain, the administrator should add additional DNS records to the custom DNS zone so that the organization’s clients can locate Office 365 services. Each DNS zone can contain a number of different DNS record types that provide differing name resolution services. If the organization hosts its own external DNS server, then a DNS administrator should add the necessary DNS records to provide client connectivity to Office 365 services. If a DNS provider hosts the organization’s DNS zone, then administrators should add the necessary DNS records through the appropriate management console that the DNS provider has created. Some DNS providers, such as GoDaddy, provide automated DNS record configuration for Office 365, so organizations do not need to manually create their DNS records for Office 365. Furthermore, organizations might also select the option to have Office 365 configure and host the DNS records. Office 365 uses the following subset of DNS records:

DNS records for Exchange Online include:

 MX. This record is a requirement for SMTP communication between Exchange Online in Office 365 and
mail servers on the Internet.

 CNAME. Outlook clients use this record to locate the Autodiscover service in Office 365.

 TXT. This record is a requirement for Sender Policy Framework (SPF) anti-spam protection.

 TXT. Organizations that use Exchange Federation need this record.

The following table lists the requirements for the MX and CNAME records for Exchange Online:

Type    Priority  Host name      Points to address                        TTL
MX      0         @              Adatum-com.mail.protection.outlook.com   1 Hour
CNAME   -         autodiscover   autodiscover.outlook.com                 1 Hour

The following table lists the requirements for the TXT records for Exchange Online:

Type   TXT name   TXT value                                          TTL
TXT    @          v=spf1 include:spf.protection.outlook.com -all     1 Hour
TXT    @          Custom-generated, domain-proof hash text           1 Hour



DNS records for Skype for Business Online include:

 SRV. This record is used for SIP federation where an Office 365 domain shares instant messaging (IM)
features with external clients.

 SRV. Skype for Business uses this record for coordinating the flow of communication between Skype for
Business clients.

 CNAME. Skype for Business clients use this record to find the Skype for Business Online service in Office
365 and sign in.

 CNAME. Skype for Business mobile clients use this record to find the Skype for Business Online service
in Office 365 and sign in.

The following table lists the requirements for the SRV records for Skype for Business Online:

Type   Service              Protocol   Port   Weight   Priority   TTL      Name   Target
SRV    _sip                 _tls       443    1        100        1 Hour   @      sipdir.online.lync.com
SRV    _sipfederationtls    _tcp       5061   1        100        1 Hour   @      sipfed.online.lync.com

The following table lists the requirements for the CNAME records for Skype for Business Online:

Type    Host name      Points to address         TTL
CNAME   sip            sipdir.online.lync.com    1 Hour
CNAME   lyncdiscover   webdir.online.lync.com    1 Hour

The DNS record for Office 365 Single Sign-On is:

 Host (A). This record is used where organizations need single sign-on (SSO) with Active Directory Federation Services (AD FS). The record provides the endpoint for on-premises and external users to connect to the organization's AD FS proxy servers or load-balanced virtual IP addresses.

The following table lists the requirements for the Host (A) record for Office 365 Single Sign-On:

Type       Host name   Points to address         TTL
Host (A)   sip         sipdir.online.lync.com    1 Hour

The DNS records for Mobile Device Management for Office 365 are:
 CNAME manage.microsoft.com. When Office 365 users sign in on their mobile devices with an email
address, this setting is used to redirect them to enroll in MDM for Office 365.

 CNAME enterpriseregistration.windows.net. This setting is used for workplace join for mobile devices.

The following table lists the requirements for the CNAME records for Mobile Device Management for Office 365:

Type    Host name                Points to address                            TTL
CNAME   enterpriseregistration   enterpriseregistration.windows.net           1 Hour
CNAME   enterpriseenrollment     enterpriseenrollment.manage.microsoft.com    1 Hour



The DNS record for Microsoft Online Services Sign-In Assistant is:

 CNAME. This record is used during the authentication process by client applications, such as Outlook,
Skype for Business Online, Windows PowerShell or Microsoft Azure Active Directory Sync tool. By using
this record, Office 365 connects clients to the appropriate authentication endpoint, depending on the
client location.

The following table lists the requirements for the CNAME record for Microsoft Online Services Sign-In Assistant:

Type    Host name   Points to address                     TTL
CNAME   msoid       clientconfig.microsoftonline-p.net    1 Hour

Additional Reading: For more information, refer to External Domain Name System records
for Office 365: http://aka.ms/d67qkh.
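The split-brain DNS discussion and the record tables above both come down to one check: does each zone (internal and external) carry the records the setup wizard asks for, with the right targets and a hard-fail SPF? The following added example (not course material and not a Microsoft tool) performs that check offline against constructed zone data; a real run would feed it the output of Resolve-DnsName or dig for each DNS server. The record values are the ones from the tables in this topic; the per-tenant domain-proof TXT value is represented by a labelled placeholder.

```python
"""Check internal and external DNS zones for the Office 365 records listed
in this topic. Added example with constructed sample data; not part of the
course or any Microsoft tool."""

# Expected records, keyed by (relative name, type). Values are taken from the
# tables in this topic. SRV values use the "priority weight port target" order
# that dig and Resolve-DnsName print.
EXPECTED = {
    ("@", "MX"): "adatum-com.mail.protection.outlook.com",
    ("autodiscover", "CNAME"): "autodiscover.outlook.com",
    ("_sip._tls", "SRV"): "100 1 443 sipdir.online.lync.com",
    ("_sipfederationtls._tcp", "SRV"): "100 1 5061 sipfed.online.lync.com",
    ("sip", "CNAME"): "sipdir.online.lync.com",
    ("lyncdiscover", "CNAME"): "webdir.online.lync.com",
    ("enterpriseregistration", "CNAME"): "enterpriseregistration.windows.net",
    ("enterpriseenrollment", "CNAME"): "enterpriseenrollment.manage.microsoft.com",
    ("msoid", "CNAME"): "clientconfig.microsoftonline-p.net",
}
SPF_INCLUDE = "include:spf.protection.outlook.com"


def normalize(value):
    """Lower-case and drop the trailing dot DNS tools print on FQDNs."""
    return value.strip().lower().rstrip(".")


def check_spf(txt_records):
    """Return problems with the apex SPF record (empty list if it is fine).

    The topic's table wants one SPF record that includes
    spf.protection.outlook.com and ends with -all. A missing record, a second
    SPF record, or a soft/neutral qualifier (~all, ?all) is reported.
    """
    spf = [normalize(t) for t in txt_records if normalize(t).startswith("v=spf1")]
    if not spf:
        return ["no SPF record at @"]
    problems = []
    if len(spf) > 1:
        problems.append("more than one SPF record at @ (only one is allowed)")
    if SPF_INCLUDE not in spf[0]:
        problems.append("SPF does not include spf.protection.outlook.com")
    if not spf[0].endswith(" -all"):
        problems.append("SPF does not end with -all (hard fail)")
    return problems


def check_zone(zone, label):
    """Compare one zone, a dict of (name, type) -> list of values, with EXPECTED.

    Returns human-readable findings; an empty list means every record the
    Office 365 setup wizard asks for is present with the expected target.
    """
    findings = []
    for (name, rtype), want in EXPECTED.items():
        have = [normalize(v) for v in zone.get((name, rtype), [])]
        if not have:
            findings.append("%s: missing %s record for %s" % (label, rtype, name))
        elif want not in have:
            findings.append("%s: %s %s points to %s, expected %s"
                            % (label, rtype, name, ", ".join(have), want))
    findings.extend("%s: %s" % (label, p)
                    for p in check_spf(zone.get(("@", "TXT"), [])))
    return findings


def check_split_brain(internal, external):
    """Split-brain DNS: the internal zone must carry the same Office 365
    records as the external zone, or internal clients cannot find the service."""
    return check_zone(internal, "internal") + check_zone(external, "external")


# Constructed sample zones. The external zone was populated from the wizard
# but with a soft-fail SPF; the internal zone was built by hand and lacks
# the Autodiscover and lyncdiscover CNAMEs.
EXTERNAL_ZONE = {
    ("@", "MX"): ["adatum-com.mail.protection.outlook.com."],
    ("autodiscover", "CNAME"): ["autodiscover.outlook.com."],
    ("@", "TXT"): ["v=spf1 include:spf.protection.outlook.com ~all",
                   "placeholder-domain-proof-text"],   # per-tenant value, placeholder
    ("_sip._tls", "SRV"): ["100 1 443 sipdir.online.lync.com."],
    ("_sipfederationtls._tcp", "SRV"): ["100 1 5061 sipfed.online.lync.com."],
    ("sip", "CNAME"): ["sipdir.online.lync.com."],
    ("lyncdiscover", "CNAME"): ["webdir.online.lync.com."],
    ("enterpriseregistration", "CNAME"): ["enterpriseregistration.windows.net."],
    ("enterpriseenrollment", "CNAME"): ["enterpriseenrollment.manage.microsoft.com."],
    ("msoid", "CNAME"): ["clientconfig.microsoftonline-p.net."],
}
INTERNAL_ZONE = dict(EXTERNAL_ZONE)
INTERNAL_ZONE[("@", "TXT")] = ["v=spf1 include:spf.protection.outlook.com -all"]
INTERNAL_ZONE[("mail", "A")] = ["192.168.20.10"]   # private address, as in the split-brain example
del INTERNAL_ZONE[("autodiscover", "CNAME")]
del INTERNAL_ZONE[("lyncdiscover", "CNAME")]

if __name__ == "__main__":
    for finding in check_split_brain(INTERNAL_ZONE, EXTERNAL_ZONE):
        print(finding)
```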

Managing feature updates


Microsoft updates Office 365 components with new features and capabilities so that customers can experience the improvements in the product. Microsoft deploys Office 365 updates to customers after thoroughly testing them. Organizations might choose to get Office 365 updates according to the Microsoft default release schedule, or choose to receive them first. Administrators can choose the schedule of update deployments in their organizations by choosing one of the following options in the Office 365 admin center:

 Standard release. Standard release is the default option, in which organizations receive the latest updates per the Microsoft default release schedule, when all Office 365 customers receive them. You may choose this option if your organizational strategy is to prepare the support staff for upcoming updates before deploying them in your organization.

 First release. The First release option enables organizations to get the latest updates first, and provide early feedback to Microsoft. Administrators can choose to deploy updates only to selected individuals in an organization, or to deploy updates to the entire organization.

To configure the first release settings for your organization, in the Office 365 admin center, select
Organization profile from the Settings menu. You can edit the release preferences for all users, or
configure specific users to receive the first release updates.

Question: What are the steps involved in the process of creating a tenant account for
Office 365?

Question: What factors should you consider when planning a custom domain?

Lesson 3
Planning a pilot deployment
In this lesson, you will review the overall factors that can affect an Office 365 deployment. However, it is
important to realize that these are not necessarily complete deployment blockers, merely factors of which
you need to be aware. This is the strength of the FastTrack process—organizations can take it as far as they
want, and can reach a deployment position where they realize value from the Office 365 platform without
affecting their existing infrastructure, or compromising on the benefits of the cloud-based service.

Lesson Objectives
After completing this lesson, you will be able to:

 Compare an Office 365 pilot to the traditional deployment process.

 Describe how your organization implemented Office 365.

 List the activities within the pilot phase of the FastTrack approach, and their outcomes.
 Gather customer requirements.

 Identify customer constraints.

 Identify pilot users.

 Evaluate the pilot deployment.

 Describe the activities that happen in the production deployment after the pilot completes.

 List the deployment tools to help with the FastTrack deployment.

Comparing an Office 365 pilot to the traditional deployment process


With the traditional deployment approach, it might take the organization several weeks or even months to reach the migration phase. During this time, the organization is unable to experience the benefits of Office 365 firsthand. Even when the pilot deployment is tested, organizations might not gain useful operational experience from the pilot.

The result of this approach is that it may be two or more months until the first users migrate to their Office 365 mailboxes, and three to four months before the organization finally benefits from moving to the new service.

A key message is that cloud deployments are not like traditional on-premises deployments, and they need
a new methodology to accommodate that difference. With the Office 365 FastTrack deployment approach,
customers can:
 Experience the value of Office 365 much earlier than with traditional deployment methodologies.

 Evolve into features as and when required.

 Determine how far to go with the Office 365 migration.



With the FastTrack approach, organizations can deliver a rich user experience and a high-productivity
solution with minimal on-premises requirements, particularly in the pilot phase. Continuing the
deployment path builds on the previous steps already performed in the pilot phase, so there is no
requirement to restart the effort from scratch. The organization also can extend and deliver new capabilities
to users as their needs change.
There are multiple data migration methods available, including user self-service and IT-driven approaches.

The organization can choose one of the following user identity models to suit its needs:

 Cloud identities

 Synchronized identities (with optional password synchronization)

 Federated identities

Finally, there is an Office 365 Deployment Portal with prescriptive step-by-step guidance and video
instructions for the FastTrack process.

Additional Reading: For more information, refer to FastTrack for Office 365:
http://aka.ms/il5z8i.

Discussion: How did your organization implement Office 365?


Based on the previous topic, if your organization has already deployed an Office 365 pilot, share your experience of the Office 365 deployment process with the other students.

Overview of the Office 365 pilot phase


It is essential that you have a thorough understanding of the objectives of the pilot phase, and that you keep them in mind throughout the entire phase. This helps you avoid project scope extensions, which can last through the duration of the pilot, raise technical issues that are best dealt with later in the deployment process, and deter customers from appreciating the value and simplicity of the Office 365 service.

The objectives of the Office 365 pilot phase include:

 Deliver a predictable and consistent pilot experience for the customer.

 Demonstrate expertise with Office 365.

 Gain a detailed understanding of the customer’s environment and priorities.

 Highlight next steps for deployment beyond the pilot.

 Rapidly transition to service delivery in the customer environment.

The pilot phase consists of the following activities that you must perform in consecutive order:

1. Check prerequisites. Make sure you have assessed the organization's environment correctly for the
pilot.

2. Set up pilot domains. Determine the domain policy and identify customer domains for the pilot.

3. Add users. Select users to be part of the pilot.


4. Connect existing email accounts. Determine the available options for connecting to the existing email system.

5. Set up collaboration sites. Establish use and requirements for SharePoint sites.

6. Prepare pilot users. Plan communications with pilot users.

7. Test the pilot. Identify success factors for testing the pilot.

8. Run the pilot. Record the results of planning decisions.

9. Complete the pilot. Feed the results into Deploy phase planning.

Successful outcomes from the pilot phase are:

 Provision the Office 365 service.

 Create the initial users in the service.

 Enable active use of mail by pilot users.

 Deploy Office 365 ProPlus to pilot users (if required).

 Enable user evaluation of Office 365 services.

 Validate the service integration into the organization landscape.

 Establish an Office 365 environment that can move into production.

You must record this information in real time during the pilot. Otherwise, you might miss important details
that might not be recordable after the fact. You will use this recorded information from the pilot for
checking planning decisions against actual outcomes, and it feeds into the Deploy phase.

Gathering customer requirements


The first task before starting the pilot is an initial analysis of the environment as part of the qualification process. The analysis does not need to be in depth at this point. You might also find that much of this information is already available and documented within the organization. This analysis is part of the Office FastTrack three-day offering.

Additional Reading: For more information, refer to Office 365 FastTrack Planning:
http://aka.ms/se9j3a.

Industry sector
With any Office 365 pilot deployment, it is important to identify the organization's industry sector, because
this information will provide insight into the method of working and anticipated behavior. Furthermore,
business requirements for Office 365 might be similar in organizations that belong to the same industry
sector.

Types and number of IT users


Following the identification of the industry sector, you should then identify the number and types of IT
users. User types typically fall into two main categories:

 Information workers. Users who work at desks or on the move, and primarily create or process data.

 Kiosk workers. Users who do not need regular access to a computer or mobile device to carry out their
tasks.

User analysis
You also need to know how these users are distributed, and how they use their devices. Consider the
following aspects:

 Are the users in a few large offices, such as an insurance company, or in many small ones, such as a car
dealership?

 Do they work at home, either occasionally or permanently, and do they need to access data on the
move?

 What devices do the users have?

 Does the organization have a Bring Your Own Device (BYOD) policy in place, or are there local
impromptu arrangements?

Company requirements
You must take into consideration the requirements and characteristics of the organization that is deploying
the pilot, and also its workloads, by assessing the following:
 How does the company currently deliver IT? Do they have a centralized department or a distributed
arrangement?

 Is the IT in-house or outsourced?

 How does the organization view IT services, and how is the department managed?

 What compliance and data retention requirements does the company need to consider? Some
organizations have strict compliance regulations in respect to data management, storage, recording,
and transmission.

 What are the company’s security requirements? Are they likely to be targeted and what level of
protection should they adopt?

 What workloads does the company have that do not need to be migrated to Office 365? Look at areas
such as custom applications, business information systems, and stock control environments, and
consider whether these applications will remain on premises.

 Finally, what is the company management team's likely attitude toward moving to the cloud? Being
aware of this attitude and having a strategy and tactics to address it are essential for a smooth
deployment.

At this point, the information does not have to be completely accurate. For example, rounding user
numbers to the nearest thousand or hundred is acceptable. If there is an established relationship with the
organization or you already work within the company, much of this information should be available.

Identifying customer constraints


It is important that organizations identify any constraints that might block the Office 365 deployment or that might affect whether the organization will move forward to the pilot phase. Organizations must make this identification as early as possible in the deployment process.

Note that deployment blockers can often occur because of information that customers have not shared in time, such as the fact that they may have some other urgent project that will claim the IT staff responsible for the Office 365 deployment.

The following table lists some potential constraints and deployment blockers, and the steps that you can take to avoid them.

Potential constraints and deployment blockers   Prevention
Lack of management support for Office 365       Clearly communicate the benefits.
Lack of IT department support for this change   Fully brief the IT department on what is happening, and how
                                                the change will affect IT department processes.
Costs/funding                                   Cover the financial angles with the customer.
Competition                                     Highlight the benefits of Office 365, and emphasize the
                                                additional flexibility of options such as hybrid Exchange.
Data storage requirements                       With companies that have specific data storage requirements
                                                in terms of where their data is geographically located,
                                                consider choosing hybrid options and keeping sensitive data
                                                onsite.
Bandwidth                                       Emphasize the general productivity and cost-saving benefits
                                                of getting branch offices Internet-connected. Review
                                                technologies such as mesh wireless networks and satellite
                                                links.
Results                                         Create a list of potential constraints that might transform
                                                into deployment blockers. Then, for each constraint,
                                                identify a mitigating approach to address the issue.

Identifying pilot users


The process of selecting and involving pilot users in the Office 365 FastTrack Pilot is vitally important and has the potential to make or break the pilot process. Therefore, it is essential to select the right people with a balanced mix of interests, abilities, and attitudes to help ensure the success of the FastTrack Pilot. Keep in mind the following points:

 Determine the number of pilot users. The first planning decision is to define the number of users who will participate in the pilot. As a rule of thumb, you should consider a pilot that employs at least five percent of the information worker user base, spread evenly throughout the departments. Any less than this figure indicates poor preparation and buy-in from your organization.

 Plan for pre-pilot users. With larger organizations, it may be necessary to deploy some pre-pilot users.
With these larger pilot engagements, it can be useful to initially roll out Office 365 to a small subset of
users, to help identify issues, before including a wider user community.

 Select the pilot users. Pilot users typically meet the following criteria:

o Full-time employees for more than six months.

o Trained information workers.

o Representative of the overall function of the company.


o Employees are a mix of age, experience, and seniority within their department.

o Prepared to provide feedback on the pilot.

 Create and implement a pilot user communication plan. Effective communication with the pilot users is
vital and needs to start up to three weeks before the pilot itself.

 Train and support the pilot users. Microsoft does not support Office 365 pilot users, so planning user
and helpdesk training and support for the pilot phase is an important part of the experience.

Evaluating the pilot deployment


When the pilot phase completes, the organization should evaluate the pilot to make a decision about the next steps and recommendations that they must complete. If the organization decides that further testing with new Office 365 capabilities is warranted, it might choose to extend the pilot. However, if the organization decides that it is not willing to proceed with the pilot for any reason, it might choose to end the pilot.

Extending the pilot


After the pilot engagement is complete, the organization has the option to continue extending the pilot to prepare further for future changes. The organization has the following options:

 Continue user pilot. The most basic option is simply for the organization to continue with the user pilot.
Users would continue to use Office 365 on a regular basis. The organization can collect user feedback
about Office 365 and highlight the key benefits. This information also enables the organization to plan
future deployments appropriately for each workload. Importantly, the pilot provides data points to
best plan the organization’s migration and identity needs.
 Expand the scope. The trial tenant used for the pilot service allows up to 250 users, so the organization
could add more pilot users to prove the service fit for various groups within the organization. Note that
users who are moved to the service during the pilot can be transitioned to production after a decision
for service use is reached.

Ending the pilot


Finally, you also must consider what to do if the customer does not want to move from the pilot to the
deployment phase. A key requirement is that you return their environment to how it was before the start of
the pilot, and you should also attempt to identify the reasons why the pilot was not successful. Always leave
the door open for the customer to return to Office 365 at a later date.

Planning the production deployment


Once the organization has ensured that the Office 365 pilot project has met its business requirements, it might continue with planning the production deployment. Planning the production deployment includes steps for planning for the Office 365 service and planning the organization’s environment.

Planning for the Office 365 service


The pilot provides the organization with its first look at the Office 365 service. The company can take
actions to begin planning how the service will best fit its needs by considering the following options:

 Service options. The pilot has enabled users to begin using a broad range of Office 365 features. The
service provides solutions for mail, collaboration, sharing, and other scenarios. The scope of the pilot
was confined to the core service options. Therefore, the organization should determine the additional
scenarios in which Office 365 can be useful.

 Identity planning. The pilot introduced the organization to the concept of identity management in the
Office 365 service. The pilot engagement provisions users in the service through cloud identities. The
trial tenant shows how this identity management approach works for administrators and users.
However, the organization also needs to start thinking about identity management. This planning
should consider future additional service scenarios and integration requirements for streamlined
management. Further planning considerations should determine the future implementation plans for
identity management and authentication. The cloud identity approach used in the pilot engagement
uses a stand-alone set of user credentials. The organization should map out a plan for the desired
authentication approach, including plans for single sign-on (SSO) options.

 Mail migration planning. In the pilot, the organization has experienced mail using the Office 365
connected accounts feature. This feature enables users to access existing mail items, and continue to
send and receive mail with their existing email addresses. However, users will expect to bring existing
mail, calendar, and contacts to the new service. Office 365 provides a range of migration options to
help manage this migration. If customers begin planning early to reduce the content users currently
have in place, this migration process is considerably simplified.

Planning the organization’s environment


The pilot engagement enabled the Office 365 service and implemented the related components in the
organization’s environment. Assuming the results of the trial are acceptable, the organization can then
perform the following post-pilot activities:
 Raise awareness. The Summary Results provided at the end of the pilot help the organization share the
results with the company leadership and partner teams. These results can help the organization
develop and track action on the recommended next steps.

 Plan for transition. The pilot uses an Office 365 trial tenant that needs to be transitioned to a live
account before the trial expires.

Overview of deployment tools


Microsoft provides deployment tools and resources that help customers deploy Office 365 solutions and migrate their current on-premises applications to Office 365. These tools and resources include FastTrack for Office 365, TechNet Center for Office 365, Office Blogs, Office 365 Trust Center, Office 365 Service Descriptions, Office 365 Roadmap, and Microsoft Planning Services.

FastTrack for Office 365


Microsoft FastTrack for Office 365 is a service that helps organizations move to Office 365. FastTrack
includes several components, such as best practices, tools, resources, and remote personalized assistance by
Microsoft engineers.

Microsoft engineers from the FastTrack Center team contact organizations that purchase more than 150
Office 365 seats. FastTrack engineers assist customers through multiple project phases, such as assessing
customer environment, planning for remediation of any potential issues found during the assessment, and
helping with Office 365 deployment and migration.

Additional Reading: For more information, refer to FastTrack for Office 365:
http://aka.ms/il5z8i.

TechNet Center for Office 365


TechNet Center for Office 365 is a set of Office 365 resources located on TechNet. These resources include
technical training, documentation, downloads, and related sites. Topics include Office 365 service
description and comparison, deployment, migration, learning videos, and resources for different business
scenarios.

Additional Reading: For more information, refer to Office 365 for IT pros:
http://aka.ms/kl703e.

Office Blogs
Office Blogs is an online resource that contains the latest information about different Office products,
including Office 365. You can customize blog reading content by choosing:

 The Office product you want to read about, such as Office 365, Office Online, Exchange, or Skype for
Business.

 Office usage, such as business, public sector, or nonprofit.

 The type of information that you want to read about, such as customer stories, events, news, or
podcasts.

Additional Reading: For more information, refer to FastTrack for Office Blogs:
http://aka.ms/t1mgkg.

Office 365 Trust Center


Office 365 Trust Center provides information about different security aspects of tenant data in Office 365.
Content includes different security topics such as built-in security, privacy by design, continuous
compliance, and transparent operations.

Additional Reading: For more information, refer to Office 365 Trust Center:
http://aka.ms/j0074t.

Office 365 Service Descriptions


Office 365 Service Descriptions provides information about each Office 365 service, such as Exchange
Online, Skype for Business Online, and SharePoint Online. Once you choose to read about any of the Office
365 technologies, you are redirected to the appropriate TechNet resource page.

Additional Reading: For more information, refer to Office 365 Service Descriptions:
http://aka.ms/gxsbad.

Office 365 Roadmap


Office 365 Roadmap is the list of updates that are rolled out to different Office 365 customers. Office 365
Roadmap includes information about the following updates: Launched, Rolling out, In development,
Cancelled, and Previously released.

Additional Reading: For more information, refer to Office 365 Roadmap:
http://aka.ms/Kgo4ds.

Microsoft Planning Services


Microsoft Planning Services is a service that is available to Software Assurance customers. Microsoft
Planning Services help customers by offering deployment planning best practices and business value
planning information in different phases of customer projects. Planning Services are available for different
Microsoft products, including Office 365.

Additional Reading: For more information, refer to Software Assurance Planning Services:
http://aka.ms/leudft.

Question: How does an Office 365 pilot compare to the traditional deployment process?

Don't use this lab!

Lab: Provisioning Office 365


Scenario
A. Datum Corporation is considering moving some of the core on-premises services such as Exchange
Server, Skype for Business Server, and SharePoint Server to Office 365. The project steering committee
needs to ensure that Office 365 can provide the required functionality, and accommodate the corporate
security and compliance requirements. To get started, A. Datum has decided to begin a pilot deployment of
Office 365 for a group of users in the London office.
As one of the most experienced IT admins at A. Datum, you are responsible for implementing the pilot
project. To start, you need to configure the Office 365 tenant, and then configure the custom domain that
your organization uses. You also need to ensure that you are comfortable with the Office 365 administrator
interfaces.

Objectives
By the end of this lab, you will be able to:
 Configure an Office 365 tenant.

 Configure a custom domain.

 Explore the Office 365 administrator interfaces.

Lab Setup
Estimated Time: 75 minutes

Virtual machines: 20347A-LON-DC1 and 20347A-LON-CL1


User name: Holly

Password: Pa$$w0rd

This course uses the new Office 365 admin center for all labs. If you are connected to the previous Office
365 admin center when you connect to Office 365, click the banner at the top of the page to connect to the
new admin center.

In all tasks:
 In references to Adatumyyxxxxx.onmicrosoft.com, replace Adatumyyxxxxx with your unique Office 365 name displayed in the online lab portal.

 In references to Adatumyyxxxxx.hostdomain.com, replace Adatumyyxxxxx with your unique hostdomain.com name displayed in the online lab portal.

This lab requires the following virtual machines: (use only the VMs required for your lab)

 LON-DC1

o Sign in as Adatum\Administrator using the password Pa$$w0rd

 LON-CL1

o Sign in as Adatum\Holly using the password Pa$$w0rd



Exercise 1: Configuring an Office 365 tenant


Scenario
The first step in starting the pilot deployment is to configure the Office 365 tenant. You need to create a
new tenant using the Adatumyyxxxxx.onmicrosoft.com domain name.

Note: For simplicity, this lab uses an ordinary Office 365 trial account, not a FastTrack pilot
extended tenant account. Also note that you need to create an account with a unique name in the
form: Adatumyyxxxxx.onmicrosoft.com. You can use the alphanumeric value for yyxxxxx provided
for you in the lab interface.

The main tasks for this exercise are as follows:

1. Create the tenant account.

2. Verify Office 365 service health.

 Task 1: Create the tenant account


1. On LON-CL1, logged on as Adatum\Holly, open Microsoft Edge, and go to the following URL:
https://products.office.com/en-us/business/office-365-enterprise-e3-business-software.

2. Click Free trial.

3. For Step 1, in the Welcome, let’s get to know you page, complete the following fields. Regardless of
your location, use the following information:
o Country: United Kingdom

o First name: Holly

o Last name: Dickson


o Business email address: (use your new Microsoft account that you created for this course)

o Business phone number: Your mobile phone number, including international code for your current
country
o Company name: A. Datum

o Organization size: 51-150 people

4. For Step 2, you have to create a unique domain for the Company name to use in the course. Use the
Adatumyyxxxxx name provided in the lab interface. For the rest of the fields, use the following
information:

o User name: Holly

o Company name: Adatumyyxxxxx (where yyxxxxx is your unique Adatum number)

o Password: Pa$$w0rd

o Confirm password: Pa$$w0rd

5. For Step 3, you have to confirm your identity by using your mobile phone. Under Send text message,
from the drop-down box, select the code for the country that you are now in.

6. In the Phone number box, enter your correct mobile phone number.

7. Ensure that the Send text message option is selected, and then click Text me.

8. When you receive the confirmation text on your mobile phone, enter the code provided in the Enter
your verification code box.

9. Click Create my account.

10. Wait until the Office 365 tenant is provisioned, and then click You’re ready to go…

11. Click the Admin tile to go to the Office 365 admin center.

12. On the don’t lose access to your account! page, provide your phone number and Microsoft account
email address to verify your account.

Note: If you are connected to the previous Office 365 admin center when you connect to
Office 365, click the banner at the top of the page to connect to the new admin center.

Task 2: Verify Office 365 service health

1. Use Service health on the left-hand menu to display the Service health dashboard.

2. Review any service interruption records or additional information in the status page.

Note: During Microsoft testing, on rare occasions Office 365 did not create the trial tenant
properly; as a result, the tenant did not have all the services available to it. If this happens to you,
you should create a new trial tenant using a different business email (Microsoft account).

3. Close Microsoft Edge.

4. If prompted, click Close all tabs.

Results: After completing this exercise, you should have successfully provisioned the Office 365 tenant
account for A. Datum Corporation.

Exercise 2: Configuring a custom domain


Scenario
Now that you have configured the Office 365 tenant, the next step is to configure the custom
domain that you will use for the pilot deployment. You need to create a custom domain using the
Adatumyyxxxxx.hostdomain.com address, and verify the ownership for the group.

The main tasks for this exercise are as follows:

1. Add the custom domain.

2. Complete the custom domain setup.

Task 1: Add the custom domain

1. In LON-CL1, start Microsoft Edge and then browse to login.microsoftonline.com.

2. Sign in as Holly@Adatumyyxxxxx.onmicrosoft.com with the password Pa$$w0rd.

3. Click Admin.

4. In the left-hand navigation, select Domains, select Add domain to start the domain setup wizard.
5. In the text box on the Which domain do you want to use? page, enter your domain name in the form
of Adatumyyxxxxx.hostdomain.com.

6. Click Next.

7. Use a TXT record to verify you own this domain.

8. Write down the TXT record shown in the TXT value column. This entry will be similar to
MS=msXXXXXXXX. Record this value below:

MS=_______________________

9. Switch to LON-DC1.
10. In DNS Manager, create a new forward lookup zone called Adatumyyxxxxx.hostdomain.com

11. Right-click Adatumyyxxxxx.hostdomain.com, and click Other New Records.

12. Under Select a resource record type, scroll down to Text (TXT), and click Create Record.

13. In the New Resource Record box, leave the Record name field blank.

14. In the Text field, enter MS=msXXXXXXXX that you recorded in step 8.

15. Click OK to create the record.


16. In the Resource Record type dialog box, click Done.

17. Switch back to LON-CL1 and in the Office 365 admin center, click Verify.
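Steps 10 to 17 can also be scripted. The following is an added example, not part of the course lab, that creates the zone and the verification TXT record on LON-DC1 with the Windows DnsServer module and then checks that the server answers with exactly the value the domain wizard expects before you click Verify. The zone name and the `MS=msXXXXXXXX` value are placeholders for the values shown in your lab portal and in the wizard.

```powershell
# Added example (not part of the course lab): creates the verification TXT record from
# Exercise 2 Task 1 with the DnsServer module on LON-DC1 and checks that it resolves.
# Replace both placeholder values before running.
$ZoneName = 'Adatumyyxxxxx.hostdomain.com'   # placeholder: your lab domain from the lab portal
$TxtValue = 'MS=msXXXXXXXX'                   # placeholder: the TXT value shown by the wizard (step 8)

# Step 10: create the forward lookup zone if it does not exist yet.
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns"
}

# Steps 11-15: add the TXT record at the zone apex (a blank record name in DNS Manager is "@").
Add-DnsServerResourceRecord -ZoneName $ZoneName -Name '@' -Txt -DescriptiveText $TxtValue

# Before clicking Verify (step 17): confirm the record is served with the exact string.
# Office 365 compares the value literally, so a typo or stray whitespace fails verification.
$answer = Resolve-DnsName -Name $ZoneName -Type TXT -Server 'LON-DC1' -ErrorAction SilentlyContinue
$served = @($answer | ForEach-Object { $_.Strings })
if ($served -contains $TxtValue) {
    Write-Output "TXT record '$TxtValue' is served by LON-DC1; ready to verify."
} else {
    Write-Warning "TXT record not found or value differs. Served: $($served -join ', ')"
}
```

Run it in an elevated Windows PowerShell session on LON-DC1. Once the domain is verified the TXT record has done its job; it can be removed later, but leaving it in place is harmless.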

Task 2: Complete the custom domain setup

1. Complete the domain setup wizard, reviewing the DNS records that you need to create for the custom
domain.

2. Select the option to skip the configuration of DNS records now. You will configure these in later labs.

Results: After completing this exercise, you should have added a custom domain and verified domain
ownership.

Exercise 3: Exploring the Office 365 administrator interfaces


Scenario
To familiarize yourself with the Office 365 administrator portals, and to get familiar with the default Office
365 configuration, you need to explore the Office 365 administrator interfaces.

The main tasks for this exercise are as follows:

1. Explore the Office 365 admin center.

2. Explore the Exchange admin center.

3. Explore the Skype for Business admin center.

4. Explore the SharePoint admin center.

Task 1: Explore the Office 365 admin center

1. In LON-CL1, in the Admin center, click Home.

2. On the left navigation menu, scroll down to explore all available items.

3. On the left navigation menu, review the users list.

4. On the left navigation menu, in Message center, review the messages.


5. Do not close the browser window.

Task 2: Explore the Exchange admin center

1. On the left navigation menu, expand Admin centers, and then click Exchange.

2. A new tab will open displaying Exchange admin center.

3. On the left navigation menu, click each of the items, and review the results displayed on the right pane.

Task 3: Explore the Skype for Business admin center

1. Click the portal.office.com tab.

2. On the left navigation menu, under Admin centers, click Skype for Business.

3. A new tab will open displaying Skype for Business admin center.

4. On the left navigation menu, click each of the items, and review the results displayed on the right pane.

Task 4: Explore the SharePoint admin center

1. Click the portal.office.com tab.
2. On the left navigation menu, click Admin centers, and then click SharePoint.

3. A new tab will open displaying SharePoint admin center.

4. On the left navigation menu, click each of the items, and review the results displayed in the right pane.
5. Close Microsoft Edge.

Results: After completing this exercise, you should have provided a high-level overview of administrative
portals of Office 365.

To prepare for the next module

Keep the virtual machines running for the lab in the next module.

Module Review and Takeaways


Having completed this module, you can now describe the features and benefits of Office 365, provision
new tenant accounts, and plan a pilot deployment of Office 365.

Best Practices
Best practices for this stage of the Office 365 deployment process are:

• Ensure that you understand the organization’s need for Office 365.

• Identify any in-house services that are not going to transition to Office 365.

• Recruit the right people to be pilot users.

• Check that you have suitable infrastructure to support a connection to Office 365.

Review Question
Question: If you are selected to lead the Pilot at A. Datum Corporation, what personal
qualities, skills, and experience would you need to demonstrate to maximize the probability of
the organization moving to Office 365?

Module 2
Managing Office 365 users and groups
Contents:

Module Overview 2-1

Lesson 1: Managing user accounts and licenses 2-2

Lesson 2: Managing passwords and authentication 2-8

Lab A: Managing Office 365 users and passwords 2-12

Lesson 3: Managing security groups in Office 365 2-16

Lesson 4: Managing Office 365 users and groups with Windows PowerShell 2-20

Lesson 5: Configuring administrative access 2-33

Lab B: Managing Office 365 groups and administration 2-39

Module Review and Takeaways 2-46

Module Overview
After provisioning and configuring the Microsoft Office 365 tenant, the tenant administrator should create
users and groups so that the organization’s employees can start working with Office 365. Furthermore, the
tenant administrator should assign administrative roles to the members of the IT team who will be
responsible for managing the Office 365 tenant for the organization.

In this module, you will learn about managing users, groups, and licenses and configuring administrative
access by using the Office 365 console and the Windows PowerShell command-line interface.

Objectives
After completing this module, you should be able to:

• Manage user accounts and licenses by using the Office 365 admin center.

• Manage passwords and authentication.

• Manage security and distribution groups by using the Office 365 admin center.

• Manage Office 365 users and groups by using Windows PowerShell.

• Configure administrative access.



Lesson 1
Managing user accounts and licenses
As the administrator of your organization’s Office 365 environment, you will be responsible for creating and
managing user accounts for all of its users. Administrative tasks for a user account include creating and
managing user objects, creating and configuring password policies, configuring self-service password
management, and configuring multi-factor authentication.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the user account types.

• Explain how to create user accounts by using the Office 365 admin center.

• Explain how to manage user licenses by using the Office 365 admin center.

• Explain how to manage user accounts by using the Office 365 admin center.

• Explain how to delete and restore user accounts by using the Office 365 admin center.

User account types


You can create and manage users in three ways:

• Cloud identities. When using cloud identities, you create and manage users in Office 365 only.

• Directory synchronized identities. You use an on-premises directory service to synchronize with
Office 365. This method has the added complexity of installing and configuring synchronization
software to ensure that directory objects synchronize successfully with Office 365.

• Federated identities by using Active Directory Federation Services (AD FS). When using federated
identities, administrators manage on-premises users and synchronize on-premises directory objects
with Office 365. The users’ passwords are the same both locally and in the cloud; therefore, users sign
in only once to use on-premises and Office 365 applications. The process of users signing in only once
is referred to as single sign-on (SSO).

When designing an Office 365 solution, administrators should consider which identity model is best for
their organization. Some models such as AD FS federated identity might entail more complexity and cost.
Moreover, organizations might switch from one identity model to another if needed in the future.

Note: Subsequent modules will cover federated identities that use AD FS for SSO. This
method involves installing identity federation software to extend directory synchronization, such
as in the second method above, but a directory synchronization tool performs the user
management process.

Creating user accounts


Depending on your needs, skills, and environment, you can use several methods to provision user
accounts:

• Office 365 admin center. This is a simple web interface for individually creating and managing users.

• Bulk add. This option provides a method for the bulk importation of multiple users into the
Office 365 admin center through a comma-separated value (CSV) file.

• Windows PowerShell. You can use this cmdlet-based and script-based interface to create and manage
single and multiple users.

• Directory synchronization. This option allows you to provision and manage users by synchronizing
Office 365 with an on-premises directory service. You can use the Azure Active Directory (Azure AD)
Connect tool to synchronize on-premises Active Directory objects with Azure AD objects in Office 365.
Module 4 covers directory synchronization in more detail.

Note: A later lesson in this module covers provisioning users with Windows PowerShell.
Provisioning users with directory synchronization is outside the scope of this module; Module 4 of
this course covers this.

Creating users with the Office 365 admin center


Using the Office 365 admin center is the simplest method for creating a single user account or a small
number of user accounts.

To create a single user:

1. Sign in to Office 365 admin center.

2. On the Office 365 admin center Home page, click Users to display the Active users list. You also can
access the Active users list by pointing to the Users menu in the left pane, and then clicking Active
users.

3. Click Add a user.

4. Fill in the user information.

5. Specify whether the user is an administrator or not.

6. Specify the user’s location.

7. Select which user licenses to assign.

8. Specify whether to send a confirmation email that contains a temporary password.

9. Create the user.

Note: The password is sent as plaintext in the email. If this is a concern, you need to use
another method to inform the user of their temporary password, such as in person, or through a
phone call or instant message.

Creating users with bulk add


You can use the bulk add option in the Office 365 admin center to import large numbers of users in one
operation by using a CSV file. A CSV file is a plain text file that you can use for storing a large amount of
record information in a specific format. Office 365 provides an empty template and a sample CSV file to
make the process easier. You can use a simple text-editing tool such as Notepad to edit these files.

Note: At the time of writing this course, the bulk add functionality is only available in the
previous Office 365 admin center.

To create users by using bulk import:

1. In the previous Office 365 admin center, click Users, click Active Users, and then click the bulk add
icon.

2. Browse to the CSV file that contains your users.

3. The verification result informs you if any errors are in your file; you can view the results in the linked
log file.
4. On the Settings page, set the new users’ sign-in status and location.

5. On the Assign Licenses page, specify which licenses the new users should have assigned to them.

6. Specify who should receive the email of the results. We recommend that you include your own email
address so that you can provide the temporary passwords to your new users.
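The same CSV-driven provisioning can be done from Windows PowerShell, which also avoids the plaintext-password email noted above. The block below is an added example, not course code: it uses the MSOnline module (`Connect-MsolService`, `New-MsolUser`) and a CSV constructed for the example, whose column names are this example's own rather than those of the Office 365 bulk-add template. The SKU string is a placeholder to be copied from `Get-MsolAccountSku`.

```powershell
# Added example (not course code): bulk-create users from a CSV with the MSOnline module.
# Assumes Connect-MsolService has already been run as a global or user management admin.
# The CSV below is constructed for this example; the Office 365 template uses its own column names.
$csv = @'
UserPrincipalName,FirstName,LastName,DisplayName,UsageLocation
lindsey@Adatumyyxxxxx.onmicrosoft.com,Lindsey,Gates,Lindsey Gates,GB
christie@Adatumyyxxxxx.onmicrosoft.com,Christie,Thomas,Christie Thomas,GB
'@
$users = $csv | ConvertFrom-Csv

# Placeholder: copy the AccountSkuId exactly as Get-MsolAccountSku reports it.
$sku = '<tenant>:ENTERPRISEPACK'

$results = foreach ($u in $users) {
    # Skip accounts that already exist so the script is safe to re-run.
    if (Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue) {
        Write-Warning "$($u.UserPrincipalName) already exists; skipping."
        continue
    }
    # With no -Password, the service generates a temporary one and returns it in .Password.
    # -ForceChangePassword makes the user replace it at first sign-in.
    $new = New-MsolUser -UserPrincipalName $u.UserPrincipalName `
        -FirstName $u.FirstName -LastName $u.LastName -DisplayName $u.DisplayName `
        -UsageLocation $u.UsageLocation -LicenseAssignment $sku -ForceChangePassword $true
    [pscustomobject]@{ UserPrincipalName = $new.UserPrincipalName; TempPassword = $new.Password }
}

# Keep the temporary passwords out of email (the admin center sends them in plaintext):
# write them to a file only the current user can read, hand them over out of band, then delete it.
$out = Join-Path $env:USERPROFILE 'new-user-passwords.csv'
$results | Export-Csv -Path $out -NoTypeInformation
icacls $out /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(F)" | Out-Null
Write-Output "Created $(@($results).Count) user(s); temporary passwords written to $out"
```

For a real import, replace the here-string with `Import-Csv -Path .\users.csv` against a file with the same columns. Delete the password file once the passwords have been delivered.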

Managing user licenses


Your organization’s users need licenses to use
Office 365 services such as Microsoft Outlook,
Microsoft SharePoint Online, and Microsoft Lync
Online. When you assign a license to a user, the
service automatically sets up for that user. For
example, when you assign a license for SharePoint
Online, the user is assigned edit permissions on the
default team site.

Assigning licenses to users


Only members of the global admin and user
management admin roles can assign or remove
licenses. You can assign or remove a license for
single or multiple users. To do this, you can use the Office 365 admin center or Windows PowerShell. To
assign or remove licenses for multiple users in the Office 365 admin center:

1. On the Office 365 admin center Home page, click Users.

2. Select the users whose licenses you want to assign or remove, and then in the More list, click Edit
product licenses.

3. On the Assign products page, you can change the user location, specify whether to replace or add to
existing licenses, and then select the services that you want to modify.

Note: When you remove a license from one of your users, any service data that is associated
with that user is deleted. You then have a 30-day grace period in which you can recover that data,
but after the grace period, the data is not recoverable at all.

Viewing license information


You can use the Office 365 admin center to view important information about your users’ license usage,
such as how many licenses you have used, how many are remaining, and which users are currently
unlicensed.

To view the number of licenses remaining:

1. In the Office 365 admin center, on the left navigation pane, on the Billing menu, click Licenses.

2. Note how many licenses are valid and how many licenses have been assigned.

To view any unlicensed users:


1. On the Office 365 admin center Home page, click Users.

2. Click the Filters drop-down list.

3. In the drop-down list box, click Unlicensed users.
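The license views and the assign/remove operations described in the two sections above have direct equivalents in the MSOnline module. The following is an added example, not course code; it assumes `Connect-MsolService` has been run with a global admin or user management admin account, and the SKU string is a placeholder to be copied from `Get-MsolAccountSku`. The `Remove-LicenseWithAudit` helper is this example's own, written so that a license removal (which starts the 30-day clock on the user's service data) leaves a record.

```powershell
# Added example (not course code): license inventory and assignment with the MSOnline module.
# Assumes Connect-MsolService has been run as a global or user management admin.

# Licenses purchased vs. consumed per SKU (what Billing > Licenses shows in the admin center).
Get-MsolAccountSku |
    Select-Object AccountSkuId, ActiveUnits, ConsumedUnits,
        @{ Name = 'Remaining'; Expression = { $_.ActiveUnits - $_.ConsumedUnits } }

# Users with no license at all (the 'Unlicensed users' filter in Active users).
$unlicensed = Get-MsolUser -UnlicensedUsersOnly -All | Select-Object UserPrincipalName, UsageLocation
$unlicensed

# Placeholder SKU: copy the AccountSkuId exactly as Get-MsolAccountSku reports it.
$sku = '<tenant>:ENTERPRISEPACK'

foreach ($u in $unlicensed) {
    # A license cannot be assigned until the usage location is set, because some services are
    # not offered in every country; report the gap rather than guessing a location.
    if (-not $u.UsageLocation) {
        Write-Warning "$($u.UserPrincipalName) has no usage location; set it before licensing."
        continue
    }
    Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $sku
}

# Removing a license deletes the user's service data after the 30-day grace period,
# so record who lost which license, and when, before the removal runs.
function Remove-LicenseWithAudit {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$AccountSkuId
    )
    $entry = [pscustomobject]@{
        Time   = (Get-Date).ToString('o')
        User   = $UserPrincipalName
        Sku    = $AccountSkuId
        Action = 'RemoveLicense'
    }
    $entry | Export-Csv -Path (Join-Path $env:USERPROFILE 'license-changes.csv') -Append -NoTypeInformation
    Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -RemoveLicenses $AccountSkuId
}

# Example call with a placeholder UPN:
# Remove-LicenseWithAudit -UserPrincipalName 'user@Adatumyyxxxxx.onmicrosoft.com' -AccountSkuId $sku
```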

Managing user accounts


You need to manage several account settings, such
as assigning administrator roles, setting users’
sign-in status, specifying user location settings,
and assigning licenses, regardless of the method
that you use to provision user accounts. You can
manage these user settings by using the Office 365
admin center or Windows PowerShell cmdlets;
however, this lesson only discusses the Office 365
admin center method to manage users and their
licenses.

Editing users
You can use the Office 365 admin center to edit
single or multiple users. To edit multiple users:

1. On the Office 365 admin center Home page, click Users.

2. Click the user account that you want to edit to open the user properties page.

3. In the Contact information section, you can make changes to the selected user’s name and to
organizational information such as department and organizational contact information.

4. In the Email address section, you can change the user email addresses.

5. In the Sign-in status section, you can specify the sign-in status of the selected users. You can set this to
Allowed or Blocked. If you set it to Blocked, the user cannot sign in to Office 365. The user is not
immediately blocked from accessing services, but they will be blocked at the next sign-in attempt.
Typical reasons for blocking a user might be that they are a contract worker or that they have left the
organization but you want to retain their email information.

6. In the Roles section, you can specify whether the selected users should have Administrator
permissions. The last lesson in this module discusses the different administrator roles.

7. In the Product licenses section, you can set the user location. Because certain countries do not allow
some services, Microsoft needs to know the location of each user who utilizes its Office 365 services so
that it only offers permitted services to that user. You also can leave assigned licenses as they are,
replace existing license assignments with new ones, or add new licenses to existing license assignments.

8. In the Mailbox permissions section, you can assign permissions to the user mailbox.

To ensure that you create and manage your Office 365 users correctly, follow these best practices:

• Design your user account plan with the future in mind.

• Standardize your organizational user naming convention.

• Ensure that you enter the correct names for the display name when creating accounts.

• If you decide to start using directory synchronization in the future, ensure that you look for potential
duplicate names and account details before you synchronize.

Deleting and recovering user accounts


When users leave your organization, they no
longer require a user account in Office 365. You
must delete their user accounts to ensure that they
can no longer access Office 365. When you delete
a user account, the assigned Office 365 license for
that user becomes available, which you can assign
to another user.

To delete one or more users:

1. In the Office 365 admin center Home page, click Users.

2. Select the users that you want to delete, click the More drop-down list, and then click Delete Users.

3. In the message box, click Yes to delete the selected users.

4. When they have been successfully deleted, click Close.

You can also use Windows PowerShell to delete user accounts by using the Remove-MsolUser cmdlet
with either the -ObjectId <Guid> or the -UserPrincipalName <String> parameter.

When you delete a user account, the account becomes inactive and the user cannot sign in to access
Office 365 services. However, you might need to restore a user’s account after deletion. Office 365 retains
the account as a soft deleted inactive account for 30 days after deletion; this enables you to restore the
account in such situations.

To restore a user:

1. In the Office 365 admin center, on the Users menu click Deleted Users.

2. Select the user that you want to restore, and then click Restore.

3. Select how you want to assign the user password, and then click Restore.

You can also use Windows PowerShell to restore deleted user accounts by using the Restore-MsolUser
cmdlet. A later lesson in this module covers this.
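The offboarding sequence described above (block sign-in, delete, and if necessary restore within 30 days) looks like this in the MSOnline module. This is an added example, not course code; it assumes `Connect-MsolService` has been run as a global admin, and the UPN is a placeholder.

```powershell
# Added example (not course code): offboarding a user with the MSOnline module.
# Assumes Connect-MsolService has been run as a global admin. The UPN is a placeholder.
$upn = 'user@Adatumyyxxxxx.onmicrosoft.com'

# Step 1: block sign-in first (Sign-in status = Blocked). The account and its data stay
# intact; the user is turned away at the next sign-in attempt rather than immediately.
Set-MsolUser -UserPrincipalName $upn -BlockCredential $true

# Step 2: delete when the account is no longer needed; the license returns to the pool.
Remove-MsolUser -UserPrincipalName $upn -Force

# Step 3: the account is soft-deleted for 30 days. Confirm it is in the recycle bin and
# when it will be purged, so a restore request can be checked against that date.
Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $upn |
    Select-Object UserPrincipalName, SoftDeletionTimestamp,
        @{ Name = 'PurgeAfter'; Expression = { $_.SoftDeletionTimestamp.AddDays(30) } }

# Step 4: restore within the 30 days if needed. -AutoReconcileProxyConflicts handles the case
# where another object has since taken one of the user's email addresses.
Restore-MsolUser -UserPrincipalName $upn -AutoReconcileProxyConflicts

# Check the sign-in status after the restore and unblock explicitly if it is still blocked.
if ((Get-MsolUser -UserPrincipalName $upn).BlockCredential) {
    Set-MsolUser -UserPrincipalName $upn -BlockCredential $false
}
```

Blocking before deleting is the safer order for a leaver: it stops access at once while leaving the mailbox recoverable, and the delete can follow once any retention needs are settled.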

Additional Reading:

• For more information, refer to How to troubleshoot deleted user accounts in Office 365,
Azure, and Intune: http://aka.ms/prede5.

• For more information, refer to Manage inactive mailboxes in Exchange Online:
http://aka.ms/qlb3b1.

Question: What types of user accounts are available in Office 365?



Lesson 2
Managing passwords and authentication
Organizations have to provide secure access to Office 365 for their employees and to protect data from
unauthorized access. One of the most important actions when securing access to Office 365 is to configure
secure password policies. Password policies require users to perform actions that increase password
protection, such as changing passwords at specified intervals, creating complex passwords, resetting their
own passwords, and signing in with multi-factor authentication.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe password policy options.

• Describe self-service password management.

• Describe the concept of multi-factor authentication.

• Explain how to plan password policies and authentication.

Password policy options


Office 365 helps provide secure access by requiring users to sign in with a password. You need to
perform various tasks in managing these passwords for your organization’s users. These tasks might
include changing passwords, setting password expiration, and resetting passwords.

Setting password expiration


By default, in Office 365, users’ passwords do not
expire until 90 days have passed, and users receive
notification of impending password expiration 14
days before it occurs.

You can use the Office 365 admin center to change this setting for your organization. To change the
password expiration policy, perform the following steps:

1. In the Office 365 admin center, on the Settings menu, click Security, and then click Edit.

2. Specify a number of days between 14 and 730 for password expiration.

3. Specify a number of days between 1 and 30 for the notification warning of password expiration.

4. Save your settings.

Note: If you want to change the setting for a user or users so that their password never
expires, you need to use the Microsoft Azure AD module for Windows PowerShell. This module will
cover this later.

If a user does not change their password before the expiration time has elapsed, they can still change it by
using the Password Update page that appears the next time they sign in. Alternatively, you can reset their
password for them.

Resetting user passwords


If necessary, you can reset a password for one or more users on the Active Users page. The selected users
will receive a new temporary password, which they will need to change the next time they sign in.
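The expiration policy, the per-user "never expires" setting referred to in the note above, and an admin-initiated reset can all be done from the Azure AD module for Windows PowerShell (MSOnline). The following is an added example, not course code; it assumes `Connect-MsolService` has been run as a global admin, and the domain and user names are placeholders.

```powershell
# Added example (not course code): password expiration policy and resets with the MSOnline module.
# Assumes Connect-MsolService has been run as a global admin. Domain and UPNs are placeholders.
$domain = 'Adatumyyxxxxx.onmicrosoft.com'

# Current policy: ValidityPeriod = days until a password expires,
# NotificationDays = how many days before expiry the user is warned (defaults 90 and 14).
Get-MsolPasswordPolicy -DomainName $domain

# Set the policy; the admin center accepts 14-730 days for validity and 1-30 for the warning.
Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod 90 -NotificationDays 14

# Per-user exemption from expiration (typically a service or shared account).
Set-MsolUser -UserPrincipalName "svc-scanner@$domain" -PasswordNeverExpires $true

# Audit: exempt accounts are the ones whose passwords never rotate, so list them with the
# date of the last change and review the list periodically.
Get-MsolUser -All | Where-Object { $_.PasswordNeverExpires } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp |
    Sort-Object LastPasswordChangeTimestamp

# Admin-initiated reset: with no -NewPassword the service generates a temporary password and
# returns it; -ForceChangePassword makes the user replace it at next sign-in.
# Deliver the returned value out of band (in person, phone call), not by email.
$temp = Set-MsolUserPassword -UserPrincipalName "lindsey@$domain" -ForceChangePassword $true
```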

Resetting admin passwords


If you forget your own administrator password, the two available options are:

• Ask another administrator to reset it for you. In this case, the other administrator must be a global
admin, a user management admin, or a password admin. However, if your account is a global admin
account, you must get another administrator with a global admin account to reset it for you.

• Reset the password yourself. In this case, as an administrator of the Office 365 cloud service, perform
the following steps to reset your password by using the Reset your password now option:

a. On the Office 365 sign-in page, click the Can’t access your account? link.

b. On the User verification page, provide your user ID and the required verification string.

c. Open your email inbox and look for an email message from Microsoft Online Services Team.

d. Click the Reset your password now link in the email.


e. On the Create a new password page, type in and then confirm a new password.

f. When the password resets, click the provided link to return to the sign-in page.

You must have already supplied an alternative email address in your account settings for this to work;
this must not be your Office 365 email address. Additionally, if you use a custom domain name or you
are using directory synchronization, you must have also supplied a phone number in your account
details that is capable of receiving text notifications. In this case, a code will generate automatically and
send as a text message to your mobile phone, and you will need to enter this code on the mobile
phone verification page.

Note: If resetting the password yourself, you must complete the entire admin password reset
process within 10 minutes; otherwise, you will need to start the process again.

Self-service password management


With Office 365 self-service password reset functionality, users enter their alternate personal
information, and they can reset their forgotten passwords. The tenant administrator has to enable
self-service password reset functionality for the tenant, and each user has to enter alternate personal
information in the Office 365 admin center.

If users forget their passwords, they can reset them by clicking the Can’t access your account? link on
the Office 365 Sign in page. However, if the users have not entered their alternate personal information,
they will not be able to reset their password and they will have to contact the tenant administrator to
reset their password. Microsoft support cannot reset forgotten passwords.

Self-service password reset functionality is available for Office 365 users who have cloud-based identities
only. However, some organizations have on-premises managed users who require write back of an updated
password to an on-premises Active Directory server. Write-back functionality is available in Microsoft Azure
Active Directory Premium (Azure AD Premium) or in the Enterprise Mobility Suite (EMS) subscription. If an
organization does not have an Azure AD Premium or EMS subscription, users who forget their passwords
must contact the tenant administrator to reset them.

Multi-factor authentication
Multi-factor authentication in Office 365 helps
increase security by requesting users to provide a
user name and a password while signing in and to
use a second authentication method. The second
authentication method might be acknowledging a
phone call, text message, or an app notification on
their smartphone. If the user names, passwords,
and second authentication method are verified,
the users can sign in to Office 365. You can also
enable users who authenticate from a federated,
on-premises directory for multi-factor
authentication.
The tenant administrator enables multi-factor authentication in the Office 365 admin center by performing
the following steps:

1. In the Office 365 admin center, on the Settings menu, click Apps.

2. On the Apps page, click Azure multi-factor authentication.

3. On the Azure multi-factor authentication page, click Manage Azure multi-factor authentication.

4. On the multi-factor authentication page, select the users that you need to enable for multi-factor
authentication, and then click Enable.

After the administrator enables users for multi-factor authentication, users have to configure their second
authentication factor at their next sign-in. You can use the following options as the second authentication
factor:

• Call my mobile phone. Users receive a phone call with instructions for the users to press the pound
key. After they press the pound key, users are signed in.

• Text code to my mobile phone. Users receive a text message containing a six-digit code that they
must enter into the Office 365 portal.

• Call my office phone. This option is the same as the Call my mobile phone option, but it enables the
user to use their office phone.

• Notify me through app. Users configure a smartphone app that receives a notification that users
need to confirm to sign in to Office 365. Smartphone apps are available for Windows phone, iPhone,
and Android devices.

• Show one-time code in app. Users configure a smartphone app and enter the six-digit code from the
app into the portal.
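Step 4 above (selecting users and clicking Enable) sets the per-user MFA state, which the MSOnline module exposes through the `StrongAuthenticationRequirements` property. The following is an added example, not course code: it assumes `Connect-MsolService` has been run as a global admin, the UPN is a placeholder, and the two functions (`Enable-UserMfa`, `Get-MfaCoverageReport`) are this example's own. The report is the check an administrator wants after enabling: which accounts still have no second factor, and which factor the enabled users registered.

```powershell
# Added example (not course code): enabling per-user MFA and auditing coverage with MSOnline.
# Assumes Connect-MsolService has been run as a global admin. UPNs are placeholders.

function Enable-UserMfa {
    param([Parameter(Mandatory)][string[]]$UserPrincipalName)
    # The per-user MFA state the admin center sets to "Enabled": the user must register a
    # second factor at the next sign-in. RelyingParty '*' applies it to every application.
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'
    foreach ($upn in $UserPrincipalName) {
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)
    }
}

function Get-MfaCoverageReport {
    # One row per user: MFA state and the registered methods (PhoneAppNotification,
    # OneWaySMS, TwoWayVoiceMobile, ...). 'Disabled' rows are the remaining gap.
    Get-MsolUser -All | ForEach-Object {
        $reqs = $_.StrongAuthenticationRequirements
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = if ($reqs.Count -gt 0) { $reqs[0].State } else { 'Disabled' }
            Methods           = ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','
        }
    }
}

# Enable MFA for one account (placeholder UPN), then list everyone still without it.
Enable-UserMfa -UserPrincipalName 'holly@Adatumyyxxxxx.onmicrosoft.com'
Get-MfaCoverageReport | Where-Object { $_.MfaState -eq 'Disabled' } | Format-Table -AutoSize
```

Review the 'Disabled' rows against the tenant's administrator accounts first (Get-MsolRoleMember lists the members of each role); those are the accounts where a stolen password does the most damage.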

Planning password policies and authentication


To ensure that you manage Office 365 passwords and password policies correctly, we recommend that
you adhere to the following best practices:

• Ensure that you correctly define the administrator roles. An organization should create a plan about
who will administer its Office 365 tenant, how many people to include in the administrators’ team,
and what permissions to assign to each of the administrator teams. Each team should be assigned the
exact security permissions that are necessary to perform their administrative tasks.

• Document and standardize password policies. Password policies should be well documented and
standardized according to an organization’s security strategy.

• Enforce the use of strong passwords. Strong passwords increase an organization’s security because
they are more difficult for an unauthorized user to guess.

• Use multi-factor authentication. Multi-factor authentication enhances an organization’s security by
protecting the organization from unauthorized users who might steal employees’ user names and
passwords.

• Ensure that users are educated on organizational security policies. Educate users about organizational
security procedures, especially regarding creating complex passwords, securing their passwords
against potential security threats, and resetting their forgotten passwords.

Question: What password policy options are available in Office 365?


Question: How can you enable multi-factor authentication in Office 365 and what multi-factor
authentication options are available?

Lab A: Managing Office 365 users and passwords


Scenario
After configuring an Office 365 tenant and preparing it for pilot deployment, you are now ready to start
creating user and group accounts in Office 365. You and your team need to be familiar with how to
configure these accounts by using the Office 365 admin center because this will be your primary tool for
managing the environment after the deployment is fully functional. Additionally, you need to make sure
that the password policy for Office 365 users matches the password policy for on-premises users.

Objectives
After completing this lab, you will be able to:

 Manage Office 365 users and licenses by using the Office 365 admin center.

 Manage Office 365 password policies.

Lab Setup
Estimated Time: 35 minutes
Virtual machine: 20347A-LON-DC1, 20347A-LON-CL1

User names: Adatum\Administrator for LON-DC1 and Adatum\Holly for LON-CL1

Password: Pa$$w0rd
In all tasks:

 In references to Adatumyyxxxxx.onmicrosoft.com, replace yyxxxxx with your unique Office 365 name
that displays on the online lab portal.

 In references to Adatumyyxxxxx.hostdomain.com, replace the Adatumyyxxxxx with your unique
hostdomain.com name that displays on the online lab portal.

This lab requires the following virtual machines:

 LON-DC1:

o Sign in as Adatum\Administrator with the password Pa$$w0rd

 LON-CL1:
o Sign in as Adatum\Holly with the password Pa$$w0rd

Exercise 1: Managing Office 365 users and licenses by using the Office 365
admin center
Scenario
The Office 365 tenant for A. Datum is now configured, and you need to start creating Office 365 users and
then managing the user licenses.

The main tasks for this exercise are as follows:

1. Create Office 365 users.

2. Edit Office 365 users.

3. Verify user settings.



 Task 1: Create Office 365 users


1. On LON-CL1, verify that you signed in as Adatum\Holly.

2. On LON-CL1, open Microsoft Edge, and then browse to https://portal.office.com/.

3. Sign in as Holly@Adatumyyxxxxx.onmicrosoft.com, where yyxxxxx is your unique Adatum number,
with the password Pa$$w0rd.

4. In the Office 365 admin center, create a new Lindsey Gates user account with user name Lindsey.
5. On the Create new user account results page, view the temporary password, and then note the
temporary password here: ____________

6. Repeat steps 4 and 5 to create the following users:

o Christie Thomas

o Amy Santiago

o Sallie McIntosh
o Francisco Chaves

7. Note their temporary passwords here:

o Christie Thomas _____________

o Amy Santiago _______________

o Sallie McIntosh _____________

o Francisco Chaves ___________

 Task 2: Edit Office 365 users


1. In the Office 365 admin center, in the Active Users list, select user Francisco Chaves, and then change
his Department attribute to Accounts.

2. In the Set sign-in status section, select Blocked.


3. In the Active Users list, under Display name, click Francisco Chaves.

4. Verify that the Department box displays Accounts.

5. Verify that Sign-in status is set to Blocked.

6. In the Active Users list, select Lindsey Gates, and then delete the user.

7. Under Users, click Deleted Users.

8. Verify that Lindsey Gates is in this list.

9. In the Deleted Users list, select the Lindsey Gates check box.

10. On the toolbar, click Restore. Note the new temporary password for the user.

11. Click Close.

12. Click Active Users.

13. Verify that Lindsey Gates is in this list.

 Task 3: Verify user settings


1. On LON-CL1, open Microsoft Edge, and then browse to https://login.microsoftonline.com/.

2. Sign in as Lindsey@Adatumyyxxxxx.hostdomain.com, where yyxxxxx is your unique Adatum
number, with the temporary password that you noted in the previous task.

3. If prompted, update Lindsey’s password to Pa$$w0rd.

4. If prompted, enter your new password again, and then click Sign in.

5. If you were not prompted to change your password at sign in, access the Office 365 settings page and
reset Lindsey’s password to Pa$$w0rd.

6. Verify that you can access the Office 365 portal home page.
7. Close and reopen Microsoft Edge, and then browse to https://login.microsoftonline.com/.

8. Sign in as Francisco@Adatumyyxxxxx.hostdomain.com, where yyxxxxx is your unique Adatum
number, with the temporary password that you noted in the previous task. Update the password for
Francisco to Pa$$w0rd.

9. Verify that you cannot sign in and that the message states that your account has been blocked.

10. Close Microsoft Edge.

11. Open Microsoft Edge, and then browse to https://login.microsoftonline.com/.

12. Sign in as holly@Adatumyyxxxxx.onmicrosoft.com, where yyxxxxx is your unique Adatum number,
with the password Pa$$w0rd.

13. In the Office 365 admin center, edit the user account for Francisco Chaves by configuring the Sign-in
status section to Allowed.

14. Sign out of Office 365.

15. Open Microsoft Edge, and then browse to https://login.microsoftonline.com/.

16. Sign in as Francisco@Adatumyyxxxxx.hostdomain.com, where yyxxxxx is your unique Adatum
number, using the temporary password.

17. Update the password for Francisco to Pa$$w0rd.

18. Verify that you can access the Office 365 portal.

19. Close Microsoft Edge.

Results: After completing this exercise, you should have created and managed user accounts and licenses
according to business needs.

Exercise 2: Managing Office 365 password policies


Scenario
Your organization has configured a password policy for on-premises users that requires a complex
password, and it requires users to change their passwords every 60 days. You need to ensure that the
password policy for the pilot users on Office 365 matches the policy for on-premises users, and you need to
report any settings that you cannot configure to match.

The main tasks for this exercise are as follows:

1. Configure the Office 365 password policy.

2. Validate the password policy.



 Task 1: Configure the Office 365 password policy


1. Open Microsoft Edge, and then browse to https://login.microsoftonline.com/.

2. Sign in as Holly@Adatumyyxxxxx.onmicrosoft.com with the password Pa$$w0rd.

3. In the Office 365 admin center, set the password expiration policy to 14 days before the passwords
expire.

Note: This setting does not correspond with a real-world scenario. Use it as a sample
scenario to verify the policy applied in the next exercise task.

4. In the Days before a user is notified about expiration box, leave the default value of 14.

5. Verify that the “Password policy has been updated” message appears at the top of the page.

 Task 2: Validate the password policy


1. In the Office 365 admin center, sign out as Holly, and then sign in as
Lindsey@Adatumyyxxxxx.hostdomain.com, where yyxxxxx is your unique Adatum number, with the password
Pa$$w0rd.

2. On the upper-right side of the window, verify that the notification appears with the following
information: “Time to change your password. Your password will expire in 13 days.”

Note: You have now verified that your password policy is applied. In a real-world scenario,
after you verify that the password policy is applied, you would need to increase the number of
days before the password expires, according to your organizational policy.

3. Close Microsoft Edge.

Results: After completing this exercise, you should have configured and validated an Office 365 password
policy.

 To prepare for the next lab


Keep the virtual machines running for the next lab in this module.

Lesson 3
Managing security groups in Office 365
After all users for the Office 365 tenant have been created, administrators should create the necessary
groups for distributing email to multiple users with Exchange Online. Administrators also configure security
permissions with SharePoint Online so that users can collaborate and share documents with each other by
having assigned rights and access to SharePoint sites and documents according to the organization’s security
policies.

Lesson Objectives
After completing this lesson, you will be able to:

 Describe groups in Office 365.

 Explain how to create and configure security groups by using the Office 365 admin center.

 Explain how to delete security groups by using the Office 365 admin center.

Overview of groups in Office 365


While the Office 365 admin center uses security groups to organize users, Office 365 includes the
following groups:

 Office 365 groups. Office 365 groups are similar to distribution groups. An Office 365 group has its own
mailbox, and its members receive email messages that are sent to the group. In addition, the Office 365
group provides a shared workspace for email, conversations, files, and calendar events. This shared
workspace allows members to collaborate on a project. All conversations are stored in the group; a
dedicated calendar is available to the group; and a dedicated OneDrive for Business storage is available
for group documents.

 Exchange Online groups. Use these groups to send email messages or assign permissions to a group of
users.
 SharePoint Online groups. Use these groups to grant users permissions to access sites and site
resources.

Exchange Online groups


You can create and manage the following three types of mail-enabled groups in the Exchange admin
center:

 Distribution groups. Use these groups only to distribute messages to a set of recipients.

 Mail-enabled security groups. Use these groups to distribute messages and to provide access to
resources.

 Dynamic distribution groups. These groups do not have a predefined member list, because they use
recipient filters and conditions that you define to determine membership dynamically at the time that
messages are sent.

In the previous Office 365 admin center, you cannot edit groups that you create in the Exchange admin
center, even though the groups appear in the Security Groups list of the GROUPS section. You can edit
distribution groups in the new Office 365 admin center.

Note: Only Exchange Online distribution groups and mail-enabled security groups appear in
the Office 365 admin center. Dynamic distribution groups do not appear in the Office 365 admin
center.

SharePoint Online groups


SharePoint Online groups are collections of users who have the same permission level, allowing you to
grant access to your SharePoint Online sites to multiple users. SharePoint Online groups greatly enhance
and simplify the permissions-management process for administrators. Although SharePoint Online groups
can contain individual users, it is better to populate them with security groups from Office 365.

Note: SharePoint Online groups cannot contain distribution groups.

Several built-in groups are created when you create a site collection in SharePoint Online. These are
referred to as default SharePoint Online groups. Which default SharePoint Online groups are created
depends on the site template that is used to create the site. For example, the Team Site template contains
three different SharePoint Online groups: Visitors, Members, and Owners.

Determining group types


You can determine the different types of groups by using the Office 365 admin center. When you view
groups in the Office 365 admin center, the Type column displays the group type for your reference. You
can also use the Get-MsolGroup | Select DisplayName, GroupType command in the Azure AD module
for Windows PowerShell to display group type information.

To ensure that you create and manage your Office 365 security groups correctly, we recommend the
following best practices:

 Organize users into logical groups that have similar access needs.

 Add users to security groups and then add those security groups to SharePoint Online default groups
rather than adding individual users to the groups.

 Keep your group naming convention simple but clear.

 Maintain a consistent and well-defined account provisioning process.

 Create policies and procedures for ongoing group maintenance.



Creating and configuring groups

Creating Office 365 security groups


You can use the Office 365 admin center to organize users into logical groupings to which you can assign
permissions in SharePoint Online. For example, you could create a security group with all users from the
Sales department to allow them Full Control access to a sales SharePoint site collection.

You can add and grant permissions to individual users or security groups, and you can add them directly to
the default SharePoint Online groups that already have predefined permissions. However, we recommend
adding users to Office 365 security groups and then assigning SharePoint site permissions to the groups
rather than to individual users. After you set up your security group structure in Office 365 and grant
permissions to those security groups to sites in SharePoint Online, you can add users to the appropriate
security groups in Office 365. This gives users the necessary rights to the SharePoint sites.

To create a security group in the Office 365 admin center:


1. In the Office 365 admin center, on the left navigation pane, click Groups.

2. Click Add a group, and on the Add a group page, select security group, provide a group name and
description for the group, and then click Add.
3. On the group property page, add the users that you want to add to the security group.

You can also use Windows PowerShell to create security groups for Office 365 by using the
New-MsolGroup cmdlet; a later lesson in this module covers this.

Note: Later modules in this course cover the management of Office 365 groups and
distribution groups.

Nesting security groups


In the previous Office 365 admin center, you can nest security groups by adding one security group to
another. To do this, when adding group members in the previous Office 365 admin center, click the Filter
icon, and then select Groups from the drop-down list box. You can also nest security groups by using
Windows PowerShell, but this option is not available in the new Office 365 admin center.

Editing security groups


The items that you can edit in an existing security group are its name, description, and members.

Note: You cannot use the Office 365 admin center to edit security groups if they are
synchronized with your on-premises Active Directory; you must use local Active Directory
management tools for this purpose.

Deleting groups
When you no longer need a security group, you can delete it by using the Office 365 admin center or
Windows PowerShell. Unlike user accounts, when you delete a security group, it is permanently deleted and
cannot be restored. User accounts that were members of the deleted security group remain intact.

To delete a security group in the Office 365 admin center:

1. In the Office 365 admin center, on the Groups menu, click Groups.

2. Select the security group or groups that you want to delete.

3. In the details pane on the right, click Delete Group.

4. Confirm that you want to delete the group.

Question: List the three types of mail-enabled groups in Exchange Online in Office 365.

Lesson 4
Managing Office 365 users and groups with Windows
PowerShell
By using the Azure AD module for Windows PowerShell, you can connect to Office 365 to perform
administrative tasks that are not practical, or even possible, by using the Office 365 admin center. For
example, you can use the Azure AD module for Windows PowerShell to automate mundane, repetitive
tasks such as creating large numbers of user accounts, adding users to groups, and updating multiple user
properties.

In this lesson, you will learn how to use Windows PowerShell to configure multiple user settings, how to
carry out a bulk update of user properties, how to create users and manage their licenses in bulk by using
the Azure AD module for Windows PowerShell cmdlets, and how to delete users.

Lesson Objectives
After completing this lesson, you will be able to:

 Describe how to manage Office 365 by using Windows PowerShell.


 Explain how to manage users and licenses by using Windows PowerShell.

 Explain how to manage security groups by using Windows PowerShell.

 Explain how to import users and groups by using Windows PowerShell.


 Explain how to manage users and groups by using Windows PowerShell scripts.

 Explain how to configure password policies by using Windows PowerShell.

Overview of managing Office 365 by using Windows PowerShell


By using Azure AD module for Windows PowerShell cmdlets along with powerful scripts, you can drastically
reduce the time and effort that are required to perform repetitive administrative tasks. The following is a
list of typical management tasks that you can perform by using the Azure AD module for Windows
PowerShell with Office 365:

 User management
 License assignment

 Security group management

 Password management

 Domain management

 Admin role assignments

Azure AD module for Windows PowerShell requirements


You must meet the following prerequisites to run the Azure AD module:

 Your computer must be running Windows 8, Windows 7, Windows Server 2012, or
Windows Server 2008 R2.

 You must install the Microsoft .NET Framework 3.5.1 feature.



 You must install all software updates that the Microsoft cloud services to which you have subscribed
require.

 You must install the appropriate version of the Microsoft Online Services Sign-in Assistant for your
operating system from the Microsoft Download Center.

Installing the Azure AD module for Windows PowerShell and connecting to Azure AD
To take advantage of Azure cmdlets for Windows PowerShell, you need to download and install the
relevant Windows PowerShell module for Azure for your operating system.

Note: You can download the 64-bit version of the Azure AD module for Windows
PowerShell from the Microsoft Download Center at http://aka.ms/siqtee, and you can download
the 32-bit version at http://aka.ms/fohrds.

After you install the Windows PowerShell module for Azure, you need to connect to your online service
through your subscription. To connect to your online service:

1. Open the new Azure AD module for Windows PowerShell console by using the desktop shortcut.

2. At the command prompt, type the following command, and then press Enter:

connect-msolservice

3. You will be prompted for your credentials.

Getting help on cmdlets


Numerous Azure PowerShell cmdlets can do a multitude of actions to different object types, such as users,
groups, licenses, passwords, and domains.

Additional Reading: For a detailed list of Azure management cmdlets, refer to
AzureADHelp: http://aka.ms/rlunlo.

For basic help on a specific cmdlet:

1. Open the Azure AD module for Windows PowerShell.

2. At the command prompt, type the following command, and then press Enter:

Get-Help cmdletname

For example, Get-Help set-msoluser.

For more detailed help on a specific cmdlet, at the command prompt, type one of the following commands,
and then press Enter:

Get-Help cmdletname -examples

Get-Help cmdletname -detailed

Get-Help cmdletname -full

For example, Get-Help set-msoluser -detailed.



Managing users and licenses by using Windows PowerShell


You can use several Windows PowerShell cmdlets
to perform tasks that relate to user management
and license management in Office 365.

Adding users and licenses


When a new user joins your organization, you can
use the New-MsolUser cmdlet to create an
account in Office 365. This cmdlet can also assign a
user license at the same time so that the user can
start accessing online services.
To create a user without a license:

1. Open the Azure AD module for Windows PowerShell.

2. At the command prompt, type the following command, and then press Enter:

New-MsolUser -UserPrincipalName username@domainname -DisplayName "Firstname Lastname" -FirstName "Firstname" -LastName "Lastname"

For example:

New-MsolUser -UserPrincipalName melissa@Adatum.onmicrosoft.com -DisplayName "Melissa MacBeth" -FirstName "Melissa" -LastName "MacBeth"

To create a user and assign them a license, at the command prompt, type the following command, and
then press Enter:

New-MsolUser -UserPrincipalName username@domainname -DisplayName "Firstname Lastname" -FirstName "Firstname" -LastName "Lastname" -UsageLocation "2-letter location code" -LicenseAssignment "license"

For example:

New-MsolUser -UserPrincipalName melissa@Adatum.onmicrosoft.com -DisplayName "Melissa MacBeth" -FirstName "Melissa" -LastName "MacBeth" -UsageLocation "US" -LicenseAssignment "Adatum:ENTERPRISEPACK"

Managing user licenses


You can use the Get-MsolAccountSku cmdlet to view the current licensing information for your Office 365
tenant, which includes the number of licenses that are currently available and how many are in use. You can
use the Get-MsolUser cmdlet with the -UnlicensedUsersOnly switch to view a list of users who currently
do not have a license.

Additionally, in the Office 365 admin center, you can view how many licenses your organization has
purchased and how many remain that you can use. However, in the Office 365 admin center, you cannot
easily ascertain which licenses are assigned to which users.

Instead, you can use Windows PowerShell to get a list of all of your Office 365 tenant users with the licenses
that are assigned to each of them, and you can save the results to a CSV file. To get a list of users and their
licenses, at the command prompt, type the following command, and then press Enter:

Get-MsolUser -All | ft DisplayName, Licenses | Out-File "filelocation"



For example:

Get-MsolUser -All | ft DisplayName, Licenses | Out-File "c:\userlicenses.csv"

The Set-MsolUserLicense cmdlet enables you to add user licenses, remove user licenses, and update
licensing options. To add a license to a user, at the command prompt, type the following command, and
then press Enter:

Set-MsolUserLicense -UserPrincipalName username@domainname -AddLicenses "license"

For example:

Set-MsolUserLicense -UserPrincipalName melissa@Adatum.onmicrosoft.com -AddLicenses "Adatum:ENTERPRISEPACK"

To remove a license from a user, at the command prompt, type the following command, and then press
Enter:

Set-MsolUserLicense -UserPrincipalName username@domainname -RemoveLicenses "license"

For example:

Set-MsolUserLicense -UserPrincipalName melissa@Adatum.onmicrosoft.com -RemoveLicenses "Adatum:ENTERPRISEPACK"

If you want to replace one license with another, you can do this as a single operation so that the user does
not remain in an intermediate state. For example, you might want to change from a deskless license to an
enterprise license, or you might want to upgrade from a standard license (E1) to an enterprise license (E3).

To add and remove licenses in one operation, at the command prompt, type the following command, and
then press Enter:

Set-MsolUserLicense -UserPrincipalName username@domainname -AddLicenses "newlicense" -RemoveLicenses "oldlicense"

For example:

Set-MsolUserLicense -UserPrincipalName melissa@Adatum.onmicrosoft.com -AddLicenses "Adatum:ENTERPRISEPACK" -RemoveLicenses "Adatum:STANDARDPACK"

This would upgrade the user’s license from an E1 plan to an E3 plan.

Bulk license updates


If you need to update licenses for a large number of users, you can use a Windows PowerShell script to add
and remove licenses in one operation. If you need to upgrade users from an E1 license to an E3 license, you
must first generate a CSV file with the list of users who currently have an E1 license, and then you import
that CSV file by using the Import-Csv cmdlet. You will also need to include a script that will add and
remove the required licenses for each user identified by its UserPrincipalName property in the imported
CSV file.

Note: Writing these scripts is outside the scope of this course.
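
The course leaves the script itself out of scope; the following is an added example (not course code) of
one way to write it. It assumes the tenant prefix Adatum, a review file at C:\e1users.csv, and that
Connect-MsolService has already been run in the session.

```powershell
# Added example, not course code: upgrade every user who holds the E1 SKU to E3 with a single
# Set-MsolUserLicense call per user. Assumes the tenant prefix 'Adatum', the review file path below,
# and that Connect-MsolService has already been run in this session.
$oldSku  = 'Adatum:STANDARDPACK'   # E1
$newSku  = 'Adatum:ENTERPRISEPACK' # E3
$csvPath = 'C:\e1users.csv'        # assumed path for the list to review

# Step 1: find the users who currently hold the old SKU.
$e1Users = @(Get-MsolUser -All | Where-Object { $_.Licenses.AccountSkuId -contains $oldSku })
if ($e1Users.Count -eq 0) { Write-Output "No users hold $oldSku."; return }

# Step 2: refuse to start if the tenant does not have enough free E3 licenses for all of them;
# otherwise the loop would succeed for some users and fail part-way through.
$e3 = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $newSku }
if (-not $e3) { throw "SKU $newSku is not present in this tenant." }
$free = $e3.ActiveUnits - $e3.ConsumedUnits
if ($free -lt $e1Users.Count) {
    throw "Need $($e1Users.Count) free $newSku licenses but only $free are available."
}

# Step 3: export the candidate list so it can be reviewed (and edited) before any change is made.
$e1Users | Select-Object UserPrincipalName, DisplayName |
    Export-Csv -Path $csvPath -NoTypeInformation

# Step 4: read the reviewed list back and swap the licenses. -AddLicenses and -RemoveLicenses in
# one call means the user is never left in the intermediate unlicensed state.
Import-Csv -Path $csvPath | ForEach-Object {
    $upn = $_.UserPrincipalName
    try {
        Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $newSku -RemoveLicenses $oldSku -ErrorAction Stop
        Write-Output "Upgraded $upn from $oldSku to $newSku"
    } catch {
        Write-Warning "Failed to upgrade $upn : $($_.Exception.Message)"
    }
}
```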



Assigning a subset of licenses


If you only want to assign a subset of service plans from an enterprise license to a user, you can use the
Set-MsolUserLicense cmdlet with the -LicenseOptions switch. To do this, you first need to determine the
individual names of each of the service plans in the enterprise license pack.

To view the individual service plans, at the command prompt, type the following command, and then press
Enter:

Get-MsolAccountSku | Where-Object {$_.SkuPartNumber -eq 'ENTERPRISEPACK'} | ForEach-Object {$_.ServiceStatus}

The above command returns a list of the individual service plans; however, a number of the service plan
names are difficult to interpret. The following table provides a description of each abbreviated service plan
name.

Service plan name        Description
YAMMER_ENTERPRISE        Yammer
RMS_S_ENTERPRISE         Rights Management Services
OFFICESUBSCRIPTION       Office Professional Plus
MCOSTANDARD              Lync Online
SHAREPOINTWAC            Microsoft Office Online
SHAREPOINTENTERPRISE     SharePoint Online
EXCHANGE_S_ENTERPRISE    Exchange Online

Now that you know what the service plans are called, you can use the Set-MsolUserLicense cmdlet with
the -LicenseOptions switch to assign a subset of service plans from the enterprise license pack. You must
specify the tenant account SKU ID and then disable the service plans that you do not want to include.

For example, to assign only the Office Professional Plus, Lync Online, and SharePoint Online licenses to a
user:

1. At the command prompt, type the following command, and then press Enter:

$options = New-MsolLicenseOptions -AccountSkuId tenantname:ENTERPRISEPACK `
    -DisabledPlans YAMMER_ENTERPRISE, RMS_S_ENTERPRISE, SHAREPOINTWAC, EXCHANGE_S_ENTERPRISE

This saves the resulting license options to the $options variable, which you can then assign to the
-LicenseOptions switch when assigning licenses to the user.

2. At the command prompt, type the following command, and then press Enter:

Set-MsolUserLicense –UserPrincipalName username@domainname -LicenseOptions $options

For example:

Set-MsolUserLicense -UserPrincipalName melissa@Adatum.onmicrosoft.com -LicenseOptions $options
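
As an added example (not course code), the following function generalizes the steps above: instead of
listing the plans to disable, you name the plans to keep, and the disabled list is computed from the SKU's
own ServiceStatus. Set-UserLicenseSubset is a hypothetical name; the example assumes the tenant prefix
Adatum and that Connect-MsolService has been run.

```powershell
# Added example, not course code: assign the E3 SKU to a user but enable only the service plans
# named in -KeepPlans; every other plan in the SKU is disabled through New-MsolLicenseOptions.
# Assumes Connect-MsolService has been run and the tenant prefix 'Adatum'.
function Set-UserLicenseSubset {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string[]]$KeepPlans,
        [string]$AccountSkuId = 'Adatum:ENTERPRISEPACK',
        [string]$UsageLocation = 'US'
    )
    # Read the plan names from the SKU itself rather than hard-coding the table above, so the
    # disabled list stays complete if the pack later gains plans.
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
    if (-not $sku) { throw "SKU $AccountSkuId is not present in this tenant." }
    $allPlans = @($sku.ServiceStatus | ForEach-Object { $_.ServicePlan.ServiceName })

    # A typo in -KeepPlans would silently disable a plan the caller meant to keep, so reject it.
    $unknown = @($KeepPlans | Where-Object { $allPlans -notcontains $_ })
    if ($unknown.Count -gt 0) { throw "Not plans of $AccountSkuId : $($unknown -join ', ')" }

    $disabled = @($allPlans | Where-Object { $KeepPlans -notcontains $_ })
    $options  = New-MsolLicenseOptions -AccountSkuId $AccountSkuId -DisabledPlans $disabled

    # A usage location is required before any license can be assigned.
    Set-MsolUser -UserPrincipalName $UserPrincipalName -UsageLocation $UsageLocation

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    if ($user.Licenses.AccountSkuId -contains $AccountSkuId) {
        # Already holds the SKU: only the plan options change.
        Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -LicenseOptions $options
    } else {
        Set-MsolUserLicense -UserPrincipalName $UserPrincipalName `
            -AddLicenses $AccountSkuId -LicenseOptions $options
    }

    # Return the resulting per-plan status so the caller can confirm what is actually enabled.
    (Get-MsolUser -UserPrincipalName $UserPrincipalName).Licenses |
        Where-Object { $_.AccountSkuId -eq $AccountSkuId } |
        ForEach-Object { $_.ServiceStatus } |
        Select-Object @{ n = 'Plan'; e = { $_.ServicePlan.ServiceName } }, ProvisioningStatus
}

# Sample call: Office Professional Plus, Lync Online and SharePoint Online only (the same result as
# the course example above, which disables the other four plans explicitly).
Set-UserLicenseSubset -UserPrincipalName 'melissa@Adatum.onmicrosoft.com' `
    -KeepPlans OFFICESUBSCRIPTION, MCOSTANDARD, SHAREPOINTENTERPRISE | Format-Table -AutoSize
```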

Deleting users
When a user leaves the organization, you can use the Remove-MsolUser cmdlet to detach the user from
Office 365. This cmdlet deletes the user, the user’s licenses, and any other associated data. This type of
deletion is also known as a soft delete.

To delete a user without confirming the operation, at the command prompt, type the following command,
and then press Enter:

Remove-MsolUser -UserPrincipalName username@domainname -Force

For example:

Remove-MsolUser -UserPrincipalName melissa@Adatum.onmicrosoft.com -Force

Note: The -Force switch performs the deletion without requiring you to confirm the
operation at the command prompt. While this speeds up the operation, it does create the
possibility of human error.

Similar to the Office 365 admin center, when you delete a user, by default, his or her account remains in the
Deleted Users view (the recycle bin) for 30 days before it is permanently deleted. This allows you some time
to retrieve accounts that were perhaps deleted in error. However, if you wish to remove an already deleted
account permanently from the recycle bin, you can use the -RemoveFromRecycleBin switch. This type of
deletion is also known as a hard delete.

To delete a user from the recycle bin permanently, at the command prompt, type the following command,
and then press Enter:

Remove-MsolUser -UserPrincipalName username@domainname -RemoveFromRecycleBin

For example:

Remove-MsolUser -UserPrincipalName melissa@Adatum.onmicrosoft.com -RemoveFromRecycleBin

Restoring users
If you accidentally delete a user, you can use the Restore-MsolUser cmdlet to restore the user account
from the recycle bin back to its original state, as long as you do this within 30 days of the deletion.

To restore a user account from the recycle bin:

1. At the command prompt, type the following command, and then press Enter:

Get-MsolUser -ReturnDeletedUsers

2. Note the UserPrincipalName of the user you want to restore, and at the command prompt, type the
following command, and then press Enter:

Restore-MsolUser -UserPrincipalName userprincipalnameofusertorestore

Additional Reading: For more information, refer to How to troubleshoot deleted user
accounts in Office 365, Azure, and Intune: http://aka.ms/g5rx76.

Managing groups by using Windows PowerShell


You can use several Windows PowerShell cmdlets
to perform tasks that relate to security group
management in Office 365.

Creating security groups


You use security groups in Office 365 to organize users logically. You can use the Get-MsolGroup cmdlet to
return a detailed list of all the security groups that exist for your tenant, up to a maximum of 250 groups.
The information in the returned list includes the following:

 ObjectId, which is useful when running other cmdlets

 Display name

 Group type

 Description

To create a security group:

1. Open the Azure AD module for Windows PowerShell.

2. At the command prompt, type the following command, and then press Enter:

New-MsolGroup -DisplayName "displayname" -Description "description"

For example:

New-MsolGroup -DisplayName "Sales" -Description "Sales Team"

Deleting security groups


Use the Remove-MsolGroup cmdlet to delete a security group from your Office 365 tenant.
To delete a security group, at the command prompt, type the following command, and then press Enter:

Remove-MsolGroup -ObjectId objectid -Force

For example:

Remove-MsolGroup -ObjectId 6146df44-dfec-4a88-958b-f5627deb0b1a -Force

Note: Rather than determining and using the -ObjectId parameter when deleting a group,
you can use a variable such as $groupId and the Get-MsolGroup cmdlet with the -SearchString
parameter.

Adding and removing users from a security group


Use the Add-MsolGroupMember cmdlet to add members to a security group. The new members can be
users or other security groups, if you nest your security groups.

To determine a user’s ObjectId, at the command prompt, type the following command, and then press
Enter:

Get-MsolUser -All | Select UserPrincipalName, ObjectId

This returns a list of all users with their UserPrincipalName and ObjectId, which you can use in the next
series of commands.

To add a user to a security group, at the command prompt, type the following command, and then press
Enter:

Add-MsolGroupMember -GroupMemberObjectId groupmemberobjectid -GroupObjectId groupobjectid

For example:

Add-MsolGroupMember -GroupMemberObjectId f62298ad-6ec1-4da3-8b47-4b84d1cc5941 -GroupObjectId 6146df44-dfec-4a88-958b-f5627deb0b1a

To remove a user from a security group, at the command prompt, type the following command, and then
press Enter:

Remove-MsolGroupMember -GroupMemberObjectId groupmemberobjectid -GroupObjectId groupobjectid

For example:

Remove-MsolGroupMember -GroupMemberObjectId f62298ad-6ec1-4da3-8b47-4b84d1cc5941 -GroupObjectId 6146df44-dfec-4a88-958b-f5627deb0b1a
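
The note on deleting groups suggests resolving the group with Get-MsolGroup -SearchString instead of
pasting an ObjectId, and the member commands above need a user ObjectId as well. The following added
example (not course code) does both by display name and user principal name, and refuses to act when a
name is ambiguous. Get-SecurityGroupId, Add-UserToSecurityGroup and Remove-SecurityGroupByName are
hypothetical names; it assumes Connect-MsolService has been run.

```powershell
# Added example, not course code: resolve groups and users by name instead of pasting ObjectIds,
# and refuse to act when a display name is ambiguous. Assumes Connect-MsolService has been run;
# the group and user names in the sample call are constructed.
function Get-SecurityGroupId {
    param([Parameter(Mandatory)][string]$DisplayName)
    # -SearchString is a prefix match ('Sales' also matches 'Sales Managers'), so filter to the
    # exact name afterwards and insist on exactly one hit before returning an id.
    $found = @(Get-MsolGroup -SearchString $DisplayName -GroupType Security |
        Where-Object { $_.DisplayName -eq $DisplayName })
    if ($found.Count -eq 0) { throw "No security group named '$DisplayName'." }
    if ($found.Count -gt 1) { throw "'$DisplayName' matches $($found.Count) groups; use -ObjectId instead." }
    return $found[0].ObjectId
}

function Add-UserToSecurityGroup {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$GroupDisplayName
    )
    $groupId = Get-SecurityGroupId -DisplayName $GroupDisplayName
    $user    = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    # Make the call idempotent: skip users who are already members.
    $members = @(Get-MsolGroupMember -GroupObjectId $groupId -All)
    if ($members.ObjectId -contains $user.ObjectId) {
        Write-Output "$UserPrincipalName is already a member of $GroupDisplayName"
        return
    }
    Add-MsolGroupMember -GroupObjectId $groupId -GroupMemberObjectId $user.ObjectId -GroupMemberType User
    Write-Output "Added $UserPrincipalName to $GroupDisplayName"
}

function Remove-SecurityGroupByName {
    param([Parameter(Mandatory)][string]$DisplayName)
    $groupId = Get-SecurityGroupId -DisplayName $DisplayName
    # Group deletion is permanent, so -Force is deliberately omitted and the cmdlet still
    # prompts for confirmation before deleting.
    Remove-MsolGroup -ObjectId $groupId
}

Add-UserToSecurityGroup -UserPrincipalName 'melissa@Adatum.onmicrosoft.com' -GroupDisplayName 'Sales'
```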

Importing users and groups by using Windows PowerShell


If you need to provision multiple accounts in Office 365, you can use the Import-Csv cmdlet with a CSV file.
This CSV file should contain a list of all the user accounts that you want to create, in addition to a column
for each of the following user properties:

 FirstName

 LastName

 DisplayName

 UserPrincipalName

 LicenseAssignment, if you want to assign licenses at the same time

 UsageLocation

The Import-Csv cmdlet will read the CSV file and then create and license an Office 365 user for each user in
the list.

For example:

Import-Csv -Path c:\users.csv | ForEach-Object {
    New-MsolUser -FirstName $_.FirstName -LastName $_.LastName `
        -UserPrincipalName $_.UserPrincipalName `
        -DisplayName "$($_.FirstName) $($_.LastName)" `
        -LicenseAssignment 'AdatumPublishing:ENTERPRISEPACK' `
        -UsageLocation US
}

Note: This cmdlet will generate random passwords for each user; if you want to predefine
your own passwords, you could add an extra column to the CSV file with the passwords in it and
then update the script to include the -Password parameter.

If you need to provision multiple group objects in Office 365, similar to provisioning multiple user accounts,
you can use the Import-Csv cmdlet with a CSV file. The CSV file should contain a list of all the group
accounts that you want to create, in addition to a column for each of the group properties, such as:

 DisplayName

 Description

 TenantID

For example:

Import-Csv -Path c:\groups.csv | ForEach-Object {
    New-MsolGroup -DisplayName $_.DisplayName `
        -Description $_.Description `
        -TenantID $_.TenantID
}
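The two Import-Csv pipelines above create every row unconditionally, so a malformed file or a second run stops halfway with errors. The following added example, which is not the course's code, shows the same bulk user provisioning with the checks a practitioner would want: required columns verified before any account is created, the license SKU confirmed against the tenant, rows with an invalid UPN skipped, accounts that already exist left alone, and -WhatIf support for a dry run. It assumes the MSOnline module is loaded and connected; the function name and CSV column names are this example's own.

```powershell
# Added example (not from the course): bulk-create licensed users from a CSV with validation
# and idempotent re-runs. Assumes MSOnline is loaded and Connect-MsolService has succeeded.

function Import-MsolUsersFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$LicenseSku,   # e.g. 'AdatumPublishing:ENTERPRISEPACK'
        [string]$UsageLocation = 'US'
    )

    $required = 'FirstName', 'LastName', 'UserPrincipalName'
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "CSV '$Path' is empty." }

    # Fail before touching the tenant if a required column is missing.
    $columns = $rows[0].PSObject.Properties.Name
    $missing = $required | Where-Object { $_ -notin $columns }
    if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

    # Confirm the SKU string exists in this tenant (a typo here would fail every row).
    if (-not (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $LicenseSku })) {
        throw "License SKU '$LicenseSku' not found in tenant."
    }

    foreach ($row in $rows) {
        $upn = $row.UserPrincipalName.Trim()
        if ($upn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            Write-Warning "Skipping row with invalid UPN '$upn'"
            continue
        }
        # Re-running the script must not fail on accounts created by an earlier run.
        if (Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue) {
            Write-Verbose "$upn already exists; skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($upn, 'Create licensed user')) {
            try {
                $user = New-MsolUser -UserPrincipalName $upn `
                    -FirstName $row.FirstName -LastName $row.LastName `
                    -DisplayName "$($row.FirstName) $($row.LastName)" `
                    -UsageLocation $UsageLocation `
                    -LicenseAssignment $LicenseSku `
                    -ForceChangePassword $true
                # New-MsolUser returns the generated temporary password in .Password;
                # hand it to the user out of band rather than writing it to a file.
                [pscustomobject]@{ UserPrincipalName = $upn; Created = $true; TempPassword = $user.Password }
            }
            catch {
                Write-Error "Failed to create ${upn}: $($_.Exception.Message)"
                [pscustomobject]@{ UserPrincipalName = $upn; Created = $false; TempPassword = $null }
            }
        }
    }
}

# Dry run first (nothing is created), then the real run:
# Import-MsolUsersFromCsv -Path C:\users.csv -LicenseSku 'AdatumPublishing:ENTERPRISEPACK' -WhatIf
# Import-MsolUsersFromCsv -Path C:\users.csv -LicenseSku 'AdatumPublishing:ENTERPRISEPACK' -Verbose | Format-Table
```

The same pattern (validate columns, skip objects that already exist, support -WhatIf) applies to the group import; only the cmdlet and the existence check (Get-MsolGroup -SearchString with an exact-name filter) change.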

Managing users and groups by using Windows PowerShell scripts


If you need to manage multiple users, for example, to update attributes for a large number of users or
groups, you can use Windows PowerShell scripts to perform management tasks. Windows PowerShell scripts are
executable files that include multiple cmdlets, and these cmdlets subsequently run in the order specified in
the script file. Because you use Windows PowerShell scripts for managing multiple objects, we recommend
careful planning and testing in a non-production tenant before running the scripts. Furthermore, you should
only run scripts that you understand and know what they do. Do not apply scripts in your production
environment that you download from third-party sites if you do not thoroughly understand the cmdlets in
these scripts.

Using scripts for connecting to Office 365


You might create a script that will connect to specific services of an Office 365 tenant. The script should
include your credentials, a cmdlet that will import an appropriate module for managing Office 365, and a
cmdlet that will import a remote Windows PowerShell session. The following is an example of the cmdlets
that you might include in a script that will connect to an Office 365 tenant:

$credential = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $credential

If you want to administer Skype for Business Online in Office 365, you should add the following cmdlets to
the script:

Import-Module LyncOnlineConnector
$lyncSession = New-CsOnlineSession -Credential $credential
Import-PSSession $lyncSession

If you also want to administer Exchange Online in Office 365, you should add the following cmdlets to the
script:

$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential `
    -Authentication "Basic" -AllowRedirection
Import-PSSession $ExchangeSession

If you also want to administer SharePoint Online in Office 365, you should add the following cmdlets to the
script:

Import-Module Microsoft.Online.Sharepoint.PowerShell
Connect-SPOService -url https://contoso-admin.sharepoint.com -Credential $credential

If you want to manage users and groups, you can add the cmdlets for Office 365 users and groups to the
script. For example, if you want to add user Amy to the Marketing distribution group, add the following
cmdlet to the script:

Add-DistributionGroupMember -Identity "Marketing" -Member Amy@contoso.com

The earlier topics in this lesson include examples of Windows PowerShell cmdlets that you can include in a
script for managing users, groups, and licenses.
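The fragments in this topic are meant to be combined into one script. The following added example, which is not the course's own script, assembles them in the order described and adds what the fragments leave out: a check that the Azure AD connection actually worked before any further cmdlets run, and a finally block that removes the remote sessions so they do not linger on the service side. It assumes the MSOnline, LyncOnlineConnector and Microsoft.Online.SharePoint.PowerShell modules are installed; contoso is a placeholder tenant name. Credentials are obtained with Get-Credential at run time, as in the course text, rather than stored in the script file.

```powershell
# Added example (not from the course): a single connection script for Azure AD, Exchange Online,
# Skype for Business Online and SharePoint Online, with session cleanup. Replace contoso with your tenant.

$ErrorActionPreference = 'Stop'
$credential = Get-Credential -Message 'Office 365 administrator account'   # prompt; do not hard-code
$sessions = @()

try {
    Import-Module MSOnline
    Connect-MsolService -Credential $credential
    # A cheap read that proves the Azure AD connection works before continuing.
    $tenant = Get-MsolCompanyInformation
    Write-Host "Connected to tenant: $($tenant.DisplayName)"

    # Exchange Online remote session
    $exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
        -Credential $credential -Authentication Basic -AllowRedirection
    $sessions += $exchangeSession
    # -DisableNameChecking silences the warning about unapproved verbs in the imported cmdlets.
    Import-PSSession $exchangeSession -DisableNameChecking | Out-Null

    # Skype for Business Online remote session
    Import-Module LyncOnlineConnector
    $lyncSession = New-CsOnlineSession -Credential $credential
    $sessions += $lyncSession
    Import-PSSession $lyncSession | Out-Null

    # SharePoint Online (the -admin URL of your tenant)
    Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
    Connect-SPOService -Url 'https://contoso-admin.sharepoint.com' -Credential $credential

    # --- management work goes here; for example, the distribution group change from the text ---
    Add-DistributionGroupMember -Identity 'Marketing' -Member 'Amy@contoso.com'
}
finally {
    # Close remote sessions explicitly instead of waiting for the server-side timeout.
    foreach ($s in $sessions) { Remove-PSSession $s -ErrorAction SilentlyContinue }
    Disconnect-SPOService -ErrorAction SilentlyContinue
}
```

Because $ErrorActionPreference is Stop, a failed module import or sign-in aborts the script before any management cmdlet runs, and the finally block still closes whatever sessions were opened.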

Configuring password policies by using Windows PowerShell


While you can manage password policies by using the Office 365 admin center, Windows PowerShell provides
more functionality than is available in the Office 365 admin center. You can use the Azure AD module for
Windows PowerShell to accomplish the following tasks:

 Change a user’s password.

 Set the password policy for the tenant.

 Configure user passwords to never expire.

 Remove the Password Never Expires setting.


 View which user passwords are set to never expire.

 Remove strong password complexity requirements on a per-user basis.

Change a user’s password


Users receive a temporary password automatically when their user account is created. When they first sign
in, they are required to change their temporary password to a new one that conforms to the Office 365
password policy.

You can also reset a user password in the Office 365 admin center or by using a Windows PowerShell
cmdlet. To change a user’s password in Windows PowerShell, at the command prompt, type the following
command, and then press Enter:

Set-MsolUserPassword -UserPrincipalName "userprincipalname" -NewPassword "newpassword"

Note: If you omit the -NewPassword parameter, the command is treated as a password reset rather
than a password change; in this case, the user receives a random password, which they must
change at their next sign-in.

Setting the password policy for a tenant


You can use the Set-MsolPasswordPolicy cmdlet to set the same password policy settings as you can in
the Office 365 admin center. Use this cmdlet to specify the notification warning time of the user password
and the settings for the password expiration notification.

To configure the password policy for a tenant in Windows PowerShell, at the command prompt, type the
following command, and then press Enter:

Set-MsolPasswordPolicy -DomainName "domainname" -ValidityPeriod "numberofdays" -NotificationDays "numberofdays"

You can also view the current password policy settings by using the Get-MsolPasswordPolicy cmdlet.

Configuring passwords to never expire


You can use Azure AD module for Windows PowerShell commands to configure one or all users so that
their passwords do not expire.

To configure a password to never expire for a single user, at the command prompt, type the following
command, and then press Enter:

Set-MsolUser -UserPrincipalName "userprincipalname" -PasswordNeverExpires $true

To configure passwords to never expire for all users, at the command prompt, type the following command,
and then press Enter:

Get-MsolUser | Set-MsolUser -PasswordNeverExpires $true

Removing the Password Never Expires setting


You can also turn off the Password Never Expires setting for individual users or all users with the Azure AD
module for Windows PowerShell.

To configure a password to expire for a single user, at the command prompt, type the following command,
and then press Enter:

Set-MsolUser -UserPrincipalName "userprincipalname" -PasswordNeverExpires $false



To configure passwords to expire for all users, at the command prompt, type the following command, and
then press Enter:

Get-MsolUser | Set-MsolUser -PasswordNeverExpires $false

Viewing passwords that are set to never expire


You can use Windows PowerShell to determine which users have their passwords set to never expire.

To view if a single user password is set to never expire, at the command prompt, type the following
command, and then press Enter:

Get-MsolUser -UserPrincipalName "userprincipalname" | Select PasswordNeverExpires

To view the Password Never Expires setting for all users, at the command prompt, type the following
command, and then press Enter:

Get-MsolUser | Select UserPrincipalName, PasswordNeverExpires

Note: You can only set passwords to never expire on user accounts that have not been
synchronized with a directory service.

Removing strong password requirements


The default setting in Office 365 requires that all user passwords must comply with complexity
requirements, including the following criteria:

 The password must contain at least one lowercase character.

 The password must contain at least one uppercase character.

 The password must contain at least one non-alphanumeric character.

 The password cannot contain any spaces, tabs, or line breaks.

 The password must be between 8 and 16 characters in length.

 The password cannot contain the user name.

However, you can use Windows PowerShell to change that behavior on a per-user basis.

To remove strong password requirements for a single user, at the command prompt, type the following
command, and then press Enter:

Set-MsolUser -UserPrincipalName "userprincipalname" -StrongPasswordRequired $false

Note: We do not recommend removing the strong password requirement, and you should
do so only if specific circumstances require it.
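Both -PasswordNeverExpires $true and -StrongPasswordRequired $false are per-user exceptions that are easy to grant and easy to forget. The following added example, not from the course, turns the Get-MsolUser and Get-MsolPasswordPolicy cmdlets of this topic into a report of every account that carries one of these exceptions, together with a function that returns an account to the tenant policy. It assumes the MSOnline module is loaded and connected, and uses the PasswordNeverExpires, StrongPasswordRequired, LastPasswordChangeTimestamp and LastDirSyncTime properties of the MSOnline user object; the threshold and function names are this example's own.

```powershell
# Added example (not from the course): report per-user password exceptions so they can be
# reviewed, and revert an exception. Assumes MSOnline is loaded and Connect-MsolService succeeded.

function Get-MsolPasswordExceptionReport {
    param(
        [string]$DomainName,            # optional: print the domain's expiration policy as context
        [int]$StaleAfterDays = 365      # flag never-expire accounts whose password is older than this
    )

    if ($DomainName) {
        $policy = Get-MsolPasswordPolicy -DomainName $DomainName
        Write-Host ("Policy for {0}: validity {1} days, notification {2} days before expiry" -f
            $DomainName, $policy.ValidityPeriod, $policy.NotificationDays)
    }

    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

    Get-MsolUser -All |
        Where-Object { $_.PasswordNeverExpires -or -not $_.StrongPasswordRequired } |
        ForEach-Object {
            $findings = @()
            if ($_.PasswordNeverExpires) {
                $findings += 'PasswordNeverExpires'
                # A never-expiring password that has also not been changed for a long time is the
                # case most worth reviewing first.
                if ($_.LastPasswordChangeTimestamp -and $_.LastPasswordChangeTimestamp -lt $cutoff) {
                    $findings += "NotChangedIn${StaleAfterDays}Days"
                }
            }
            if (-not $_.StrongPasswordRequired) { $findings += 'StrongPasswordNotRequired' }

            [pscustomobject]@{
                UserPrincipalName  = $_.UserPrincipalName
                BlockCredential    = $_.BlockCredential
                # Synchronized accounts follow the on-premises policy; the cloud setting is not the control.
                Synchronized       = [bool]$_.LastDirSyncTime
                LastPasswordChange = $_.LastPasswordChangeTimestamp
                Findings           = $findings -join ';'
            }
        }
}

# Put a cloud-only account back under the tenant policy once its exception is no longer needed.
function Reset-MsolPasswordException {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Set-MsolUser -UserPrincipalName $UserPrincipalName -PasswordNeverExpires $false -StrongPasswordRequired $true
}

# Usage (assumed domain name):
# Get-MsolPasswordExceptionReport -DomainName 'contoso.onmicrosoft.com' | Format-Table -AutoSize
# Get-MsolPasswordExceptionReport | Where-Object { -not $_.Synchronized } | Export-Csv C:\audit\pw-exceptions.csv -NoTypeInformation
```

Running the report on a schedule and comparing it with the previous output gives you a record of which exceptions were approved and which appeared unexpectedly.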

Discussion: Office 365 admin center vs. Windows PowerShell


Based on the previous topic, discuss an Office 365 management task with other students based on the
following questions:

 What are the benefits of managing an Office 365 tenant with the Office 365 admin center?

 In what scenario will you administer users and groups by using the Office 365 admin center?

 What are the benefits of managing an Office 365 tenant with Windows PowerShell?

Lesson 5
Configuring administrative access
In this lesson, you will learn about the permission model in Office 365, and you will learn how to create,
assign, or revoke administrative roles. You will also learn how to determine and assign roles, such as the
global administrator, billing administrator, and user account administrator, and how to delegate
administration to different administrators in your organization.

Lesson Objectives
After completing this lesson, you will be able to:

 Describe the Office 365 administrator roles.

 Explain how to assign Office 365 administrator roles.

 Explain how to plan for delegated administration.

Office 365 administrator roles


Office 365 provides several predefined administrator roles that you can assign to other users in your
organization to ease administrative burdens. Because of the nature of the tasks that these roles can
perform, you need to think carefully about whom you assign them to, ensuring that those people are
responsible and trustworthy.

Permission model in Office 365


The permission model in Office 365 on which administrator roles are based is referred to as role-based
access control (RBAC). The RBAC model makes it easier to assign permissions to a user by giving that user a
role with predefined permissions assigned to it.

Other online services have their own permission models. For example, Exchange Online uses a similar RBAC
model to define administrator roles, but it also uses a security model based on individual permissions for its
mailboxes. SharePoint Online has its own security permission model based on security groups, permissions,
and permission levels, which allows administrators to assign individual permissions or groups of
permissions to its resources, such as site collections, sites, and documents.

Office 365 administrator roles


While an administrator has full access to all tasks in the Office 365 admin center, administrator roles can
only carry out a defined subset of these administrative tasks based on the assigned role.

The administrator roles that can be assigned are:

 Global administrator. This role has the same access as the initial administrator and can perform all
available administrative tasks in the Office 365 admin center, including assigning administrator roles to
other users. You can have more than one global administrator role.

 Billing administrator. This role can make purchases, manage subscriptions, manage support tickets,
and monitor the health of the online service.

Note: If your organization did not purchase Office 365 directly from Microsoft, but instead
purchased it through a partner, then you cannot make billing changes, and therefore, you cannot
be assigned the billing administrator role.

 Password administrator. This role can change and reset passwords, manage service requests, and
monitor the health of the online service. Password administrators can only change and reset passwords
for standard users and other password administrators—not other administrator roles.

 Service administrator. This role can manage service requests and monitor the health of the online
service. You first need to assign administrative permission to a service such as Exchange Online before
you assign this role to a user.

 User management administrator. This role can create and delete users and groups, and it can reset
passwords, manage service requests, and monitor the health of the online service. Although they can
create and delete users, user management administrators are restricted from the following:

o They cannot create other administrator roles.

o They cannot delete global administrators.

o They cannot reset passwords for billing administrators, global administrators, or service
administrators.

 Exchange administrator. This role manages Exchange Online by using the Exchange admin center in
Office 365.

 Skype for Business administrator. This role manages Skype for Business Online by using the Skype for
Business admin center in Office 365.

 SharePoint administrator. This role manages SharePoint Online by using the SharePoint admin center in
Office 365.

Note: In Office 365 for professionals and small businesses, there is only one administrator
role. An administrator can assign other users this same administrator role, but there are no other
subordinate roles to assign.

In Windows PowerShell, not all administrator roles have the same names as specified in the Office 365
admin center. The following table lists the equivalent role names.

Office 365 admin center role name    Windows PowerShell equivalent role name
---------------------------------    ---------------------------------------
Global administrator                 Company administrator
Billing administrator                Billing administrator
Password administrator               Helpdesk administrator
Service administrator                Service support administrator
User management administrator        User account administrator

To view the available administrator roles in the Azure AD module for Windows PowerShell, at the command
prompt, type the following command, and then press Enter:

Get-MsolRole

Global administrator–only tasks


Only a global administrator can:

 Manage domains.

 Manage organization information.

 Delegate administrator roles to other users.

 Use directory synchronization.

Assigning administrator roles


You can use the Office 365 admin center or Windows PowerShell to assign the various administrator roles to
users in Office 365.

To assign an administrator role in the Office 365 admin center, perform the following steps:

1. In the Office 365 admin center Home page, click Users.

2. In the list view, click the name of the user to which you want to assign an administrator role.

3. In the details pane on the right side, in the Roles section, click Edit.

4. Under Edit user roles, select an admin role by selecting one of the option buttons.

5. Provide an alternate email address.

6. Save your changes.

To assign an administrator role in Windows PowerShell, at the command prompt, type the following
cmdlet, and then press Enter:

Add-MsolRoleMember -RoleName "nameofrole" -RoleMemberEmailAddress "useremailaddress"

For example:

Add-MsolRoleMember -RoleName "Helpdesk Administrator" -RoleMemberEmailAddress "melissaf@Adatum.onmicrosoft.com"

To view a user’s assigned administrator role, at the command prompt, type the following cmdlet, and then
press Enter:

Get-MsolUserRole -UserPrincipalName "userprincipalname"

To view all users who are assigned to a specific administrator role, at the command prompt, type the
following cmdlets, pressing Enter after each:

$role = Get-MsolRole -RoleName "Helpdesk Administrator"
Get-MsolRoleMember -RoleObjectId $role.ObjectId

To remove an administrator role in Windows PowerShell, at the command prompt, type the following
cmdlet, and then press Enter:

Remove-MsolRoleMember -RoleName "nameofrole" -RoleMemberEmailAddress "useremailaddress"

For example:

Remove-MsolRoleMember -RoleName "Helpdesk Administrator" -RoleMemberEmailAddress "melissaf@Adatum.onmicrosoft.com"

Corresponding online service roles


Administrator roles in Office 365 have some corresponding roles in other online services, such as Exchange
Online and SharePoint Online.

Office 365 role                          Exchange Online role            SharePoint Online role           Skype for Business Online role
---------------------------------------  ------------------------------  -------------------------------  ---------------------------------------
Global administrator                     Exchange Online administrator   SharePoint Online administrator  Skype for Business Online administrator
  (Company administrator)
Billing administrator                    Not applicable                  Not applicable                   Not applicable
Password administrator                   Helpdesk administrator          Not applicable                   Skype for Business Online administrator
Service administrator                    Not applicable                  Not applicable                   Not applicable
User management administrator            Not applicable                  Not applicable                   Skype for Business Online administrator
Exchange Online administrator            Exchange Online administrator   Not applicable                   Not applicable
Skype for Business Online administrator  Not applicable                  Not applicable                   Skype for Business Online administrator
SharePoint Online administrator          Not applicable                  SharePoint Online administrator  Not applicable

Planning delegated administration


If you do not have in-house administrators, you can outsource your administration to a Microsoft partner. For
example, if your organization is small and does not need specialized IT administration roles, you might rely
on a Microsoft partner to provide IT administrative functionality.

In Office 365, this is called delegated administration, and is initiated by a partner sending your
organization an email message requesting that you give them permission to act as an administrator on your
behalf.

Delegated administration process


To accept the delegated administration offer:

1. Open the email message from your partner and read the terms of the offer.

2. Click the link to authorize the agreement, which takes you to an authorization page in Office 365.

3. Under Delegated administration, click Yes to authorize the partner to be your delegated administrator.

4. If the delegated administration offer came with a trial subscription or a purchase offer, create the trial
or subscription tenant account.

To view the delegated administrators:

1. In the Office 365 admin center, click Admin.

2. On the left navigation pane, click Users, in the list view, click the Select a view drop-down list and then
select any of the roles you have assigned.

Note: If you do not have a delegated administrator, the message on that page will state,
“There are no delegated administrators associated with your account.”

Administrator roles set by partners


When you delegate administration to a partner, they receive the ability to specify administration roles for
your organization when they create users on your behalf. They can assign these roles to support agents in
their own organization or to users in your organization. However, delegated administrators are restricted to
the following two roles only:

 Full administration. This role has the same privileges as the Global administrator role in Office 365.

 Limited administration. This role has the same privileges as the Password administrator role in
Office 365.

To ensure that you manage Office 365 administrator roles correctly, we recommend the following best
practices:

 Carefully plan administrator roles by creating a matrix to distribute roles based on the organization’s
operational model.

 Document and audit administration roles and their privileges.

 Ensure that you keep administration roles up to date by changing or removing roles as necessary.

 Ensure that you get approval and sign off for final administration role design.
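The best practices above ask for documented and audited roles, and the Assigning administrator roles topic earlier in this lesson shows the Get-MsolRole and Get-MsolRoleMember cmdlets that expose the data. The following added example, which is not the course's code, combines them into a report of every role assignment in the tenant (including delegated-partner agents, which appear as members like any other) and a comparison against a saved baseline so that additions and removals since the approved design are visible. It assumes the MSOnline module is loaded and connected; the function names, the list of roles treated as privileged and the file paths are this example's own.

```powershell
# Added example (not from the course): enumerate administrator role membership for documentation
# and audit, and diff it against a recorded baseline. Assumes MSOnline is loaded and connected.

function Get-MsolAdminRoleReport {
    param(
        # Windows PowerShell role names to mark as privileged in the output (example's own choice).
        [string[]]$PrivilegedRoles = @('Company Administrator', 'User Account Administrator', 'Helpdesk Administrator')
    )

    $report = foreach ($role in Get-MsolRole) {
        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId -All) {
            [pscustomobject]@{
                RoleName     = $role.Name
                MemberType   = $member.RoleMemberType      # User or ServicePrincipal
                EmailAddress = $member.EmailAddress
                DisplayName  = $member.DisplayName
                IsPrivileged = $PrivilegedRoles -contains $role.Name
            }
        }
    }

    $globalAdmins = @($report | Where-Object { $_.RoleName -eq 'Company Administrator' })
    Write-Host ("{0} role assignment(s); {1} Company Administrator(s)" -f @($report).Count, $globalAdmins.Count)
    if ($globalAdmins.Count -eq 1) {
        Write-Warning 'Only one global administrator: a second, separately controlled account avoids lock-out.'
    }
    return $report
}

function Compare-MsolAdminRoleReport {
    param(
        [Parameter(Mandatory)][string]$BaselinePath,   # CSV written by an earlier, approved run
        [Parameter(Mandatory)][object[]]$Current
    )
    $baseline = Import-Csv -Path $BaselinePath
    # One key per assignment so that a user holding two roles shows up twice.
    $key = { "$($_.RoleName)|$($_.EmailAddress)" }
    $old = @($baseline | ForEach-Object $key)
    $new = @($Current  | ForEach-Object $key)
    [pscustomobject]@{
        Added   = @($new | Where-Object { $_ -notin $old })
        Removed = @($old | Where-Object { $_ -notin $new })
    }
}

# First run: record the approved design. Later runs: diff the live tenant against it.
# $r = Get-MsolAdminRoleReport; $r | Export-Csv C:\audit\roles-baseline.csv -NoTypeInformation
# Compare-MsolAdminRoleReport -BaselinePath C:\audit\roles-baseline.csv -Current (Get-MsolAdminRoleReport)
```

Any entry in Added that was not part of a change request is the item to follow up on; the IsPrivileged flag lets you sort those first.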

Question: What are the administrator roles that you can assign in Office 365?

Lab B: Managing Office 365 groups and administration


Scenario
In addition to creating user accounts, you also need to know how to create group accounts in Office 365. In
this pilot project, you will use Windows PowerShell commands to manage users and groups. If the pilot is
successful, you can manage several hundred users and groups, and Windows PowerShell will be a means to
manage them efficiently. One of the goals in the pilot project is to test delegated administration in
Office 365, so you also need to delegate password management and billing management to different users.

Objectives
After completing this lab, you will be able to:

 Manage Office 365 groups by using the Office 365 admin center.

 Manage Office 365 users and groups by using Windows PowerShell.

 Configure delegated administrators.

Lab Setup
Estimated Time: 60 minutes

Virtual machine: 20347A-LON-DC1, 20347A-LON-CL1

User name: Adatum\Administrator for LON-DC1 and Adatum\Holly for LON-CL1

Password: Pa$$w0rd

In all tasks:

 In references to Adatumyyxxxxx.onmicrosoft.com, replace Adatumyyxxxxx with your unique Office 365
name that displays on the online lab portal.

 In references to Adatumyyxxxxx.hostdomain.com, replace the Adatumyyxxxxx with your unique
hostdomain.com name that displays on the online lab portal.

This lab requires the following virtual machines:

 LON-DC1

o Sign in as Adatum\Administrator with the password Pa$$w0rd.

 LON-CL1

o Sign in as Adatum\Holly with the password Pa$$w0rd.

Exercise 1: Managing Office 365 groups


Scenario
Your organization has a policy that groups rather than individual user accounts must be in use to assign
permissions. Ensure that you can manage groups in the Office 365 admin center.

The main tasks for this exercise are as follows:

1. Create Office 365 security groups.

2. Manage security groups.



 Task 1: Create Office 365 security groups


1. On LON-CL1, open Microsoft Edge, and then browse to https://login.microsoftonline.com/.

2. Sign in as Holly@Adatumyyxxxxx.onmicrosoft.com, where yyxxxxx is your unique Adatum number, with
the password Pa$$w0rd.

3. In the Office 365 admin center, create a new group named Sales, with a description of Sales
department users.

4. Add Lindsey Gates and Christie Thomas as group members.

5. In the Office 365 admin center, create a new group named Accounts, with a description of Accounts
department users.

6. Add Francisco Chaves and Sallie McIntosh as group members.

 Task 2: Manage security groups


1. In the Office 365 admin center, verify that you can see the following groups:

o Sales
o Accounts

2. In the groups list, click the Sales group.

3. Add Amy Santiago as a member of the Sales group.


4. Ensure that Amy Santiago now lists under the Display name list.

5. Delete the Sales group, and then click Active Users.

6. Confirm that Amy Santiago’s account still exists in the list of users.

Results: After completing this exercise, you should have created and managed security groups.

Exercise 2: Managing Office 365 users and groups by using Windows PowerShell


Scenario
If the pilot project is a success, you expect that you will need to manage hundreds of user and group
accounts. To manage these efficiently, you will need to use Windows PowerShell. In preparation for this,
you need to familiarize yourself with managing users and groups by using Windows PowerShell.
The main tasks for this exercise are as follows:

1. Install Microsoft Azure Active Directory module for Windows PowerShell.

2. Create new users and assign licenses by using Windows PowerShell.


3. Modify existing users by using Windows PowerShell.

4. Configure groups and group membership by using Windows PowerShell.

5. Configure user passwords by using Windows PowerShell.



 Task 1: Install Microsoft Azure Active Directory module for Windows PowerShell

1. On LON-CL1, open Microsoft Edge, and browse to http://aka.ms/t01i1o.

2. Download and install Microsoft Online Services Sign-In Assistant for IT Professionals RTW.

3. In Microsoft Edge, connect to http://aka.ms/siqtee.

4. Download and install the Microsoft Azure AD module for Windows PowerShell.

 Task 2: Create new users and assign licenses by using Windows PowerShell

1. On LON-CL1, on the desktop, right-click the Windows Azure Active Directory Module for Windows
PowerShell shortcut, and then click Run as administrator.

2. If a User Account Control dialog box appears, click Yes.

3. At the command prompt, type the following command, and then press Enter:

Connect-msolservice

4. In the Enter Credentials dialog box, sign in as holly@Adatumyyxxxxx.onmicrosoft.com, where yyxxxxx is
your unique Adatum number, with the password Pa$$w0rd.

5. Use the following command to create a new user account:

New-MsolUser -UserPrincipalName Catherine@Adatumyyxxxxx.hostdomain.com -DisplayName "Catherine Richard" `
    -FirstName "Catherine" -LastName "Richard" -Password 'Pa$$w0rd' `
    -ForceChangePassword $false -UsageLocation "CH"

6. Use the following command to create another new user:

New-MsolUser -UserPrincipalName tameka@Adatumyyxxxxx.hostdomain.com -DisplayName "Tameka Reed" `
    -FirstName "Tameka" -LastName "Reed" -Password 'Pa$$w0rd' `
    -ForceChangePassword $false -UsageLocation "CH"

7. Use the following command to determine which users are unlicensed:

Get-MsolUser -UnlicensedUsersOnly

8. Use the following command to assign a license to Catherine Richard; replace Adatumyyxxxxx in the
-AddLicenses parameter with the onmicrosoft.com domain name provided by the hosting provider:

Set-MsolUserLicense -UserPrincipalName Catherine@Adatumyyxxxxx.hostdomain.com -AddLicenses "Adatumyyxxxxx:ENTERPRISEPACK"

9. Use the following command to assign a license to Tameka Reed; replace Adatumyyxxxxx in the
-AddLicenses parameter with the onmicrosoft.com domain name provided by the hosting provider:

Set-MsolUserLicense -UserPrincipalName Tameka@Adatumyyxxxxx.hostdomain.com -AddLicenses "Adatumyyxxxxx:ENTERPRISEPACK"

10. Use the following command to prevent a user from signing in to Office 365:

Set-MsolUser -UserPrincipalName Catherine@Adatumyyxxxxx.hostdomain.com -BlockCredential $true

11. Use the following command to delete a user:

Remove-MsolUser -UserPrincipalName Catherine@Adatumyyxxxxx.hostdomain.com -Force



12. Use the following command to view the Deleted Users list:

Get-MsolUser -ReturnDeletedUsers

13. Verify that Catherine Richard is in the Deleted Users list.

14. Use the following command to restore a deleted user:

Restore-MsolUser -UserPrincipalName Catherine@Adatumyyxxxxx.hostdomain.com

15. Use the following command to view the Deleted Users list:

Get-MsolUser -ReturnDeletedUsers

16. Verify that Catherine Richard is no longer in the Deleted Users list.

17. Use the following command to view the Active Users list:

Get-MsolUser

18. Verify that Catherine Richard is in the Active Users list.

19. Use the following command to allow a user to sign in:

Set-MsolUser -UserPrincipalName Catherine@Adatumyyxxxxx.hostdomain.com -BlockCredential $false

 Task 3: Modify existing users by using Windows PowerShell


1. On LON-CL1, open C:\labfiles\O365users.csv by using Notepad.

2. In Notepad, replace adatumyyxxxxx.hostdomain.com with your unique public domain name.


3. In Notepad, replace adatumyyxxxxx:ENTERPRISEPACK with your unique onmicrosoft.com domain
name, followed by ENTERPRISEPACK.

4. Close and save O365users.csv.

5. To bulk import several users from a CSV file, copy and paste this code into the Administrator: Windows
Azure Active Directory Module for Windows PowerShell window on LON-CL1, and then press Enter:

Import-Csv -Path C:\labfiles\O365Users.csv | ForEach-Object {
    New-MsolUser -UserPrincipalName $_."UPN" -AlternateEmailAddresses $_."AltEmail" `
        -FirstName $_."FirstName" -LastName $_."LastName" -DisplayName $_."DisplayName" `
        -BlockCredential $False -ForceChangePassword $False `
        -LicenseAssignment $_."LicenseAssignment" -Password $_."Password" `
        -PasswordNeverExpires $True -Title $_."Title" -Department $_."Department" `
        -Office $_."Office" -PhoneNumber $_."PhoneNumber" -MobilePhone $_."MobilePhone" `
        -Fax $_."Fax" -StreetAddress $_."StreetAddress" -City $_."City" -State $_."State" `
        -PostalCode $_."PostalCode" -Country $_."Country" -UsageLocation $_."UsageLocation"
}

6. Use the following command to view the Active Users list:

Get-MsolUser

7. In the Office 365 admin center, verify the new user accounts.

8. In the Exchange admin center, verify that the users have been assigned mailboxes.

 Task 4: Configure groups and group membership by using Windows PowerShell


1. Use the following command to create a Marketing group:

New-MsolGroup -DisplayName "Marketing" -Description "Marketing department users"

2. Use the following command to configure a variable for the group:

$MktGrp = Get-MsolGroup | Where-Object {$_.DisplayName -eq "Marketing"}

3. Use the following command to configure a variable for the first user account:

$Catherine = Get-MsolUser | Where-Object {$_.DisplayName -eq "Catherine Richard"}

4. Use the following command to configure a variable for the second user account:

$Tameka = Get-MsolUser | Where-Object {$_.DisplayName -eq "Tameka Reed"}

5. Use the following command to add Catherine Richard to the Marketing group:

Add-MsolGroupMember -GroupObjectId $MktGrp.ObjectId -GroupMemberType "User" -GroupMemberObjectId $Catherine.ObjectId

6. Use the following command to add Tameka Reed to the Marketing group:

Add-MsolGroupMember -GroupObjectId $MktGrp.ObjectId -GroupMemberType "User" -GroupMemberObjectId $Tameka.ObjectId

7. Use the following command to verify the members of the Marketing group:

Get-MsolGroupMember -GroupObjectId $MktGrp.ObjectId

 Task 5: Configure user passwords by using Windows PowerShell


1. Use the following command to modify the password policy:

Set-MsolPasswordPolicy -DomainName "Adatumyyxxxxx.onmicrosoft.com" -ValidityPeriod "90" -NotificationDays "14"

2. Use the following command to assign a new password to Tameka’s account:

Set-MsolUserPassword -UserPrincipalName "Tameka@adatumyyxxxxx.hostdomain.com" -NewPassword 'Pa$$w0rd123'

3. At the command prompt, type the following command, and then press Enter:

Get-MsolUser | Set-MsolUser -PasswordNeverExpires $false

Results: After completing this exercise, you should have created new users, assigned licenses, modified
existing users, and configured groups and user passwords by using the Windows PowerShell command-line
interface.

Exercise 3: Configuring delegated administrators


Scenario
Members of the pilot project team have different responsibilities during the pilot. To ensure that team
members have only the permissions that they require to perform various tasks in Office 365, you are going
to assign different administrator roles to different users.

The main tasks for this exercise are as follows:

1. Assign delegated administrators in the Office 365 admin center.

2. Manage delegated administration with Windows PowerShell.

3. Verify delegated administration.

Task 1: Assign delegated administrators in the Office 365 admin center

1. On LON-CL1, open Microsoft Edge, and then browse to https://login.microsoftonline.com/.
2. Sign in as Holly@Adatumyyxxxxx.onmicrosoft.com, with the password Pa$$w0rd.

3. In the Office 365 admin center, configure Francisco Chaves as a Billing administrator using an
alternate email address of user@alt.none.
4. In the Office 365 admin center, configure Tameka Reed as a Password administrator from the list.

5. In the Alternative email address text box, type user@alt.none.

6. In the Office 365 admin center, configure Christie Thomas as User management administrator.

7. In the Alternative email address text box, type user@alt.none.

8. Close Microsoft Edge.

Task 2: Manage delegated administration with Windows PowerShell

1. In Windows PowerShell, use the following command to add Sallie to the service support administrator
role:

Add-MsolRoleMember -RoleName "Service Support Administrator" -RoleMemberEmailAddress "Sallie@Adatumyyxxxxx.hostdomain.com"

2. Use the following command to add Nona to the company administrator role:

Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "Nona@Adatumyyxxxxx.hostdomain.com"

3. Use the following command to store the service support administrator role in the $role variable:

$role = Get-MsolRole -RoleName "Service Support Administrator"

4. Use the following command to list the role members:

Get-MsolRoleMember -RoleObjectId $role.ObjectId

5. Verify that Sallie McIntosh is in the list of users who have the Service Support Administrator role.

6. Use the following command to store the billing administrator role in the $role variable:

$role = Get-MsolRole -RoleName "Billing Administrator"

7. Use the following command to list the role members:

Get-MsolRoleMember -RoleObjectId $role.ObjectId

8. Verify that Francisco Chaves is in the list of users who have the Billing Administrator role.

9. Use the following command to store the company administrator role in the $role variable:

$role = Get-MsolRole -RoleName "Company Administrator"

10. Use the following command to list the role members:

Get-MsolRoleMember -RoleObjectId $role.ObjectId

11. Verify that Nona Snider is in the list of users who have the Company Administrator role.

12. At the command prompt, type the following command, and then press Enter:

Exit
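The role commands in Task 2 above and the password-policy commands in Exercise 2, Task 5 can be combined into a review script that shows who holds which administrator role and which accounts are exempt from password expiry. This is an added example, not part of the 20347A lab; it assumes the MSOnline module is loaded, Connect-MsolService has already been run in the session, and a threshold of four Company Administrators (an assumed value, not from the course).

```powershell
# Added example (not part of the 20347A lab). Reports admin role membership and
# password-expiry exemptions so that delegated-administrator assignments can be
# reviewed for least privilege. Assumes the MSOnline module is loaded and
# Connect-MsolService has already been run in this session.

function Get-AdminRoleReport {
    # One row per (role, member) for every directory role that has members.
    [CmdletBinding()]
    param()

    foreach ($role in Get-MsolRole) {
        $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All
        foreach ($m in $members) {
            [pscustomobject]@{
                Role         = $role.Name
                DisplayName  = $m.DisplayName
                EmailAddress = $m.EmailAddress
                MemberType   = $m.RoleMemberType
            }
        }
    }
}

function Test-PrivilegedRoleSprawl {
    # Flags the two things a reviewer looks for first: how many accounts hold the
    # tenant-wide Company Administrator role, and which accounts hold more than
    # one administrative role at the same time.
    param(
        [Parameter(Mandatory)] [object[]] $Report,
        [int] $MaxCompanyAdmins = 4   # assumed threshold, adjust to your policy
    )

    $companyAdmins = @($Report | Where-Object Role -eq 'Company Administrator')
    $multiRole = $Report |
        Group-Object EmailAddress |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                EmailAddress = $_.Name
                Roles        = ($_.Group.Role | Sort-Object -Unique) -join ', '
            }
        }

    [pscustomobject]@{
        CompanyAdminCount    = $companyAdmins.Count
        TooManyCompanyAdmins = $companyAdmins.Count -gt $MaxCompanyAdmins
        CompanyAdmins        = @($companyAdmins.EmailAddress)
        MultiRoleAccounts    = @($multiRole)
    }
}

function Get-PasswordNeverExpiresUsers {
    # Accounts exempt from the validity period set with Set-MsolPasswordPolicy.
    # The lab clears this flag for every user; anything still true was set later.
    Get-MsolUser -All |
        Where-Object { $_.PasswordNeverExpires -eq $true } |
        Select-Object UserPrincipalName, LastPasswordChangeTimestamp
}

# Example run against the connected tenant
$report = Get-AdminRoleReport
$report | Sort-Object Role, DisplayName | Format-Table -AutoSize
Test-PrivilegedRoleSprawl -Report $report | Format-List
Get-PasswordNeverExpiresUsers | Format-Table -AutoSize
```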

Task 3: Verify delegated administration

1. On the Office 365 page, sign out if needed, and then sign in as
Tameka@Adatumyyxxxxx.hostdomain.com, where yyxxxxx is your unique Adatum number, with
the password Pa$$w0rd123.

2. Change Tameka’s password to Pa$$w0rd.

3. Access the new Office 365 admin center.

4. Verify that you cannot modify any settings for Jessica Jenning’s user account.

5. Verify that you can reset Jessica’s password.

6. Write down the temporary password assigned to Jessica: ______________________________


7. Sign out as Tameka Reed, and then sign back in as Christie@Adatumyyxxxxx.hostdomain.com
using the temporary password assigned in Lab A. Change the password to Pa$$w0rd.

8. Verify that you can modify settings on the Jessica Jennings user account. Change her phone number to
555-1234 and then block her sign in access.

9. Verify that you can add a new user named Chris Breland.

10. Verify that you can also delete the user account that you created.

Results: After completing this exercise, you should have assigned delegated administrators in the Office
365 admin center, managed delegated administration with Windows PowerShell, and verified delegated
administration.

Module Review and Takeaways

Review Questions
Question: What is the most efficient way of creating user accounts if your organization
decides to migrate to Office 365?

Question: How will you configure Office 365 password policies in your organization, and will
you use multi-factor authentication?

Question: Why is it more convenient to assign permissions to security groups than to users?

Question: In which management scenarios will you use Office 365 with Windows PowerShell
rather than the Office 365 admin center?

Question: In which scenarios will you use RBAC in Office 365?

Best Practices

• Always perform detailed planning for user and group management, and check the plan in a test Office
365 tenant before deploying in production.

• Plan and test user administrative tasks to improve user management efficiency and to eliminate errors
in the production environment, especially when running Windows PowerShell scripts.

• Plan for multi-factor authentication to help administrators choose the authentication method that suits
their organizational security requirements.

• Plan administrative roles to distribute administrative tasks according to organizational security and
business requirements.

Module 3
Configuring client connectivity to Microsoft Office 365
Contents:
Module Overview 3-1 

Lesson 1: Planning for Office 365 clients 3-2 

Lesson 2: Planning connectivity for Office 365 clients 3-8 

Lesson 3: Configuring connectivity for Office 365 clients 3-18 

Lab: Configuring client connectivity to Office 365 3-24 

Module Review and Takeaways 3-30 

Module Overview
Microsoft Office 365 supports different types of clients that run on various hardware platforms. In this
module, you will learn about the different types of client software that you can use to connect to Office 365.
You also will learn about the infrastructure requirements that the clients need to connect to Office 365, and
how to configure different types of Office 365 clients.

Objectives
After completing this module, you will be able to:

• Plan for the deployment of Office 365 clients.

• Plan for and troubleshoot connectivity for Office 365 clients.

• Configure connectivity for Office 365 clients.

Lesson 1
Planning for Office 365 clients
You can use several clients to connect to Office 365, such as Office 2016 apps for Windows, Microsoft Office
Online, mobile devices, and Office 2016 for Mac. Based on your organization’s business requirements, you
should choose the appropriate clients and deploy them in your organization.

Lesson Objectives
After completing this lesson, you will be able to:

• List the types of clients that can connect to Office 365.

• List the new features in Office 2016.

• Describe the key features and usage scenarios for Office Online.

• Identify the mobile clients that are available for Office 365.

• List the new features in Office 2016 for Mac.
Overview of Office 365 clients

Depending on the Office 365 plan, you can deploy several client packages to your end users.

Microsoft Office 365 ProPlus

Office 365 ProPlus is a downloadable version of the Microsoft productivity suite, and it includes Microsoft
Word 2016, Excel 2016, PowerPoint 2016, Outlook 2016, Access 2016, Publisher 2016, OneNote 2016, InfoPath,
and the Skype for Business client.

Office 365 ProPlus supports streaming deployment by using the Click-to-Run technology, which allows users
to click an application-installation icon, and start using the application while the application installs in
the background. Office 365 ProPlus is not a web-based version of Microsoft Office, so users do not have to
be connected to the Internet permanently. However, users will need an Internet connection during
deployment. After the Office 365 ProPlus installation finishes, it runs locally on the user's computer.

Visio and Project Pro

Some Office 365 plans also include Visio and Project Pro. However, these applications are not part of
Office 365 ProPlus.

Office Online

There also are Office Online versions of Word, Excel, PowerPoint, and OneNote. Office Online streams them
directly from the cloud, and you cannot use these applications offline.

To use Office Online, you need a subscription for an Office 365 plan that includes SharePoint Online.

Office 2016 for Mac

You can configure whether Office 2011 or Office 2016 for Mac or both are available on the Apps page in the
Office 365 admin center. Mac users can download and install the software from the Office 365 Software
site.

Office for iPad, iPhone and iPod touch

You can use the new Office for iPad, iPhone and iPod touch app to view, create, and edit documents on an
iPad. You can install this application from the App Store, and it consists of touch-friendly versions for Word,
Excel, and PowerPoint. There also are other apps for the iPad, such as the Microsoft OneNote for iPad,
Microsoft Office Outlook Web Access for iPad, a Microsoft SharePoint Newsfeed app, a Microsoft OneDrive
for Business client, and a Yammer app.

New features in Office 2016

Office 365 subscribers have an option to upgrade their current Office 2013 apps with Office 2016, which
provides several new features, including:

• The coauthoring feature in Word and PowerPoint enables multiple users to work together on a document
simultaneously. Users can collaborate on shared documents regardless of the devices they are using.

• The OneDrive integration feature in Word, PowerPoint, Excel, OneNote, and Outlook provides access to
Office documents that users save in OneDrive from different devices and Office apps.

• The Skype integration feature enables users to collaborate from any device by using instant messaging,
audio, video, and screen sharing.

• The multiplatform support feature in Word, PowerPoint, Excel, OneNote, and Outlook enables users to
work on different devices, including Windows, Android, and Apple devices.

• The Clutter feature in Outlook makes decisions on prioritizing users’ emails, and moves lower priority
emails to a separate folder.

Office Online

Office Online provides an alternative way to use Office applications online. You cannot use Office Online
in an offline mode, and it is either streamed from Office 365 or from on-premises servers. Therefore, you
need Internet access or network access to use Office Online, and you also must subscribe to an Office 365
plan that includes SharePoint Online. Once you meet all of these requirements, you can use the following
Office Online apps to view and edit documents online:

• Microsoft Word Online

• Microsoft OneNote Online

• Microsoft PowerPoint Online

• Microsoft Excel Online

Office Online vs. Office 365 ProPlus and Office 2016 Professional Plus

Office Online provides a subset of the Office 365 ProPlus and Office 2016 Professional Plus features.
However, this subset includes all of the editing and formatting features that users utilize most commonly,
including:

• Word Online. Includes features that allow you to perform basic document editing and formatting in a
web browser. However, to perform advanced editing, you must open the documents in Word by using
the Open in Word command. After you finish your edits, you can save them to the website from which
you opened Word Online.

Additional Reading: For more information, refer to Differences between using a document
in the browser and in Word: http://aka.ms/b2wwul.

• OneNote Online. Enables you to take notes and organize note pages in a web browser. However, to
perform advanced editing, you must open the notebooks in OneNote by using the Open in OneNote
command. In OneNote Online, you cannot open notebooks that were created with versions prior to
OneNote 2010.

Additional Reading: For more information, refer to Differences between using a notebook
in the browser and in OneNote: http://aka.ms/js6f8w.

• PowerPoint Online. Enables you to create and share basic presentations in your web browser. You can
work simultaneously with others, and present your slide show from anywhere. To perform advanced
editing, you must open the presentations in PowerPoint by using the Open in PowerPoint command.

Additional Reading: For more information, refer to How certain features behave in
PowerPoint Online: http://aka.ms/edhcwl.

• Excel Online. Enables you to view a workbook in a browser window, and use basic editing and printing
features. However, to perform advanced editing, you must open the workbook in Excel by using the
Open in Excel command.

Additional Reading: For more information, refer to Differences between using a workbook
in the browser and in Excel: http://aka.ms/sc8n0n.

System requirements

Office Online supports the following browsers:

• Microsoft Edge

• Internet Explorer 11 or newer

• The latest version of Mozilla Firefox

• The latest version of Apple Safari

• The latest version of Google Chrome

Additional Reading: For more information on browser requirements, refer to Office Online
browser support: http://aka.ms/jv2cok.

Office 365 mobile clients

Office 365 supports multiple platforms for mobile devices, such as Windows Phone, Android, and Apple iOS
devices. The availability of the features depends on the type of the platform and the operating system
that you are using.

The following table lists the available Office 365 features for different mobile platforms.

Apps and features | Surface | Windows Phone | iOS | Android
Outlook Web App | Yes | Yes | Yes | Light version
Outlook | Yes | Yes | Outlook for iPhone and iPad | Outlook for Android
Exchange ActiveSync | Yes | Yes | Yes | Yes
Search the global address list, sync calendar and contacts, and remote wipe | Yes | Yes | Yes | Yes
Office on mobile devices | Yes | Yes | Yes | Yes
Office Online | Edit | View-only in browser, edit in Office Mobile | View-only on iPhone, edit on iPad | View-only
View documents in OneDrive for Business | Yes | Yes | Yes | Yes
Skype for Business mobile app | Yes | Yes | Yes | Yes
Office 365 Partner admin mobile app | Yes | Yes | Yes | Yes

Overview of Office 2016 for Mac

Office 2016 for Mac includes several improvements and new features. Office 365 users who own a Mac can
install the new Office 2016 by signing in to Office 365. The following table lists some of the new Office
2016 for Mac features.

Product | Feature
Office | Provides improved integration capabilities with OneDrive, OneDrive for Business, and SharePoint
Office | Provides multitouch gesture support
Word | Provides improved document sharing capabilities that enable users to share files and invite other users to review or edit documents
Word | Improves coauthoring, which enables multiple users to work simultaneously in the same Word document
Word | Provides relevant contextual Internet information that the Bing search provider displays in the Insights pane
Excel | Provides the PivotTable Slicers feature, which helps users discover patterns in large volumes of data
Excel | Offers the Analysis Toolpak add-on feature, which enables users to perform complex statistical or engineering analysis
PowerPoint | Offers the Threaded comments feature, which allows users to have conversations about the relevant text
PowerPoint | Provides an improved presenter view
PowerPoint | Provides improved coauthoring features, which allow multiple users to work simultaneously in the same PowerPoint presentation
OneNote | Provides sharing capability for OneNote notebooks with other users
OneNote | Offers different formatting capabilities for notes, including the ability to insert files, pictures, and tables
Outlook | Provides Push Mail support for email synchronization
Outlook | Provides an online archive folder in the navigation pane, which allows users to move older messages to an archive on the server
Outlook | Offers a side-by-side calendar view, in which users can see multiple calendars in parallel

Discussion: Which Office 365 clients will you need to support?

Based on the different types of clients that you can use with Office 365, discuss what type of clients you
will need to support in your organization.

Lesson 2
Planning connectivity for Office 365 clients
Organizations should consider business requirements before implementing Office 365 clients, and
administrators should evaluate system requirements for Office 365 clients before deployment.
Furthermore, administrators should evaluate the network-bandwidth requirements and technologies that
will provide automatic client configuration, such as Autodiscover.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the requirements for network infrastructure.

• Describe the requirements for network bandwidth.

• Describe the tools for evaluating network connectivity.

• Describe Autodiscover.

• Describe how Outlook and Skype for Business use Autodiscover.

• Identify the Domain Name System (DNS) records that Autodiscover requires.

• Explain how to troubleshoot client connectivity.

Requirements for network infrastructure

Network administrators should understand what type of Office 365 clients their organizations will use.
Based on that information, they can plan and evaluate the client-connection requirements, such as the
ports that Office 365 clients need. The following table shows these ports.

Protocol | Port | Usage
TCP | 443 | Office 365 portal (admin and user), Outlook, Outlook on the web, SharePoint Online, the Skype for Business client, and Active Directory Federation Services (AD FS) federation and proxy
TCP | 25 | Mail routing
TCP | 587 | Simple Mail Transport Protocol (SMTP) relay
TCP | 143/993 | IMAP Simple Migration Tool
TCP | 80/443 | Microsoft Azure Active Directory Sync tool, mail migration tools, Exchange Management Console, and Exchange Management Shell
TCP | 995 | Post Office Protocol (POP3) with SSL
PSOM/TLS | 443 | Skype for Business Online: outbound data sharing
STUN/TCP | 443 | Skype for Business Online: outbound audio, video, and application sharing sessions
STUN/UDP | 3478 | Skype for Business Online: outbound audio and video sessions
TCP | 5223 | Skype for Business mobile client push notifications
UDP | 20000-45000 | Skype for Business-to-phone outbound
RTC/UDP | 50000-59000 | Skype for Business: outbound audio and video sessions

Additional Reading: For more information on the list of ports, refer to Ports and protocols
used by Office 365: http://aka.ms/ifj2gl.

Third-party caching and filtering rules

Microsoft Office 365 relies on third-party content-caching engines to achieve good performance and fast
response times. The types of content that these third-party engines cache are non-Secure Socket Layer
(SSL) resources, such as the images downloaded to draw the Outlook Web App user interface.
Organizations might use IP-based filtering for the SSL content that downloads from Office 365 and for the
Office 365 endpoints that make in-bound calls to an on-premises environment. However, Office 365 does
not support, nor is it possible to use, IP-based filtering for the non-SSL resources that third-party content-
caching engines host. To configure filtering rules that allow these non-SSL resources to download to your
intranet clients, you need to use hostname-based filtering rather than IP-based filtering. This is because the
IPs that third-party content-caching engines use change frequently, which makes it impractical to track
each individual IP change. However, you should allow the following hostnames for non-SSL resources:

• r3.res.outlook.com

• r4.res.outlook.com

• prod.msocdn.com

Additional Reading: For more information on IP-based filtering, refer to Office 365 URLs
and IP address ranges: http://aka.ms/rploze.

IPv6-capable devices

If the organization is connecting to Office 365 with network equipment that is capable of Internet Protocol
version 6 (IPv6), you must ensure that:

• The network equipment can support Internet Protocol version 4 (IPv4) and IPv6.

• The perimeter emulates any hardware solution that has been configured to allow IPv6 clients to
connect to the Microsoft Exchange Online services.

For example, if your organization uses a web proxy, you must configure it as an IPv6-capable web proxy.

Requirements for network bandwidth

Using Office 365 services will result in an increase in your organization’s Internet traffic. Therefore, it
is important to evaluate and assess how these services affect your organization’s network.

In Microsoft Exchange hybrid deployments, directory synchronization and email traffic typically have the
greatest effect on bandwidth, but organizations should notice a general increase in Internet traffic after
they migrate users to Office 365.

Before you deploy Office 365 in your organization, you must consider how deployment will affect
bandwidth with respect to:

• The Office 365 service offerings to which the organization has subscribed.

• The number of client computers that will be in use at any given time.

• The nature of the tasks that each client computer will perform.

• The performance of the Internet browser that is installed on client computers.

• The capacity of the network connections and network segments associated with each client computer.

• The organization’s network topology and capacity of its network hardware.

• The number of simultaneous mailbox migrations.

• The number of simultaneous Skype for Business conferencing and telephony connections.

• Office 365 ProPlus installation and desktop setup.

• Network address translation (NAT) limitations.

It is important to test and validate download, upload, and latency constraints with respect to Internet
bandwidth, so that you can ensure that your end users have a satisfactory experience. Apart from the user’s
experience, the Internet bandwidth also affects the speed at which you can migrate on-premises mailbox
content to Exchange Online. If you have slow or high-latency connectivity, you can migrate only a few
mailboxes during one migration window. Later modules in this course will provide more information on
this topic.

Office 365 ProPlus installation uses significant bandwidth, and you must run the Office 365 ProPlus desktop
setup on each client computer. If you initiate the setup without installing any necessary operating system
service packs and updates, this can utilize a significant amount of download bandwidth, because each
computer connects separately to the Internet, downloads the service packs or updates, and installs them.
To prevent bandwidth saturation, you should deploy updates before you deploy the Office 365 ProPlus
setup. You also can use a package deployment tool, such as Microsoft System Center Configuration
Manager, so that updates download only once, and you then can distribute them as part of your planned
and scheduled deployment.

If you cannot deploy the updates prior to deploying the Office 365 ProPlus setup, you can use Active
Directory Group Policy to throttle the Office 365 ProPlus deployment by deploying the setup package to
one user subset at a time, such as by organizational unit or site/location. This allows all users to download
the updates, but the download’s length might vary from days to weeks. There are tools, such as the
Exchange Client Network Bandwidth Calculator and the Skype for Business Bandwidth Calculator, that you
can use to estimate network bandwidth.

Additional Reading: For more information, refer to Exchange Client Network Bandwidth
Calculator: http://aka.ms/r7m054.

Additional Reading: For more information, refer to Skype for Business Bandwidth
Calculator: http://aka.ms/i6jsff.

NAT limitations

While evaluating network-bandwidth requirements, you also must consider NAT limitations. Most users on
corporate networks access the Internet through a private (RFC 1918) IP address space. Organizations then
use gateway technologies, such as firewalls and proxies that provide NAT or port address translation
services, to translate from the internal private address space to an external IP address or address range.
Each outbound connection from an internal device translates to a different source Transmission Control
Protocol (TCP) port on the public IP address. Therefore, thousands of users on a corporate network can
share a few publicly routable IP addresses.

An Outlook client potentially can consume eight or more connections. The maximum number of available
ports on a Windows-based NAT device is 64,000, so there typically would be a maximum of 8,000 users
behind an IP address before the ports are exhausted. If customers are using NAT devices that are not
running a Windows operating system, the total available ports could be less than 64,000.

To determine the maximum number of devices behind a single public IP address, monitor the network
traffic to determine peak port consumption per client. Also, set a peak factor for the port usage (minimum
four). You then can use the following formula to calculate the maximum number of supported devices per
IP address:

Maximum supported devices behind a single public IP address = (64,000 – restricted ports) / (peak port consumption + peak factor)

For instance, if 4,000 ports were restricted so that they can be used by Windows devices and six ports were
needed per device, with a peak factor of four:

Maximum supported devices behind a single public IP address = (64,000 – 4,000) / (6 + 4) = 6,000

To support more than 2,000 devices behind a single public IP address, follow these recommendations to
assess the maximum number of supported devices:

• Monitor network traffic to determine peak port consumption per client, and collect this data from
multiple locations, from multiple devices, and at multiple times.

• Use the formula listed above to calculate the maximum users per IP address that can be supported in
your environment.
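The formula above applied to a set of per-client peak port measurements, as an added example that is not part of the course text. The per-client samples and the device count are constructed values; the 4,000 restricted ports, the 64,000 port ceiling and the minimum peak factor of four come from the topic.

```powershell
# Added example (not part of the course text): applies the NAT port-exhaustion
# formula from this topic to per-client peak port samples collected from several
# locations and times, and reports whether a public IP is at risk of exhaustion.

function Get-MaxDevicesPerPublicIP {
    # Maximum supported devices = (total ports - restricted ports) / (peak port consumption + peak factor)
    param(
        [Parameter(Mandatory)] [int] $PeakPortsPerClient,
        [int] $RestrictedPorts = 4000,   # ports reserved for the NAT device itself (example value from the text)
        [int] $PeakFactor      = 4,      # the topic's minimum; never lower
        [int] $TotalPorts      = 64000   # Windows-based NAT; non-Windows devices may have fewer
    )
    if ($PeakFactor -lt 4)          { throw 'Peak factor must be at least 4.' }
    if ($PeakPortsPerClient -lt 1)  { throw 'Peak ports per client must be at least 1.' }
    $usable = $TotalPorts - $RestrictedPorts
    [int][math]::Floor($usable / ($PeakPortsPerClient + $PeakFactor))
}

function Test-NatCapacity {
    # $Samples: per-client peak port counts observed at different sites and times.
    # Sizes for the worst observed value, because a NAT is sized for the peak, not the average.
    param(
        [Parameter(Mandatory)] [int[]] $Samples,
        [Parameter(Mandatory)] [int]   $DevicesBehindIP,
        [int] $RestrictedPorts = 4000,
        [int] $PeakFactor      = 4,
        [int] $TotalPorts      = 64000
    )
    $peak = [int]($Samples | Measure-Object -Maximum).Maximum
    $max  = Get-MaxDevicesPerPublicIP -PeakPortsPerClient $peak -RestrictedPorts $RestrictedPorts `
                                      -PeakFactor $PeakFactor -TotalPorts $TotalPorts
    if ($max -lt 1) { throw 'Usable port range is smaller than one client needs.' }

    [pscustomobject]@{
        PeakPortsPerClient = $peak
        MaxDevicesPerIP    = $max
        DevicesBehindIP    = $DevicesBehindIP
        PublicIPsNeeded    = [int][math]::Ceiling($DevicesBehindIP / $max)
        AtRiskOfExhaustion = $DevicesBehindIP -gt $max
    }
}

# Worked example from the text: 4,000 restricted ports, 6 ports per device, peak factor 4 -> 6,000
Get-MaxDevicesPerPublicIP -PeakPortsPerClient 6

# Constructed samples: Outlook clients observed using 6 to 9 ports at peak across three sites
$constructedSamples = 6, 7, 6, 9, 8, 6
Test-NatCapacity -Samples $constructedSamples -DevicesBehindIP 7500 | Format-List
# Peak 9 -> (64,000 - 4,000) / (9 + 4) = 4,615 devices per IP, so 7,500 devices need 2 public IPs
```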

Tools for evaluating network connectivity

You can use many different tools to evaluate client connectivity. To access these tools, sign in to the
previous Office 365 admin center, and from the navigation menu, choose Tools
(https://portal.office.com/tools). On the Tools page, you can access Office 365 health, readiness, and
connectivity checks; Microsoft Office 365 Best Practices Analyzer; the Microsoft Connectivity Analyzer Tool;
and the Microsoft Office 365 Client Performance Analyzer.

Note: At the time of this writing, the network connectivity tools were not available in the new
Office 365 admin center. The “Troubleshooting client connectivity” topic later in this lesson
provides an explanation of the Microsoft Connectivity Analyzer Tool.

Office 365 health, readiness, and connectivity checks

Office 365 health, readiness, and connectivity checks are tools that evaluate configuration requirements for
the Office 365 services, and perform readiness checks in the on-premises environment. If these tools detect
any potential issues, they will display applicable information so that administrators can address the issues
proactively.

We recommend that you use Office 365 health, readiness, and connectivity checks in the following
scenarios:

• When your organization is planning to deploy Office 365.

• When your organization has deployed Office 365, and plans to add new features.

Office 365 health, readiness, and connectivity checks perform tests in the following categories:

• Office setup. They evaluate the configuration of a user’s Outlook and Office deployment.

• Computer settings. They evaluate a computer to determine whether it has the latest updates, and what
Internet browsers and other configuration settings it utilizes.

• Domains. They evaluate the Office 365 domains and determine whether the DNS settings are correct.

• Users and Groups. If the organization uses Active Directory Domain Services (AD DS), they verify the
security objects for directory synchronization and/or single sign-on (SSO). Organizations can ignore
errors if they are not planning to integrate their directory with Office 365.

Office 365 health, readiness, and connectivity checks display the results in the following categories:

• Passed. This displays when an organization’s settings are correct for Office 365.

• Warning. This displays when an organization’s settings are not optimized for Office 365. You can fix the
settings, so that the results do not show warnings, or choose to ignore the warnings, and continue with
your deployment.

• Error. This displays when an organization’s settings have issues that will block the Office 365
deployment. You should fix the settings before you continue with the Office 365 deployment.

Office 365 Best Practices Analyzer

The Office 365 Best Practices Analyzer for Microsoft Exchange Server 2013 is an automated tool that you
can use in organizations where you have deployed Exchange Server 2013 in an on-premises environment
or in a hybrid configuration. The Office 365 Best Practices Analyzer evaluates the health and configuration
of the on-premises Exchange Server 2013 environment, and compares it with the predefined best-practices
settings that we recommend. It then displays the results, which you can save and view later. You might
choose to modify the current Exchange 2013 configuration and rerun the Office 365 Best Practices Analyzer
tool to verify that the change fixed the issues.

If you want to run Office 365 Best Practices Analyzer, you must download it from the previous Office 365
admin center. You need an Office 365 or Microsoft Azure Active Directory user ID to download the tool.

Office 365 Client Performance Analyzer

Office 365 Client Performance Analyzer is a tool that identifies network performance issues between an
organization’s client computers and Office 365. You should run the Office 365 Client Performance Analyzer
whenever users notify you about connectivity issues.

Office 365 Client Performance Analyzer performs the following networking tests:

• Performs network performance analysis between client computers and Office 365

• Analyzes DNS and Internet Service Provider (ISP) data

• Checks whether all ports that Office 365 requires are open

• Checks the client computer information, including operating system, browser, and hardware
configurations

• Performs route tracing and measures bandwidth

• Checks download times and ping statistics

What is Autodiscover?
The Autodiscover service in Office 365 simplifies
client configuration in Microsoft Office Outlook
2007, Outlook 2010, Outlook 2013, and Outlook
2016. Autodiscover provides configuration
information that Outlook requires to create a
configuration profile for the client. The
Autodiscover service provides profile settings to
Outlook 2007, Outlook 2010, Outlook 2013, and
Outlook 2016 clients and the supported mobile
devices based on the user’s email address and
password. Additionally, it provides configuration
information for Skype for Business clients when
they connect to Skype for Business Online in Office 365. If you want to connect Outlook and Skype for
Business clients to the Office 365 service, you must create appropriate DNS records that will point to the
Autodiscover service in Office 365.

Note: The “DNS records required for Autodiscover” topic later in this lesson provides a
detailed description about the DNS records that are necessary for locating the Autodiscover
services for Outlook and Skype for Business clients.

You can test whether Autodiscover is working correctly by pressing the Ctrl key, right-clicking the Outlook
icon in the notification area, and then clicking Test E-mail AutoConfiguration.

You can also use the Microsoft Remote Connectivity Analyzer, an official Microsoft testing tool, to test Autodiscover for ActiveSync and Outlook connectivity, both against an on-premises Exchange Server and against Office 365, and to test Office 365 service availability.

Note: The “Troubleshooting client connectivity” topic later in this lesson explains the
Microsoft Connectivity Analyzer Tool.

Additional Reading: You can find the Remote Connectivity Analyzer tool at the following
URL: http://aka.ms/ppl6h8.

How Outlook and Skype for Business use Autodiscover


An Outlook client connects to Office 365 in the following manner:

1. When Outlook 2007 or a newer version starts for the first time, you have to type your email address and password in the appropriate fields.

2. Based on the email address that you enter, the client looks for the Autodiscover host in DNS. For example, if you sign in as Holly@Adatum.com, the Outlook client will search for the autodiscover.adatum.com record. The client then redirects Outlook to the Autodiscover service in Office 365, where the client performs a request to download the configuration information.

3. The request that the client makes to Office 365 is actually an HTTP POST command to the Autodiscover service endpoint, which requests configuration information for the SMTP address that the client sends in the request.

4. Office 365 provides the Autodiscover information to the client.

5. Outlook downloads and applies the required configuration information from the Autodiscover service.

6. Outlook then uses the appropriate configuration settings to connect to Exchange Online in
Office 365.
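As an added example (not the course's own code), the following PowerShell function walks through steps 2 to 5 above for one mailbox: it resolves autodiscover.<domain>, sends the HTTP POST carrying the Outlook Autodiscover request XML, and parses the protocol settings that Outlook would apply. It assumes the published Outlook Autodiscover endpoint path (/autodiscover/autodiscover.xml) and request/response schema namespaces, and that the tenant accepts the supplied credential at that endpoint.

```powershell
# Added example, not part of the course material. Assumptions: the Autodiscover endpoint
# path and XML namespaces below are the published Outlook Autodiscover schema; the mailbox
# credential is supplied interactively and is sent only to the host the DNS record names.
function Get-AutodiscoverSettings {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $EmailAddress,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    # Step 2: derive the SMTP domain from the address and look up autodiscover.<domain>.
    $domain = ($EmailAddress -split '@')[1]
    $autodiscoverHost = "autodiscover.$domain"
    $cname = Resolve-DnsName -Name $autodiscoverHost -Type CNAME -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
    Write-Verbose ("{0} -> {1}" -f $autodiscoverHost, $cname.NameHost)

    # Step 3: the request is an HTTP POST of an XML body that names the SMTP address.
    $requestXml = @"
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$EmailAddress</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@
    $uri = "https://$autodiscoverHost/autodiscover/autodiscover.xml"
    $response = Invoke-WebRequest -Uri $uri -Method Post -ContentType 'text/xml' `
        -Body $requestXml -Credential $Credential -UseBasicParsing -ErrorAction Stop

    # Step 4: Office 365 answers with settings, or with a redirect to another address/URL.
    [xml] $doc = $response.Content
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('a', 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a')

    $action = $doc.SelectSingleNode('//a:Account/a:Action', $ns)
    if ($action -and $action.InnerText -ne 'settings') {
        $target = $doc.SelectSingleNode('//a:Account/a:RedirectAddr | //a:Account/a:RedirectUrl', $ns)
        Write-Warning ("Autodiscover returned action '{0}' -> {1}" -f $action.InnerText, $target.InnerText)
        return
    }

    # Step 5: these are the per-protocol settings Outlook applies to its profile.
    $doc.SelectNodes('//a:Account/a:Protocol', $ns) | ForEach-Object {
        [pscustomobject]@{
            Type        = $_.Type          # for example EXHTTP (MAPI over HTTP) or EXPR (Outlook Anywhere)
            Server      = $_.Server
            Url         = $_.Url           # present for the HTTP-based protocol entries
            AuthPackage = $_.AuthPackage
        }
    }
}

# Usage (the credential prompt is interactive; use a mailbox you administer):
# Get-AutodiscoverSettings -EmailAddress 'Holly@Adatum.com' -Credential (Get-Credential) -Verbose
```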

The Skype for Business clients connect to Office 365 in the following manner:

1. When a Skype for Business client starts for the first time, you have to type your email address and
password in the appropriate fields.
2. Based on the email address that you enter, the client looks for specific records in DNS. For example, if
you sign in as Holly@Adatum.com, the Skype for Business client will search for the sip.adatum.com
record. The client redirects Skype for Business to the Autodiscover service in Office 365, where the
client performs a request to download the configuration information.

3. Office 365 provides the Autodiscover information to the Skype for Business client.

4. The Skype for Business client downloads and applies the required configuration information from the
Autodiscover service.

5. The Skype for Business client then uses the appropriate configuration settings to connect to Skype for
Business Online in Office 365.

DNS records required for Autodiscover


In order for Outlook and Skype for Business clients to locate the Autodiscover services in Office 365, you should configure the appropriate DNS records on the publicly available DNS servers on the Internet. In organizations where the internal DNS namespace, such as Adatum.local, is different from the Internet DNS namespace, such as Adatum.com, the internal DNS servers forward internal client queries to Internet DNS servers. In organizations that use split-brain DNS, where internal and Internet DNS namespaces are the same, such as Adatum.com, you should configure both the internal and Internet DNS servers to resolve the Autodiscover records in Office 365.

The following table lists the Autodiscover records that Outlook clients need to connect to Exchange Online in Office 365.

DNS record: CNAME (Exchange Online)
Purpose: The Autodiscover service configures Outlook for users.
Value to use: Alias: Autodiscover; Target: autodiscover.outlook.com

DNS record: CNAME (Exchange federation)
Purpose: The Autodiscover service configures Outlook for users in Exchange federation scenarios. This record is optional, and it is needed when you deploy Exchange in a hybrid configuration with Office 365.
Value to use: Alias: for example, Autodiscover.service.adatum.com; Target: autodiscover.outlook.com

The following table lists the Autodiscover records that Skype for Business clients need to connect to Skype for Business Online in Office 365.

DNS record: CNAME (Skype for Business Online)
Purpose: Used by the Skype for Business clients to find the Skype for Business Online service in Office 365 and sign in.
Value to use: Alias: sip; Target: sipdir.online.lync.com

DNS record: CNAME (Skype for Business Online)
Purpose: Used by the Skype for Business mobile clients to find the Skype for Business Online service in Office 365 and sign in.
Value to use: Alias: Lyncdiscover; Target: webdir.online.lync.com
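An added example (not from the course) that checks the CNAME records in both tables from PowerShell, querying the internal DNS server and a public resolver separately so that a split-brain zone is verified on both sides; a wrong target would send Outlook and Skype for Business sign-ins to the wrong host, so this is worth running after every DNS change. The internal server address is a placeholder, and 8.8.8.8 stands in for any public resolver.

```powershell
# Added example, not part of the course material. Replace the internal DNS server
# placeholder with your own server; 8.8.8.8 is used only as a public resolver example.
function Test-O365AutodiscoverDns {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string[]] $Resolver = @('INTERNAL-DNS-SERVER-IP', '8.8.8.8')
    )

    # Expected alias -> target pairs from the Exchange Online and Skype for Business Online tables.
    $expected = @{
        'autodiscover' = 'autodiscover.outlook.com'
        'sip'          = 'sipdir.online.lync.com'
        'lyncdiscover' = 'webdir.online.lync.com'
    }

    foreach ($server in $Resolver) {
        foreach ($alias in $expected.Keys) {
            $name = "$alias.$Domain"
            try {
                $answer = Resolve-DnsName -Name $name -Type CNAME -Server $server -ErrorAction Stop |
                    Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
                # DNS names are case-insensitive and may carry a trailing dot; normalise before comparing.
                $actual = ("$($answer.NameHost)" -replace '\.$', '').ToLowerInvariant()
                $ok = ($actual -eq $expected[$alias])
            } catch {
                # NXDOMAIN, timeout, or an unreachable resolver all count as a failed check.
                $actual = $null
                $ok = $false
            }
            $status = if ($ok) { 'OK' } else { 'MISMATCH' }
            [pscustomobject]@{
                Resolver = $server
                Record   = $name
                Expected = $expected[$alias]
                Actual   = $actual
                Status   = $status
            }
        }
    }
}

# Usage: every row should read OK from both resolvers before clients are pointed at Office 365.
# Test-O365AutodiscoverDns -Domain 'adatum.com' | Format-Table -AutoSize
```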

Troubleshooting client connectivity


Microsoft provides tools that you can use to analyze connectivity issues in Office 365 deployments. Remote Connectivity Analyzer is an online tool that you can use to run tests directly from the http://testconnectivity.microsoft.com website. The Microsoft Connectivity Analyzer Tool is another tool that runs a similar set of tests, but it runs the tests locally from a client computer. In addition, you can use the Microsoft Office 365 Support and Recovery Assistant tool to fix issues related to Office 365 connectivity. This tool allows you to run the connectivity tests locally from a client computer.

The Remote Connectivity Analyzer website


The Remote Connectivity Analyzer website, also known as the Exchange Remote Connectivity Analyzer,
provides a set of tools for identifying common connectivity issues for Outlook, Exchange, Skype for
Business, and Office 365. Remote Connectivity Analyzer has several tests that you can access from the
various tabs that are present in the tool.

The Microsoft Connectivity Analyzer Tool


The Microsoft Connectivity Analyzer Tool is a downloadable client program that you can use to identify
connectivity issues between email clients and Exchange Server, and between email clients and Office 365.
You also can use this tool to troubleshoot Exchange Server and Office 365 deployments. Furthermore, email
users can use the Microsoft Connectivity Analyzer Tool to identify common problems.

The Microsoft Connectivity Analyzer Tool is a companion to the Remote Connectivity Analyzer website.
Remote Connectivity Analyzer enables you to identify connectivity issues by simulating connectivity from
the Internet, while the Microsoft Connectivity Analyzer Tool allows both you and end users to run similar
tests from a client computer within the corporate network.
To install the Microsoft Connectivity Analyzer Tool, go to the Remote Connectivity Analyzer website at
http://testconnectivity.microsoft.com, click the Client tab, and then click Install Now.

The Microsoft Connectivity Analyzer Tool and the Remote Connectivity Analyzer both provide a log that
shows the test steps that were successful, and those that were unsuccessful. Additionally, the Microsoft
Connectivity Analyzer Tool provides a Tell me more about this issue and how to resolve it link that
provides suggestions about how to help fix reported issues. You can save the log as MCATestResults.html.

Additional Reading: For more information on the specific error conditions that are
identified by the Microsoft Connectivity Analyzer Tool, and for help on resolving the issue, refer to
the Microsoft Connectivity Analyzer Tool: http://aka.ms/aphk3s.

The Office 365 Support and Recovery Assistant tool


Office 365 Support and Recovery Assistant is a tool that helps users to isolate Outlook connectivity issues with Exchange Online in Office 365. The tool runs multiple diagnostic tests, and then it either fixes the connectivity issues or provides information on how to troubleshoot the issues. Furthermore, the tool generates a log file that contains the test results, which users can submit to the support team for further investigation.

The Office 365 Support and Recovery Assistant tool performs diagnostic tests to identify and fix potential issues with Office setup, Outlook, Outlook for Mac, Mobile devices, and Outlook on the web.

Question: Which tools will you use for evaluating network connectivity for Office 365?

Question: What is Autodiscover?

Question: Which tools will you use to troubleshoot client connectivity with Office 365?

Lesson 3
Configuring connectivity for Office 365 clients
When an organization deploys different types of Office 365 clients, the organization’s administrators must
configure and support Office 365 clients. Some clients, such as Outlook and the Skype for Business client,
use the Autodiscover functionality to connect to Office 365 services automatically. Other clients, such as
Office Online, are web-based and only require users to connect to the Internet to access their
functionalities. Furthermore, you will need to configure and manage many users’ mobile devices so that
they can access Office 365 services.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe how to configure Outlook.

• Describe how to configure Skype for Business.

• Describe how to work with Office Online.

• Describe how to configure the OneDrive for Business client.

• Describe how to manage mobile devices.

Configuring Outlook
When Outlook users connect to Office 365, they need to provide their Office 365 email address and password when they start Outlook for the first time. The Autodiscover functionality in Office 365 automatically configures Outlook for use with Office 365. For Autodiscover to work properly, you must configure appropriate DNS records during the Office 365 tenant setup.

Connectivity protocols
Outlook can connect to Office 365 by using the Messaging Application Programming Interface (MAPI) over HTTP or Outlook Anywhere. Both protocols use MAPI commands to communicate with Exchange Online in Office 365, but Outlook Anywhere encapsulates remote procedure call (RPC) packets that contain the MAPI commands in HTTPS. MAPI over HTTP places the MAPI commands directly in HTTPS packets, which is more efficient. MAPI over HTTP is better designed for modern networks and connectivity over the Internet. MAPI over HTTP and Outlook Anywhere both use TCP port 443. If a client, such as Outlook 2010, does not support MAPI over HTTP, it always uses Outlook Anywhere.

Outlook connectivity for cloud-only and hybrid deployments


Outlook clients connect in different ways, depending on whether you have a cloud-only or hybrid Office
365 deployment. In a cloud-only deployment, Outlook clients on an internal network connect to Office 365
services by using Autodiscover DNS records on internal or Internet DNS servers. Internet-based Outlook
clients connect to Office 365 services by using Autodiscover DNS records on the Internet DNS servers.

However, in a hybrid deployment of Office 365, Outlook clients always need to connect to the Autodiscover
service that is running on the organization’s Exchange server. When a client is on an internal network,

Outlook locates the Exchange server by searching for the Autodiscover Service Connection Point located in
AD DS. After Outlook connects to the Exchange server, the Exchange server determines if the user’s mailbox
is in an on-premises environment or in Office 365. If the user’s mailbox is located in Office 365, the
Exchange server provides alternate SMTP domain information to Outlook. Outlook uses that alternate
SMTP domain to search for the Office 365 Autodiscover service’s record on the Internet, and then connects
to Exchange Online in Office 365. When a client is on the Internet, Outlook locates the Exchange server by
searching for the Autodiscover record that points to the Exchange client access services on the internal
network. After Outlook connects to the Exchange server, the Exchange server determines if the user’s
mailbox is in an on-premises environment or in Office 365. If the user’s mailbox is located in Office 365,
the Exchange server provides alternate SMTP domain information to Outlook, which uses it to search for
the Office 365 Autodiscover service’s record on the Internet, and then connects to Exchange Online in
Office 365.

Network configuration
Office 365 services contain multiple endpoints through which clients connect to services, such as Exchange
Online, Skype for Business Online, and SharePoint Online. Office 365 endpoints include fully qualified
domain names (FQDNs), ports, uniform resource locators (URLs), and IPv4 and IPv6 address ranges. Some
organizations restrict computers on their networks from accessing certain Internet resources. Therefore, it is
important that you know every endpoint that Office 365 uses, so that you can properly configure the
organization’s network devices, such as routers and firewalls. After you configure the network devices,
clients can connect successfully to Office 365 services.

Note: For more information on Office 365 endpoints, refer to Office 365 URLs and IP address
ranges: http://aka.ms/Cpq72y.

Configuring Skype for Business


The Skype for Business 2016 client is the default client for Skype for Business Online in Office 365. You can deploy the Skype for Business client through an IT-managed deployment, or you can allow end users to install it. The method that you choose depends on several factors, including your organization’s size and security requirements, the deployment methods that you have in place already, and the experience of your users.

Skype for Business clients use the Autodiscover service to connect to Skype for Business Online in Office 365. Users must enter their email addresses and passwords to connect to Office 365.

Users also can choose to configure a Skype for Business client manually. We do not recommend this
configuration method because it increases the probability that users will make a typing error. Furthermore,
non-IT users might find it difficult to configure the Skype for Business client, which might lead to increased
support calls to your organization’s IT department.

However, in some scenarios, users might have to configure the Skype for Business client manually. For
example, if the DNS configuration for the Autodiscover service is not configured properly, clients cannot
locate Autodiscover services in Office 365. In this case, users must configure the Skype for Business client
manually, and then test the Skype for Business Online functionality.

To configure the Skype for Business client, users must perform the following steps:

1. In the upper-right corner of the Skype for Business client, click Options.

2. On the menu, click Tools, and then click Options.

3. In the Skype for Business – Options window, in the navigation pane on the left, click Personal.

4. In the right pane of the window, under My Account, type their email address, and click Advanced.

5. In the Advanced Connection Settings dialog box, click Manual Configuration.

6. Insert the following information for both Internal Server Name and External Server Name:
sipdir.online.lync.com:443.

Note: The Online Meeting add-in for Skype for Business, which supports meeting
management from the Microsoft Outlook messaging and collaboration client, installs
automatically with Skype for Business.

Working with Office Online

Using Office Online


Office Online apps open when a user selects a document to view or edit from the OneDrive page in the Office 365 portal. Users also can open Office Online apps from on-premises editions of Office Web Apps, Exchange, and SharePoint. Office Online includes commonly used editing features. However, users can access advanced features by editing a document in an existing Office installation, such as Office 365 ProPlus.

Office Online apps vs. Office apps


There are many differences between Office Online apps and on-premises Office apps, including the
following application-level differences with respect to features:

• Word Online does not have advanced page layout tools or advanced printing capabilities.

• Users cannot preview or author Office Online documents without an Internet connection.

• Office Online documents do not have Office add-ins, and they cannot run Visual Basic for Applications (VBA) and forms scripts.

• Excel Online cannot create external data connections.

The default locations for saving documents are different in Office Online and on-premises Office, including
in:

• Word Online. Users must save documents manually, because there is no auto-save feature, and they can save them locally.

• Excel Online. Users must save the worksheets manually. They can use the download command to download a copy to the local computer.

• OneNote Online. If a OneNote notebook is saved to a Microsoft SharePoint document library, the OneNote notebook is available online. Users can share the notebook by sending a link in an email message, rather than sending it as an email attachment. Recipients can click the link to read notes in their web browser.

• PowerPoint Online. It saves all changes automatically, and there is no Save command that the users must utilize. To download a copy of a file, users must have the PowerPoint desktop app. If a presentation is saved in a SharePoint document library, the presentation is available online. Users can share the presentation by sending a link in an email message, rather than sending it as an email attachment. Recipients with proper permissions can view the presentation in their web browser or mobile device.

The differences in supported file types in Office Online and on-premises Office include:

• Binary and template files in Excel are not available in Excel Online.

• PowerPoint Online does not support add-ins for PowerPoint.

In SharePoint Online, you can configure the default behavior for opening documents, so that they open in
Office Online or in an Office client application.

Additional Reading: For more information on Office Online, refer to Office Online Service
Description: http://aka.ms/qla0s5.

Configuring the OneDrive for Business client


OneDrive for Business is a private library for the storage, organization, and sharing of users’ work documents. It is an integral component of a user’s Office 365 online environment, and you provide it to your organization’s users through a subscription to SharePoint Online in Office 365. If you get OneDrive for Business through your organization’s subscription to Office 365, then you get 1 terabyte (TB) of personal storage space by default. However, if you host your OneDrive for Business library on an on-premises SharePoint server, your SharePoint administrator allocates and controls your storage space.

The files that a user stores in OneDrive for Business are visible initially only to the user who stored them.
However, the user can share the files with everyone in the organization by simply placing them in the
Shared with Everyone folder. Alternatively, the user can share a file with specific coworkers by clicking the
SHARE option that appears when they click the ellipsis (…) menu for a file. After clicking the SHARE option,
the user can enter the names of coworkers to whom they want to send an invitation to share the file.

Note: OneDrive for Business is not the same as OneDrive, which is a cloud-based service that
is for personal storage, and which is provided with Microsoft and Outlook.com accounts. This can
be confusing because in the Office 365 portal, the OneDrive for Business feature actually displays
as OneDrive in the navigation bar.

Synchronize OneDrive for Business to a computer


Users can use the OneDrive for Business feature to synchronize their library’s files to their local computer, so
that they can work offline on files, and synchronize them to the OneDrive for Business library after they are
back online.

To synchronize OneDrive for Business with a local computer, users can perform the following steps:

1. In the Office 365 portal or in a SharePoint Online site page, click OneDrive in the navigation bar.

2. In the top-right menu, click SYNC.

3. Select Sync now.


4. If prompted to start an application, select Microsoft OneDrive for Business, and then click OK.

5. Sign in to their account, if required.

6. On the Ready to sync your OneDrive for Business documents? page, click Sync Now.

7. Choose Show my files.

The synchronized files will be located in a OneDrive for Business subfolder under their username, and they
now can work on the files locally. Any changes that they make will synchronize automatically with the
OneDrive for Business library when they go back online.

Additional Reading: For more information, refer to What is OneDrive for Business?:
http://aka.ms/p9wzus.

Managing mobile devices


Office 365 includes a built-in mobile device management (MDM) feature that provides you with tools to secure and manage your mobile devices, such as Windows Phone, Android, and Apple iOS devices. You can use MDM to create an inventory of all enrolled devices that connect to Office 365, and you also can manage device security policies, remotely wipe a device, and view detailed device reports.

To activate and set up MDM for Office 365, you must:

1. Activate MDM in the previous Office 365 admin center console.

2. Set up MDM for Office 365, by configuring domains for MDM and the Apple Push Notification Service certificate for iOS devices.

3. Create MDM device security policies.

4. Enroll users. After you deploy an MDM policy, each Office 365 user receives an enrollment message
when they sign in to Office 365 from their mobile device. They must complete the enrollment and
activation steps before they can access any Office 365 email and documents. Users who work on
Android or iOS devices have to install the Company Portal app as part of the enrollment process.

5. Manage mobile devices from the previous Office 365 admin center. Some common MDM tasks
include, viewing device properties, accessing reports, and wiping devices.

Question: Outlook uses which protocols to connect to Office 365?

Question: What steps should you perform to enable MDM in Office 365?

Lab: Configuring client connectivity to Office 365


Scenario
You configured the Office 365 tenant and the custom domain for A. Datum Corporation. You also created
user accounts for your pilot users. The next step you must perform is to ensure that clients can connect to
Office 365, and that their configuration is automatic, where possible. To enable these features, you must
configure the required DNS records for your custom domain, and use the Office 365 connectivity tools to
verify connectivity. You then must configure Office 2016 clients to connect to Office 365.

Objectives
After completing this lab, you will be able to:

• Configure DNS records for Office 365.

• Run Office 365 connectivity analyzer tools.

• Configure and verify client connectivity.

Lab Setup
Estimated Time: 60 minutes

Virtual machines: 20347A-LON-DC1, 20347A-LON-CL1, and 20347A-LON-CL2

User name: Adatum\Administrator, Adatum\Holly, LON-CL2\Francisco

Password: Pa$$w0rd

In all tasks:

• In references to Adatumyyxxxxx.onmicrosoft.com, replace Adatumyyxxxxx with your unique Office 365 name that is displayed in the online lab portal.

• In references to Adatumyyxxxxx.hostdomain.com, replace the Adatumyyxxxxx with your unique hostdomain.com name that is displayed in the online lab portal.

This lab requires the following virtual machines:

• LON-DC1

o Sign in as Adatum\Administrator with the password Pa$$w0rd

• LON-CL1

o Sign in as Adatum\Holly with the password Pa$$w0rd

• LON-CL2

o Sign in as LON-CL2\Francisco with the password Pa$$w0rd

Exercise 1: Configuring DNS records for Office 365 clients


Scenario
All users in the pilot group at A. Datum are going to use the custom domain name in their email address
and sign-in credentials. You want to ensure that these users can sign in and that clients are configured
automatically, so you must configure the DNS records that the custom domain requires.

The main tasks for this exercise are as follows:

1. Review the recommended DNS records in the Office 365 admin center.

2. Configure the DNS records for external clients.



► Task 1: Review the recommended DNS records in the Office 365 admin center
1. Switch to the LON-CL1 virtual machine.

2. On the desktop, open Microsoft Edge.

3. Connect to http://login.microsoftonline.com, and then sign in as holly@adatumyyxxxxx.onmicrosoft.com, replacing yyxxxxx with your unique Adatum number, and with the password Pa$$w0rd.

4. In the Office 365 admin center, in the Domains window, review the domain names assigned to the
Adatum tenant.

5. In the Domains window, under the Adatum domain on the right, review the recommended DNS
records.

6. On the DNS errors page, review the records that need to be configured for your domain.

7. Leave the Microsoft Edge window open.

► Task 2: Configure the DNS records for external clients

Configure DNS settings for Exchange Online


1. On LON-DC1, start Server Manager, and then open the DNS Manager.

2. In DNS Manager, expand Forward Lookup Zones, expand the adatumyyxxxxx.hostdomain.com zone, and then create the following records:

o Alias (CNAME) – autodiscover – autodiscover.outlook.com

o Mail Exchanger (MX) – adatumyyxxxxx-hostdomain-com.mail.protection.outlook.com.

Configure DNS settings for Skype for Business Online


1. On LON-DC1, in DNS Manager, expand the adatumyyxxxxx.hostdomain.com zone, and then create the following service (SRV) records:

a. On the Service Location (SRV) tab, enter the following information, and then click OK:
• Service: _sip
• Protocol: _tls
• Priority: 100
• Weight: 1
• Port number: 443
• Host offering this service: sipdir.online.lync.com
• Time to live: 1 hour (default)

b. On the Service Location (SRV) tab, enter the following information, and then click OK:
• Service: _sipfederationtls
• Protocol: _tcp
• Priority: 100
• Weight: 1
• Port number: 5061
• Host offering this service: sipfed.online.lync.com
• Time to live: 1 hour (default)

2. In DNS Manager, create the following Alias (CNAME) records:

a. On the Alias (CNAME) tab, enter the following information, and then click OK:
• Alias name: sip
• Fully qualified domain name: sip.adatumyyxxxxx.hostdomain.com
• Fully qualified domain name (FQDN) for target host: sipdir.online.lync.com
• Time to live: 1 hour (default)

b. On the Alias (CNAME) tab, enter the following information, and then click OK:
• Alias name: lyncdiscover
• Fully qualified domain name: lyncdiscover.adatumyyxxxxx.hostdomain.com
• Fully qualified domain name (FQDN) for target host: webdir.online.lync.com
• Time to live: 1 hour (default)
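The same records, created with the DnsServer PowerShell module instead of the DNS Manager console, as an added example that is not part of the lab. It assumes you run it on LON-DC1 as an administrator, that you replace the lab's placeholder zone name with your own, and it uses MX preference 0, which the lab steps do not specify.

```powershell
# Added example, not part of the lab. Run on LON-DC1 (or a host with the DNS Server RSAT
# tools) as an administrator. Replace the placeholder zone name with your unique name.
$zone = 'adatumyyxxxxx.hostdomain.com'
$ttl  = [TimeSpan]::FromHours(1)   # 1 hour, the default used in the lab steps

# Exchange Online: the Autodiscover CNAME and the MX record from Task 2, step 2.
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'autodiscover' `
    -HostNameAlias 'autodiscover.outlook.com' -TimeToLive $ttl
# Preference 0 is an assumption; the lab does not state one. '.' means the zone apex.
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -Preference 0 `
    -MailExchange 'adatumyyxxxxx-hostdomain-com.mail.protection.outlook.com' -TimeToLive $ttl

# Skype for Business Online: the two SRV records from step 1 ...
Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_sip._tls' `
    -DomainName 'sipdir.online.lync.com' -Priority 100 -Weight 1 -Port 443 -TimeToLive $ttl
Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_sipfederationtls._tcp' `
    -DomainName 'sipfed.online.lync.com' -Priority 100 -Weight 1 -Port 5061 -TimeToLive $ttl

# ... and the two CNAME records from step 2.
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'sip' `
    -HostNameAlias 'sipdir.online.lync.com' -TimeToLive $ttl
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'lyncdiscover' `
    -HostNameAlias 'webdir.online.lync.com' -TimeToLive $ttl

# Read the zone back so the result can be compared with what Check DNS (step 3) expects.
Get-DnsServerResourceRecord -ZoneName $zone |
    Where-Object { $_.RecordType -in 'CNAME', 'MX', 'SRV' } |
    Select-Object HostName, RecordType, TimeToLive, @{
        n = 'Target'
        e = {
            switch ($_.RecordType) {
                'CNAME' { $_.RecordData.HostNameAlias }
                'MX'    { $_.RecordData.MailExchange }
                'SRV'   { '{0}:{1}' -f $_.RecordData.DomainName, $_.RecordData.Port }
            }
        }
    } | Format-Table -AutoSize
```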
3. Switch back to LON-CL1, and then in the Office 365 admin console, click Check DNS.

4. You should now see that most records are not listed anymore (you should see msoid,
enterpriseregistration, enterpriseenrollment, and SPF records). Click to close the page.

5. In the top bar, click the Office 365 apps icon.

6. Click Mail, and configure your time zone.

7. On LON-CL2, verify that you are signed in as Francisco.

8. Open Microsoft Edge, and then connect to https://login.microsoftonline.com.

9. Sign in as Francisco@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

10. In the Office 365 portal, click Mail, and configure your time zone.

11. Create a new email to Holly Dickson.

12. When the name resolves, note her instant message (IM) status. It might take a couple of minutes for
her status to update.

13. Initiate an IM session with Holly Dickson.

14. On LON-CL1, click the IM dialog box.

15. Reply to the IM. Note that you now can send IMs between the two users.

16. Close both IM windows, and then close the Microsoft Edge windows on both virtual machines.

Results: After completing this exercise, you should have reviewed the recommended DNS records in the
Office 365 admin center, configured the DNS records for external clients, and configured the DNS records
for internal clients.

Exercise 2: Running the Office 365 connectivity analyzer tools


Scenario
Before you connect any clients to Office 365, you must ensure that the environment’s configuration is
correct. To do this, you will run the Office 365 connectivity analyzer tools.

The main tasks for this exercise are as follows:

1. Run the Microsoft Connectivity Analyzer tool.

2. Run the Office 365 Client Performance Analyzer.

► Task 1: Run the Microsoft Connectivity Analyzer tool


1. On LON-CL1, open Microsoft Edge.

2. In the address bar, enter https://testconnectivity.microsoft.com/.

3. On the Microsoft Remote Connectivity Analyzer page, on the Office 365 tab, perform an Office
365 Exchange Domain Name Server (DNS) Connectivity Test, and for Domain Name, type
adatumyyxxxxx.hostdomain.com.

4. Perform verification by entering the characters that you see in the Verification field.

Note: The verification code is not case-sensitive.

Note: If you receive a message about having performed too many tests in 60 seconds, wait
for a minute, and then repeat the test.

5. When you see Connectivity Test Successful, review the checks that were made against the Exchange
Online domain.

6. Click Start Over.


7. On the Office 365 tab, perform Office 365 Lync Domain Name Server (DNS) Connectivity Test,
and in the Sign-in address text box, type Francisco@adatumyyxxxxx.hostdomain.com.

Note: If you receive a message about having performed too many tests in 60 seconds, wait
for a minute, and then repeat the test.

8. When you see Connectivity Test Successful, review the checks that were made against the Skype for
Business Online domain.

9. Click Start Over.

10. Under Microsoft Office Outlook Connectivity Tests, perform the Outlook Connectivity test.

11. On the Outlook Connectivity page, in Email Address and Microsoft Account, enter
Francisco@adatumyyxxxxx.hostdomain.com.

12. In Password and Confirm password, enter Pa$$w0rd.

13. Select Use Autodiscover to detect server settings.

14. Check I understand that I must use the credentials of a working account from my Exchange
domain to be able to test connectivity to it remotely. I also acknowledge that I am responsible
for the management and security of this account.

15. When you see Connectivity Test Successful with Warnings, under Test Details, review the checks
that have been made against Outlook Anywhere. Note in particular the message that contains
information about the Autodiscover steps that fail.

16. Under Run Test Again at the top right, note that you can copy this test to the clipboard, or save it as
XML or HTML.

 Task 2: Run the Office 365 Client Performance Analyzer


1. In the Microsoft Connectivity Analyzer window, on the Client tab, in the Microsoft Office 365 Client
Performance Analyzer section, click Microsoft Office 365 Client Performance Analyzer.

2. In the Office 365 Client Performance Analyzer window, download and install Office 365 Client
Performance Analyzer.

3. Run Exchange Analyzer.

4. In the pop-up window, type Francisco@adatumyyxxxxx.hostdomain.com, clear the Allow OCPA to
run in the background collecting diagnostics every few hours for you check box, and then click
OK.

5. Wait until Office 365 Client Performance Analyzer generates the results.

6. Review the results, and then click Show Trace Route Details.

7. Review the details, and then close the window.

Results: After completing this exercise, you should have run the Microsoft Connectivity Analyzer tool, and
the Office 365 Client Performance Analyzer tool.

Exercise 3: Connecting Office 2016 clients


Scenario
The final step is to ensure that the Office 2016 clients can connect to Office 365.
The main tasks for this exercise are as follows:

1. Verify that Outlook 2016 can connect to Office 365.

2. Verify that Skype for Business can connect to Office 365.

 Task 1: Verify that Outlook 2016 can connect to Office 365


1. Switch to the LON-CL1 virtual machine.

2. Start Outlook 2016, and then sign in by using the following details:

o Your Name: Holly Dickson

o E-mail Address: Holly@adatumyyxxxxx.onmicrosoft.com

o Password: Pa$$w0rd

o Retype Password: Pa$$w0rd

3. Verify that you are connected to Exchange Online. Close the First things first dialog box.

4. On LON-CL2, repeat steps 1 through 3 by using the following information:

o Your Name: Francisco Chaves

o E-mail Address: Francisco@adatumyyxxxxx.hostdomain.com

o Password: Pa$$w0rd

o Retype Password: Pa$$w0rd



 Task 2: Verify that Skype for Business can connect to Office 365
1. Switch to the LON-CL1 virtual machine.

2. Start Skype for Business, and on the Skype for Business sign in page, type
Holly@adatumyyxxxxx.onmicrosoft.com, and then click Sign in.

3. Verify that you are connected to Skype for Business Online.

4. On LON-CL2, repeat steps 1 through 3 by using the following information:


o Sign-in address: Francisco@adatumyyxxxxx.hostdomain.com

o Password: Pa$$w0rd

5. Keep the virtual machines running for the next module.

Results: After completing this exercise, you should have verified that Outlook 2016 can connect to Office
365, verified that Skype for Business can connect to Office 365, and verified OneDrive for Business
connectivity to Office 365.

Question: Why do you need to edit the DNS configuration, and add the canonical name
(CNAME), service (SRV), and MX records?

Question: How can you verify that the Autodiscover service in Office 365 is properly
configured?

Module Review and Takeaways


Best Practices
Planning is the key to a successful Office 365 client deployment, and your planning process should include:

 Analyzing Office 365 clients and deciding which clients meet the organization’s business requirements.

 Performing a detailed review of all DNS record changes that are needed for Office 365 deployment
process. Without a proper DNS configuration, there might be issues when clients connect to Office 365
services.

 Planning network connectivity. When you migrate your infrastructure to Office 365, all of your
organization’s resources are hosted in the cloud. Therefore, you need a reliable Internet connection to
support client connections to Office 365.

 Planning changes that you need to configure in your organization’s network infrastructure, such as
firewalls and internal DNS servers that provide connectivity to Office 365.

 Preparing a thorough support plan for users to help them transition to Office 365 services.

Module 4
Planning and configuring directory synchronization
Contents:
Module Overview 4-1

Lesson 1: Planning and preparing for directory synchronization 4-2

Lesson 2: Implementing directory synchronization by using Azure AD Connect 4-15

Lesson 3: Managing Office 365 identities with directory synchronization 4-28

Lab: Configuring directory synchronization 4-39

Module Review and Takeaways 4-46

Module Overview
In this module, you will learn how to plan, prepare, and implement directory synchronization as a
methodology for user and group management in a Microsoft Office 365 deployment. This module covers
the preparation of an on-premises environment, the installation and configuration of directory
synchronization, and how to manage Office 365 identities after you enable directory synchronization.

Objectives
After completing this module, you will be able to:

 Plan and prepare for directory synchronization.

 Implement directory synchronization by using Microsoft Azure Active Directory Connect (AD Connect).

 Manage Office 365 identities with directory synchronization.



Lesson 1
Planning and preparing for directory synchronization
In this lesson, students will learn about directory synchronization with Microsoft Azure Active Directory
Connect (Azure AD Connect). Included in this lesson is a review of the installation requirements, planning
for nonroutable domain names and multiple forests, cleaning up existing objects in Active Directory
Domain Services (AD DS), and enabling directory synchronization.

Lesson Objectives
After completing this lesson, you will be able to:

 Describe Office 365 authentication options.

 Describe directory synchronization.

 Plan for directory synchronization.

 Describe prerequisites for directory synchronization.


 Prepare for directory synchronization.

 Configure a tenant for directory synchronization.

Office 365 authentication options


With an effective account access management solution, your organization can track who has access to
what information across the organization. Access control is a critical function of a centralized,
single-point provisioning system. Besides protecting sensitive information, access controls expose
existing accounts that have unapproved authorizations or are no longer necessary.

Accounts in most information technology (IT) systems include hundreds of parameters that define
authorities, and the provisioning system can control these details in your environment. New users can be
readily identified with the data feed that you establish from the human resources directory. The access
request approval capability initiates the processes that approve, or reject, resource provisioning for
them. The following table compares the options for user account management and provisioning across the
three topologies.

Life cycle Design Options

Management Phase: Account Management and Provisioning

On-Premises:

 With AD DS, you can create a scalable, secure, and manageable infrastructure for user and resource
management, and provide support for directory-enabled applications such as Microsoft Exchange Server.

 Provisioning groups in AD DS through Microsoft Identity Manager (MIM).

 Provisioning users in AD DS.

 Administrators can use access control to manage user access to shared resources for security
purposes. In Active Directory, access control is administered at the object level by setting different
levels of access, or permissions, to objects, such as Full Control, Write, Read, or No Access. Access
control in Active Directory defines how different users can use Active Directory objects. By default,
permissions on objects in Active Directory are set to the most secure setting.

Cloud:

 You have to create an account for every user who will access a Microsoft cloud service. You can also
change user accounts or delete them when you no longer need them. By default, users do not have
administrator permissions, but you can optionally assign them.

 Within Microsoft Azure Active Directory (Azure AD), one of the major features is the ability to manage
access to resources. These resources can be part of the directory, as in the case of permissions to
manage objects through roles in the directory, or resources that are external to the directory, such as
software as a service (SaaS) applications, Azure services, and Microsoft SharePoint sites or on-premises
resources. At the center of the Azure AD access management solution is the security group. The resource
owner (or the administrator of the directory) can assign a group to provide certain access rights to the
resources they own. The members of the group will be provided access, and the resource owner can
delegate the rights to manage the group’s members list to someone else, such as a department manager
or a help-desk administrator.

Hybrid:

 Extend Active Directory identities into the cloud through synchronization and Federation Service.

Azure AD
Azure AD is an online instance of AD DS. Azure AD provides authentication and authorization for Office 365
and for other Microsoft cloud offerings, including Azure and Microsoft Intune. Authentication through
Azure AD can be on a cloud-only basis, through directory synchronization from on-premises AD DS, with
optional password synchronization, or you can enable user authentication with on-premises user accounts
through Active Directory Federation Services (AD FS) or other single sign-on (SSO) providers.

Authentication options in Office 365 fall into one of three main categories:

 Cloud-only. Cloud-only identities are exactly as the name suggests; the user identity only exists in the
cloud, so all password management and policy control is done through Windows Azure AD. Each user
will have two entirely separate identities.

 Directory synchronization with optional password synchronization. With directory synchronization, you
set up a directory synchronization server or appliance that provides either one-way or two-way
synchronization of users, groups, and attributes from on-premises AD DS to Azure AD. In the case of
Exchange hybrid environments, there is also synchronization of certain attributes from online to on-
premises. However, it is important to remember that even with password synchronization, there are still
two sets of security credentials; directory synchronization and password sync simply keep them
aligned. Users still authenticate to Azure AD to access Microsoft Exchange Online and other online
services.

 SSO with AD FS. The SSO option hands over authentication control to your directory service. Therefore,
users no longer authenticate against Azure AD but against AD FS. Consequently, when a user types
user@adatum.com into the Office 365 sign-in page, the user receives a message telling them that they
have been redirected to their organization’s sign-in page. They now enter their on-premises identity
and authenticate to the Office 365 online services by using a delegated token that verifies to Office 365
that the user has been successfully authenticated by their on-premises directory service.

Note: The SSO authentication option is covered in more detail in later modules of this
course.

In the pilot phase of a deployment, you implement cloud-only identities as this option does not have any
on-premises infrastructure requirements. In this phase, you plan for directory synchronization with
password synchronization.

Users with synchronized passwords can sign in to Microsoft cloud services, such as Office 365, Microsoft
Dynamics CRM, and Intune, by using the same password that they use when signing in to their on-premises
network. The user's password is synchronized to Azure AD as a password hash, and authentication occurs in
the cloud. See password synchronization for more information.

With federation through AD FS, users can sign in to Microsoft cloud services, such as Office 365,
Microsoft Dynamics CRM, and Intune, by using the same password that they use when signing in to their
on-premises network. The users are redirected to their on-premises AD FS infrastructure for authentication.

Overview of directory synchronization


Directory synchronization is the synchronization of directory objects (users, groups, contacts, and
computers) between your on-premises AD DS environment and the Office 365 directory infrastructure,
Azure AD.

Although directory synchronization is most commonly used to synchronize data to Office 365 by default,
new features allow two-way synchronization from the Office 365 directory to your on-premises AD DS. In
addition to directory objects, directory synchronization can provide two-way synchronization of user
passwords as well. Directory synchronization tools, such as Azure AD Connect, perform this
synchronization and are installed on a dedicated computer in your on-premises environment.

Integrating your on-premises directories with Azure AD makes your users more productive by providing a
common identity for accessing both cloud and on-premises resources. With this integration, users and
organizations can take advantage of the following:

 Organizations can provide users with a common hybrid identity across on-premises or cloud-based
services, including consistent group membership, by leveraging AD DS and then connecting to
Azure AD.

 Administrators can use policies set through AD DS to provide conditional access based on application
resource, device and user identity, network location and multi-factor authentication without having to
perform additional tasks in the cloud.

 Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS
apps and non-Microsoft applications.

 Support staff will experience fewer support calls because if users have fewer passwords to remember,
they are less likely to forget them.

 Security teams will have confidence in knowing that user identities and information are protected
because all of the servers and services used in SSO are mastered and controlled on-premises.

 Security teams will have greater confidence when they have the option to use strong authentication,
also called two-factor authentication, with the cloud service.

 Developers can build applications that leverage the common identity model, integrating applications
into on-premises AD DS or Azure for cloud-based applications.

To take advantage of the integration between your on-premises directories and Azure AD, you must deploy
a directory synchronization tool. The directory synchronization tool provides the following features and
functionality:

 SSO

 Two-way synchronization of user passwords

 Skype for Business 2015 hybrid environment


 Microsoft SharePoint Server 2013 hybrid environment

 Microsoft Exchange Server 2016 hybrid environment, including:

o A shared Global Address List (GAL) between your on-premises Exchange Server environment and
Exchange Online.

o Synchronized GAL information from different mail systems.

o The ability to add users to and remove users from Office 365 service offerings. This requires the
following:
 Two-way synchronization from your on-premises AD DS environment to the Office 365
directory infrastructure
 An on-premises Exchange Server hybrid deployment
o The ability to move some or all mailboxes to Office 365 from an on-premises Exchange Server, or
vice versa.

o Synchronization of safe senders and blocked senders lists that are enabled on-premises to Exchange Online.

o The ability to send email with basic delegation and send-on-behalf-of.

 Two-way synchronization of photos, thumbnails, conference room mailboxes, and security and
distribution groups

 Filtering and scoping to individual organizational units

When you synchronize user accounts with the directory synchronization tool for the first time, they are
marked as nonactivated. These users cannot use any of the Office 365 services, such as sending or
receiving email or accessing Skype for Business Online or Microsoft SharePoint Online, and they are not
assigned Office 365 subscription licenses. To assign Office 365 subscriptions to specific users, you must
activate the user accounts by assigning a valid Office 365 license.

Planning directory synchronization


When planning for directory synchronization, the following issues must be considered:

 Identify on-premises AD DS preparation tasks. For example, AD DS attribute updates or schema
extensions, and whether an AD DS upgrade is required to meet minimum version requirements for forest
functional level.

 Determine the required accounts and permissions to use during deployment, configuration, and
operation of the directory synchronization tool.

 Identify the network port requirements.

 Identify any requirements for auditing once you enable synchronization.

 Identify any domain controller placement issues that might affect synchronization performance and
reliability.

 Plan for multiple AD DS forest or domain scenarios.

 Perform capacity planning, such as preparation for large scale deployments requiring Microsoft SQL
Server databases, and Azure AD quota limits.

 Plan for two-way directory synchronization.

 Plan for nonroutable domain names, such as .LOCAL, by using additional user principal name (UPN)
suffixes.

 Plan for Active Directory filtering to narrow the scope of which AD DS objects to synchronize to
Office 365.

Best practices for deploying directory synchronization include:

 Have a proper project plan.

 If AD DS filtering is used, configure it before synchronizing objects to Office 365.

 Work with a cloud services partner.

 Perform thorough capacity planning.

 Remediate AD DS before deploying directory synchronization.


 Add all Simple Mail Transfer Protocol (SMTP) domains as verified domains before synchronizing;
domains cannot be removed until all synchronized objects are no longer using the domain as a proxy
address or UPN.

Multi-forest deployment considerations


While the directory synchronization tool can synchronize with multiple on-premises AD DS forests, the
deployment will be more complex. If your organization has multiple forests for authentication (logon
forests), and would prefer a simpler deployment option, you might need to plan for the following activities:

 Evaluate consolidating your forests. In general, more support is required to maintain multiple AD DS
forests. Unless you have security constraints that dictate the need for separate forests, consider
simplifying your on-premises AD DS environment prior to deploying the directory synchronization
tool.

 Deploy directory synchronization to support your primary AD DS forest only. Consider planning to
deploy Office 365 only for your primary AD DS forest during the initial rollout of Office 365.

Two-way directory synchronization


By default, the directory synchronization tool writes directory information from your on-premises AD DS to
your Office 365 environment. When you configure two-way synchronization in the tool, you enable
writeback functionality where the directory synchronization tool copies a limited number of AD DS object
attributes from Office 365 and writes them to your on-premises AD DS. This writeback functionality is
commonly used in an Exchange Server 2016 hybrid environment.

Two-way directory synchronization is required if your organization plans to take advantage of advanced
Office 365 features and functionality, such as Exchange Online archiving, safe and blocked senders, and
Exchange voice mail. In two-way directory synchronization, the directory synchronization tool will
write back the following required AD DS object attributes from Office 365 to your on-premises AD DS.

 SafeSendersHash

 BlockedSendersHash

 SafeRecipientsHash

 msExchArchiveStatus

 ProxyAddresses as X500 email addresses

 msExchUCVoiceMailSettings

 msExchUserHoldPolicies

Additional Reading: For more information, refer to the Azure Hybrid Identity Design
Considerations Guide: http://aka.ms/ibuqek.

Prerequisites for directory synchronization


After you complete a plan for directory synchronization, you will need to review the prerequisites.
These tasks will enable you to prepare the environment for directory synchronization, and include:

 Capacity planning for your directory synchronization database server.

 Identifying the hardware requirements for your directory synchronization computer.

 Identifying whether your environment exceeds the Azure AD object quota.

 Reviewing the network ports required by directory synchronization.

 Determining whether any schema extensions to AD DS are required.

Capacity planning
Directory synchronization is a critical tool for integration with your cloud service offerings; therefore, you
need to plan accordingly to properly implement directory synchronization. In most organizations, user
objects from AD DS make up the bulk of the directory synchronization payload and influence both
synchronization times and the sizing of your infrastructure.
The directory synchronization tool has a significant database dependency, so you will need to plan for
database capacity requirements. If your AD DS forest has fewer than 50,000 objects, then the default
Windows Internal Database (WID) should be sufficient. However, if your environment has more than 50,000
objects, then you might require a full version of SQL Server. Most directory synchronization tools scale to
forests of 600,000 or more objects.

Hardware requirements
Deployments with more than 50,000 objects in AD DS require a significant increase in memory
requirements (from 4 gigabytes [GB] random access memory [RAM] to 16 GB); therefore, it is important to
implement adequate hardware resources when transitioning from the pilot to production phase.

Number of objects in AD DS   Central processing unit (CPU)   Memory   Hard disk size

Fewer than 10,000 1.6 gigahertz (GHz) 4 GB 70 GB

10,000–50,000 1.6 GHz 4 GB 70 GB

50,000–100,000 1.6 GHz 16 GB 100 GB

100,000–300,000 1.6 GHz 32 GB 300 GB

300,000–600,000 1.6 GHz 32 GB 4500 GB

More than 600,000 1.6 GHz 32 GB 5000 GB



Azure AD object quota


By default, Azure AD will allow 50,000 objects (users, mail-enabled contacts, and groups). The object quota
automatically increases to 300,000 after the first domain is verified. If the object quota is exceeded during
directory synchronization, the tenant administrator will receive the following email message:

The Directory Synchronization batch run was completed on <date/time> for tenant <name>.

The following errors occurred during synchronization:

Synchronization has been stopped. The company has exceeded the number of objects that can be
synchronized. Contact Technical Support and ask for an increase in your company’s quota.

If you have a requirement to synchronize more than 300K objects, you will need to contact Microsoft
Technical Support to request a limit increase to the object quota. If you have a requirement to synchronize
more than 500K objects, you will need a license such as Office 365, Azure AD Basic, Azure AD Premium, or
Enterprise Mobility Suite. During the planning phase, it is important to plan appropriately for any quota
increase requests; otherwise, this could become a deployment blocker if left to the last minute.

Additional Reading: For more information, refer to You receive a "This company has
exceeded the number of objects that can be synchronized" error in a directory synchronization
report: http://aka.ms/r4x1q4.

Network ports
The network traffic for directory synchronization between the directory synchronization tool and Azure AD
is protected by Secure Sockets Layer (SSL). Most of the traffic is outbound, initiated by the directory
synchronization computer, and uses port 443. The writeback of passwords uses an Azure Service Bus relay
as an underlying communication channel, meaning that you do not have to open any new ports on your
firewall for this feature to work.

Network traffic between the directory synchronization computer and on-premises AD DS uses standard
Active Directory-related ports; for uninterrupted directory synchronization, the directory synchronization
computer must be able to contact all domain controllers in the forest.

Schema extensions
If your environment runs AD DS but not an Exchange Server, and you plan to enable the Exchange Server
2016 hybrid deployment feature, then you need to install the Exchange Server 2016, or Exchange Server
2013, schema extensions prior to installing directory synchronization.

Additional Reading: For more information, refer to Prepare Active Directory and domains:
http://aka.ms/xwdxic.

Additional Reading: For more information, refer to Prepare for directory synchronization:
http://aka.ms/esbu4f.

Preparing for directory synchronization


Before you deploy directory synchronization to synchronize your on-premises AD DS to Azure AD, you will
need to do some preparation in your environment.

 If you will be using SSO in your environment, then you should deploy it before directory
synchronization. Why?

 You will need to prepare your on-premises AD DS environment, which includes resolving issues with
object attributes.

 You will identify and configure the appropriate UPN suffixes in your on-premises AD DS environment.

 You will use the Office 365 readiness checks to run automatic checks against your on-premises AD DS
environment and to assess its readiness to deploy Office 365.

 You will use Office 365 IdFix to resolve any issues identified by the Office 365 readiness checks.

Consider activating directory synchronization to be a long-term commitment. After you have activated
directory synchronization, you can only edit synchronized objects by using your on-premises AD DS
management tools.

AD DS preparation
When preparing for deployment of directory synchronization, your project plan should include AD DS
preparation, and the requirements and functionality of Azure AD. To prepare AD DS:

 Identify the source of authority

 Satisfy domain controller requirements

 Clean up AD DS

 Set up auditing

Source of authority
For directory synchronization, source of authority refers to the location where Active Directory service
objects, such as users and groups, are mastered (an original source that defines copies of an object) in a
cross-premises deployment. You can change the source of authority for an object by using one of these
scenarios—activate, deactivate, or reactivate directory synchronization from within Office 365 or with
Windows PowerShell. Source of authority transfers from Office 365 to your customer’s on-premises
directory service after you perform the first sync.

Additional Reading: For more information, refer to Directory synchronization and source of
authority: http://aka.ms/fvexdc.

Domain controller requirements


The on-premises AD DS forest must meet specific requirements for the schema master, global catalog
servers, and domain controllers. It is important to carefully read the latest requirements and ensure that
your on-premises AD DS servers meet those requirements.

Additional Reading: For more information, refer to Prepare for directory synchronization:
http://aka.ms/e1d0ft.

Active Directory cleanup


To help ensure a seamless transition to Office 365 by using directory synchronization, you should prepare
your AD DS forest before you begin your Office 365 directory synchronization deployment.

Your directory remediation efforts should focus on the following tasks:


 Remove duplicate proxyAddresses and userPrincipalName attributes.

 Update blank and invalid userPrincipalName attributes with valid userPrincipalName attributes.

 Remove invalid and questionable characters in the givenName, surname (sn), sAMAccountName,
displayName, mail, proxyAddresses, mailNickname, and userPrincipalName attributes.
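As an added example that is not part of the course text, the following Windows PowerShell script reports these remediation issues for enabled on-premises user objects before the first synchronization; it assumes the ActiveDirectory (RSAT) module, and its invalid-character set and .local suffix check are illustrative assumptions, with IdFix remaining the authoritative check.

```powershell
# Added example (not from the course): audit enabled AD DS user objects for the remediation
# issues listed above before the first synchronization. Assumes the ActiveDirectory module
# (RSAT) on a domain-joined computer; the script only reads from AD DS.
Import-Module ActiveDirectory

# Address-style attributes that must not contain these characters. The character set is an
# illustrative assumption; IdFix applies the authoritative per-attribute rules.
$addressAttributes = 'SamAccountName', 'mail', 'mailNickname'
$invalidChars      = '[\s\\/:;,"<>\[\]&%*+=?{}|()]'

# Shape a routable UPN must have: local part, one @, and a DNS suffix containing a dot.
$upnPattern = '^[A-Za-z0-9._\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$'

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties proxyAddresses, mail, mailNickname

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Dn, [string]$Attribute, [string]$Issue, [string]$Value)
    $findings.Add([pscustomobject]@{
        Object = $Dn; Attribute = $Attribute; Issue = $Issue; Value = $Value
    })
}

foreach ($u in $users) {
    $dn  = $u.DistinguishedName
    $upn = $u.UserPrincipalName

    # Blank, malformed, or nonroutable userPrincipalName (a nonroutable suffix such as .local
    # maps to the default .onmicrosoft.com domain in Office 365, which is rarely intended)
    if ([string]::IsNullOrWhiteSpace($upn)) {
        Add-Finding $dn 'userPrincipalName' 'Blank' ''
    } elseif ($upn -notmatch $upnPattern) {
        Add-Finding $dn 'userPrincipalName' 'Invalid format' $upn
    } elseif ($upn -match '\.local$') {
        Add-Finding $dn 'userPrincipalName' 'Nonroutable suffix' $upn
    }

    # Questionable characters in the address-style attributes
    foreach ($attr in $addressAttributes) {
        $value = $u.$attr
        if ($value -and ($value -match $invalidChars)) {
            Add-Finding $dn $attr 'Invalid character' $value
        }
    }

    # Questionable characters in SMTP proxy addresses; the type prefix is stripped first, and
    # X500 entries (which legitimately contain slashes) are not checked here
    foreach ($p in $u.proxyAddresses) {
        if ($p -match '^smtp:(.+)$' -and $Matches[1] -match $invalidChars) {
            Add-Finding $dn 'proxyAddresses' 'Invalid character' $p
        }
    }
}

# Duplicate SMTP proxy addresses across users; addresses are compared case-insensitively
$users | ForEach-Object {
    $owner = $_.DistinguishedName
    foreach ($p in $_.proxyAddresses) {
        if ($p -match '^smtp:(.+)$') {
            [pscustomobject]@{ Object = $owner; Address = $Matches[1].ToLowerInvariant() }
        }
    }
} | Group-Object Address | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    foreach ($e in $_.Group) { Add-Finding $e.Object 'proxyAddresses' 'Duplicate' $_.Name }
}

# Duplicate userPrincipalName values
$users | Where-Object { $_.UserPrincipalName } |
    Group-Object { $_.UserPrincipalName.ToLowerInvariant() } |
    Where-Object { $_.Count -gt 1 } | ForEach-Object {
        foreach ($e in $_.Group) {
            Add-Finding $e.DistinguishedName 'userPrincipalName' 'Duplicate' $_.Name
        }
    }

# One line per object and attribute that needs remediation before you synchronize
$findings | Sort-Object Object, Attribute | Format-Table -AutoSize
'{0} issue(s) found across {1} enabled user(s).' -f $findings.Count, @($users).Count
```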

AD DS auditing
You might want to use AD DS auditing to capture and evaluate the events that are associated with directory
synchronization, such as user creation, password reset, adding users to groups, and so on. When you
implement directory synchronization, auditing captures directory service events in the logs of the AD DS
domain controllers. Note that security logging might be disabled by default, so you will need to enable it
for events to appear in the logs.

UPN suffixes
Before deploying directory synchronization, it is important to verify that on-premises user objects in AD DS
have a nonnull value for the UPN suffix, and that the value is correct for both the AD DS domain and Office
365. The UPN suffix is the part of a UPN to the right of the @ character. If a verified public routable domain
is used in Office 365, then this domain should be the UPN suffix, so that the users' principal names are of
the form user@verified domain. If the on-premises UPN suffix does not contain a public routable DNS
domain (such as contoso.local), the default routing domain (for example, contoso.onmicrosoft.com) is used
for the UPN suffix in Office 365.

If the UPN suffix must be changed, it is important to check for any applications that might be dependent on
a specific UPN. If you are planning SSO, you need to know your AD DS UPN to register the domain for SSO
(for federated or nonfederated IDs).

After you deploy directory synchronization, modifying the user’s UPN suffix is not supported. If you need to
modify the UPN after you deploy directory synchronization, you will need to manually update the UPN in
Office 365; therefore, it is important that you plan the UPN suffix correctly from the start. To add a UPN
suffix to the on-premises AD DS:

1. Sign in to one of the organization’s Active Directory domain controllers, and then open Active
Directory Domains and Trusts.

2. In the console tree, right-click Active Directory Domains and Trusts, and then click Properties.

3. Select the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add.

4. Repeat step 3 to add additional alternative UPN suffixes.

If directory synchronization has already been deployed, the user’s UPN for Office 365 might not match the
user’s on-premises UPN defined in AD DS; this can occur if the user was assigned an Office 365 subscription
license before the domain was verified. To resolve this issue, Windows PowerShell can be used to update
users’ UPNs in Office 365 to ensure that their Office 365 UPN matches their corporate user name and
domain in your on-premises AD DS.
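As an added example that is not from the course, the following Windows PowerShell script compares each synchronized Office 365 user's UPN with the UPN of its on-premises AD DS source object and updates the mismatches; it assumes the MSOnline and ActiveDirectory modules and an account with tenant administrator rights, and the -ReportOnly switch is this script's own addition.

```powershell
# Added example (not from the course): align each synchronized Office 365 user's UPN with the
# UPN of its on-premises AD DS source object. Assumes the MSOnline module (Connect-MsolService,
# Get-MsolDomain, Get-MsolUser, Set-MsolUserPrincipalName) and the ActiveDirectory module.
param([switch]$ReportOnly)   # this script's own switch: list mismatches without changing them

Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService   # prompts for the tenant administrator credentials

# Only a domain that is verified in the tenant can be used as a UPN suffix in Office 365.
$verifiedDomains = @(Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } |
    ForEach-Object { $_.Name })

# ImmutableId is present only on synchronized users; it is the Base64-encoded objectGUID of
# the on-premises user, which is how the two identities are matched here.
$syncedUsers = Get-MsolUser -All | Where-Object { $_.ImmutableId }

$results = foreach ($cloudUser in $syncedUsers) {
    $guid = [guid]::new([Convert]::FromBase64String($cloudUser.ImmutableId))
    try {
        $onPremUser = Get-ADUser -Identity $guid -ErrorAction Stop
    } catch {
        continue   # source object is not reachable from this forest
    }

    $cloudUpn  = $cloudUser.UserPrincipalName
    $onPremUpn = $onPremUser.UserPrincipalName
    if ($cloudUpn -ieq $onPremUpn) { continue }   # already aligned

    $suffix = $onPremUpn.Split('@')[-1]
    $action = if ($verifiedDomains -notcontains $suffix) {
        'Skipped: suffix is not a verified domain in the tenant'
    } elseif ($ReportOnly) {
        'Would update'
    } else {
        # Renames the Office 365 sign-in name; the on-premises UPN remains the source of authority.
        $null = Set-MsolUserPrincipalName -UserPrincipalName $cloudUpn -NewUserPrincipalName $onPremUpn
        'Updated'
    }

    [pscustomobject]@{ CloudUpn = $cloudUpn; OnPremUpn = $onPremUpn; Action = $action }
}

$results | Format-Table -AutoSize
```

Run it with -ReportOnly first so that the list of planned changes can be reviewed against the UPN plan before any Office 365 sign-in names are modified.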

Office 365 readiness checks


The Office 365 readiness checks, formerly known as the Office 365 OnRamp tool, are used to run automatic
checks against a current on-premises environment and to assess its readiness to deploy Office 365. These
checks are read-only, and do not make permanent changes to the on-premises environment. After the
checks have completed, the Office 365 readiness checks list the configuration steps that you will need to
complete a deployment.

Depending on the type of Office 365 deployment required, the Office 365 readiness checks will validate:

 Credentials. Determines whether there are valid credentials available in the local environment,
including necessary administrator rights in Exchange Server 2013 or later if migrating to Exchange
Online. It will also determine whether there are valid tenant administrator credentials for any existing
trial account with Office 365.

 Network. Determines whether there is network connectivity to Office 365, and checks for availability of
required ports.

 Domains. Determines the on-premises domain suffixes, and identifies whether any domains are already
verified with Office 365. Appropriate DNS records are also checked.

 Users and groups. Determines whether the on-premises AD DS is ready for directory synchronization
and SSO. User and group objects are also checked to ensure that they meet the requirements for
successful synchronization with Office 365.

 Email. Evaluates messaging integration with the on-premises environment, and the readiness for email
migration if required.

 Sites. Determines whether the on-premises AD environment is able to support the deployment of
Microsoft SharePoint Online.

 Skype for Business. Identifies any current integration with Skype for Business Server 2016 or Lync
Server.

 User software. Determines whether domain-joined computers meet the service and identity
requirements for the required Office 365 deployment.

Note: At a minimum, an Office 365 trial tenant is required to complete all the readiness
checks.

You can access the Office 365 readiness checks from the previous Office 365 admin center. The computer
used to run the readiness checks must meet the following system requirements:

 Windows Server 2008 R2, Windows 7 (64-bit) or later

 Internet Explorer 9.0 or later

 Windows PowerShell v2.0 or later

 WinRM 2.0 or later

Additional Reading: For more information, refer to Readiness Checks: http://aka.ms/b3lsxp.


Office 365 IdFix tool


While the Office 365 readiness checks provide valuable information about your environment, they will not
resolve any issues identified by the tool. On the other hand, the Office 365 IdFix tool provides you the
ability to identify and remediate the majority of object synchronization errors in your AD DS forests in
preparation for deployment to Office 365. This remediation will then allow you to more successfully
synchronize users, contacts, and groups from your on-premises AD DS into the Office 365 environment.

The Office 365 IdFix tool queries all the AD DS domains in the currently authenticated forest and displays
object attribute values that would be reported as errors by the directory synchronization tool. The Office
365 IdFix tool displays these object attribute values in a data grid. This data grid supports the ability to
scroll, sort, and edit the objects in a resulting table to produce compliant values. Depending on the method
of use, the Office 365 IdFix tool provides:

 Confirmation of each change is enforced. Only the objects you have selected to update will be
changed.

 Transaction rollback. You can undo confirmed updates to object attributes applied to the forest.

 Well-known exclusions. Not all AD DS objects should be made available for editing as some could cause
harm to the source environment, for example, critical system objects. These objects are excluded from
the Office 365 IdFix data grid.

 Save to File. Data is exported into CSV or LDF format for offline editing or investigation.

 Import of CSV. Data is imported from a CSV file. Because this function relies upon the
distinguishedName attribute to determine the value to update, the recommended method to use this
feature is to export from a query, such as the Save to File. Keep the other columns as they were and do
not introduce escape characters into the values.

 Verbose logging. Because the Office 365 IdFix tool makes changes in your environment, verbose
logging is enabled by default.

 Support for multi-tenant and dedicated Office 365 tenants. Depending on your environment, the
Office 365 IdFix tool supports validation of multiple or dedicated Office 365 tenants.

The computer used to run the Office 365 IdFix tool must meet the following system requirements:

 Windows Server 2008 R2, Windows 7 (64-bit) or later

 The Microsoft .NET Framework 4.0 or later

Additional Reading: For more information, refer to IdFix DirSync Error Remediation Tool:
http://aka.ms/sr02nb.

Configuring a tenant for directory synchronization


Before you use directory synchronization to initiate synchronization, you must first enable Active Directory
synchronization in Office 365. This process can take up to 24 hours to complete, so it is important to plan
for this requirement ahead of the directory synchronization deployment. You can enable Active Directory
synchronization in the Office 365 tenant through the Office 365 admin center, or by using Windows
PowerShell.

To enable Active Directory synchronization by using the previous Office 365 admin center, complete these
steps:

1. In the left navigation pane, click Users, and then click Active Users.

2. In the right navigation pane, under Active Directory synchronization, click Set up.

3. Under Activate Active Directory synchronization, click Activate.
4. At the prompt, click Activate.

Note: At the time of this writing, the option to activate directory synchronization is not
available in the new Office 365 admin center.

To enable Active Directory synchronization by using the Microsoft Azure Active Directory Module for
Windows PowerShell, type the following command, and press Enter:

Set-MsolDirSyncEnabled -EnableDirSync $true -Force


Lesson 2
Implementing directory synchronization by using Azure AD Connect
In this lesson, students will learn how to deploy Azure AD Connect. Included in this lesson is a review of the
Azure AD Connect installation requirements, the options for installing and configuring the tool, and
students will review the monitoring of Azure AD Connect.

Lesson Objectives
After completing this lesson, you will be able to:

 Describe Azure AD Connect.

 Describe Azure AD Connect requirements.

 Describe Azure AD Connect express synchronization.

 Describe Azure AD Connect customized synchronization.

 Upgrade to Azure AD Connect.

 Describe Azure AD Connect monitoring features.

Overview of Azure AD Connect


The Azure AD Connect tool, formerly known as Windows Azure Active Directory Synchronization or DirSync,
is the latest directory synchronization tool supported by Office 365. Azure AD Connect is designed to
operate as a software-based set-and-forget “appliance.” For Office 365, the purpose of the tool is to allow
coexistence between your on-premises Active Directory environment and Office 365 in the cloud. When
using Azure AD Connect for directory synchronization:

 New user, group, and contact objects in on-premises AD DS are added to Office 365; however, Office
365 licenses are not automatically assigned to these objects.

 Attributes of existing user, group, or contact objects that are modified in on-premises AD DS are
modified in Office 365; however, not all on-premises AD DS attributes are synchronized to Office 365.

 Existing user, group, and contact objects that are deleted from on-premises AD DS are deleted from
Office 365.

 Existing user objects that are disabled on-premises are disabled in Office 365; however, licenses are not
automatically unassigned.

In a cloud-only Office 365 deployment, all Azure AD objects are originally created (mastered) in the cloud,
and must be edited using cloud-based tools (either using the Office 365 admin center, or by using
Windows PowerShell cmdlets). In this scenario, Azure AD is referred to as the source of authority for all
Active Directory objects.

Azure AD requires a single source of authority for every object. It is therefore important to understand that
when you have deployed Azure AD Connect for Active Directory synchronization, you master objects from
within your on-premises AD DS, using tools such as Active Directory Users and Computers or Windows
PowerShell, and the source of authority is the on-premises AD DS. After the first synchronization cycle has
completed, the source of authority is transferred from the cloud to the on-premises AD DS. All subsequent
changes to cloud objects (except for licensing) are mastered from the on-premises AD DS tools. The
corresponding cloud objects are read-only, and Office 365 administrators cannot edit cloud objects if the
source of authority is on-premises.

Email address matching is used to identify the on-premises AD DS user object that relates to an Office 365
user.

 If a user exists in your on-premises AD DS and no matching user yet exists in Office 365, Azure AD
Connect will create a new Office 365 user with the same email address as the on-premises account.

 If a user already exists in both your on-premises AD DS and in Office 365, and these objects have the
same email address, then during the first synchronization these objects will become joined, or linked.

More information on attributes and matching is provided later in this module.

By synchronizing user, contact, and group objects, Azure AD Connect provides a unified GAL experience
between an on-premises AD DS or Exchange environment, and Office 365. Using the filtering features in
Azure AD Connect, objects hidden from the GAL on-premises are also hidden from the GAL in Office 365.
We will cover filtering and scoping later in this module.

Azure AD Connect supports the following simple scenarios:
 Where Office 365 replaces on-premises Exchange Server.

 Where there are both on-premises and Exchange Online mailboxes in a hybrid deployment scenario.

In hybrid scenarios, Azure AD Connect allows mail routing between on-premises and Office 365 with a
shared domain namespace. This scenario allows on-premises/cloud coexistence for Exchange Server 2013
or later, Skype for Business Server 2015, and Lync Server 2013.

Note: Azure AD Connect is not designed to be used as a single-use bulk upload tool for
Office 365, and does not automatically assign licenses to the Office 365 accounts.

Some Office 365 deployment models set up AD FS and SSO before Azure AD Connect, and then use the
tool to ensure that Office 365 accounts are present for all on-premises users after federation has been
enabled. However, this course follows the Office 365 FastTrack methodology, where Azure AD Connect is
used as an enabler for SSO through AD FS.

Azure AD Connect requirements


Azure AD Connect is the successor of DirSync, Azure AD Sync, and Microsoft Forefront Identity Manager
with the Azure AD connector preconfigured for synchronizing user, group, contact, and computer objects
from your on-premises AD DS to Office 365. This out-of-the-box configuration is why Azure AD Connect is
referred to as a software appliance (set and forget).

Azure AD requirements
Before deploying Azure AD Connect in your environment, there are a few requirements for Azure AD:

 An Azure subscription or an Azure trial subscription. This is only required for accessing the Azure portal
and not for using Azure AD Connect. If you are using Windows PowerShell or Office 365 you do not
need an Azure subscription to use Azure AD Connect. If you have an Office 365 license you can also use
the Office 365 portal. With a paid Office 365 license you can also get into the Azure portal from the
Office 365 portal.

 Add and verify the domain you plan to use in Azure AD. For example, if you plan to use Adatum.com
for your users, then you will need to ensure the domain name has been verified in Office 365 and that
you are using more than the default domain, adatum.onmicrosoft.com.

 An Azure AD directory will by default allow 50K objects. As discussed earlier in the module, when you
verify your domain the limit increases to 300K objects. If you need even more objects in Azure AD you
need to open a support case to have the limit increased even further. If you need more than 500K
objects, you will need a license such as Office 365, Azure AD Basic, Azure AD Premium, or Enterprise
Mobility Suite.

Domain and forest requirements


Azure AD Connect requires that the AD schema version and forest functional level must be Windows Server
2003 or newer. Azure AD Connect supports a single AD DS forest with express settings, and supports
multiple AD DS forest scenarios and multiple Exchange organizations with customized settings.

Note: Using Azure AD Connect for Forefront Identity Manager 2010 R2, using Azure AD
Connect with a non-Microsoft directory service, and installing Azure AD Connect on a non-
Windows computer are all out of scope for this course.

To integrate with Azure AD Connect, Active Directory domain controllers must run one of the following
operating systems:

 Windows Server 2003 Standard Edition or Enterprise Edition with Service Pack 1 (SP1) or later.

 If you plan to use the password writeback feature, the AD domain controllers must be on Windows
Server 2008 or later.

When you install Azure AD Connect with express settings, the directory synchronization computer must be
a member of a domain, and for single forest scenarios, this computer must be joined to a domain within the
same forest that will be synchronized. On the other hand, with customized settings, you can install Azure
AD Connect on a computer that is not joined to a domain. Azure AD Connect also supports installation on
domain controllers. However, for production scenarios, we recommend using a member server for Azure
AD Connect.

During installation of Azure AD Connect, you will be required to select an AD DS attribute for the source
anchor. This attribute, also called sourceAnchor, should be an attribute that is immutable during the
lifetime of a user object, because it is the link between on-premises AD DS and Azure AD. In most scenarios,
this might be the objectGUID. This attribute will not change unless the user account is moved between
forests or domains. However, in a multi-forest scenario where you move user accounts between forests,
another attribute must be used, such as an attribute holding the employeeID.

Note: Attributes to avoid are those that would change if a person marries or changes
assignments. Other attributes that cannot be used include attributes containing an @ sign; therefore,
email and userPrincipalName cannot be used.
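The following script is an added example, not part of the course, that checks a candidate sourceAnchor attribute against the mechanical constraints described above (populated on every user, unique, and free of the @ sign) and shows the base64 form in which an objectGUID anchor is stored as ImmutableId in Azure AD. Whether the attribute is actually immutable for your organization remains a design judgment the script cannot make; the function names and the optional SearchBase are ours.

```powershell
Import-Module ActiveDirectory

function Test-SourceAnchorCandidate {
    # Returns one object per problem found; an empty result means the attribute is
    # populated, unique and free of '@' across the users in scope.
    param(
        [Parameter(Mandatory = $true)][string]$Attribute,   # e.g. objectGUID or employeeID
        [string]$SearchBase                                 # optional: limit the check to one OU
    )
    $query = @{ Filter = '*'; Properties = $Attribute }
    if ($SearchBase) { $query['SearchBase'] = $SearchBase }

    $seen     = @{}
    $problems = @()
    foreach ($user in (Get-ADUser @query)) {
        $value = $user.$Attribute
        if ($null -eq $value -or [string]$value -eq '') {
            $problems += [pscustomobject]@{ User = $user.DistinguishedName; Issue = 'empty' }
            continue
        }
        $text = [string]$value
        if ($text.Contains('@')) {
            # Attributes holding an @ sign (mail, userPrincipalName) are rejected as anchors
            $problems += [pscustomobject]@{ User = $user.DistinguishedName; Issue = "contains '@'" }
        }
        if ($seen.ContainsKey($text)) {
            # Two users sharing one anchor value would collide on the same Azure AD object
            $problems += [pscustomobject]@{ User = $user.DistinguishedName; Issue = "duplicate of $($seen[$text])" }
        } else {
            $seen[$text] = $user.DistinguishedName
        }
    }
    return $problems
}

function ConvertTo-ImmutableId {
    # Azure AD stores an objectGUID source anchor as the base64 of the GUID's byte array
    param([Parameter(Mandatory = $true)][guid]$ObjectGuid)
    return [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# Compare the default choice with an employeeID-based anchor for a multi-forest design
Test-SourceAnchorCandidate -Attribute objectGUID | Format-Table -AutoSize
Test-SourceAnchorCandidate -Attribute employeeID | Format-Table -AutoSize

# Show what one user's anchor will look like on the Azure AD side
$sample = Get-ADUser -Filter * -ResultSetSize 1
ConvertTo-ImmutableId -ObjectGuid $sample.ObjectGUID
```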

Operating system and supporting software requirements


Azure AD Connect requires the following Windows Server versions (64-bit edition only):

 Windows Server 2008 or later.

 Windows Server 2012 or later.
 If you plan to use the password synchronization feature, the server must be on Windows Server 2008
R2 SP1 or later.

In addition, Azure AD Connect requires the following software prerequisites:
 Microsoft .NET Framework 4.5.1 or later.

 Windows PowerShell 3.0 or later.

 Windows Azure AD Module for Windows PowerShell (64-bit version).

Additional Reading: For more information, refer to Office 365 URLs and IP address ranges:
http://aka.ms/A4c1kq.

Permissions and accounts


Installing and configuring Azure AD Connect requires the following accounts:

 An Azure AD Global Administrator account for the Azure AD directory with which you want to
integrate.

 An Enterprise Administrator account for your on-premises AD if you use express settings or upgrade
from the Microsoft Azure Active Directory Sync Tool (DirSync).

Azure AD Connect uses the Azure AD Global Administrator account to provision and update objects in the
Office 365 tenant when you initiate directory synchronization. If you create a dedicated service account in
Office 365 for directory synchronization in place of the Office 365 tenant administrator account, it is
important to disable the default 90-day password expiration; otherwise, the synchronization service will
stop working when the password expires for the Office 365 tenant administrator account. In this scenario,
you will need to reconfigure Azure AD Connect to update the password.

To disable password expiration for the service account in Office 365 by using the Azure Active Directory
Module for Windows PowerShell, type the following command, and then press Enter:

Set-MsolUser -UserPrincipalName <service account>@<domain>.onmicrosoft.com -PasswordNeverExpires $true

The account used to install and configure Azure AD Connect must have the following permissions:

 Enterprise Administrator permission in your on-premises AD DS. This is required to create the directory
synchronization service account in AD DS.

 Local administrator permission on the Azure AD Connect computer. This is required to install the Azure
AD Connect tool.

The account used to configure Azure AD Connect and run the configuration wizard must reside in the local
group ADSyncAdmins on the Azure AD Connect computer; by default, the account used to install Azure
AD Connect (the Enterprise Administrator account) is automatically added to this group during installation.

The Enterprise Administrator account is only required when installing and configuring Azure AD Connect,
and the Enterprise Administrator credential is not stored or saved by the configuration wizard.

The Enterprise Administrator account is required to:

 Create the MSOL_<id> domain service account in the CN=Users container of the root domain.

 Delegate the following permissions to MSOL_<id> on each domain partition in the forest:

o Replicating Directory Changes

o Replicating Directory Changes all

o Replication Synchronization

Note: Because of the security risk it would pose with the service account it uses, Azure AD Connect
does not support using a group Managed Service Account to connect to your on-premises AD DS
environments. By default, Azure AD Connect creates service accounts with minimal privileges but
with nonexpiring passwords on the computer that runs Azure AD Connect, and in both the on-
premises AD DS and the Azure AD tenant.
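The three replication permissions delegated to MSOL_<id> allow a principal to read any directory data through replication, so a defender will want to confirm periodically that no unexpected trustee holds them. The following audit script is an added example, not part of the course: it lists every principal allowed those extended rights on the current domain partition and flags any that are not in an expected set. The extended-right GUIDs are the published Active Directory values; the expected-trustee list is an assumption to adjust for your forest, and the function name is ours.

```powershell
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl

# Extended-right GUIDs for the three replication permissions delegated to MSOL_<id>
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
}
# An ACE whose ObjectType is the all-zero GUID grants every extended right, replication included
$AllExtendedRights = '00000000-0000-0000-0000-000000000000'

function Get-ReplicationRightHolder {
    # Lists every trustee allowed to replicate from a domain partition and flags those
    # outside the expected set (domain controllers, built-in admins, the MSOL_<id> account).
    param(
        [string]$DomainDN = (Get-ADDomain).DistinguishedName,
        # Assumption: adjust this list to the principals your organization expects to see
        [string[]]$ExpectedTrustee = @('*\MSOL_*', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                       '*\Domain Controllers', '*\Enterprise Domain Controllers',
                                       '*\Enterprise Read-only Domain Controllers',
                                       '*\Domain Admins', '*\Enterprise Admins')
    )
    $extendedRightBit = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # GenericAll also carries the ExtendedRight bit, so full-control ACEs are caught too
        if (([int]$ace.ActiveDirectoryRights -band $extendedRightBit) -eq 0) { continue }
        $type = $ace.ObjectType.ToString()
        if ($type -eq $AllExtendedRights) { $right = 'All extended rights (includes replication)' }
        elseif ($ReplicationRights.ContainsKey($type)) { $right = $ReplicationRights[$type] }
        else { continue }
        $trustee  = $ace.IdentityReference.Value
        $expected = $false
        foreach ($pattern in $ExpectedTrustee) {
            if ($trustee -like $pattern) { $expected = $true; break }
        }
        [pscustomobject]@{
            Trustee   = $trustee
            Right     = $right
            Inherited = $ace.IsInherited
            Expected  = $expected
        }
    }
}

# The delegation is per domain partition, so run this in each domain of the forest.
# Rows with Expected = False are the ones to investigate.
Get-ReplicationRightHolder | Sort-Object Expected, Trustee | Format-Table -AutoSize
```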

During an Azure AD Connect configuration, you can enable the Exchange hybrid deployment feature.
Previously known as rich coexistence, this feature allows for the coexistence of Exchange mailboxes both
on-premises and in Azure by synchronizing a specific set of attributes from Azure AD back into your on-
premises AD DS. During deployment, the Enterprise Administrator account will create an MSOL_Active
Directory_Sync_RichCoexistence group in the CN=Users container of the root domain automatically. In
addition, the Enterprise Administrator account will delegate write permissions for the particular AD DS
attributes that are written back from Azure AD to your on-premises AD DS. These attributes are covered
earlier in this module.

The following accounts are created in your on-premises AD DS during Azure AD Connect configuration:

 MSOL_<id>. This account is created during installation of Azure AD Connect, and is configured to
synchronize to Azure AD. The account has directory replication permissions in your on-premises AD DS
and write permission on certain attributes to enable the Exchange Hybrid Deployment.

 AAD_<id>. This is the service account for the synchronization engine, and is created with a randomly
generated complex password automatically configured to never expire. When the directory
synchronization service runs, it uses the service account credentials to read from your on-premises
AD DS and then to write the contents of the synchronization database to Azure AD by using the Office
365 tenant administrator credentials specified during configuration of Azure AD Connect.

Note: Do not change this service account after installing Azure AD Connect, as directory
synchronization will attempt to use the service account created during setup. If the account is
changed, directory synchronization will stop running and scheduled directory synchronizations will
no longer occur.

Database requirements
Azure AD Connect requires a SQL Server database to store identity data. By default, a SQL Server 2012
Express LocalDB (a light version of SQL Server Express) is installed and the service account for the service is
created on the local machine. SQL Server Express has a 10 GB database limit, which allows you to manage
approximately 100,000 objects. In large deployments, you might need to manage a higher volume of
objects. In this scenario, you should configure Azure AD Connect to use a full version of SQL Server. Azure
AD Connect supports all versions of SQL Server, from SQL Server 2008 (with SP4 or later) to SQL Server 2014.

When deploying to a different version of SQL Server, SQL Server rights are required to create the database
used by Azure AD Connect, and to enable the SQL service account with the role of db_owner. You can
achieve this by ensuring that the account used to install Azure AD Connect has sysadmin permission to the
SQL database, and that the service account used to run Azure AD Connect has public permission to the
database used by Azure AD Connect.

Azure AD Connect express synchronization


During installation of Azure AD Connect, you can choose the Express Settings, which is the default option
and is one of the most common scenarios. When doing this, Azure AD Connect deploys synchronization
with the password synchronization option. This is for a single forest only and allows your users to use their
on-premises password to sign in to Office 365.

Using the Express Settings is the recommended and default option. The scenarios for when to choose
Express Settings include:

 If you have a single AD DS forest.

 Users sign in with the same password using password synchronization.

During installation of Azure AD Connect with Express Settings, the installer will:

 Install the synchronization engine.

 Configure Azure AD Connect.

 Configure the on-premises AD DS connector.

 Enable password synchronization.
 Configure synchronization services.

 Configure sync services for Exchange hybrid deployment (optional).

 Enable automatic upgrade of Azure AD Connect.

Using the Express Settings will automatically start synchronization once the installation is complete (though
you can choose not to do this).

Azure AD Connect customized synchronization


An alternative option to the Express Settings is installing Azure AD Connect with customized settings. This
option is beneficial if you have additional configuration options or need optional features that are not
covered in the express installation. The scenarios for when to select Customized Settings include:

 When you have multiple forests. Supports many on-premises topologies.

 When you customize your sign-in option, such as AD FS for federation or use a non-Microsoft identity
provider.

 When you customize synchronization features, such as filtering and writeback.

In addition to the required components that are installed as part of Express Settings, you might select the
following optional components during installation:

 Specify a custom installation location. This optional component allows you to specify a different
location to install Azure AD Connect.

 Use an existing server running SQL Server. This optional component allows you to select an existing
database server.

 Use an existing service account. This optional component allows you to specify an existing service
account. By default, Azure AD Connect will create a local service account for the synchronization
services to use. The password is generated automatically and unknown to the person installing Azure
AD Connect. If you specify a remote server running SQL Server, then you will need a service account to
which you know the password.

 Specify custom sync groups. This optional component allows you to specify existing management
groups for Azure AD Connect. By default, Azure AD Connect will create four groups on the server when
the synchronization services install. These groups include: Administrators group, Operators group,
Browse group, and the Password Reset group. Use this option if you prefer to specify your own groups.
The groups must be on the server and cannot be located in the domain.

During installation of Azure AD Connect with Customized Settings, the installer will allow you to enable the
following features:

 Select the Single Sign-On Method. This feature allows you to specify the SSO method for users. The
SSO methods include password synchronization, federation with AD FS, or do not configure.

 Connect multiple on-premises directories or forests. This feature allows you to connect to one or more
AD DS domains or forests.

 Matching across forests. This feature allows you to define how Azure AD represents users from your
AD DS forests. A user might either be represented only once across all forests or have a combination of
enabled and disabled accounts.

 Sync filtering based on organizational units. This feature allows you to run a small pilot where only a
small subset of objects should be created in Azure AD and Office 365. To use this feature, create an
organizational unit in your AD DS and add the users and groups which should synchronize with Azure
AD to the OU. You can later add and remove users to this group to maintain the list of objects which
should be present in Azure AD.

 Select the Source Anchor. This feature allows you to choose the primary key that will link the on-
premises user with the user in Azure AD.

 Select the login attribute. This feature allows you to choose the attribute users will use when they log in
to Azure AD and Office 365. Typically, this should be the userPrincipalName attribute. But if this
attribute is nonroutable and cannot be verified, then it is possible to select another attribute, for
example email, as the attribute holding the login ID, known as Alternate ID.

Additional Reading: For more information, refer to Configuring Alternate Login ID:
http://aka.ms/nqh5gc.

 Exchange hybrid deployment. This optional feature enables the coexistence of Exchange mailboxes
both on-premises and in Office 365 by synchronizing a specific set of attributes from Azure AD back to
your on-premises AD DS.

 Azure AD app and attribute filtering. This optional feature enables you to tailor the set of synchronized
attributes to a specific set, based on Azure AD apps.

 Password hash synchronization. You can enable this optional feature if you selected federation as the
SSO solution. You can then use password synchronization as a backup option.

 Password writeback. With this optional feature, password changes that originate in Azure AD are
written back to your on-premises AD DS. You typically deploy this feature when you want to enable
users for self-service password reset of their Azure AD passwords.

 Group writeback. With this optional feature, if you use the Groups in Office 365 feature, then you can
have these groups in your on-premises AD DS as a distribution group. This option is only available if
you have deployed Exchange Server on-premises.

 Device writeback. With this optional feature, device objects in Azure AD are written back to your on-
premises AD DS for conditional access scenarios.

 Directory extension attribute sync. Not available in previous directory synchronization versions, this
optional feature enables you to extend the schema in Azure AD with custom attributes added by your
organization or other attributes in your on-premises AD DS.

After selecting the optional features, the Azure AD Connect installer will provide you the option to deploy a
new Windows Server 2012 R2 AD FS farm or to select an existing Windows Server 2012 R2 AD FS farm. In
addition, the Azure AD Connect installer will provide you the option to set up the federation relationship
between AD FS and Azure AD. It configures AD FS to issue security tokens to Azure AD and configures
Azure AD to trust the tokens from this specific AD FS instance.

Note: The Azure AD Connect installer will only allow you to configure the trust for a single
domain during the first time. You can configure additional domains at any time by opening up
Azure AD Connect again and performing this task.

During the final stages of the Azure AD Connect installer, you will have the option to automatically start
synchronization once the installation is complete (though you can choose not to do this). You will also have
the option to enable staging mode. This process allows you to set up a new directory synchronization server
in parallel with an existing server.

While Office 365 only supports one directory synchronization server connected to one Azure AD directory
in the cloud, if you want to move from another server, for example one running DirSync, then you can
enable Azure AD Connect in staging mode. When enabled, the sync engine will import and synchronize
data as normal, but it will not export anything to Azure AD and will turn off password sync and password
writeback.

While in staging mode, it is possible to make required changes to the sync engine and review what is about
to be exported. When the configuration looks good, run the installation wizard again and disable staging
mode. This will enable data to export to Azure AD.

Note: Ensure you disable the other directory synchronization server at the same time so only
one server is actively exporting to Azure AD.
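As an added check that is not part of the course text, the following script queries each synchronization server and reports which one is outside staging mode with its sync cycle enabled, so that you can confirm only one server is exporting before and after the cutover. It assumes every listed server runs a version of Azure AD Connect that provides the ADSync module's Get-ADSyncScheduler cmdlet, that PowerShell remoting to them is enabled, and that the server names are constructed placeholders; the function names are ours.

```powershell
# Constructed list of servers that currently have Azure AD Connect installed
$SyncServers = @('SYNC-OLD.adatum.com', 'SYNC-NEW.adatum.com')

function Get-SyncServerState {
    # Reads the scheduler state from each server; StagingModeEnabled = $true means the
    # server imports and synchronizes but does not export to Azure AD.
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Import-Module ADSync
        $s = Get-ADSyncScheduler
        [pscustomobject]@{
            Server           = $env:COMPUTERNAME
            StagingMode      = $s.StagingModeEnabled
            SyncCycleEnabled = $s.SyncCycleEnabled
            NextCycleUtc     = $s.NextSyncCycleStartTimeInUTC
        }
    } | Select-Object Server, StagingMode, SyncCycleEnabled, NextCycleUtc
}

function Test-SingleActiveExporter {
    # Exactly one server should be both out of staging mode and scheduling sync cycles
    param([Parameter(Mandatory = $true)][object[]]$State)
    $active = @($State | Where-Object { -not $_.StagingMode -and $_.SyncCycleEnabled })
    [pscustomobject]@{
        ActiveServers = ($active.Server -join ', ')
        Ok            = ($active.Count -eq 1)
    }
}

$state = Get-SyncServerState -ComputerName $SyncServers
$state | Format-Table -AutoSize
Test-SingleActiveExporter -State $state
```

A result with Ok = False and two active servers means both are exporting; zero active servers means nothing is updating Azure AD, which is the other failure to catch when the old server is disabled before the new one leaves staging mode.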

Upgrading to Azure AD Connect


If you previously deployed DirSync, then you might choose to upgrade to Azure AD Connect to take
advantage of the newer features in Azure AD Connect. Depending on your current DirSync deployment
scenario, there are different options for the upgrade to Azure AD Connect:

 In-place upgrade. If the expected upgrade time is less than 3 hours, then the recommended option is
to do an in-place upgrade.

 Parallel deployment. If the expected upgrade time is more than 3 hours, then the recommended option
is to do a parallel deployment on another server. If you have more than 50,000 objects in AD DS,
estimate that it will take more than 3 hours to do the upgrade. In this scenario, the preferred upgrade
option is a parallel deployment.

Note: When you plan to upgrade from DirSync to Azure AD Connect, do not uninstall
DirSync yourself before the upgrade. Azure AD Connect will read and migrate the configuration
from DirSync and uninstall after inspecting the directory synchronization server.

In-place upgrade
The wizard displays the expected time to complete the upgrade. This estimate is based on the assumption it
will take 3 hours to complete an upgrade for a database with 50,000 objects (users, contacts, and groups).
Azure AD Connect will analyze your current DirSync settings and recommend an in-place upgrade if the
number of objects in your database is less than 50,000. If you decide to continue, your current settings will
apply automatically during the upgrade and your server will automatically resume active synchronization.

During inspection of the DirSync server, Azure AD Connect will assess the customizations of the directory
synchronization server. While Azure AD Connect supports most of the configuration changes for an
upgrade, there are a few scenarios that might prevent an in-place upgrade.

The following configuration changes are supported with DirSync and will be upgraded:

 Domain and organizational unit (OU) filtering

 Alternate ID (UPN)

 Password synchronization and Exchange hybrid settings

 Your forest or domain and Azure AD settings

 Filtering based on user attributes

The following are unsupported DirSync changes and will prevent an in-place upgrade:

 Removed attributes

 Using a custom extension dynamic-link library (DLL)

In the unsupported scenarios, the recommendation is to install a new Azure AD Connect server in staging
mode and verify the old DirSync and new Azure AD Connect configuration. Reapply any changes using a
custom configuration, as described earlier in the module.

Note: The passwords used by DirSync for the service accounts cannot be retrieved and will
not be migrated. These passwords are reset during the upgrade.

The high-level steps for upgrading from DirSync to Azure AD Connect include:

 Analysis of the current DirSync configuration

 Collect the Azure AD global admin password

 Collect credentials for an enterprise admin account (only used during the installation of Azure AD Connect)

 Installation of Azure AD Connect

o Uninstall DirSync

o Install Azure AD Connect

o Optionally begin synchronization

Additional steps are required when:

 You are currently using Full SQL Server, local or remote

 You have more than 50,000 objects in scope for synchronization

Parallel deployment
If you prefer to deploy Azure AD Connect in a parallel deployment you can use one of two options,
depending on your current environment:

 Parallel deployment with more than 50,000 objects. During the upgrade from DirSync to Azure AD
Connect, the wizard will provide you the option to Export Settings if it determines there are more than
50,000 objects. This option will export the current configuration settings of the DirSync server. When
you install Azure AD Connect on a separate server, these settings will be imported to migrate any
settings from your current DirSync to your new Azure AD Connect installation.
 Parallel deployment with less than 50,000 objects. If you have less than 50,000 objects but still prefer to
deploy Azure AD Connect in a parallel deployment, then you can override the in-place upgrade
recommendation. This option is common if you want to take the opportunity to refresh the hardware
and OS. In this scenario, you will need to do the following:

a. Run the Azure AD Connect installer on the DirSync server.

b. When you see the Welcome to Azure AD Connect screen, exit the installation wizard by clicking
the "X" in the upper-right corner of the window.

c. Open a command prompt.

d. From the installation location of Azure AD Connect (default is C:\Program Files\Microsoft Azure
Active Directory Connect) execute the following command:

AzureADConnect.exe /ForceExport

e. Click the Export settings button. When you install Azure AD Connect on a separate server these
settings will be imported to migrate any settings from your current DirSync to your new Azure AD
Connect installation.

Installing Azure AD Connect


When you install Azure AD Connect on a new server it will assume that you want to perform a clean
installation of Azure AD Connect. Because you want to use the DirSync configuration settings that you
exported earlier, there are some extra steps you will need to perform:

1. Run the Azure AD Connect installer.

2. When you see the Welcome to Azure AD Connect screen, exit the installation wizard by clicking the
"X" in the upper-right corner of the window.

3. Open a command prompt.


4. From the installation location of Azure AD Connect (default is C:\Program Files\Microsoft Azure Active
Directory Connect) execute the following command:

AzureADConnect.exe /migrate

5. The Azure AD Connect installation wizard starts and allows you to select the settings file that exported
from your DirSync installation.

6. Configure any advanced options, including:

o A custom installation location for Azure AD Connect.

o An existing instance of SQL Server. Do not use the same database instance as your DirSync server.

o A service account used to connect to SQL Server. If your SQL Server database is remote, then this account must be a domain service account.

7. Click Next.

8. On the Ready to configure page, leave the Start the synchronization process as soon as the
configuration completes option selected. The server will be in staging mode so changes will not
export to Azure AD at this time.

9. Click Install.

Enable Azure AD Connect

To enable Azure AD Connect, you will need to:

 Verify that Azure AD Connect is ready to begin synchronization.

 Uninstall DirSync from the old server.

 Enable Azure AD Connect on the new server.

To verify that Azure AD Connect is ready to take over directory synchronization from DirSync, open Synchronization Service Manager from the Azure AD Connect group on the Start menu.

In Synchronization Service Manager, view the Operations tab. On this tab, confirm that the following operations have completed:

 Import on the AD Connector

 Import on the Azure AD Connector

 Full Sync on the AD Connector

 Full Sync on the Azure AD Connector

Review the result from these operations to ensure there are no errors and that you are satisfied with the
changes that are about to be exported.

Next, you will need to uninstall the Azure AD sync tool from the Programs and Features tool on the old
server.

Note: The uninstallation of DirSync might take up to 15 minutes to complete.

With DirSync uninstalled, there is no active server exporting to Azure AD. You must complete the next step
before any changes in your on-premises AD DS will continue to synchronize to Azure AD.

After installation, reopening Azure AD Connect will allow you to make additional configuration changes.
Start Azure AD Connect on the Start menu or from the shortcut on the desktop and do the following:

Note: Make sure you do not try to run the installation MSI again.

1. Select Configure staging mode.

2. Turn off staging by clearing the Enabled staging mode checkbox.

3. Click the Next button.

4. On the confirmation page, click the install button.

Azure AD Connect is now your Active Directory synchronization server.
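The cutover above depends on the new server having finished its staging-mode import and full synchronization runs with nothing still in flight. The following script is an added example, not part of the course or of Azure AD Connect itself; it reads the scheduler state with the ADSync module that ships with Azure AD Connect and tells you whether it is safe to clear the Enabled staging mode checkbox. The readiness rule (staging on, scheduler on, no run in progress) is this example's assumption about what "ready" means.

```powershell
# Added example (not from the course): pre-cutover check to run on the new Azure AD Connect
# server before you clear "Enabled staging mode". Reads the scheduler state and confirms no
# connector run is still in progress, so the switch happens only while the staging server is idle.
Import-Module ADSync   # installed with Azure AD Connect

function Test-ADSyncCutoverReadiness {
    $scheduler = Get-ADSyncScheduler
    # Get-ADSyncConnectorRunStatus returns one object per connector that is currently running;
    # an empty result means all import/sync/export runs have finished.
    $running = @(Get-ADSyncConnectorRunStatus)

    $result = [pscustomobject]@{
        StagingModeEnabled  = $scheduler.StagingModeEnabled
        SyncCycleEnabled    = $scheduler.SyncCycleEnabled
        SyncCycleInProgress = $scheduler.SyncCycleInProgress
        RunningConnectors   = $running.Count
        ReadyToLeaveStaging = $false
    }

    # Ready only when the server is in staging, the scheduler is active (so it has actually been
    # importing and synchronizing), and nothing is mid-run. Assumed definition of "ready".
    $result.ReadyToLeaveStaging = $scheduler.StagingModeEnabled -and
                                  $scheduler.SyncCycleEnabled -and
                                  -not $scheduler.SyncCycleInProgress -and
                                  $running.Count -eq 0
    return $result
}

$check = Test-ADSyncCutoverReadiness
$check | Format-List
if (-not $check.ReadyToLeaveStaging) {
    Write-Warning "Do not disable staging mode yet; review the Operations tab in Synchronization Service Manager first."
}
```

Run it on the new server immediately before step 1 above; if it reports a run in progress, wait for the Operations tab to show the four operations listed earlier as completed without errors, then run it again.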

Azure AD Connect monitoring features

Azure AD Connect Health helps you monitor and gain insight into your on-premises identity infrastructure and the synchronization services available through Azure AD Connect. It offers you the ability to view alerts, performance, usage patterns, and configuration settings, and allows you to maintain a reliable connection to Office 365. You accomplish this by using an agent that is installed on the targeted servers.

The Azure AD Connect Health portal presents the information retrieved from the agent. Using the Azure AD Connect Health portal you can view alerts, performance monitoring, and usage analytics. This information is located in one easy-to-use place for your convenience.

While Azure AD Connect Health for AD FS monitors your on-premises AD FS environment, Azure AD
Connect Health for Sync monitors and provides information on the synchronizations that occur between
your on-premises AD DS and Azure AD. Azure AD Connect Health for Sync provides the following set of key
capabilities:

 View and take action on alerts to ensure reliable synchronizations between your on-premises
infrastructure and Azure AD.

 Email notifications for critical alerts.

 View performance data.

To get started with Azure AD Connect Health, do the following:

1. Sign in to the Azure portal.

2. Access Azure AD Connect Health by going to the Marketplace and searching for it or by selecting
Marketplace, and then selecting Security + Identity.

3. In the introductory window, click Create. This will open another window with your directory
information.
4. In the directory window, click Create.

Note: You will need an Azure AD Premium License to use Azure AD Connect Health.

When you first access Azure AD Connect Health, you are presented with the first window. In the first window, you can access the following information:

 Quick Start. This option will open the Quick Start window. Here you can download the Azure AD Connect Health agent by selecting Get tools, access documentation, and provide feedback.

 AD FS. This option represents all of the AD FS services that Azure AD Connect Health is currently monitoring. By selecting one of the instances, a window will open with information about that service instance. This information includes an overview, properties, alerts, monitoring, and usage analytics.

 Configure. This option allows you to turn the following on or off:

o Auto update to automatically update the Azure AD Connect Health agent to the latest version. This option will automatically update the agent on your server to the latest version of the Azure AD Connect Health Agent when it becomes available. This is enabled by default.

o Allow Microsoft access to your Azure AD directory's health data for troubleshooting purposes only. When this option is enabled, Microsoft will be able to see the same data that you are seeing. This can help with troubleshooting and assistance with issues. This is disabled by default.

Additional Reading: For more information, refer to Monitor your on-premises identity
infrastructure and synchronization services in the cloud: http://aka.ms/dqaaps.

Lesson 3
Managing Office 365 identities with directory
synchronization
In this lesson, students will learn about managing Office 365 identities with Azure AD Connect. Included in
this lesson is managing users and groups in Office 365 with Azure AD Connect and how to maintain
directory synchronization.

Lesson Objectives
After completing this lesson, you will be able to:

 Manage users with directory synchronization.

 Manage groups with directory synchronization.

 Modify directory synchronization.

 Monitor directory synchronization.

 Troubleshoot directory synchronization.

Managing users with directory synchronization


When you successfully deploy Azure AD Connect and enable scheduled synchronization, there are several required management tasks to ensure users synchronize efficiently.

User writeback
User accounts created in Azure AD can now synchronize back to on-premises AD DS.

To enable the user writeback feature for Azure AD Connect, you need to enable the user writeback option during installation of Azure AD Connect, with customized settings, and then run the following Windows PowerShell cmdlets on the Azure AD Connect server:

Note: User writeback requires that the AD DS forest runs Windows Server 2012 R2 or later.

Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'
Initialize-ADSyncUserWriteBack -AdConnectorAccount $accountName -UserWriteBackContainerDN $userOU

Note: $accountName is the account that will be used by Azure AD Connect to manage objects in AD DS; this is usually an account in the form of an Azure AD number. $userOU is the OU where these cloud users will be stored in on-premises AD DS.

Once these cmdlets complete, the Azure AD Connect service account for on-premises AD DS will have permission to write objects to this OU. You can view the permissions in Active Directory Users and Computers for this OU if you enable Advanced mode in the program. There should be a permission entry for this account that is not inherited from the parent OUs.

After the synchronization completes, Office 365 users will appear in the on-premises container, which you
selected during the configuration.

Note: An Azure AD Premium license is required to enable device writeback.

Password writeback
Users can now change their passwords via the login page or user settings in Office 365 and have them written back to on-premises AD DS.

To enable the password writeback feature for Azure AD Connect, you need to enable the password writeback option during installation of Azure AD Connect, with customized settings, and then run the following Windows PowerShell cmdlets on the Azure AD Connect server:

Note: Password writeback requires that the AD DS forest runs Windows Server 2012 R2 or later.

Get-ADSyncConnector | fl name,AADPasswordResetConfiguration
Get-ADSyncAADPasswordResetConfiguration -Connector "adatum.onmicrosoft.com - AAD"
Set-ADSyncAADPasswordResetConfiguration -Connector "adatum.onmicrosoft.com - AAD" -Enable
$true
$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":CA;`"Reset Password`";user'"
Invoke-Expression $cmd | Out-Null
$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":CA;`"Change Password`";user'"
Invoke-Expression $cmd | Out-Null
$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":WP;lockoutTime;user'"
Invoke-Expression $cmd | Out-Null
$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":WP;pwdLastSet;user'"
Invoke-Expression $cmd | Out-Null

Note: Azure AD Connect uses the $accountName account to manage objects in AD DS; this is usually an account in the form of an Azure AD number. $passwordOU is the OU where these cloud users will be stored in on-premises AD DS.

Once these cmdlets complete, they will configure the following:

 The Azure AD Connect connectors are enabled for password reset.

 The Azure AD Connect service account for on-premises AD DS will have permission to reset passwords on objects in this OU. You can view the permissions in Active Directory Users and Computers for this OU if you enable Advanced mode in the program. There should be a permission entry for this account that is not inherited from the parent OUs.

Note: An Azure AD Premium license is required to enable device writeback.



Device writeback
Device writeback applies to devices that are enrolled with Office 365 MDM or Intune, and allows login to AD FS controlled resources based on both the user and the device they are on. Device writeback is used to enable conditional access based on devices to AD FS protected applications, or relying party trusts. This provides additional security and assurance that access to applications is granted only to trusted devices.

To enable the device writeback feature for Azure AD Connect, you need to enable the device writeback
option during installation of Azure AD Connect—with customized settings—and then run the following
three Windows PowerShell cmdlets on the Azure AD Connect server:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'
Initialize-ADSyncDeviceWriteback [-DomainName <name>] [-AdConnectorAccount <account>]

Note: Device writeback requires that:

 The AD DS forest runs Windows Server 2012 R2 or later.

 AD FS is hosted from Windows Server 2012 R2 (AD FS v3.0) or later.

Note: DomainName is the AD DS domain where device objects are created. AdConnectorAccount is the AD DS account that Azure AD Connect uses to manage objects in the directory. This is the account used by Azure AD Connect sync to connect to AD. If you installed using express settings, it is the account prefixed with MSOL_. Both parameters are optional.

These cmdlets will configure the following:

 If not present, they create and configure new containers and objects under CN=Device Registration Configuration,CN=Services,CN=Configuration,[forest-dn], where forest-dn is the distinguished name of your AD DS forest.

 If not present, they create and configure new containers and objects under CN=RegisteredDevices,[domain-dn], where domain-dn is the distinguished name of your AD DS domain. Device objects are created in this container.

 They set the necessary permissions on the Azure AD Connector account to manage devices in your AD DS.

Note: An Azure AD Premium license is required to enable device writeback.

Managing primary Simple Mail Transfer Protocol addresses


One of the key user maintenance tasks is to manage user mailbox attributes, in particular primary Simple
Mail Transfer Protocol (SMTP) addresses. For an on-premises user account to get the correct primary SMTP
address, it needs to be mailbox-enabled, either by using the Exchange 2016 admin center, or by setting the
mail attribute manually to mail-enable the user.

Note: If a primary SMTP address is not set for a user account, Office 365 will use an
@domain.onmicrosoft.com address as the user’s default SMTP address.

If it is not possible to ensure that all synced users will have a valid primary SMTP address prior to
synchronization, you can use user attribute filtering to ensure that all accounts without a valid UPN are
excluded from synchronization scope.

Recovery from accidental deletes


Azure AD now supports soft deletes. After you delete a user in Office 365, either following synchronization
or if you manually remove an unsynchronized user in Office 365, the user’s data is deleted and the user’s
licenses can be reassigned; however, accounts remain recoverable for 30 days. After the cloud recycle bin is
purged (hard delete), it is no longer possible to restore deleted accounts.

Recovery from unsynchronized deletes


Another important maintenance task is dealing with an on-premises delete that does not synchronize to
Office 365, so that the linked object is not removed from Azure AD. Such a situation might occur if directory
synchronization has not yet completed, or if directory synchronization failed to delete a specific cloud
object, both of which results in an orphaned Azure AD object.

To resolve this issue, follow these steps:

1. Manually run a directory synchronization update.

2. Force directory synchronization.

3. Check that directory synchronization occurred correctly.

4. Verify directory synchronization.

If the above steps validate that directory synchronization is working correctly but the AD DS object deletion
has still not propagated to Azure AD, the orphaned object can be manually removed using one of the
following Microsoft Azure Active Directory Module for Windows PowerShell cmdlets:

Remove-MsolContact
Remove-MsolGroup
Remove-MsolUser

For example, to manually remove an orphaned user originally created using directory synchronization, run
the following cmdlet:

Remove-MsolUser -UserPrincipalName <username>@<Office 365 domain>

Accidental account deletion


If you accidentally delete a user account and a directory synchronization cycle runs, this action will delete
the user in Office 365. However, if you have the recycle bin feature enabled in AD DS, you can recover the
account from the recycle bin and the link between accounts is re-established. If you do not have the recycle
bin enabled, you might need to create another account with a new GUID.
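Both maintenance cases above, the orphaned Azure AD object and the accidental deletion, come down to checking whether a cloud object still has a live on-premises source before doing anything destructive, and knowing what is still recoverable. The script below is an added example, not part of the course or of Microsoft's tooling; it assumes the MSOnline and ActiveDirectory modules, a session already opened with Connect-MsolService, and a constructed sample UPN. The `SoftDeletionTimestamp` property name is an assumption about the deleted-user objects returned by `Get-MsolUser -ReturnDeletedUsers`.

```powershell
# Added example (not from the course): find synced Azure AD users whose on-premises source object
# is gone (orphans), soft-delete them only after that check, and list what is still recoverable
# from the Azure AD recycle bin. Assumes MSOnline + ActiveDirectory modules and an open Msol session.
Import-Module MSOnline
Import-Module ActiveDirectory

function ConvertFrom-ImmutableId {
    # Azure AD stores the on-premises objectGUID, Base64-encoded, in ImmutableId.
    param([Parameter(Mandatory)][string] $ImmutableId)
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

function Test-SyncedUserOrphaned {
    # True when the cloud object's source anchor no longer resolves to a live AD DS object.
    param([Parameter(Mandatory)] $MsolUser)
    if (-not $MsolUser.ImmutableId) { return $false }          # cloud-only account, nothing to compare
    $guid = ConvertFrom-ImmutableId $MsolUser.ImmutableId
    # Include tombstoned/recycled objects so a pending on-premises deletion still counts as "gone".
    $src = Get-ADObject -Filter "objectGUID -eq '$guid'" -IncludeDeletedObjects -Properties isDeleted
    return ($null -eq $src) -or [bool]$src.isDeleted
}

function Remove-OrphanedSyncedUser {
    param([Parameter(Mandatory)][string] $UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    if (-not (Test-SyncedUserOrphaned $user)) {
        Write-Warning "$UserPrincipalName still has a live on-premises source object; not removing."
        return $false
    }
    # Soft delete only: the account stays in the recycle bin for 30 days and can be restored.
    Remove-MsolUser -UserPrincipalName $UserPrincipalName -Force
    return $true
}

function Get-RecoverableMsolUser {
    # Soft-deleted users and the days left before the 30-day purge makes them unrecoverable.
    Get-MsolUser -ReturnDeletedUsers -All | ForEach-Object {
        $deleted = $_.SoftDeletionTimestamp    # assumed property name on deleted-user objects
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            WasSynced         = [bool]$_.ImmutableId
            DeletedOn         = $deleted
            DaysLeft          = [math]::Max(0, 30 - ((Get-Date) - $deleted).Days)
        }
    }
}

# Usage (constructed UPN): remove one orphan, then review what is still restorable.
Remove-OrphanedSyncedUser -UserPrincipalName "jsmith@adatum.onmicrosoft.com"
Get-RecoverableMsolUser | Format-Table -AutoSize
# To bring a soft-deleted account back within the 30-day window:
# Restore-MsolUser -UserPrincipalName <upn>
```

The on-premises lookup is the safeguard: `Remove-MsolUser` on an object whose AD DS source still exists would simply be recreated (or, worse, re-linked) at the next cycle, so the script refuses unless the source is gone or tombstoned. Hard deletion (`-RemoveFromRecycleBin`) is deliberately left out; once the recycle bin is purged the account cannot be restored.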

Additional Reading: For more information on how to troubleshoot deleted user accounts in Office 365, refer to: http://aka.ms/cmof9n.

Bulk activation of new accounts


User accounts that you create in Office 365 through directory synchronization are not automatically activated for Office 365. We recommend that you use scripting to manage this requirement. A simple approach makes use of Microsoft Azure Active Directory Module for Windows PowerShell cmdlets. For example:

Get-MsolAccountSku (reports the Office 365 SKUs available in the tenant, such as EXCHANGESTANDARD)
Get-MsolUser -UnlicensedUsersOnly | Set-MsolUser -UsageLocation <location> (such as "US")
Get-MsolUser -UnlicensedUsersOnly | Set-MsolUserLicense -AddLicenses <AccountSkuId>

The isLicensed user attribute indicates whether a user has a license assigned (True) or not assigned (False). Windows PowerShell can, therefore, report on licensed Office 365 user accounts. To show all users licensed in Office 365, enter the following command at the Microsoft Azure Active Directory Module for Windows PowerShell prompt:

Get-MsolUser | Where-Object {$_.isLicensed -eq "True"}

To export a list of licensed Office 365 users to CSV, use the following command:

Get-MsolUser | Where-Object { $_.isLicensed -eq "True" } | Export-Csv C:\Labfiles\LicensedUsers.csv
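The one-liners above license every unlicensed user in the tenant without regard to how many units are left or whether the account is blocked. The following script is an added example, not part of the course; it wraps the same cmdlets into a function that only touches directory-synchronized accounts, sets the usage location first (a license cannot be assigned without one), skips blocked accounts, and stops when the SKU runs out of units. The SKU part number, usage location and tenant are assumptions.

```powershell
# Added example (not from the course): license synced-but-unlicensed users from one SKU while
# respecting the units still available on the tenant. Run with -Preview first to see what would change.
Import-Module MSOnline
Connect-MsolService   # prompts for global admin credentials

function Grant-SyncedUserLicense {
    param(
        [Parameter(Mandatory)][string] $SkuPartNumber,   # e.g. "ENTERPRISEPACK"; must appear in Get-MsolAccountSku
        [Parameter(Mandatory)][string] $UsageLocation,   # ISO 3166 two-letter code, e.g. "US"
        [switch] $Preview
    )
    $sku = Get-MsolAccountSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
    if (-not $sku) { throw "SKU '$SkuPartNumber' is not present in this tenant." }
    $available = $sku.ActiveUnits - $sku.ConsumedUnits

    # Only directory-synchronized accounts with no license yet; blocked accounts (disabled
    # on-premises) are skipped so licenses are not spent on dormant users.
    $candidates = Get-MsolUser -All -Synchronized -UnlicensedUsersOnly |
                  Where-Object { -not $_.BlockCredential }

    $licensed = New-Object System.Collections.Generic.List[string]
    foreach ($user in $candidates) {
        if ($licensed.Count -ge $available) {
            Write-Warning "No units left on $($sku.AccountSkuId); $($user.UserPrincipalName) left unlicensed."
            continue
        }
        if ($Preview) {
            Write-Host "Would license $($user.UserPrincipalName)"
            $licensed.Add($user.UserPrincipalName)
            continue
        }
        if (-not $user.UsageLocation) {
            Set-MsolUser -UserPrincipalName $user.UserPrincipalName -UsageLocation $UsageLocation
        }
        Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -AddLicenses $sku.AccountSkuId
        $licensed.Add($user.UserPrincipalName)
    }
    # Summary object; pipe to Export-Csv for an audit trail of who was licensed.
    [pscustomobject]@{
        Sku            = $sku.AccountSkuId
        UnitsAvailable = $available
        Licensed       = $licensed.Count
        Users          = $licensed
    }
}

Grant-SyncedUserLicense -SkuPartNumber "ENTERPRISEPACK" -UsageLocation "US" -Preview
```

Once the preview output matches expectations, run it again without `-Preview`. Scheduling it after each synchronization cycle gives new synced accounts a license without a manual step.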

Additional Reading: For more information, refer to Getting all Licensed Office 365 users
with PowerShell: http://aka.ms/me03qp.

Additional Reading: For more information, refer to How to Use PowerShell to Automatically
Assign Licenses to Your Office 365 Users: http://aka.ms/pwr39r.

Managing groups with directory synchronization

Similar to the directory synchronization of users from on-premises AD DS to Azure AD, groups (as well as their membership) in AD DS also synchronize from on-premises AD DS to Azure AD. Similarly to the user writeback feature, the group writeback feature also writes Office 365 Groups from Azure AD to on-premises AD DS. The process that Azure AD Connect uses is very similar for user and group objects, and has many of the same limitations and caveats.

Note: Writing Office 365 Modern Groups back to on-premises AD DS requires your on-premises Exchange server to be on Exchange 2013 cumulative update 8 (released in March 2015) or later, or Exchange 2016, to recognize this new group type.

Although you enable the group writeback feature during installation of Azure AD Connect by selecting the
group writeback feature after installing with customized settings, you also need to create the OU and
appropriate permissions required for group writeback in AD DS. For this, Azure AD Connect has a built-in
cmdlet, called Initialize-ADSyncGroupWriteBack that prepares AD DS automatically.

Note: Group writeback requires that the AD DS forest runs Windows Server 2012 R2 or later.

Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'
Initialize-ADSyncGroupWriteBack -AdConnectorAccount $accountName -GroupWriteBackContainerDN $groupOU

Note: Azure AD Connect uses the $accountName account to manage objects in AD DS; this is usually an account in the form of an Azure AD number. $groupOU is the OU where these cloud groups will be stored in on-premises AD DS.

Once these cmdlets complete, the Azure AD Connect service account for on-premises AD DS will have permission to write objects to this OU. You can view the permissions in Active Directory Users and Computers for this OU if you enable Advanced mode in the program. There should be a permission entry for this account that is not inherited from the parent OUs.
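The user writeback, password writeback and group writeback sections all end with the same verification: an explicit, non-inherited permission entry for the connector account on the writeback OU. Rather than opening Active Directory Users and Computers in Advanced mode for each OU, the script below performs that check from the ActiveDirectory module. It is an added example, not part of the course or of Azure AD Connect; the OU distinguished name and the connector account name are constructed placeholders.

```powershell
# Added example (not from the course): confirm that the Initialize-ADSync*WriteBack cmdlets (or the
# dsacls commands for password writeback) left explicit, non-inherited ACEs for the connector
# account on a writeback OU. Works for the user, password and group writeback OUs alike.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs, so password-related ACEs read as names instead of GUIDs.
$ExtendedRightNames = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
}

function Get-WritebackOuAce {
    param(
        [Parameter(Mandatory)][string] $OuDN,         # e.g. "OU=CloudUsers,DC=adatum,DC=com" (constructed)
        [Parameter(Mandatory)][string] $AccountName   # sAMAccountName of the AD DS connector account (constructed)
    )
    # The AD: PSDrive exposes the OU's security descriptor through Get-Acl.
    $acl = Get-Acl -Path "AD:\$OuDN"
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -like "*\$AccountName" -and -not $_.IsInherited } |
        ForEach-Object {
            $right = $ExtendedRightNames[$_.ObjectType.ToString()]
            [pscustomobject]@{
                Identity      = $_.IdentityReference.Value
                Rights        = $_.ActiveDirectoryRights
                ExtendedRight = if ($right) { $right } else { $_.ObjectType }
                Type          = $_.AccessControlType
                Inheritance   = $_.InheritanceType
            }
        }
}

function Test-WritebackOuPrepared {
    param([Parameter(Mandatory)][string] $OuDN, [Parameter(Mandatory)][string] $AccountName)
    $aces = @(Get-WritebackOuAce -OuDN $OuDN -AccountName $AccountName)
    if ($aces.Count -eq 0) {
        Write-Warning "No explicit ACE for $AccountName on $OuDN; rerun the Initialize-ADSync...WriteBack cmdlet."
        return $false
    }
    $aces | Format-Table -AutoSize
    return $true
}

# Usage with constructed values:
Test-WritebackOuPrepared -OuDN "OU=CloudUsers,DC=adatum,DC=com" -AccountName "MSOL_1234abcd"
```

For the password writeback OU, expect Reset Password and Change Password extended rights plus WriteProperty on lockoutTime and pwdLastSet, matching the dsacls commands earlier in the lesson; for the user and group writeback OUs, expect create/write rights on child objects. Any ACE that shows as inherited was not placed by the preparation cmdlet and should be investigated.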

After the synchronization completes, Office 365 Groups will show up in the on-premises container, which
you selected during the configuration. These groups will be represented as distribution groups in on-
premises AD DS.

Note: At this time, group writeback in Azure AD Connect only supports the writeback of
distribution groups.

Similar to user accounts synchronized from Azure AD to on-premises AD DS, the synchronized groups will
not show up in the on-premises GAL. As such, you will need to run the Update-Recipient cmdlet first as
illustrated in the following example:

Update-Recipient Group_af905347-5322-4183-a1aa-9522a85bfeb9ad

Note: Alternatively, you might use the Update-AddressList or Update-GlobalAddressList cmdlets to cause the synchronized group to appear. However, these cmdlets will require more cycles on the servers running Exchange Server compared with the Update-Recipient cmdlet.

Once this cmdlet completes, the group will show up in the on-premises GAL.

Synchronized groups from Azure AD to on-premises AD DS also includes the membership. If you have
enabled user writeback in Azure AD Connect, the group memberships for user accounts created in Azure
AD are also included. However, if you have not enabled user writeback in Azure AD Connect, only group
memberships for user accounts created on-premises are included.

Note: If deployed, the Exchange Server hybrid writeback is the classic writeback from Azure
AD and is separate from group writeback. As such, it is the only one of the writebacks that does not
require an Azure AD Premium license. Otherwise, an Azure AD Premium license is required if you
enable group writeback without the Exchange Server hybrid writeback feature.

Modifying directory synchronization


In Azure AD Connect synchronization, you can
enable filtering at any time. If you have already
deployed the default configurations of directory
synchronization and then enable filtering, the
objects that are filtered out are no longer
synchronized to Azure AD. Because of this, any
objects in Azure AD that were previously
synchronized but were then filtered are deleted in
Azure AD. If objects were inadvertently deleted
because of a filtering error, you can recreate the
objects in Azure AD by removing your filtering
configurations, and then synchronize your
directories again.

Note: While you can enable multiple customizations of filtering in Azure AD Connect,
Microsoft does not support all modifications or operations of the Azure AD Connect
synchronization outside of the formally documented actions. Any of these actions might result in
an inconsistent or unsupported state of Azure AD Connect sync and as a result, Microsoft cannot
provide technical support for such deployments.

You might be asking yourself, “Why would I want to enable filtering if Azure AD Connect synchronizes
everything I need after implementation?” In most cases, your on-premises AD DS environment contains a
lot more objects (for example, user accounts, contacts and groups) than are required within Azure AD. For
instance, service accounts or administrative accounts that are only required on-premises might have no
purpose to synchronize for Office 365. Fortunately, you can filter objects so that only the objects you
require online synchronize. Filtering makes synchronization more secure, with no forgotten accounts in
online services, therefore providing a smaller attack surface. Filtering can also help you limit the number of
objects, which in turn can help you minimize the size of your Azure AD Connect database and might
prevent the need for full SQL Server deployment. Remember, if your environment has more than 50,000
objects, then you might require a full version of SQL Server. In many ways, enabling filtering in Azure AD
Connect will promote less complexity and increase the speed of directory synchronization.

Here are a few scenarios where filtering might be required to customize the default configuration:

 You plan to use the multi-Azure AD-directory topology. Then you need to apply a filter to control
which object should be synchronized to a particular Azure AD directory.

 You run a pilot for Azure or Office 365 and only want a subset of users in Azure AD. In the small pilot it
is not important to have a complete GAL to demonstrate the functionality.

 You have many service accounts and other nonpersonal accounts or administrative accounts you do
not want in Azure AD.

 For compliance reasons, your company does not delete any user accounts in on-premises AD DS; you
only disable them. But in Azure AD you only want active accounts to be present.

Note: With the exception of outbound attribute-based filtering, the configurations in Azure
AD Connect will be retained when you install or upgrade to a newer version of Azure AD Connect.
It is always a best practice to verify that the configuration was not inadvertently changed after an
upgrade to a newer version before running the first synchronization cycle.

The following are three filtering configuration types that can be applied to Azure AD Connect (listed in
order of broad filtering to more detailed filtering):

 Domain. This filtering configuration type enables you to select which AD DS domains are allowed to
synchronize to Azure AD. You would use the Synchronization Service Manager tool to manage the
properties of the Source AD Connector in Azure AD Connect. This tool is installed on the directory
synchronization server automatically during deployment of Azure AD Connect.

 OU. This filtering configuration type enables you to select which OUs in AD DS are allowed to
synchronize to Azure AD. Most organizations already have an OU structure that separates objects that
are eligible for synchronization and those that are not, such as the Exchange Security Groups OU,
service/administrative accounts OU, or an OU for specific security groups. You can use Azure AD
Connect or the Synchronization Service Manager tool to manage the properties of the Source AD
Connector in Azure AD Connect. The Synchronization Service Manager tool is installed on the directory
synchronization server automatically during deployment of Azure AD Connect.

 Attribute. This filtering configuration type enables you to control which objects in AD DS should
synchronize to the Azure AD based on criteria of the object’s attributes. Even with domain filtering and
OU filtering, it is possible that some objects in an OU should not synchronize. It might also be
impractical to change the OU design for the purpose of filtering objects that synchronize to Azure AD.
While significantly more complex than the Synchronization Service Manager tool, you would use the
Synchronization Rules Editor tool to manage the synchronization rules in Azure AD Connect. This tool
is installed on the directory synchronization server automatically during deployment of Azure AD
Connect.

Note: You use Source AD as the name for your AD DS Connector. If you have multiple
forests, you will have one Connector per forest and the configuration must repeat for each forest.

You can use all, two, or just one filtering configuration type. Which field(s) you choose is dependent on how
your on-premises AD DS domain(s) are structured, what objects need to be synchronized to Azure AD, and
the filtering criteria.

Note: Before making changes to filtering, you should disable the scheduled task for synchronization on the directory synchronization server to ensure you do not accidentally export changes, which have not been verified, to Azure AD:

Set-ADSyncScheduler -SyncCycleEnabled $false

Because filtering in Azure AD Connect can remove many objects in a very short time, you should verify
changes to the filters before exporting to Azure AD. After you have completed the configuration steps, we
strongly recommend you follow the verification steps before you export and make changes to Azure AD.

To protect you from deleting multiple objects by accident, the feature that prevents accidental deletes is on
by default. If you delete many objects due to filtering (500 by default) you need to follow the steps in the
following article to allow the deletes to go through to Azure AD.
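The three safeguards above (pause the scheduler, verify the result of the filter change before exporting, keep the accidental-delete threshold armed) are easy to skip under time pressure. The script below is an added example, not part of the course or of Azure AD Connect; it strings them together with the ADSync module's cmdlets so that a filter change is always bracketed by a pause and an explicit confirmation. The 500 threshold is this example's choice, matching the default the text mentions; the run profile names are the standard Azure AD Connect profiles.

```powershell
# Added example (not from the course): a controlled window for a filtering change. The scheduler
# is paused so nothing exports while filters are edited, the accidental-delete guard is re-armed,
# full import and full synchronization are run so the new scope can be reviewed, and the scheduler
# is only resumed once you confirm the pending exports.
Import-Module ADSync

function Suspend-ADSyncForFilterChange {
    # Stop the scheduler first; exports only happen as part of a scheduled or manually started cycle.
    Set-ADSyncScheduler -SyncCycleEnabled $false
    $s = Get-ADSyncScheduler
    if ($s.SyncCycleInProgress) {
        Write-Warning "A cycle is still running; let it finish before editing filters."
    }
    # Arm the delete guard so a filter mistake cannot remove more than 500 objects in one export.
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500
    Get-ADSyncExportDeletionThreshold
    "Scheduler paused (SyncCycleEnabled=$($s.SyncCycleEnabled)); edit your domain/OU/attribute filters now."
}

function Invoke-ADSyncFilterReviewRuns {
    # After the filter edit: full import and full synchronization on every connector, with NO export.
    # The objects the filter now excludes show up as pending export deletes in Synchronization
    # Service Manager (Connectors > Search Connector Space > Pending Export), which is where you review them.
    $connectors = Get-ADSyncConnector
    foreach ($c in $connectors) { Invoke-ADSyncRunProfile -ConnectorName $c.Name -RunProfileName 'Full Import' }
    foreach ($c in $connectors) { Invoke-ADSyncRunProfile -ConnectorName $c.Name -RunProfileName 'Full Synchronization' }
    "Review pending exports before calling Resume-ADSyncAfterFilterChange -ExportsReviewed."
}

function Resume-ADSyncAfterFilterChange {
    param([switch] $ExportsReviewed)
    if (-not $ExportsReviewed) {
        Write-Warning "Re-run with -ExportsReviewed once the pending adds/deletes look right."
        return
    }
    # The next scheduled cycle performs the export; the deletion threshold still applies to it.
    Set-ADSyncScheduler -SyncCycleEnabled $true
    Get-ADSyncScheduler | Select-Object SyncCycleEnabled, NextSyncCycleStartTimeInUTC, StagingModeEnabled
}

# Sequence:
#   Suspend-ADSyncForFilterChange
#   ... change domain/OU/attribute filters ...
#   Invoke-ADSyncFilterReviewRuns
#   Resume-ADSyncAfterFilterChange -ExportsReviewed
```

Full Import and Full Synchronization are the two run profiles that do not touch Azure AD, which is why the review step uses them rather than `Start-ADSyncSyncCycle`, whose cycle includes the export. If the review shows more deletes than the threshold and they are genuinely intended, the documented procedure in the article referenced above is the way to let them through; leave the guard in place otherwise.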

Additional Reading: For more information, refer to Azure AD Connect sync: Configure
Filtering: http://aka.ms/au8smo.

Monitoring directory synchronization


As a best practice, we recommend that you use Microsoft System Center Operations Manager (Operations
Manager) to monitor the directory synchronization server and the services it depends on, such as AD DS, so
that problems are detected and communicated to all responsible administrators. A management pack for
this purpose, the System Center Management Pack for Azure, is available for Operations Manager.

Office 365 admin center


Office 365 provides multiple methods for
monitoring directory synchronization. If there are
any errors during directory synchronization, an
email notification is sent to the email address registered as the cloud service technical contact when you
signed up for Office 365. In addition, you might see notifications in the Office 365 Dashboard or Office 365
Message Center for outages related to the Identity Service in Office 365.
To verify directory synchronization in real-time by using the previous Office 365 admin center:

1. In the left navigation pane, click USERS, and then click Active Users.

2. In the right navigation pane, under Active Directory synchronization, you will see the last synced time.
Another option is to install the Office 365 Support Central App on your mobile phone. With the mobile app
you can search for answers; view service health incidents, including planned maintenance events, and
message center notices; post questions and track your answers in the Office 365 for Business Support
Community.

Windows PowerShell
You can also use Windows PowerShell cmdlets and scripts to help manage Azure AD, report
synchronization state, and so on.

After connecting to Office 365 in Windows PowerShell, you can use the following cmdlet to verify the last
time directory synchronization was successful in Office 365.

Import-Module MSOnline
Connect-MsolService
Get-MsolCompanyInformation | Format-List LastDirSyncTime

Additional Reading: For more information, refer to AzureADHelp: http://aka.ms/pfsm1x.

Synchronization Service Manager


The Synchronization Service Manager is installed automatically, as part of Azure AD Connect. This tool
allows you to verify and change the directory synchronization service. From the Operations tab, you can
select the list of various connector operations to review the Start Time, End Time, and the Status of the
previous jobs that have completed.

Event logs
The directory synchronization tool writes entries to the directory synchronization computer's Application
event log. These entries indicate the start and end of a directory synchronization session. Directory
synchronization errors are also reported in the event log and sent via e-mail to your organization's
designated technical contact. When reviewing the event log, look for entries whose source is Directory
Synchronization. An entry with Event ID 4 and the description "The export has completed" indicates that
the directory synchronization cycle is complete.
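The following script is an added example, not part of the course, that combines the monitoring signals described in this lesson into one check you can run from a monitoring agent: the scheduler state on the server, the LastDirSyncTime reported by Office 365, error events from the synchronization source, and the most recent Event ID 4 export-complete entry. It assumes the ADSync and MSOnline modules are installed and that Connect-MsolService has already been run in the session. The event provider name "Directory Synchronization" and the SyncCycleEnabled and StagingModeEnabled properties on the object returned by Get-ADSyncScheduler are assumptions based on current builds; verify them on your server.

```powershell
# Added example: directory synchronization health check.
# Assumptions: ADSync and MSOnline modules installed; Connect-MsolService already
# run; event provider name and scheduler property names as in current builds.
Import-Module ADSync
Import-Module MSOnline

function Get-DirSyncHealth {
    param([int]$MaxAgeMinutes = 60)   # two missed 30-minute cycles

    $sched    = Get-ADSyncScheduler
    $company  = Get-MsolCompanyInformation
    $lastSync = $company.LastDirSyncTime          # reported in UTC
    $age      = if ($lastSync) { [int]((Get-Date).ToUniversalTime() - $lastSync).TotalMinutes }
                else            { [int]::MaxValue }
    $since    = if ($lastSync) { $lastSync.ToLocalTime() } else { (Get-Date).AddDays(-1) }

    # Error-level events from the synchronization engine since the last good sync.
    $errorEvents = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Directory Synchronization'
        Level        = 2            # Error
        StartTime    = $since
    } -ErrorAction SilentlyContinue

    # Event ID 4 ("The export has completed") marks the end of a cycle.
    $lastExport = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Directory Synchronization'; Id = 4
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    $problems = @()
    if (-not $company.DirectorySynchronizationEnabled) { $problems += 'Directory synchronization is disabled in the tenant' }
    if (-not $sched.SyncCycleEnabled)                  { $problems += 'Scheduler is disabled on the server' }
    if ($sched.StagingModeEnabled)                     { $problems += 'Server is in staging mode (no exports)' }
    if ($age -gt $MaxAgeMinutes)                       { $problems += "Last successful sync was $age minutes ago" }
    if ($errorEvents)                                  { $problems += "$($errorEvents.Count) error event(s) since last sync" }

    [pscustomobject]@{
        LastDirSyncTimeUtc = $lastSync
        AgeMinutes         = $age
        LastExportEvent    = $lastExport.TimeCreated
        SyncCycleEnabled   = $sched.SyncCycleEnabled
        StagingMode        = $sched.StagingModeEnabled
        Healthy            = ($problems.Count -eq 0)
        Problems           = $problems
    }
}

$health = Get-DirSyncHealth
$health | Format-List
if (-not $health.Healthy) { exit 1 }   # non-zero exit code for the monitoring agent
```

Treat a disabled scheduler or staging mode as a finding rather than an error: both are legitimate states during maintenance, but either one left in place silently stops changes (including account disables and password changes) from reaching Office 365.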

Troubleshooting directory synchronization


Key troubleshooting tasks for directory
synchronization include analyzing logs for errors,
and remediating synchronization errors with the
tool itself. Typical issues that can lead to problems
include:

 Installation errors, such as using incorrect on-premises or Office 365 credentials.

 Inadvertently deactivating directory synchronization in the admin center or through Windows
PowerShell.

 Unexpected changes in AD DS that affect OU scoping or attribute filtering.

 Corrupted AD DS, requiring directory recovery.

One key area that can lead to issues unless clearly understood is when you deactivate and then reactivate
synchronization in the Office 365 admin center. When directory synchronization is deactivated, the source
of authority is transferred from the on-premises AD DS to Office 365. Deactivation is needed when on-
premises AD DS is no longer being used to create and manage users, groups, contacts, and mailboxes, such
as after a staged Exchange migration to the cloud, where the organization no longer wants to manage
objects from on-premises. Problems can subsequently arise if directory synchronization is then reactivated,
with the source of authority transferred back from Office 365 to the on-premises AD DS.

For example, assume an organization activated directory synchronization in January, and then created new
users on-premises, which were synced to Office 365. In this case, the source of authority is the on-premises
AD DS. In July, the organization deactivated directory synchronization, resulting in transfer of the source of
authority to Office 365; from this point on, objects were edited in Office 365. In September, the company
decided to deploy AD FS and SSO. To meet this requirement, directory synchronization was reactivated,
transferring the source of authority back to the on-premises AD DS. In this example, when you reactivate
and run directory synchronization, any changes made to the Office 365 objects from July through to
September would be overwritten and lost.

Additional Reading: For more information, refer to Directory synchronization and source of
authority: http://aka.ms/cdm2kk.

Upgrading directory synchronization


It is important to use the latest version of the directory synchronization tool, because the link to download
the tool from the previous Office 365 admin center is always the most current release and is officially
supported by Microsoft. When upgrading to a new version of the directory synchronization tool, some
existing filters and other management agent customizations might not automatically import into the new
installation. If you are upgrading to a newer version of directory synchronization, you must always manually
reapply filtering configurations after you upgrade, but before you run the first synchronization cycle.

Synchronization Service Manager


In order to check the directory synchronization tool for issues, you will need to open Synchronization
Service Manager in the Azure AD Connect group on the Start menu.

Within the application, you will need to view the Operations tab. On this tab you are looking to confirm
that the following operations have been completed successfully:

 Import on the AD Connector.

 Import on the Azure AD Connector.

 Full Sync on the AD Connector.

 Full Sync on the Azure AD Connector.

Review the result from these operations to validate the directory synchronization status and to identify any
errors.
By default, Azure AD Connect runs a delta synchronization cycle every 30 minutes (earlier versions of the
directory synchronization tool ran once every three hours). If you do not want to wait for the next cycle to
troubleshoot an issue, use the following procedure to force a manual synchronization:

 Open the Azure AD Connect tool on the Start menu.

 Provide the information requested on the wizard pages (you should be able to accept the default
settings if the tool has already been deployed).

 On the Configure page, select the Start the synchronize process as soon as the initial
configuration completes option, and then click Finish.

Additional Reading: For more information, refer to How to troubleshoot Azure Active
Directory Sync tool installation and Configuration Wizard errors: http://aka.ms/bz5cjw.

Lab: Configuring directory synchronization


Scenario
The pilot deployment of Office 365 is well underway at A. Datum. The project steering committee has made
the recommendation to continue with migrating additional departments to Office 365. The first step in
completing the migration is to configure directory synchronization so that user and group accounts will be
synchronized for the on-premises AD DS domain rather than managing all user and group accounts in
Office 365.

Objectives
After completing this lab, you will be able to:

 Prepare the on-premises AD DS domain for directory synchronization.

 Install and configure directory synchronization with Azure AD Connect.

 Manage user and group accounts by using directory synchronization.

Lab Setup
Estimated Time: 90 minutes

Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, 20347A-LON-CL1, and 20347A-LON-CL2

User names: Adatum\Administrator, Adatum\Holly, LON-CL2\Francisco

Password: Pa$$w0rd

In all tasks:

 In references to Adatumyyxxxxx.onmicrosoft.com, replace Adatumyyxxxxx with your unique Office 365
name displayed in the online lab portal.

 In references to Adatumyyxxxxx.hostdomain.com, replace Adatumyyxxxxx with your unique
hostdomain.com name displayed in the online lab portal.

Note: When you connect to the Office 365 admin center, you may be prompted to provide
an authentication phone and authentication email address. If you see this window, click Cancel.

This lab requires the following virtual machines:

 LON-DC1

o Sign in as Adatum\Administrator using the password Pa$$w0rd

 LON-DS1

o Sign in as Adatum\Administrator using the password Pa$$w0rd

 LON-CL1

o Sign in as Adatum\Holly using the password Pa$$w0rd

 LON-CL2

o Sign in as LON-CL2\Francisco using the password Pa$$w0rd



Exercise 1: Preparing for directory synchronization


Scenario
Before directory synchronization can be configured, there are several checks that the team needs to run,
including identifying duplicate accounts in AD DS, filtering the directory, correcting UPNs, and enabling
directory synchronization in Office 365.

In this exercise, you will prepare the environment for directory synchronization.

The main tasks for this exercise are as follows:

1. Configure UPN.

2. Prepare problem user accounts.

3. Run the IdFix tool and fix identified issues.


4. Configure the Office 365 tenant for directory synchronization.

 Task 1: Configure UPN


1. On LON-DC1, open Active Directory Domains and Trusts, and add Adatumyyxxxxx.hostdomain.com as
an Alternate UPN Suffix.

2. Using Windows PowerShell, update the UPN on every user in AD DS so that the domain part is
@Adatumyyxxxxx.hostdomain.com (in production, scope the filter to the OUs you intend to synchronize
rather than every account in the domain). To do this, type the following command and then press Enter:

Get-ADUser -Filter * -Properties SamAccountName | ForEach-Object { Set-ADUser $_ -UserPrincipalName ($_.SamAccountName + "@Adatumyyxxxxx.hostdomain.com") }

 Task 2: Prepare problem user accounts


1. On LON-DC1, set the Windows PowerShell execution policy to Unrestricted (acceptable for this lab; on
production systems prefer RemoteSigned or a process-scoped policy), change the directory to C:\labfiles,
and then run the Windows PowerShell script .\CreateProblemUsers.ps1.

2. This Windows PowerShell script will make the following changes in AD DS:

o Amr Zaki. Add the "@" character to the beginning of "adatum" for the UserPrincipalName
attribute.

o Brad Sutton. Replace the existing string with "brad@adatum.com" for the emailAddress
attribute.

o Don Funk. Replace the existing string with “brad@adatum.com” for the emailAddress attribute.

o Holly Dickson. Replace the existing string with “holly@adatum.com” for the EmailAddress
attribute.

o Kelly Rollins. Replace the existing string with “ “ for the emailAddress attribute.

 Task 3: Run the IdFix tool and fix identified issues


1. On LON-CL1, download the IdFix DirSync Error Remediation Tool from
https://www.microsoft.com/en-us/download/details.aspx?id=36832.

2. Extract the files to C:\Deployment Tools\IdFix and then run IdFix as an administrator.

3. In the IdFix tool, click Query, and then sort the errors by the ERROR column.

4. On the Actions menu, select Edit for each of these objects, and then click Apply:

o Amr Zaki

o Holly Dickson

o Kelly Rollins

5. Click Query.

6. Click to sort the errors by the UPDATE column, and for each of these objects, replace the mail attribute
with the appropriate string. On the Actions menu, select EDIT.

o Don Funk. mail attribute should be “don@adatum.com”.

o Kelly Rollins. mail attribute should be “kelly@adatum.com”.

7. Click Apply, and click Query.

8. Remediate any remaining issues.
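The following script is an added example, not part of the course and not the IdFix tool itself. It is a read-only pre-flight check that reproduces the classes of problem Tasks 2 and 3 plant and fix: a UPN that is not a valid address or whose suffix is not verified in the tenant, a blank mail attribute, a mail value shared by two objects, and a proxyAddresses value shared by two objects. It assumes the ActiveDirectory module on LON-DC1; the list of verified suffixes is an input you supply, and the regular expression for a well-formed UPN is this example's own approximation, not IdFix's rule set.

```powershell
# Added example: pre-flight check for the problems IdFix reports in this lab.
# Assumptions: ActiveDirectory module present; $VerifiedSuffixes supplied by you.
Import-Module ActiveDirectory

function Test-DirSyncReadiness {
    param(
        [Parameter(Mandatory)] [object[]]$Users,            # objects with Name, userPrincipalName, mail, proxyAddresses
        [Parameter(Mandatory)] [string[]]$VerifiedSuffixes  # UPN suffixes verified in the tenant
    )
    # Local part: common RFC 822 atom characters; domain part: letters, digits, dots, hyphens.
    $upnPattern = '^[A-Za-z0-9!#$%&''*+/=?^_`{|}~.-]+@[A-Za-z0-9.-]+$'
    $findings   = New-Object System.Collections.Generic.List[object]
    $mailIndex  = @{}
    $proxyIndex = @{}

    function Add-Finding($obj, $attr, $err, $value) {
        $findings.Add([pscustomobject]@{ Object = $obj; Attribute = $attr; Error = $err; Value = $value })
    }

    foreach ($u in $Users) {
        $upn = [string]$u.userPrincipalName
        if ($upn -notmatch $upnPattern) {
            Add-Finding $u.Name 'userPrincipalName' 'format' $upn          # e.g. "Amr@@adatum.com"
        }
        elseif ($VerifiedSuffixes -notcontains ($upn -split '@')[1]) {
            Add-Finding $u.Name 'userPrincipalName' 'unverified suffix' $upn
        }

        $mail = [string]$u.mail
        if ([string]::IsNullOrWhiteSpace($mail)) {
            Add-Finding $u.Name 'mail' 'blank' $mail                        # e.g. Kelly Rollins
        }
        else {
            $key = $mail.ToLowerInvariant()
            if ($mailIndex.ContainsKey($key)) {
                Add-Finding $u.Name 'mail' "duplicate of $($mailIndex[$key])" $mail   # Brad Sutton / Don Funk
            }
            else { $mailIndex[$key] = $u.Name }
        }

        foreach ($pa in @($u.proxyAddresses)) {
            $key = ([string]$pa).ToLowerInvariant()
            if ($proxyIndex.ContainsKey($key) -and $proxyIndex[$key] -ne $u.Name) {
                Add-Finding $u.Name 'proxyAddresses' "duplicate of $($proxyIndex[$key])" $pa
            }
            else { $proxyIndex[$key] = $u.Name }
        }
    }
    return $findings
}

$users = Get-ADUser -Filter * -Properties userPrincipalName, mail, proxyAddresses
Test-DirSyncReadiness -Users $users -VerifiedSuffixes 'Adatumyyxxxxx.hostdomain.com' |
    Sort-Object Error, Object | Format-Table -AutoSize
```

Run it before and after the IdFix pass: the "before" list should contain the five accounts that CreateProblemUsers.ps1 altered, and the "after" list should be empty. Duplicate detection is case-insensitive because Azure AD treats mail and proxyAddresses values that way when it rejects a synchronized object.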

 Task 4: Configure the Office 365 tenant for directory synchronization


1. On LON-CL1, open Windows Azure Active Directory Module for Windows PowerShell and connect to
MSOnline with the following credentials:

o User name: Holly@Adatumyyxxxxx.onmicrosoft.com


o Password: Pa$$w0rd

2. In Windows PowerShell, enable directory synchronization for Office 365 by using the following
command:

Set-MsolDirSyncEnabled -EnableDirSync $true -Force

3. In the Office 365 admin center, verify that directory synchronization has been enabled.

Results: After completing this exercise, you will have resolved issues in AD DS identified by the IdFix tool
and you will have enabled Active Directory synchronization in Office 365.

Exercise 2: Configuring directory synchronization


Scenario
Now that the environment is prepared for directory synchronization, the next step is to install and
configure the Azure AD Connect tool and configure an initial synchronization.

The main tasks for this exercise are as follows:

1. Download and install Azure AD Connect.

2. Run the Azure AD Connect tool with custom settings.

3. Configure synchronization service filtering for organizational units.


4. Configure synchronization service filtering for object attribute.

5. Verify that synchronization was successful.



 Task 1: Download and install Azure AD Connect


1. Sign in to LON-DS1 with the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd
2. Open Internet Explorer and connect to the Office 365 portal: https://portal.microsoftonline.com.
3. If you are connected to the previous Admin center, click the banner at the top of the window to
connect to the new Admin center.

4. Sign in with the following credentials:

o User name: holly@Adatumyyxxxxx.OnMicrosoft.com

o Password: Pa$$w0rd

5. Change the domain portion of Holly Dickson’s account to @adatumyyxxxxx.hostdomain.com.

6. Close Internet Explorer, open it again, and connect to the Office 365 admin center. Sign in as
Holly@adatumyyxxxxx.hostdomain.com using the password Pa$$w0rd.

7. From the previous Office 365 admin center, download and install Azure AD Connect with Customized
Settings. You will need to configure the security settings for the Internet zone to enable file downloads.

 Task 2: Run the Azure AD Connect tool with custom settings


 On LON-DS1, complete the Azure AD Connect configuration with the following settings:

o Connect to Azure AD, using the following credentials:
 User name: holly@Adatumyyxxxxx.hostdomain.com
 Password: Pa$$w0rd

o Connect your directories, using the following credentials:
 User name: Adatum\Administrator
 Password: Pa$$w0rd

o Filtering: Select only the IT OU.

o Do not make changes on other pages of the wizard.

o On the Ready to configure page, clear the option to Start the synchronization process as soon
as the initial configuration completes.

o Sign out of LON-DS1 and then sign back in as Adatum\Administrator.

 Task 3: Configure synchronization service filtering for organizational units


 On LON-DS1, configure the Active Directory Connector in Synchronization Service Manager for the
following:

o Containers: Add the Research OU.



 Task 4: Configure synchronization service filtering for object attribute


1. On LON-DS1, use the Synchronization Rules Editor to create an inbound synchronization rule with the
following settings:

o Name: In from AD - User DoNotSyncFilter

o Connected System: Adatum.com

o CS Object Type: User

o Metaverse Object Type: Person

o Link Type: Join

o Precedence: 50

o Scoping filter:
 Attribute: msDS-cloudExtensionAttribute15
 Operator: EQUAL
 Value: NoSync

o Transformation:
 FlowType: Constant
 Target Attribute: cloudFiltered
 Source: True

2. Use Windows PowerShell to start the synchronization by running the following command:

Start-ADSyncSyncCycle -PolicyType Initial
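The following script is an added example, not part of the course, showing the Windows PowerShell equivalent of the Synchronization Rules Editor steps in Task 4, written in the form that the editor's own Export button produces for an existing rule. It assumes the ADSync module on LON-DS1, a connector named Adatum.com, and the ActiveDirectory module for the verification query at the end; the rule description text is this example's own.

```powershell
# Added example: create the DoNotSyncFilter inbound rule from PowerShell.
# Assumptions: ADSync module; connector named 'Adatum.com'; ActiveDirectory
# module available for the verification query.
Import-Module ADSync
Set-ADSyncScheduler -SyncCycleEnabled $false      # no cycle while rules are edited

$connectorId = (Get-ADSyncConnector -Name 'Adatum.com').Identifier.ToString()

# Inbound rule from AD user to metaverse person. Custom rules use a precedence
# below 100 so they win over the default rules shipped with Azure AD Connect.
New-ADSyncRule `
    -Name 'In from AD - User DoNotSyncFilter' `
    -Identifier ([guid]::NewGuid().ToString()) `
    -Description 'Set cloudFiltered for users flagged NoSync' `
    -Direction 'Inbound' `
    -Precedence 50 `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector $connectorId `
    -LinkType 'Join' `
    -OutVariable syncRule

# Scoping filter: msDS-cloudExtensionAttribute15 EQUAL NoSync
$condition = New-Object -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'msDS-cloudExtensionAttribute15', 'NoSync', 'EQUAL'
Add-ADSyncScopeConditionGroup -SynchronizationRule $syncRule[0] `
    -ScopeConditions @($condition) -OutVariable syncRule

# Transformation: constant True flows to cloudFiltered, which keeps the object
# out of the Azure AD connector space.
Add-ADSyncAttributeFlowMapping -SynchronizationRule $syncRule[0] `
    -Destination 'cloudFiltered' -FlowType 'Constant' -ValueMergeType 'Update' `
    -Source @('True') -OutVariable syncRule

Add-ADSyncRule -SynchronizationRule $syncRule[0]

# Verify which AD users the scope will catch before running the initial cycle.
Get-ADUser -LDAPFilter '(msDS-cloudExtensionAttribute15=NoSync)' |
    Select-Object Name, UserPrincipalName

Start-ADSyncSyncCycle -PolicyType Initial
Set-ADSyncScheduler -SyncCycleEnabled $true
```

Because an attribute filter removes objects from Azure AD rather than merely hiding them, the LDAP query is the last chance to catch a value set on the wrong accounts before the export; the deletion threshold discussed earlier in the lesson is the backstop, not the check.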

 Task 5: Verify that synchronization was successful


1. Ensure that you are signed in to LON-DS1 with the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

2. Open Internet Explorer and connect to http://aka.ms/siqtee.

3. Download and install the Microsoft Azure Active Directory Module for Windows PowerShell.

4. Use the following methods to verify synchronization:

o Synchronization Service Manager

o Windows PowerShell

o Office 365 admin center

Results: After completing this exercise, you will have installed Azure AD Connect with customized settings.
Upon completion of the installation, you will start directory synchronization to Office 365 and have verified
that synchronization was successful.

Exercise 3: Managing Active Directory users and groups


Scenario
Now that directory synchronization is in place and working, you need to identify how managing user and
group accounts has changed with directory synchronization.

The main tasks for this exercise are as follows:

1. Create a new user and group account.

2. Move a user out of the scope of synchronization.


3. Move a user into the scope of synchronization.

4. Change group membership.

5. Force synchronization.

6. Validate the results of directory synchronization.

 Task 1: Create a new user and group account


1. On LON-DC1, use Active Directory Users and Computers to create the following user in the Research
OU:

o First name: Perry

o Last name: Brill

o User logon name: Perry, with the UPN suffix @Adatumyyxxxxx.hostdomain.com

o Password: Pa$$w0rd

2. Clear User must change password at next logon.

3. Select Password never expires.

4. E-mail: Perry@Adatumyyxxxxx.hostdomain.com

5. Use Active Directory Users and Computers to create the following group in the Research OU:

o Group name: Project Team

o Group scope: Universal

o Group type: Distribution

6. E-mail: projectteam@Adatumyyxxxxx.hostdomain.com

7. Members:

o Chris Sells

o Lukas Keller

o Sabine Royant

 Task 2: Move a user out of the scope of synchronization


1. On LON-DS1, run the following command to verify that Josh Bailey is an Office 365 user:

Get-MsolUser -SearchString Josh

2. On LON-DC1, in Active Directory Users and Computers, move Josh Bailey from the Research OU to the
Sales OU.

 Task 3: Move a user into the scope of synchronization


 On LON-DC1, use Active Directory Users and Computers to move the user David So to the Research
OU.

 Task 4: Change group membership


 On LON-DC1, use Active Directory Users and Computers to remove these users from the Research
group:

o Allie Bellew

o Anil Elison

o Aziz Hassouneh

 Task 5: Force synchronization

 On LON-DS1, use Windows PowerShell to force an unscheduled, delta directory synchronization:

Start-ADSyncSyncCycle -PolicyType Delta

 Task 6: Validate the results of directory synchronization


 On LON-CL1, verify that the changes in AD DS were successfully synchronized to Office 365.

Results: After completing this exercise, you will have identified how managing user and group accounts
has changed with directory synchronization.
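The following script is an added example, not part of the course. It performs Task 5 and Task 6 from Windows PowerShell on LON-DS1: it starts the delta cycle, waits for the connectors to finish, and then queries Office 365 for each change made in Tasks 1 to 4. It assumes the ADSync and MSOnline modules and a prior Connect-MsolService; the timeout values are this example's own choices. The point it makes visible is that a user moved out of the synchronization scope is not left alone in Azure AD but deleted there (a soft delete that Azure AD retains for 30 days), which is why the Josh Bailey check queries deleted users.

```powershell
# Added example: force a delta cycle, wait for it, and validate in Office 365.
# Assumptions: ADSync and MSOnline modules; Connect-MsolService already run.
Import-Module ADSync
Import-Module MSOnline

function Wait-ADSyncCycle {
    param([int]$TimeoutSeconds = 900)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    Start-Sleep -Seconds 10                      # give the cycle time to start
    # Get-ADSyncConnectorRunStatus lists connectors that have a run in progress;
    # an empty result means the cycle has finished.
    while ((Get-ADSyncConnectorRunStatus) -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 15
    }
    return ((Get-Date) -lt $deadline)
}

$suffix = 'Adatumyyxxxxx.hostdomain.com'

Start-ADSyncSyncCycle -PolicyType Delta
if (-not (Wait-ADSyncCycle)) { throw 'Synchronization cycle did not finish in time' }

# Task 1: new user in the Research OU should now exist in the tenant.
Get-MsolUser -UserPrincipalName "Perry@$suffix" |
    Select-Object DisplayName, UserPrincipalName, LastDirSyncTime

# Task 3: David So moved into scope, so he should be present.
Get-MsolUser -SearchString 'David So' | Select-Object DisplayName, UserPrincipalName

# Task 2: Josh Bailey moved out of scope, so he should now be a deleted user.
Get-MsolUser -SearchString 'Josh' -ReturnDeletedUsers |
    Select-Object DisplayName, UserPrincipalName, SoftDeletionTimestamp

# Task 1: the Project Team distribution group and its three members.
$team = Get-MsolGroup -SearchString 'Project Team' | Where-Object DisplayName -eq 'Project Team'
Get-MsolGroupMember -GroupObjectId $team.ObjectId | Select-Object DisplayName, EmailAddress

# Task 4: the three removed members should no longer be in the Research group.
$research = Get-MsolGroup -SearchString 'Research' | Where-Object DisplayName -eq 'Research'
$members  = (Get-MsolGroupMember -GroupObjectId $research.ObjectId -All).DisplayName
foreach ($name in 'Allie Bellew', 'Anil Elison', 'Aziz Hassouneh') {
    [pscustomobject]@{ Name = $name; StillMember = ($members -contains $name) }
}
```

If Josh Bailey's account still appears among active users, the delta import did not see the move; an OU move is picked up by the next import of the AD connector, so re-run the cycle before concluding that filtering is misconfigured.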

Question: How do you configure OU level filtering for directory synchronization?



Module Review and Takeaways


Review Question
Question: What are some of the typical issues that can arise if UPN suffixes are not properly
configured before directory synchronization is deployed?

Real-world Issues and Scenarios


Because directory synchronization is the link between your on-premises AD DS objects and the services in
Office 365, be very careful when making changes to Azure AD Connect or the Synchronization Service
Manager after production deployment. For example, a minor mistake in filtering could delete all user
mailboxes in Office 365 in a matter of minutes; the export deletion threshold described earlier in this
module limits this risk but does not remove it.

In some environments, you might test all changes on a separate, non-production directory synchronization
server that is connected to a separate (trial) Office 365 tenant. In addition, you should manually initiate the
run profiles for each connector (management agent) in Synchronization Service Manager and review the
pending exports before exporting to Office 365. In some cases, it is a good idea to create a dedicated run
profile for exporting to Azure AD that includes a maximum limit on the number of allowed deletions.

Tools
IdFix. The Office 365 IdFix tool provides you the ability to identify and remediate the majority of object
synchronization errors in your AD DS forests in preparation for deployment to Office 365.

Having completed this module, you can now prepare an on-premises environment ready for directory
synchronization, install and configure Azure AD Connect, and manage Active Directory users and groups
with directory synchronization to Office 365 enabled.

Best Practices
 You must have a proper project plan.

 If using filtering, it should be set up before synchronizing any objects.

 You should work with a cloud services partner.

 You should perform thorough capacity planning.

 You should remediate AD DS before deploying directory synchronization.

 You should add all SMTP domains as verified domains before synchronizing.

Common Issues and Troubleshooting Tips


Common Issue                                                  Troubleshooting Tip

Directory synchronization filtering is no longer working.

After installing Azure AD Connect, you might be prompted
with the following error message when you open
Synchronization Service Manager: "Unable to connect to
the Synchronization Service."
Module 5
Planning and deploying Office 365 ProPlus
Contents:
Module Overview 5-1 

Lesson 1: Overview of Office 365 ProPlus 5-2 

Lesson 2: Planning and managing user-driven Office 365 ProPlus deployments 5-9 

Lesson 3: Planning and managing centralized deployments of Office 365 ProPlus 5-12 

Lesson 4: Office Telemetry and reporting 5-17 

Lab: Managing Office 365 ProPlus installations 5-22 

Module Overview
In this module, students will learn how to plan for a client deployment and ensure that users receive the
tools they need to interact with Microsoft Office 365 effectively. This module covers the planning process,
how to make Microsoft Office 365 ProPlus directly available to end users, and how to deploy it as a
managed package. Finally, this module covers how to set up Office telemetry so that administrators can
keep track of how users are interacting with Microsoft Office.

Objectives
After completing this module, you will be able to:

 Describe Office 365 ProPlus.


 Plan and manage user-driven Office 365 ProPlus deployments.

 Plan and manage centralized deployments for Office 365 ProPlus.

 Describe Office telemetry and reporting.



Lesson 1
Overview of Office 365 ProPlus
This lesson examines how to plan for an Office 365 client deployment of Office 365 ProPlus. This includes
planning for Microsoft Outlook, the Skype for Business client, and Office Online. This lesson also explains
the process of activation, revoking activation, and how activation relates to licensing. Finally, it covers the
differences between Click-to-Run and Microsoft installer applications.

Lesson Objectives
After completing this lesson, you will be able to:

 Describe Office 365 ProPlus.

 Explain Office 365 ProPlus licensing and activation.

 Describe Office 365 deployment.

 Describe Office 365 ProPlus update branches.

Overview of Office 365 ProPlus


Depending on the Office 365 plan, there are
several client packages that users can deploy.
Office 365 ProPlus is a part of several subscriptions,
but the license assigned to the user will determine
what is available for download and use.

Office 365 ProPlus


Office 365 ProPlus is a downloadable version of
the Microsoft productivity suite, and includes
Microsoft Word 2016, Microsoft Excel 2016,
Microsoft PowerPoint 2016, Microsoft Outlook
2016, Microsoft Access 2016, Microsoft Publisher
2016, Microsoft OneNote 2016, and the Skype for
Business client. Access, Publisher, and Skype for Business are not part of Microsoft Office 2016 for Mac
installations; however, you can download and use Microsoft Lync 2011 instead of Skype for Business.

Office 365 ProPlus supports streaming deployment by using Click-to-Run technology. This enables users to
click the application installation icon and start using the application, while the program installs in the
background. It is important to emphasize that, although deployment requires an Internet connection,
Office 365 ProPlus installs and runs locally on the user's computer. Office 365 ProPlus is not a web-based or
a light version of Office, and users do not have to connect to the Internet permanently to use it. However,
they must connect at least every 30 days.

Office 365 ProPlus vs. Office Professional 2016


While Office 365 ProPlus installs from the Office 365 subscription license and includes the Office
Professional applications, it differs from Office Professional 2016 in a few ways. These differences include:

 Office Professional 2016 is the desktop version of Office. You install Office Professional 2016 in the
traditional way, through Microsoft Windows Installer (MSI) from volume license media, which requires
a volume license product key.

 Office 365 ProPlus is a full version of Office that you install through Click-to-Run technology, and it
includes Office Online in the license. Updates automatically push out to the users (we will discuss
controlling the frequency through update branches later in this lesson).

 Office 365 ProPlus licensing also provides five copies of the full Office suite to use on multiple devices
per user.

 Office Professional 2016 installations do not stream. They include a license for only one copy per user,
and updates do not automatically update the applications without some intervention.

Office 365 ProPlus system requirements


The following table provides examples of Office 365 ProPlus system requirements.

Component               Requirement
Computer and processor  1 gigahertz (GHz) or faster x86 or x64 processor with Streaming SIMD Extensions 2
                        (SSE2) support.
Memory                  2 gigabytes (GB) of RAM (PC); 4 GB of RAM (Mac).
Hard disk               3.0 GB of available disk space (PC); 6.0 GB, Hierarchical File System Plus (HFS+) disk
                        format (Mac).
Display                 1280x800 minimum resolution.
Operating system        PC: Windows 10, Windows 8, Windows 7 Service Pack 1 (SP1), Windows Server 2016,
                        Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2.
                        Mac: Mac OS X 10.10.
                        For the best experience, always use the latest operating system version.
Graphics                Graphics hardware acceleration requires a DirectX 10 graphics card and 1280x800
                        resolution.
Browser                 The current or immediately previous version of Internet Explorer, or the current
                        version of Microsoft Edge, Safari, Chrome, or Firefox. Other browser versions might
                        work, but there is no guarantee.
Network                 Internet functionality requires an Internet connection.



Internet requirements
Users must be able to connect to Office Licensing Service through the Internet at least once every 30 days.

The following list identifies the ports, protocols, and URLs that Click-to-Run for Office 365 uses for
downloads, installation, automatic updates, subscription maintenance, and activation:

 Download and installation from the portal, and automatic updates. TCP 80, target URL:
http://officecdn.microsoft.com

 Subscription maintenance. TCP 443, target URL: https://ols.officeapps.live.com/olsc

 Office 365 ProPlus activation. TCP 443, target URL: https://activation.sls.microsoft.com

 Office 365 ProPlus activation (certificate revocation lists). TCP 80, target URLs:
http://crl.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunicationsPCA.crl,
http://www.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunicationsPCA

Note: Office 365 ProPlus uses these URLs internally. They are not intended to be accessed by
end users.
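The following function is an added example, not part of the course, for confirming from a client (or from the segment behind a proxy or egress firewall) that the Click-to-Run endpoints listed above are reachable on the stated ports before a deployment is scheduled. The host and port list is taken from the list above; Test-NetConnection is in the NetTCPIP module on Windows 8.1, Windows Server 2012 R2, and later, so on older clients substitute a .NET TcpClient connect.

```powershell
# Added example: TCP reachability check for the Click-to-Run endpoints above.
# Assumption: Test-NetConnection (NetTCPIP module) is available on the client.
function Test-ProPlusEndpoints {
    param(
        [object[]]$Endpoints = @(
            @{ Host = 'officecdn.microsoft.com';      Port = 80;  Purpose = 'download, install, updates' }
            @{ Host = 'ols.officeapps.live.com';      Port = 443; Purpose = 'subscription maintenance' }
            @{ Host = 'activation.sls.microsoft.com'; Port = 443; Purpose = 'activation' }
            @{ Host = 'crl.microsoft.com';            Port = 80;  Purpose = 'activation CRL' }
            @{ Host = 'www.microsoft.com';            Port = 80;  Purpose = 'activation CRL' }
        )
    )
    foreach ($e in $Endpoints) {
        # -WarningAction suppresses the "TCP connect failed" warning; the result
        # object still records the outcome in TcpTestSucceeded.
        $r = Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $e.Host
            Port      = $e.Port
            Purpose   = $e.Purpose
            Reachable = $r.TcpTestSucceeded
            RemoteIP  = $r.RemoteAddress
        }
    }
}

$results = Test-ProPlusEndpoints
$results | Format-Table -AutoSize
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) { Write-Warning ('Blocked endpoints: ' + ($blocked.Host -join ', ')) }
```

A TCP connect only proves that a path exists; a proxy that requires authentication or performs TLS inspection can still break activation on port 443 even when this check passes, so run the activation itself on one pilot machine as the final test.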

Visio and Project


Some Office 365 plans can add subscriptions of Microsoft Visio and Microsoft Project. These applications
are not part of Office 365 ProPlus, but users download them in the same way as Office 365 ProPlus by
turning them on or off in the Office 365 admin center.

Note: Microsoft InfoPath 2013 and Microsoft SharePoint Designer 2013 have been part of
Office editions in the past, but are now available as a download from the Microsoft Download
Center. These products will not upgrade past the 2013 versions and might require removal and
reinstallation when you install Office 365 ProPlus 2016 applications.

Office 365 ProPlus licensing and activation


In order to install Office 365 ProPlus, each user must have:

 An Office 365 user account and password, to sign in to Office 365.

 An Office 365 license, which the organization's administrator assigns to the user.

A single Office 365 license enables a user to deploy Office 365 ProPlus on up to five different computers.
The user manages these installations in the Office 365 portal and can deactivate Office 365 on a specific
device, if necessary.

The licensing and activation process


As part of the installation process, Office 365 ProPlus communicates with the Office Licensing Service and
the Activation and Validation Service to obtain and activate a product key. Each day, or each time the user
signs in to his or her computer, it connects to the Activation and Validation Service to verify the license
status and extend the product key. As long as the computer can connect to the Internet at least once every
30 days, Office remains fully functional. If the computer goes offline for more than 30 days, Office enters
reduced functionality mode until the next time a user can make a connection. To get Office fully functional
again, a user can simply connect to the Internet and let the Activation and Validation Service reactivate the
installation.

You can check the activation status within an Office application by clicking File (to go to the Backstage
view), and then clicking Account. If Product Activated appears on the page, the Office subscription license
has been activated successfully. If the Office application was already running when activation occurred, the
Backstage view might not yet reflect the licensed status; restart the application to see the updated status.

Office 365 administrators cannot see on which computers a user has installed Office and cannot deactivate
an Office installation on a user's computer. However, administrators do control the assignment of Office
365 licenses to users. When a user leaves the organization, an administrator can remove that user's Office
365 license (and reassign it to another user), after which all of that user's Office installations enter reduced
functionality mode.

Reduced functionality mode

If a user attempts to install Office 365 ProPlus on a sixth computer, he or she will need to deactivate one of
the first five installations. Office 365 ProPlus will then go into reduced functionality mode on the
deactivated computer. Office 365 ProPlus also enters reduced functionality mode if the administrator
revokes the user's license to use Office 365 ProPlus from the admin center, or if the Office 365 subscription
expires.

In reduced functionality mode, Office 365 ProPlus remains installed on the computer, but users can only
view and print their documents. All features for editing or creating new documents are disabled, and the
user sees a message with the following options to reactivate:

• Enter product key

• Sign in to Office 365

As long as the Office 365 subscription is current and the user has a license, the user can then choose one of
the available options to reactivate Office 365 ProPlus on that computer.

Overview of Office 365 deployment

You can use the deployment methods discussed in this topic with whichever applications the Office 365
subscription includes. Note, however, that this topic specifically covers Office 365 ProPlus; this course does
not cover on-premises deployment of Office Online to the organization's own SharePoint Online servers.

Note: Due to its online activation requirement, you cannot deploy Office 365 ProPlus to computers that
cannot or do not have an Internet connection. For disconnected computers, you should deploy Office
Professional 2016 and a traditional activation method, such as Key Management Service (KMS) or Active
Directory Domain Services (AD DS).

Deployment and bandwidth planning

You must run the Office 365 ProPlus desktop setup on each computer. If you initiate setup without first
installing any necessary operating system service packs and updates, you will use a significant amount of
download bandwidth. Each computer will separately connect to the Internet, and then download and install
service packs or updates. To prevent bandwidth saturation, you should deploy updates prior to deploying
the Office 365 ProPlus setup. You should use a package deployment tool, such as Microsoft System Center
Configuration Manager (Configuration Manager), so that updates download only once, but are then
distributed as part of a planned and scheduled deployment.

If you cannot deploy updates prior to Office 365 ProPlus setup, you can use Active Directory Group Policy
to throttle the deployment of the Office 365 ProPlus. You do so by deploying the setup package to one
subset of users at a time, by using such categories as organizational unit (OU) or site/location. In this way,
although all users are downloading updates, the download activity extends across days or weeks.

Removing previous versions

As part of deployment planning, it is important to consider how to remove any previous Office versions or
previous installations. For example, you might replace Office 2013 Professional Plus with Office 365 ProPlus.
You can remove prior versions of Office 365 automatically by using Control Panel or an online Fix it tool, or
you can remove them manually. Before installing the newer Office 365 ProPlus version, you will have to
remove prior versions. You might also have to remove applications such as SharePoint Designer 2013 or
InfoPath 2013 when installing a newer version of Office 365 ProPlus, but you can reinstall these after Office
365 ProPlus is installed.

Additional Reading: For more information, refer to Uninstall Office 2013, Office 2016, or
Office 365 from a Windows computer: http://aka.ms/imbv8i.

User communications and guidance

As part of deployment planning, it is essential to maintain active communications with users. These
communications include advance notices of planned deployments of Office 365 ProPlus, help and
guidance on using Office 365 ProPlus, and links and pointers to resources and learning tools.

If you expect users to use some form of self-service to install Office 365 ProPlus, you will have to provide
additional information, such as:

• Informing users of the download location to use for Office 365 ProPlus setup, as this location varies,
depending on the Office 365 subscription plan (for example, Office 365 ProPlus Enterprise E1 uses a
different location than Office 365 ProPlus Enterprise E3).

• Using correct wording in all communications. For example, depending on subscription level, users
might be accessing the Office 365 portal or the Office 365 admin center.

• Pointing out to advanced users that Office 365 ProPlus uses Click-to-Run, and that users should not use
any existing volume license media location that they might have used in the past to self-service install
Office Professional 2016 or previous versions. We will cover this information in greater detail in the next
lesson.

Deployment methods
The two most common ways of deploying Office 365 ProPlus to users include:

• User-driven (self-service) installation of Office 365 ProPlus directly from the Office 365 portal. We
describe this type of deployment in Lesson 2 of this module.

• Managed deployments, by first downloading the Office 365 ProPlus software to the local network and
then push deploying it to users. We describe this type of deployment later in this module.

Users can also deploy Office 365 ProPlus by starting an installation from media in a network share.
Additionally, users can deploy Office 365 ProPlus by using application virtualization, although this method
is beyond the scope of this course.

Office 365 ProPlus uses Click-to-Run technologies for deployment. Click-to-Run is now the default
installation technology for Office Professional 2016, except for volume-licensed editions. Volume-licensed
Office Professional 2016 and previous Office versions use MSI-based deployment and support the following
options:

• User-driven deployment from volume-licensed media in a network share.

• Information technology (IT) managed deployments.

• Application virtualization.

• Presentation virtualization (Office 365 ProPlus does not support this option, as such environments do
not support Click-to-Run installations).

Additional Reading: For more information, refer to Office 2016 Deployment Guides for
Admins: http://aka.ms/v9e5xl.

Office 365 ProPlus update branches

One advantage of using Office 365 is that applications update automatically when newer versions become
available. This can also be a challenge for large enterprises that might want a different frequency for
purposes of testing add-ins, macros, or preparing end user training. Microsoft provides update branches
for administrators who use a deployment technology to install Office 365 ProPlus, Office 365 Business,
Microsoft Project Pro for Office 365, and Microsoft Visio Pro for Office 365. The default update period for
Office 365 ProPlus is every four months unless changed. There are three update branches:

• Current Channel (previously named Current Branch). This update branch is referred to as Current in the
Office Deployment Tool or Group Policy. It provides all the newest features, security updates, and
non-security updates for stability or performance as soon as they become available. This is a great
option if you do not have many add-ins or macros and would like to have users always updated with the
newest content.

• Deferred Channel (previously named Current Branch for Business). This update branch is referred to as
Business in the Office Deployment Tool or Group Policy. It releases every four months. If you use this
update branch, you will continue to get security updates as they become available, but new features
will be available only every four months. You can choose whether to deploy a release, but only two
releases are supported, so if you choose to skip one, you will need to deploy the newest change or the
one right before the newest change when the next update is available. This will keep you within the
eight-month supported window.

• First Release for Deferred Channel (previously named First Release for Current Branch for Business). This
update branch is referred to as Validation in the Office Deployment Tool or Group Policy. It is for those
who like to pilot the next release before it comes out. Users assigned to this update branch will receive
the upcoming features four months in advance. Because you can assign update branches per user
through deployment methods, you could have some test users set to this update branch for the sole
purpose of testing macros, add-ins, or preparing training materials for end users. This is also a chance
to give Microsoft feedback on items that do not work as expected.

Configuring users for update branches

There are three methods for applying update branches to users, including:

• Using the Office 365 admin center. On the Settings menu, access the Apps page, and then click
Software Download settings. You can configure whether updates will be installed every month or every
4 months. The default for Office 365 ProPlus is the Standard release for the whole organization, which
updates every four months. If at any time you switch from every month to every 4 months, all users will
lose any updates that are for a future release. There is no option for Deferred Channel within the Office
365 admin center.

• Using the Office Deployment Tool (Office 2016 version). With this method, you can edit the
configuration.xml file to change the branch to one of the three settings mentioned above. Current,
Business, or Validation are the three available for Office 365 Enterprise subscriptions. If you are using a
business subscription, the key word of Validation is replaced with FirstReleaseCurrent in the
configuration.xml file. Different users could have different configuration.xml files to vary the release
schedules per user.

• Using Group Policy. This setting is located in Computer Configuration\Administrative
Templates\Microsoft Office 2016 (Machine)\Updates. The choices when enabling the Group Policy
settings are also the three settings mentioned above.

Additional Reading: For more information, refer to Reference for Click-to-Run configuration.xml file:
http://aka.ms/clh5x3 and Install the First Release build for Office 365 for business customers:
http://aka.ms/Qpy0w7.

Discussion: Planning on using Office 365 ProPlus?

If you plan to use Office 365 ProPlus, discuss the following questions:

• What issues do you anticipate with deploying Office?

• What method would work best for your organization and why?

• What advantages can you identify with user self-install methods as opposed to deployment methods
from an administrator? Are there disadvantages?

• How will your organization manage update branches?

Lesson 2
Planning and managing user-driven Office 365 ProPlus
deployments
In this lesson, you will learn how to plan and manage user-initiated installations of Office 365 ProPlus. Each
user initiates these deployments from the initial start page in Office 365 and installs them by using the
Click-to-Run technology. The only option available to the user is the installation location.

Lesson Objectives
After completing this lesson, you should be able to:

• Describe the user-driven deployment.

• Explain how to manage user-driven deployments.

• Describe considerations for user-driven deployments.

Introduction to user-driven deployment

Users can perform self-service installation by signing in to the Office 365 portal, and then selecting Install
Software. This approach does not require much administrative setup, but provides for limited control over
the deployment (in contrast with managed deployments). For example, administrators cannot control
where computer users install Office 365 ProPlus, but they can disable all Office 365 ProPlus deployments for
a specific user. In a user-driven deployment:

• Office always streams from the Internet to the computer by using Click-to-Run technology; local source
locations are not supported.

• Users must have an Office 365 account and be provisioned for Office 365 ProPlus.

• Users must have administrative rights to the local computer.

• Office 365 ProPlus installs Office 365 updates automatically in the background from the Internet. You
cannot change this behavior.

Managing user-driven installations

For user-driven installations of Office 365 ProPlus, there are limited management options. You can prevent
users from installing Office 365 ProPlus from the Office 365 portal; this can be useful if the organization's
policy is to deploy Office 365 ProPlus from an on-premises location in a managed deployment. Please note
that preventing users from downloading and installing Office 365 ProPlus is a company-wide option. You
cannot single out one user when turning this option on or off.

Similarly, administrators cannot control whether users install the 32-bit or 64-bit version of Office 365
ProPlus in a user-driven deployment. We recommend the 32-bit version, even on computers that have
64-bit operating systems. If users are installing from the Office 365 portal, it is important that you clearly
instruct users on which version to install. If they install a 64-bit version, you must fully uninstall all previous
32-bit Office packages.

Additional Reading: For more information, refer to 64-bit editions of Office 2013:
http://aka.ms/qovxa7.

Controlling application deployment

Office 365 administrators can use the user software page in the Office 365 admin center to control
whether or not users can install Office software from the Office 365 portal. For example, depending on the
subscription plan, an administrator could permit users to install Office 365 ProPlus packages (Word, Excel,
and PowerPoint), but not Visio. It is important to note, however, that this setting applies to all users. If an
administrator disables Office software installations for users, all users will see the following message on
their software page:

“The administrator has disabled Office installations. Contact your administrator for information about
how to install Office.”

Office 365 ProPlus installs as one package and, from the portal, it is not possible to exclude specific
applications. If an administrator wants to control installations down to an application level, there are two
options:

• You can use AppLocker policies to prevent a Click-to-Run application from running.

• You can use App-V 5.0 to customize the Office 365 configuration to include only specific applications.

Considerations for user-driven deployments

When planning for user-driven deployments, it is important to consider typical obstacles that prevent
successful deployments. These obstacles include the following:

• Users do not have admin rights, which user-driven deployment requires.

• Bandwidth limitations during deployment prevent successful streaming of Office 365 ProPlus binaries.
Ensure that all other updates for the Windows operating system are complete before deployment.

• Incorrect or unassigned licenses prevent successful user activation.

• Windows XP no longer has support, and Office 365 ProPlus setup will fail on it.

• Outlook 2016 no longer has support when connecting to Exchange 2007.

Communication and training

Some of your planning should focus on a communication plan to tell stakeholders how the new Office 365
ProPlus will change their day-to-day work. Inform users about macros or other processes that the new
Office 365 ProPlus will change, eliminate, or improve. Ensure that users are aware of the schedule and any
expected downtime.

Depending on the type of deployment you are conducting, you should prepare training for all those whom
the deployment will affect. Decide to what extent you need to create training materials. Can you rely
entirely on online training? Can you offer classroom courses? Without training, users might overload the
support team with calls regarding the easiest of tasks, which might jeopardize deployment schedules.
Training and communication can be good tools to improve the success of your deployment and get
immediate returns in productivity.

Office for Mac

When Mac users select software deployment, Office for Mac 2016 is the default install, and they can install it
on up to five computers. Users can download and install Office for Mac 2011 through September 2016. PC
users can install Office 365 ProPlus on up to five computers. Also, keep in mind that there is full support for
Office Online on Macs, as long as the browser meets the requirements. Mac users can also use Office 365
with existing Microsoft Office for Mac 2011 Service Pack 3 or Microsoft Office 2008 for Mac 12.2.9 update or
a newer version, with Microsoft Entourage 2008 for Mac, Web Services Edition.

Mobile devices
You can use Office 365 on a wide range of mobile devices, including phones and tablets. Office Online is
available for Windows tablets, Windows Phone, iPhone, iPad, and Android devices. Light versions are
available for BlackBerry devices and Nokia (Symbian operating system). Users can use Office 365 on up to
five mobile devices and five PCs.

Additional Reading: For more information, refer to System requirements for Office:
http://aka.ms/ghq4zw.

Additional Reading: For more information, refer to Office 365 mobile setup – Help:
http://aka.ms/Ca6hpo.

Lesson 3
Planning and managing centralized deployments of Office
365 ProPlus
In this lesson, students will learn how to manage an Office 365 ProPlus deployment, manage streaming
updates, use the Office Deployment Tool, and customize the Office 365 deployment.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe managed deployments.

• Describe the Office Deployment Tool.

• Manage and deploy Office with Group Policy.

• Manage Office 365 ProPlus updates.

• Plan for Office 365 ProPlus deployments.

Introduction to managed deployments

In a managed deployment, the Office 365 ProPlus software first downloads to the local network, and then
some form of push mechanism deploys it to users. The following software distribution tools are examples of
mechanisms that you can use to manage push installations:

• Configuration Manager

• Intune

• Non-Microsoft software distribution

• Group Policy login scripts

• Scripted installation

In the lab for this module, you will use Group Policy computer startup scripts to deploy Office 365 ProPlus.
However, similar command lines and scripts are part of an electronic software distribution. You can build
them into System Center or Microsoft Deployment Toolkit (MDT) task sequences.

With Group Policy and the Office Deployment Tool, it is important to remember that you must run
Click-to-Run installations as a local admin. For example, Group Policy startup scripts must run from the
computer context and not the user context. You can use Configuration Manager or Remote Desktop in
cases where users do not have admin rights.

Performing managed deployments

For Click-to-Run, you configure the Office client through Group Policy or the Office Deployment Tool. You
do not use the Office Customization Tool (OCT), as you might have done with past volume-licensed Office
2013 Professional Plus media. You can use the following tools to complement each other:

• Configuration.xml. Office Deployment Tool uses this to customize the deployment experience by:

o Assigning which products to install (Office 365 ProPlus, Office 365 Business Premium, Visio, or
others).

o Choosing 32-bit or 64-bit installations.

o Choosing which applications to exclude.

o Choosing which update branch to assign to the user.

o Adding specific language versions.

o Removing previous deployments or languages.

• Group Policy. You can use this to manage all other Office settings, including which applications to
block from certain users.

Overview and customization of Office Deployment Tool

You can download Office Deployment Tool from the Office 365 admin center, or directly from the Microsoft
Download Center. You use Office Deployment Tool to:

• Download Office source files (source URL: http://officecdn.Microsoft.com).

• Install or remove Click-to-Run or customize installations.

• Apply software update policies.

Office Deployment Tool supports three command-line switches:

• /download <path to configuration.xml> to specify the download.

• /configure <path to configuration.xml> to specify the Office source file location.

• /packager to prepare Office source files so that you can use Click-to-Run in an App-V infrastructure.

The Office Deployment Tool process involves the following key steps:

1. Edit Configuration.xml to specify the Office 365 software to download, such as Office 365 ProPlus or
Visio, and the shared location to use.

2. Use Office Deployment Tool with the download option to place source files in a software distribution
infrastructure; for example, setup.exe /download \\LON-CL1\Office16\Configuration.xml.

3. Use Office Deployment Tool with the configure option to deploy the Office Deployment Tool
and the configuration file to clients; for example, setup.exe /configure \\LON-CL1\Office16\Configuration.xml.

4. When client computers execute the Office Deployment Tool, it reads the configuration file, and then
streams Click-to-Run from the specified location (for example, where the source files downloaded
internally).

Note: When you use this method, you deploy the Office Deployment Tool and not the Office
source files. The Office Deployment Tool is a 3-megabyte (MB) executable.
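
The four steps above, as an added PowerShell example (this is not code from the courseware or from the Office
Deployment Tool itself): it writes a Configuration.xml containing the elements the module describes (Add with
SourcePath, OfficeClientEdition and Branch; a Product with optional ExcludeApp entries; Updates with UpdatePath)
and then drives setup.exe through /download on the administrator's side and /configure on each client. The
product ID O365ProPlusRetail, the Display element, and the function names are assumptions of mine rather than
values from the page; the \\LON-CL1\Office16 share is the page's own example path.

```powershell
# Added example, not from the courseware or the Office Deployment Tool (ODT).
# Assumptions (not on the page): product ID O365ProPlusRetail, the Display element,
# and that setup.exe on the share is the ODT executable.

function New-OdtConfiguration {
    # Builds the Configuration.xml that both /download and /configure read.
    param(
        [Parameter(Mandatory)] [string] $SourcePath,                               # share holding the Office source files
        [ValidateSet('32', '64')] [string] $Edition = '32',                        # the module recommends 32-bit
        [ValidateSet('Current', 'Business', 'Validation')] [string] $Branch = 'Business',  # Enterprise-plan keywords
        [string[]] $ExcludeApps = @(),                                             # applications to leave out, e.g. 'Access'
        [string] $UpdatePath,                                                      # where clients look for updated builds
        [string] $Language = 'en-us'
    )
    if (-not $UpdatePath) { $UpdatePath = $SourcePath }

    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('Configuration'))

    $add = $root.AppendChild($doc.CreateElement('Add'))
    $add.SetAttribute('SourcePath', $SourcePath)
    $add.SetAttribute('OfficeClientEdition', $Edition)
    $add.SetAttribute('Branch', $Branch)

    $product = $add.AppendChild($doc.CreateElement('Product'))
    $product.SetAttribute('ID', 'O365ProPlusRetail')                               # assumption: ProPlus product ID
    $product.AppendChild($doc.CreateElement('Language')).SetAttribute('ID', $Language)
    foreach ($app in $ExcludeApps) {
        $product.AppendChild($doc.CreateElement('ExcludeApp')).SetAttribute('ID', $app)
    }

    # Updates element as described in the module: enabled and pointed at a share.
    $updates = $root.AppendChild($doc.CreateElement('Updates'))
    $updates.SetAttribute('Enabled', 'TRUE')
    $updates.SetAttribute('UpdatePath', $UpdatePath)

    # Silent, no-prompt installation (assumed element and attribute names).
    $display = $root.AppendChild($doc.CreateElement('Display'))
    $display.SetAttribute('Level', 'None')
    $display.SetAttribute('AcceptEULA', 'TRUE')

    return $doc
}

function Assert-LocalAdministrator {
    # Click-to-Run setup must run elevated. A Group Policy *computer* startup script runs as
    # SYSTEM, which passes this check; a user logon script normally would not.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'The Office Deployment Tool must run as a local administrator (computer context).'
    }
}

function Invoke-OdtSetup {
    # Runs setup.exe /download (step 2, on the admin side) or /configure (steps 3-4, on each client).
    param(
        [Parameter(Mandatory)] [string] $SetupExe,
        [Parameter(Mandatory)] [string] $ConfigPath,
        [Parameter(Mandatory)] [ValidateSet('download', 'configure')] [string] $Mode
    )
    if ($Mode -eq 'configure') { Assert-LocalAdministrator }
    & $SetupExe "/$Mode" $ConfigPath
    if ($LASTEXITCODE -ne 0) { throw "setup.exe /$Mode failed with exit code $LASTEXITCODE" }
}

# --- Admin side (run once): write the configuration and pull the source files to the share ---
$share  = '\\LON-CL1\Office16'                    # the module's example share
$config = Join-Path $share 'Configuration.xml'
(New-OdtConfiguration -SourcePath $share -Branch 'Business' -ExcludeApps 'Access').Save($config)
Invoke-OdtSetup -SetupExe (Join-Path $share 'setup.exe') -ConfigPath $config -Mode download

# --- Client side (Group Policy computer startup script): stream Office from the share ---
# Invoke-OdtSetup -SetupExe '\\LON-CL1\Office16\setup.exe' -ConfigPath '\\LON-CL1\Office16\Configuration.xml' -Mode configure
```

Because every client executes setup.exe from the share and streams its binaries from there, the share should be
readable by the computer accounts and writable only by the deployment administrators; a share that clients can
write to is a path to running attacker-supplied code on every computer that installs from it. For Office 365
Business subscriptions, substitute FirstReleaseCurrent for Validation, as the update-branch topic notes.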

Additional Reading: For information, refer to Office Deployment Tool for Click-to-Run:
http://aka.ms/uic22i.

Additional Reading: For more information, refer to Reference for Click-to-Run configuration.xml file:
http://aka.ms/clh5x3.

Managing and deploying Office with Group Policy

You can use Group Policy to manage general Office settings and application-specific settings, such as
managed add-ins. At the application level, you use Group Policy to control the user's first-run experience.
The following example includes the procedure to remove all first-run experiences, resulting in a no-prompt
deployment.

1. First, in Group Policy Editor, expand the User Configuration to the following path:

User Configuration\Administrative Templates\Microsoft Office 2016\First Run

2. Set the following settings:

• Disable First Run Movie: Enabled

• Disable Office First Run on application boot: Enabled

3. Then expand the User Configuration to the following path:

User Configuration\Administrative Templates\Microsoft Office 2016\Privacy\Trust Center

4. Set the following settings:

• Disable Opt-in Wizard on first run: Enabled

• Enable Customer Experience Improvement Program: Disabled

• Allow including screenshot with Office Feedback: Disabled

• Send Office Feedback: Disabled

• Automatically receive small updates to improve reliability: Disabled

Additional Reading: For more information, refer to Office 2016 Administrative Template
files (ADMX/ADML) and Office Customization Tool: http://aka.ms/bengwp.

Managing Office 365 ProPlus updates

Click-to-Run uses an optimized software-update model that provides unobtrusive background updates. This
model results in simpler and smaller updates. Every month, on Patch Tuesday (the second Tuesday of the
month), Microsoft releases an updated Office build, comprising a full set of source files. Unlike with
traditional MSI-based installations, these releases do not include separate security fixes, private hotfixes,
cumulative updates, and service packs. You use the updated full set of source files for new installations. For
existing installations, during the update process, the client performs a delta comparison between the
current and updated build, and only downloads the deltas or differences.

Additionally, this model does not affect users, even if they are using an Office application when an update is
happening. When they close and reopen the Office application, they will be using the newer build
automatically.

Update options
Updating options include:

• Automatic from cloud. This is the default mode (typically used for home or small office installations)
where updates download from the cloud. A daily task checks for updates, and when a new build is
available, the client automatically receives the deltas.

• Automatic from network. In managed deployments, administrators can specify (by using Group Policy
or the configuration.xml file during setup) to check for updated builds from an internal source.
Typically, small or medium organizations use this option.

• Rerun setup.exe by using Electronic Software Delivery (ESD). In large organizations, using an ESD such
as Configuration Manager enables even more fine-grained control of update scheduling. You can use
scripts or task sequences in the ESD to re-execute setup.exe /configure. This will compare the current
version with the source (defined in the SourcePath attribute in the config.xml) and only install deltas.
By using an ESD, administrators can specify how many users receive a new build in a given time period.

The second and third options enable administrators to control when users receive updated builds. For these
two options, a best practice is to download the updated build to a test share initially, and to apply updates
to test or pilot computers only (as you configure these computers to receive updates from
\\Server\Testing$, for example). After the testing period, you move the updated build to a production
update share, and it begins to update production computers automatically (as they are configured to
receive updates from \\Server\Production$, for example).

Note: Although administrators can choose not to receive updates, it is important to note that
clients can be on an outdated build for only 12 months. After 12 months, clients will need to
download a newer build that Microsoft support will cover.

Using Configuration.xml file to manage updates

Administrators can configure update behavior by using the Office Deployment Tool configuration.xml file
options. For example, the following element turns on updates and directs them to a shared folder:

<Updates Enabled="TRUE" UpdatePath="\\Server\Share\Office\" />

• Enabled. If set to TRUE (default), Click-to-Run will automatically detect, download, and install
updates.

• UpdatePath. Specifies a network, local, or HTTP path for a Click-to-Run installation source to use for
updates. If not set, or set to default, the Click-to-Run source on the Internet is used.

• TargetVersion. Sets a specific product build number (for example, 16.0.6366.2036) that the next
update cycle will update to. If not set or set to default, Click-to-Run will update to the latest version
advertised at the Click-to-Run source.
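
The test-share-then-production-share practice from the update options topic, and the Updates attributes listed
above, as an added PowerShell example (not code from the courseware or from the Office Deployment Tool): it
rewrites the Updates element of an existing configuration.xml so that clients read updates from a given share and,
optionally, pins TargetVersion to a build that is actually present on that share. The assumption that the ODT
/download step stores each build under <share>\Office\Data\<build number>, and the function names, are mine and
not stated on the page; \\Server\Testing$ and \\Server\Production$ are the page's own example share names.

```powershell
# Added example, not from the courseware or the Office Deployment Tool.
# Assumption (not on the page): ODT /download stores each build under <share>\Office\Data\<build>,
# so the folder names there show which TargetVersion values a share can actually serve.

function Get-AvailableOfficeBuild {
    # Lists the four-part build numbers present in an update share, oldest first.
    param([Parameter(Mandatory)] [string] $UpdatePath)
    $dataDir = Join-Path $UpdatePath 'Office\Data'
    if (-not (Test-Path -Path $dataDir)) { return @() }
    @(Get-ChildItem -Path $dataDir -Directory |
        Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+$' } |
        ForEach-Object { [version] $_.Name } |
        Sort-Object)
}

function Set-OfficeUpdateSource {
    # Rewrites <Updates Enabled="TRUE" UpdatePath="..." [TargetVersion="..."] /> in a configuration.xml.
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,    # configuration.xml to edit
        [Parameter(Mandatory)] [string] $UpdatePath,    # e.g. \\Server\Testing$ or \\Server\Production$
        [string] $TargetVersion,                        # e.g. 16.0.6366.2036; omit to track the newest build
        [switch] $Force                                 # pin even if the build is not found under UpdatePath
    )
    if ($TargetVersion) {
        if ($TargetVersion -notmatch '^\d+\.\d+\.\d+\.\d+$') {
            throw "TargetVersion '$TargetVersion' is not a four-part build number such as 16.0.6366.2036"
        }
        if (-not $Force) {
            # Pinning to a build the share does not hold leaves clients unable to update at all.
            $available = Get-AvailableOfficeBuild -UpdatePath $UpdatePath
            if ($available -notcontains [version] $TargetVersion) {
                throw "Build $TargetVersion is not present under $UpdatePath (found: $($available -join ', '))"
            }
        }
    }

    [xml] $config = Get-Content -Path $ConfigPath -Raw
    $updates = $config.SelectSingleNode('/Configuration/Updates')
    if ($null -eq $updates) {
        $updates = $config.DocumentElement.AppendChild($config.CreateElement('Updates'))
    }
    $updates.SetAttribute('Enabled', 'TRUE')
    $updates.SetAttribute('UpdatePath', $UpdatePath)
    if ($TargetVersion) { $updates.SetAttribute('TargetVersion', $TargetVersion) }
    else                { $updates.RemoveAttribute('TargetVersion') }   # follow the newest advertised build
    $config.Save($ConfigPath)
    return $updates.OuterXml
}

# Pilot: point the test computers' configuration at the test share and pin the candidate build.
# Set-OfficeUpdateSource -ConfigPath '\\Server\Testing$\Configuration.xml' -UpdatePath '\\Server\Testing$' -TargetVersion '16.0.6366.2036'
# After the test period: let production computers follow the newest build on the production share.
# Set-OfficeUpdateSource -ConfigPath '\\Server\Production$\Configuration.xml' -UpdatePath '\\Server\Production$'

# Self-contained run against a constructed configuration in the temp folder (no share needed, hence -Force).
$demo = Join-Path $env:TEMP 'Configuration.xml'
'<Configuration><Add SourcePath="\\Server\Production$" OfficeClientEdition="32" /></Configuration>' | Set-Content -Path $demo
Set-OfficeUpdateSource -ConfigPath $demo -UpdatePath '\\Server\Testing$' -TargetVersion '16.0.6366.2036' -Force
```

The build-present check is what keeps a pin from silently stalling updates; the note above about clients being
supported on an outdated build for only 12 months is the other limit on how long a pinned TargetVersion can stay
in place. The same share-permission rule as for the installation source applies to an update share, since clients
execute what they find there.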

Planning for Office 365 ProPlus deployments

When planning for Office 365 ProPlus deployments, it is important to consider typical obstacles that prevent
successful deployment. These obstacles include the following:

• Users without admin rights. Click-to-Run deployments require local admin rights.

• Bandwidth limitations during deployment. These prevent successful streaming of Office 365 ProPlus
binaries.

• Incorrect licenses. These prevent successful user activation.

• End of support for Windows XP. This will cause Office 365 ProPlus setup to fail.

• Lack of information technology (IT) expertise in an enterprise software deployment. You need to
understand tools such as the Office Deployment Tool, Group Policy, and Configuration Manager
before you use them as part of enterprise Office 365 client rollouts.
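
The obstacles in this list and in the user-driven list in Lesson 2 (admin rights, Windows XP, pending operating
system updates, and Internet reachability for the Click-to-Run stream), as an added PowerShell pre-flight check
that is not code from the courseware: it reports each condition for the computer it runs on. The host name
officecdn.microsoft.com is the source URL given earlier in the module; the Windows Update Agent COM object, the
TCP timeout, the choice of ports 80 and 443, and the function names are assumptions of mine. License assignment
and the Exchange version are server-side facts and are not checked here.

```powershell
# Added example, not from the courseware: pre-flight checks for the deployment obstacles the module lists.
# Assumptions (not on the page): the Windows Update Agent COM API for pending updates, a 3-second TCP
# timeout, and ports 80/443 for reaching the Click-to-Run source officecdn.microsoft.com.

function Test-TcpPort {
    # Connects with a timeout, without relying on Test-NetConnection (absent on older Windows versions).
    param([string] $HostName, [int] $Port, [int] $TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-PendingWindowsUpdateCount {
    # Number of applicable-but-not-installed updates, or $null if the search itself fails (may take a while).
    try {
        $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
        return $searcher.Search('IsInstalled=0').Updates.Count
    } catch {
        return $null
    }
}

function Test-OfficeProPlusReadiness {
    param([string] $CdnHost = 'officecdn.microsoft.com')

    # 1. Admin rights: Click-to-Run setup needs a local administrator (or the SYSTEM computer context).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. Operating system: Windows XP (NT 5.x) is out of support and setup fails there.
    $os    = [Environment]::OSVersion.Version
    $notXp = $os.Major -ge 6

    # 3. Pending OS updates: the module says to finish them first so the Office stream is not competing
    #    with update downloads for bandwidth.
    $pending = Get-PendingWindowsUpdateCount

    # 4. Internet reachability: user-driven installs always stream from the Click-to-Run source.
    $cdnOk = (Test-TcpPort -HostName $CdnHost -Port 443) -or (Test-TcpPort -HostName $CdnHost -Port 80)

    # An unknown pending-update count ($null) counts as not ready rather than ready.
    [pscustomobject] @{
        ComputerName          = $env:COMPUTERNAME
        IsLocalAdministrator  = $isAdmin
        OsVersion             = $os.ToString()
        OsSupported           = $notXp
        PendingUpdates        = $pending
        ClickToRunSourceReach = $cdnOk
        Ready                 = ($isAdmin -and $notXp -and $cdnOk -and ($pending -eq 0))
    }
}

Test-OfficeProPlusReadiness | Format-List
```

Run it under the same account the deployment will use (for a Group Policy computer startup script, that is
SYSTEM, for example through a scheduled task), because the admin-rights result is only meaningful for the
context that will actually execute setup.exe.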

Discussion: Planning for a Managed Office 365 deployment

What would you take into account while planning for a managed deployment of Office 365 ProPlus in your
organization?

• Deployment method

• Update branch

• Best Office configurations

• Type and level of training

Lesson 4
Office Telemetry and reporting
In this lesson, students will learn how to set up the telemetry service, enable telemetry through Group
Policy, report user issues, and deploy the Office Telemetry Agent.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe Office Telemetry.

• Deploy and configure Office Telemetry.

• Describe how to deploy and configure Office Telemetry.

• Describe Office Telemetry considerations.

Overview of Office Telemetry

Office Telemetry provides inventory, usage, and monitoring tools for Office 2016, Office 2013, Office 2010,
Office 2007, and Office 2003. Data is collected whenever a user opens, edits, or closes a monitored
document type. Office Telemetry then aggregates this data in a central database for reporting and viewing.
You can view data by using an Excel solution, the Office Telemetry Dashboard, and the Office Telemetry Log.

For Office 2013 and 2016 applications, Office Telemetry can create records if certain error situations occur,
including a description of the problem and a link to more information.

Office Telemetry agents are built into Office 2013 Professional, Office 2016 Professional, Office 365 ProPlus
2013, and Office 365 ProPlus 2016. If you enable data collection, information about installed add-ins, the
most recently used documents, and application event data will go to the Office Telemetry Logs and Office
Telemetry Database. However, for Office 2003, Office 2007, and Office 2010, you must first deploy an agent;
this agent collects information about add-ins and recently used documents, but does not provide
application event data.

Note: Another advantage of installing the 32-bit version of Office 365 ProPlus is the added
functionality of all the add-ins that you install and use with the Office applications. With the Office
Telemetry Dashboard, you can measure the use of these add-ins.

Office Telemetry uses

A key function of Office Telemetry is to help when planning an upgrade to Office 365 ProPlus. By deploying
agents to computers that run existing Office editions, collected data can provide inventory information,
and identify the business-critical Office documents and solutions in the organization. You should then
prioritize these solutions for compatibility testing with the newest version of Office 365 ProPlus.

Collecting this data prior to an Office 365 ProPlus rollout provides the information needed to help with
capacity and license planning. Data collection also helps to ensure that ProPlus network and storage
performance will be within acceptable limits. You can also use Office Telemetry after an Office 365 ProPlus
rollout to monitor performance against targets, to monitor user adoption of new features, and to identify
errors and problems with Office solutions.

Telemetry operations
Before data collection can begin, you must enable Office Telemetry client functionality, whether built into
Office 365 ProPlus or deployed to previous versions of Office, through Group Policy or by editing the local
registry. Data collection runs as a scheduled task and requires domain membership.

Office client data is first sent to a shared folder on the network (cloud storage is not an option for this data).
This folder must be accessible to all clients and users. The Office Telemetry processing service, known as the
Office Telemetry Processor, runs on a domain-joined computer running Windows Server 2008 or newer.
This service then reads the data and sends it to the Office Telemetry database.

Note: The telemetry processor can run in test or small environments on Windows 10,
Windows 8, or Windows 7; it is also possible to run the processor on a workgroup computer by
using a workaround.

The Office Telemetry database requires Microsoft SQL Server 2005 or newer. In test or small environments,
you can also run it on Microsoft SQL Server Express editions.

Note: You can use a single computer for all the Office Telemetry components: database,
share, and processor.

The Office Telemetry Dashboard is an Excel 2016 tool that installs automatically as part of Office
Professional Plus 2016 and Office 365 ProPlus installations. You will find the dashboard in the Tools folder
under the Microsoft Office 2016 Start Menu folder. The dashboard connects to the database to enable
consolidated views of telemetry data, and multiple users can use the dashboard to view the data.

The Office Telemetry Log is an additional tool for developers and experienced users to use when
diagnosing compatibility issues on a specific Office 2016 client. As with the dashboard, the Office Telemetry
Log is also in the Office 2016 Tools folder and requires Excel 2016. It automatically installs with Office
Professional Plus 2013, Office Professional 2016, and Office 365 ProPlus. However, unlike the dashboard, the
Office Telemetry Log connects to the local data store on the client, and not the central database.

Telemetry management
Telemetry data collection is managed separately for each client through Group Policy settings. Office 2016
administrative templates include these settings, as part of Office16.admx and Office16.adml. They are
located under the User Configuration\Administrative Templates\Microsoft Office 2016\Telemetry
Dashboard node. If you cannot use Group Policy, you can also configure these settings on the local
computer by editing the registry, or by deploying registry files. There are also several telemetry test settings
that update only through the registry editor.

Deploying and configuring Office Telemetry

You first deploy the Office Telemetry Dashboard and components on user computers. These components
are part of Office Professional 2016 and Office 365 ProPlus installations, and do not require additional
installation. The Office Telemetry Dashboard Getting Started worksheet then provides a step-by-step guide
and links to configure all the required Office Telemetry components.

Note: You can find the Office Telemetry Dashboard Getting Started worksheet by starting
the Office Telemetry Dashboard in the Office 2016 Tools folder. This opens an Excel spreadsheet
with two worksheet tabs at the bottom of the window: Getting Started and Telemetry Dashboard
Guide.

You must perform the following steps to install and configure Office Telemetry:

1. Prepare the database. The first step is to deploy SQL Server (Express or full version), or to connect to an
existing SQL Server installation. If a new database is necessary, the Getting Started worksheet provides
download links for SQL Server Express Edition.

Note: When configuring the database, you must not select Mixed Mode authentication,
because the Office Telemetry Dashboard does not support SQL Server authentication.

2. Set up the Office Telemetry Processor. The second step is to set up the Office Telemetry Processor,
which reads information that Office Telemetry Agents store in the shared folder. It then connects and
adds records to the Office Telemetry database. The Office Telemetry Processor setup wizard provides
guidance for installing the processor, setting up the share, and making the database connection.

3. Deploy Office Telemetry Agents. The third step is to deploy any required agents for versions that are
older than Office 2013. The dashboard Getting Started worksheet provides download links for x86 and
x64 Office Telemetry Agents. You can deploy agents by using scripts, Group Policy, electronic software
distribution, or application virtualization management features of Configuration Manager.

4. Configure Office Telemetry Agents. The fourth step is to configure Office Telemetry Agents and enable
data logging. The dashboard Getting Started worksheet provides a download link for the Office 2016
Administrative Template files. You should then import the office16.admx file and language-specific
office16.adml file into the Active Directory domain for use with Group Policy Management tools.

The Office Telemetry Group Policy settings cover the following options:

o Enabling data collection.

o Enabling data upload to the shared folder.

o Location or Universal Naming Convention (UNC) path of the shared folder that the client will use
to store its data.

o Any applications or solutions to ignore during data collection.

o Custom tags to use to help during data viewing. These tags can include user location, department,
and Active Directory security group. The next topic provides more information on tagging.

o Enabling privacy settings.

When you have deployed the Group Policy settings to Office clients, the telemetry configuration is
complete, and data collection will begin.

The dashboard Getting Started worksheet provides two additional post-configuration steps:

1. Connect the dashboard to the database. The fifth step on the dashboard Getting Started worksheet is
to connect the dashboard to the database to enable viewing of the data. This step creates and
populates additional worksheets. A later topic will describe this.

2. Configure any required privacy settings. The final configuration step is to optionally configure any
required privacy settings. By default, data collection includes full file names, file paths, and document
titles. Administrators should not always be able to view such detailed information. If you enable the
Turn on privacy settings in Telemetry Agent Group Policy setting, file names, file paths, and titles
will be obscured. For example, a document named Merger_Contoso.docx will be recorded as
Me********.docx in the shared folder, and the document's location and title will be <location>\********
and ********.

Additional Reading: For more information, refer to Manage the privacy of data monitored
by telemetry in Office: http://aka.ms/qhi35p.
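The following Windows PowerShell script is an added example, not part of the course and not a Microsoft tool. It applies the agent settings listed in step 4 and the privacy setting from step 6 to one client through the registry, the route the Telemetry management topic describes for computers that cannot receive Group Policy. The registry key and value names are those that the Office16.admx Telemetry Dashboard policies write for the Office 2016 agent (confirm them against the ADMX in your own environment); the share path and tag values are constructed for the example, and AgentInitWait and AgentRandomDelay are registry-only test settings of the kind the earlier topic mentions.

```powershell
# Added example (not from the course): configure the Office 2016 Telemetry Agent
# on one client through the registry, for a computer that cannot receive Group Policy.
# Key and value names are the ones the Office16.admx Telemetry Dashboard policies write;
# the share path and tags are constructed values for this example.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $CommonFileShare,   # UNC path, e.g. \\LON-DS1\TelemetryShare (constructed)
    [string[]] $Tags = @(),                             # up to four tags: location, department, AD group ...
    [switch]   $ObfuscateFileNames,                     # "Turn on privacy settings in Telemetry Agent"
    [switch]   $TestTiming                              # registry-only test settings, never for production
)

$policyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\OSM'

if ($Tags.Count -gt 4) { throw 'Office Telemetry supports at most four tags (Tag1..Tag4).' }
if ($CommonFileShare -notmatch '^\\\\[^\\]+\\[^\\]+') {
    throw "CommonFileShare must be a UNC path such as \\server\share: $CommonFileShare"
}
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }

# Core collection settings: log locally, upload to the central share.
Set-ItemProperty -Path $policyKey -Name EnableLogging   -Value 1 -Type DWord
Set-ItemProperty -Path $policyKey -Name EnableUpload    -Value 1 -Type DWord
Set-ItemProperty -Path $policyKey -Name CommonFileShare -Value $CommonFileShare -Type String

# Tags let the dashboard filter by location, department or security group.
# Unused Tag slots are cleared so that a stale value from an earlier run cannot linger.
for ($i = 1; $i -le 4; $i++) {
    $name = "Tag$i"
    if ($i -le $Tags.Count) {
        Set-ItemProperty -Path $policyKey -Name $name -Value $Tags[$i - 1] -Type String
    } elseif ($null -ne (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue)) {
        Remove-ItemProperty -Path $policyKey -Name $name
    }
}

# Privacy: obfuscate file names, paths and titles before they leave the client,
# so Merger_Contoso.docx is recorded as Me********.docx in the shared folder.
$obfuscate = if ($ObfuscateFileNames) { 1 } else { 0 }
Set-ItemProperty -Path $policyKey -Name EnableFileObfuscation -Value $obfuscate -Type DWord

if ($TestTiming) {
    # Test-only values (minutes) that shorten the agent's initial wait and random
    # upload delay so that data shows up quickly in a lab; remove them afterwards.
    Set-ItemProperty -Path $policyKey -Name AgentInitWait    -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name AgentRandomDelay -Value 1 -Type DWord
}

# Show the effective settings for the signed-in user.
Get-ItemProperty -Path $policyKey |
    Select-Object EnableLogging, EnableUpload, CommonFileShare, Tag1, Tag2, Tag3, Tag4, EnableFileObfuscation
```

Run it in the context of the user whose Office sessions you want to collect, for example `.\Set-TelemetryAgent.ps1 -CommonFileShare '\\LON-DS1\TelemetryShare' -Tags 'London','Finance' -ObfuscateFileNames`. Because the values sit under the HKCU Policies hive, a later Group Policy refresh that delivers the Telemetry Dashboard settings will overwrite them, which is the desired end state.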

Office Telemetry considerations

When planning for Office Telemetry, it is important to consider typical obstacles that you might
encounter. These obstacles include:

 Permissions. The computers that run the Office Telemetry Processor, shared folder, and SQL database
must be domain-joined, so that you can configure the appropriate security settings. If there is a firewall
between the dashboard and the telemetry database, you must enable the SQL port in the firewall
configuration. The default port for SQL Server is 1433.

Note: It is important to check the user permission role for the Office Telemetry Dashboard,
and ensure you have added the user to the td_readonly role.

 Infrastructure issues. Various telemetry infrastructure issues can affect successful deployment. Examples
include a corrupt telemetry database, and connectivity issues between agent and shared folder,
between the telemetry processor and the database, or between the telemetry dashboard and the
database.

 Unreported data. For various reasons, there might be Office data that never goes to the shared folder,
and is therefore never stored in the database. For example, offline machines or mobile machines that
cannot receive Group Policy might never be enabled for data logging or be able to report back their
data.

If you overlook computers that are running versions older than Office 2013, you might assume that all
computers running Office are reporting data. However, if you have not deployed agents, data will never be
sent. Office 2013 and Office 2016 have agents automatically installed, but earlier Office packages do not.

Windows XP–based computers do not support the Office Telemetry Agent scheduled task; therefore, they
only report data at each user sign-in.

 Missing data. It is important to remember that data reporting is a background activity, and that after
the random initial upload interval, Office Telemetry collects data only every eight hours. Therefore, it
might take some time before all computers are reporting data.

 Performance and capacity planning. You can maximize telemetry performance by setting data
thresholds, so that only essential information is reported. You can set thresholds by using the
Telemetry Dashboard Administration Tool (Tdadm.exe).

When planning for capacity, note the following data collection upload sizes:

o Office 365 ProPlus: typically, 64 KB at each upload

o Office 2003+: typically, 50 KB at each upload

Even with these small upload sizes, significant volumes of data can accumulate in larger organizations. For
example, 25,000 users reporting data over an eight-hour period can result in 11 GB of data. Make sure
that all computers with installed agents have at least 11 GB of free space for temporary storage of this
data.

Additional Reading: For more information, refer to Troubleshooting Telemetry Dashboard
deployments: http://aka.ms/ovxlg9.
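The following Windows PowerShell script is an added example, not part of the course. It checks the three connections that the Permissions and Infrastructure issues points above depend on: that a client can write to the shared folder, that the SQL Server port (1433 by default) is reachable through any firewall between the dashboard or processor and the database, and that the current user holds the td_readonly database role the dashboard needs. The share path, server, and database names are constructed placeholders; Test-NetConnection needs Windows 8.1 or Windows Server 2012 R2 or later, and the database check uses integrated Windows authentication only, because the dashboard does not support SQL Server authentication.

```powershell
# Added example (not from the course): pre-flight checks for an Office Telemetry deployment.
# Share, server and database names are constructed placeholders for this example.
param(
    [string] $CommonFileShare = '\\LON-DS1\TelemetryShare',   # constructed
    [string] $SqlServer       = 'LON-DS1',                    # constructed; use host\instance for a named instance
    [int]    $SqlPort         = 1433,                         # default SQL Server port; open it in any firewall between
    [string] $Database        = 'TelemetryDatabase'           # constructed
)

$results = [ordered]@{}

# 1. Agent -> shared folder: every client and user must be able to write here.
try {
    $probe = Join-Path $CommonFileShare ('probe-{0}.tmp' -f [guid]::NewGuid())
    New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
    Remove-Item -Path $probe -ErrorAction SilentlyContinue
    $results['ShareWritable'] = $true
} catch {
    $results['ShareWritable'] = $false
    $results['ShareError']    = $_.Exception.Message
}

# 2. Processor/dashboard -> SQL Server port: a firewall in between is the usual cause of failure.
$tcp = Test-NetConnection -ComputerName $SqlServer -Port $SqlPort -WarningAction SilentlyContinue
$results['SqlPortOpen'] = $tcp.TcpTestSucceeded

# 3. Dashboard user -> database role: IS_MEMBER returns 1 when the current Windows user
#    is in the td_readonly database role, 0 when not, NULL if the role does not exist.
if ($results['SqlPortOpen']) {
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$SqlServer,$SqlPort;Database=$Database;Integrated Security=True;Connect Timeout=10"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT ISNULL(IS_MEMBER('td_readonly'), 0)"
        $results['TdReadOnlyMember'] = ([int]$cmd.ExecuteScalar()) -eq 1
    } catch {
        $results['TdReadOnlyMember'] = $false
        $results['SqlError'] = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
}

[pscustomobject]$results
```

Run the share test from a client as an ordinary user, and the two database tests from the computer that hosts the dashboard or the processor, so that each check exercises the same path the component will use. A `ShareWritable` of `$false` with an access-denied message points at NTFS or share permissions; `SqlPortOpen` of `$false` with the service running points at the firewall; and `TdReadOnlyMember` of `$false` after a successful connection means the user still has to be added to the td_readonly role.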

Lab: Managing Office 365 ProPlus installations


Scenario
Most users in your organization are using Office 2013 on their desktops. As part of the Office 365 pilot
project, you would like to upgrade the clients to Office 365 ProPlus to take advantage of the new features
available in Office 2016.

The project steering committee has not yet decided whether they will allow users to install Office 365
ProPlus, or whether they will use a centralized installation mechanism. As part of the pilot project, you need
to evaluate each option for deploying and managing Office 365 ProPlus.

Objectives
After completing this lab, you will be able to:

 Prepare an Office 365 ProPlus managed installation.

 Manage user-driven Office 365 ProPlus installations.

 Manage centralized Office 365 ProPlus installations.

Lab Setup
Estimated Time: 60 minutes

Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, 20347A-LON-CL1, 20347A-LON-CL3, and
20347A-LON-CL4

User name: Adatum\Administrator on LON-DC1 and LON-DS1, Adatum\Holly on LON-CL1,
Adatum\Roman on LON-CL3, and Adatum\Maira on LON-CL4
Password: Pa$$w0rd

In all tasks:

 In references to Adatumyyxxxxx.onmicrosoft.com, use your unique Adatumyyxxxxx Office 365 name
displayed in the Lab Page of your web browser.

 In references to Adatumyyxxxxx.hostdomain.com, replace the Adatumyyxxxxx with your unique
hostdomain.com Name displayed in the online lab portal.

This lab requires the following virtual machines:

 LON-DC1

o Sign in as Adatum\Administrator using the password Pa$$w0rd

 LON-DS1

o Sign in as Adatum\Administrator using the password Pa$$w0rd

 LON-CL1

o Sign in as Adatum\Holly using the password Pa$$w0rd

 LON-CL3

o Sign in as Adatum\Roman using the password Pa$$w0rd

 LON-CL4

o Sign in as Adatum\Maira using the password Pa$$w0rd


Exercise 1: Preparing an Office 365 ProPlus managed installation


Scenario
One of the Office 365 ProPlus installation options that you are evaluating is using a managed deployment.
To start, you will download and install the Office Deployment Tool, and start the download for Office 365
ProPlus.

The main tasks for this exercise are as follows:

1. Download the Office 365 deployment tool.

2. Modify an Office 365 ProPlus installation.

 Task 1: Download the Office 365 deployment tool


1. On LON-CL1, create a network shared folder at the root of the C: drive with the name Office16. All
users should have Read Only rights.

2. Sign in to the Office 365 portal as holly@Adatumyyxxxxx.hostdomain.com, with the password
Pa$$w0rd.

3. From the Office 365 admin center, use the User software page to download Office Deployment Tool
software (version 2016).

4. Review the settings and options of Office Deployment Tool before downloading it.

5. Run the Office Deployment Tool install.


6. Install to the Office16 shared folder.

7. Confirm that the files successfully installed.

8. On LON-CL1, on the taskbar, click File Explorer.

9. In File Explorer, click Local Disk (C:) in the left navigation pane.

10. In File Explorer, click the Home tab, and then click New Folder.

11. Type Office16, and then press Enter.


12. In File Explorer, right-click Office16, click Share with, and then click Specific people.

13. In the File Sharing dialog box, click the drop-down list box, select Everyone from the list, click Add,
and then click Share.

14. In the File Sharing dialog box, click Done.

15. From the taskbar, open the Microsoft Edge browser.

16. In the address bar, type https://portal.microsoftonline.com, and then press Enter.

17. Sign in as holly@Adatumyyxxxxx.hostdomain.com, with the password Pa$$w0rd.

18. On the Office 365 home page, click Admin. Click Switch back to the old admin center to switch to the
previous Office 365 admin center.

19. In the Office 365 admin center, in the left panel, click SERVICE SETTINGS, and then click User
software.

20. Under the Manually deploy user software area, click Learn how to download and deploy
software.

21. On the How admins can download Office 365 user software to deploy to users page, click
Manage user software in Office 365.

22. In the Manually download and install the Office apps by using the Office Deployment Tool
section, click the Office Deployment Tool (Office 2016 version) link to open the Office Deployment
Tool download page.

23. On the download page, expand Details, System Requirements, and Install Instructions.

24. Read and familiarize yourself with each section. You can mark this page as a favorite to refer to later.

25. Click Download and notice the information bar at the bottom of the browser.

26. Once the download is completed, click Run.

27. In the User Account Control dialog box, click Yes.


28. Accept the license agreement and click Continue.

29. Browse to the Office16 folder on This PC’s C: drive.

30. Click OK. You should see that the files were extracted successfully. Click OK.
31. Navigate to the Office16 folder with File Explorer. You should see two files in the newly created Office
Deployment Tool folder named configuration and setup.

 Task 2: Modify an Office 365 ProPlus installation


1. On LON-CL1, back up the Office Deployment Tool configuration.xml file in the C:\Office16 folder
created earlier by saving another copy.

2. By using Notepad, open the configuration.xml file and edit the first Add line after <Configuration> to
read <Add SourcePath="\\LON-CL1\Office16\" OfficeClientEdition="32" Branch="Current">.

3. Remove all comments from the code.

4. Comment out the VisioProRetail from the code and save the file.

5. From File Explorer, open a command window.

6. Type Setup /? to see the options available.

7. Type setup.exe /download \\LON-CL1\Office16\AdatumConfiguration.xml to start the download
of Office 365 ProPlus.

8. Verify that the download has started in File Explorer.

Results: You will have downloaded a copy of the Microsoft Office 365 ProPlus install for managed
deployment to a shared folder, and you will have downloaded and installed the Office Deployment Tool on
the same machine.
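The following Windows PowerShell script is an added example, not part of the lab or of the Office Deployment Tool. It produces the configuration.xml that Task 2 asks you to edit by hand, using the XML API so that the result is always well-formed, contains no comments, and omits VisioProRetail unless you ask for it. The SourcePath, OfficeClientEdition, Branch, and AdatumConfiguration.xml values are the lab's own; the O365ProPlusRetail product ID, the Language element, and the optional Display element are the Office Deployment Tool's documented configuration elements, and en-us is an assumed language.

```powershell
# Added example (not from the lab): generate the Office Deployment Tool configuration
# from Exercise 1, Task 2 with System.Xml instead of editing configuration.xml in Notepad.
# SourcePath, edition, branch and output file are the lab's values; the language is assumed.
param(
    [string] $SourcePath = '\\LON-CL1\Office16\',
    [ValidateSet('32', '64')] [string] $OfficeClientEdition = '32',
    [string] $Branch = 'Current',                       # 2016-era ODT attribute; later tools use Channel
    [string[]] $Languages = @('en-us'),                 # assumed
    [string] $OutFile = '\\LON-CL1\Office16\AdatumConfiguration.xml',
    [switch] $IncludeVisio,                             # the lab comments VisioProRetail out, so omit it by default
    [switch] $Silent                                    # add <Display Level="None" AcceptEULA="TRUE" /> for unattended installs
)

$doc  = New-Object System.Xml.XmlDocument
$root = $doc.AppendChild($doc.CreateElement('Configuration'))

$add = $root.AppendChild($doc.CreateElement('Add'))
$add.SetAttribute('SourcePath', $SourcePath)
$add.SetAttribute('OfficeClientEdition', $OfficeClientEdition)
$add.SetAttribute('Branch', $Branch)

$products = @('O365ProPlusRetail')
if ($IncludeVisio) { $products += 'VisioProRetail' }

foreach ($id in $products) {
    $product = $add.AppendChild($doc.CreateElement('Product'))
    $product.SetAttribute('ID', $id)
    foreach ($lang in $Languages) {
        $language = $product.AppendChild($doc.CreateElement('Language'))
        $language.SetAttribute('ID', $lang)
    }
}

if ($Silent) {
    # Needed when setup.exe /configure runs from a startup script with no interactive user.
    $display = $root.AppendChild($doc.CreateElement('Display'))
    $display.SetAttribute('Level', 'None')
    $display.SetAttribute('AcceptEULA', 'TRUE')
}

# Keep a copy of any existing file, as the lab does, then write the new configuration.
if (Test-Path $OutFile) { Copy-Item -Path $OutFile -Destination "$OutFile.bak" -Force }
$settings = New-Object System.Xml.XmlWriterSettings
$settings.Indent = $true
$writer = [System.Xml.XmlWriter]::Create($OutFile, $settings)
try { $doc.Save($writer) } finally { $writer.Dispose() }

Get-Content -Path $OutFile
# Next, from the Office16 folder:  setup.exe /download \\LON-CL1\Office16\AdatumConfiguration.xml
```

Because the file is built from elements rather than edited as text, a typo such as a missing quotation mark or a stray comment cannot reach setup.exe, which otherwise fails with a parsing error rather than starting the download.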

Exercise 2: Managing user-driven Office 365 ProPlus installations


Scenario
As part of the pilot project, you need to understand the process of installing Office 365 ProPlus directly
from the Office 365 portal. You must also explore options for managing the installation. A. Datum
Corporation plans to use a combination of user-driven and managed deployments, depending on the
employment relationship and working practices of individual users. Associates, those who have brought
their own devices, and remote employees will all install Office 365 ProPlus manually from the Office 365
website. Holly, the administrator, will then determine what happens to users when she activates and
deactivates Office 365 ProPlus subscriptions. She will also explore the different ways licensing affects the
user.

The main tasks for this exercise are as follows:

1. Manage user rights to install Office 365 ProPlus.

2. Install Office 365 ProPlus from the Office 365 portal.

3. Manage office licenses.

4. Reactivate Office 365 ProPlus.

 Task 1: Manage user rights to install Office 365 ProPlus


1. On LON-CL1, if required, connect to the new Office 365 admin center as Holly with the password of
Pa$$w0rd to assign various combinations of licensing to Office 365 users.

2. Edit user Brad Sutton by adding Office 365 Enterprise E3 license using a location of United Kingdom,
but removing the Office 365 ProPlus option.

3. Edit user Maira Wenzel and assign an Office 365 Enterprise E3 license using the location of the United
Kingdom.

4. Repeat the previous step for Roman Miler.

5. In the Office 365 admin center, on the Settings menu, access the Apps page.
6. On the Software download settings page, disable downloads for both Office 2013 and Office 2016.
7. Sign out, and then sign in as Brad Sutton with the user name
brad@Adatumyyxxxxx.hostdomain.com and the password Pa$$w0rd.

8. Access Brad’s Office 365 settings and verify that he does not have the option to install the Office 365
apps.

9. Sign out as Brad Sutton, and then sign in as Roman Miler with the user name
roman@Adatumyyxxxxx.hostdomain.com with the password of Pa$$w0rd.

10. Navigate to the Office 365 settings page, and then click Install software.

11. Note that the two users' pages look similar, but Brad is not assigned a license, whereas Roman has a
license but Holly deactivated version 2016 for all users.
12. Before signing out, verify that Phone & tablet apps are available.

13. Sign out as Roman and close the browser.

14. Open a new browser, and then sign in to the Office 365 environment with the administrator Holly’s
credentials and password.

15. Go back to the Office 365 admin center and enable downloads for Office 2016.

16. Sign out of Office 365 as Holly and sign in as Brad.


17. Verify that Brad does not have any software to install, due to licensing.

18. Switch to LON-CL3 and sign in as Roman.

19. Open a browser and go to https://portal.office.com.

20. Sign in as Roman and navigate to the Install software page.

21. Do not install, but notice what is available.

22. Notice how to change from 32-bit to 64-bit options on the Office 365 ProPlus advanced menu.
23. You will install the software in the next lab.

 Task 2: Install Office 365 ProPlus from the Office 365 portal
1. On LON-CL3, on the Office 365 portal, select the appropriate language and version, and then install on
the local computer.

2. Make sure to accept licensing agreements and decline reporting options.

3. Check on the status of the download from the taskbar.

4. When installed, open Word 2016 from the Windows start menu.
5. In Word, in the upper-right corner, switch accounts by signing out as Roman and adding the account
for Holly.

6. Create a document with some content and save to an Adatum Publishing Team Site folder in the
Documents folder with the file name Meeting Agenda.

7. Switch back to Roman’s Office 365 session in the browser.

8. Notice the new option of Manage installs on the Install software page.

9. Check the Tools & add-ins page to see what is installable.

 Task 3: Manage Office licenses


1. On LON-CL3, sign in as Holly Dickson, the administrator.

2. From the Office 365 admin center, disable Roman Miler’s license to Office 365 ProPlus.
3. Sign out of Office 365 as Holly and sign in as Roman.

4. Navigate to the Install software page to confirm that Office is no longer available for download. What
will happen to the Office software that is already installed?

 Task 4: Reactivate Office 365 ProPlus


1. On LON-CL3, sign in to Office 365 as Holly, the administrator, and then reactivate Roman Miler’s
Office 365 ProPlus software license.

Results: When completed, you should be able to activate Office 365 ProPlus for self-service installations.
You should also be able to set licensing options correctly for end users so that deployment and installation
is possible.

Exercise 3: Managing centralized Office 365 ProPlus installations


Scenario
In addition to the user-driven installations, you also need to evaluate using a centralized means to install
Office 365 ProPlus.

The main tasks for this exercise are as follows:

1. Configure a Group Policy Object (GPO) to distribute the custom installation.

2. Verify the installation.



 Task 1: Configure a Group Policy Object (GPO) to distribute the custom installation
1. Using an administrative sign-in on the LON-DC1 server, use Server Manager tools to create a new
organizational unit (OU) named Adatum_Computers.

2. Move LON-CL4 to the new OU.

3. Open Group Policy Management from Server Manager.

4. Create a Group Policy Object (GPO) linked to the newly created Adatum_Computers.
5. Name the GPO DeployO365.

6. By using the Group Policy Management Editor, expand Policies, expand Windows Settings, and then
open Scripts (Startup/Shutdown).

7. Create a new text document with the following line: \\LON-CL1\Office16\setup.exe /configure
\\LON-CL1\Office16\AdatumConfiguration.xml.

8. Save the file as DeployO365.cmd.

9. Delete New Text Document.

10. In Group Policy Management Editor, in the Startup Properties dialog box, add a script.

11. Add the DeployO365.cmd file, and then click OK.

Note: Where and how do you think this might start up?

 Task 2: Verify the installation


1. On LON-CL4, sign in as Maira Wenzel.

2. Open the Command Prompt as Adatum\Holly and run gpupdate /force.


3. Restart LON-CL4.

4. Wait five minutes after the restart to allow the Group Policy settings to take effect.

5. Sign in as Maira and navigate to the start menu.


6. Verify that Microsoft Office 2016 Tools folder installed.

7. Open Word 2016 and activate with Maira’s Office 365 credentials.

8. In the First things first dialog box, click No thanks, click Accept, and then close the dialog box.

9. Open a blank document, type some text, and then save it.

10. In Task Manager, check the processes, details, and services for Click-to-Run.

11. Close all open programs.

Results: You will have enabled centralized managed deployment of Office 365 ProPlus and implemented a
standardized Microsoft Office configuration by using one version of Office.
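The following Windows PowerShell script is an added example, not part of the lab. It is a startup-script version of the DeployO365.cmd one-liner from Exercise 3, Task 1 that skips computers where Click-to-Run Office is already present, records what it did, and includes the check behind the review question on the Click-to-Run service. The setup.exe and AdatumConfiguration.xml paths are the lab's; the ClickToRun registry key, the ClickToRunSvc service name and the log path are assumptions that you should confirm on your own build.

```powershell
# Added example (not from the lab): idempotent Office 365 ProPlus startup deployment
# script for the DeployO365 GPO, plus a Click-to-Run verification function.
# Source paths are the lab's; the registry key, service name and log path are assumptions.
param(
    [string] $Setup  = '\\LON-CL1\Office16\setup.exe',
    [string] $Config = '\\LON-CL1\Office16\AdatumConfiguration.xml',
    [string] $Log    = "$env:ProgramData\DeployO365.log"     # assumed location
)

function Get-ClickToRunState {
    # Click-to-Run records the installed build under this key; the service that
    # streams and updates Office is ClickToRunSvc (Microsoft Office Click-to-Run Service).
    $cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    $svc = Get-Service -Name ClickToRunSvc -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Installed     = [bool]$cfg
        Version       = $cfg.VersionToReport
        Platform      = $cfg.Platform
        ServiceStatus = $(if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' })
    }
}

function Write-Log([string] $Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $Log
}

$state = Get-ClickToRunState
if ($state.Installed) {
    Write-Log "Office $($state.Version) ($($state.Platform)) already present; service $($state.ServiceStatus). Nothing to do."
    return
}

# A startup script runs as the computer account, so the share must be readable by it.
# The lab shares Office16 to Everyone, which covers domain computers.
if (-not (Test-Path -Path $Setup) -or -not (Test-Path -Path $Config)) {
    Write-Log "Source files not reachable ($Setup, $Config); skipping this start-up."
    return
}

Write-Log "Starting Office 365 ProPlus installation with $Config"
$proc = Start-Process -FilePath $Setup -ArgumentList "/configure `"$Config`"" -Wait -PassThru -NoNewWindow
Write-Log "setup.exe exited with code $($proc.ExitCode)"

$after = Get-ClickToRunState
Write-Log "Installed=$($after.Installed) Version=$($after.Version) Platform=$($after.Platform) Service=$($after.ServiceStatus)"
```

Attach it as a PowerShell startup script in the same Scripts (Startup/Shutdown) node used in Task 1, step 10. After the restart in Task 2, `Get-ClickToRunState` run interactively answers the verification question directly: `ServiceStatus` should read `Running`, and `Platform` shows whether the 32-bit edition from the configuration file was installed.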

Question: Why do you need to edit the configuration.xml file when preparing to use
managed deployments of Office 365 ProPlus?

Question: How can you verify that the Click-to-Run service is running?

Module 6
Planning and managing Exchange Online recipients and
permissions
Contents:
Module Overview 6-1

Lesson 1: Overview of Exchange Online 6-2

Lesson 2: Managing Exchange Online recipients 6-9


Lesson 3: Planning and configuring Exchange Online permissions 6-25

Lab: Managing Exchange Online recipients and permissions 6-30

Module Review and Takeaways 6-36

Module Overview
Microsoft Exchange Online in Microsoft Office 365 provides users with a messaging and collaboration
platform, giving them a single location for composing, reading, and storing email, calendar, contact, and
task information. Users can access their personal information from many different device types, including
those running Windows 10, iOS, Android, and Windows Phone. This module describes Exchange Online and
explains how to create and manage recipient objects and how to manage and delegate Exchange security.

Objectives
After completing this module, you will be able to:
 Describe Exchange Online.

 Manage Exchange Online recipients.

 Plan and configure delegated administration.


Lesson 1
Overview of Exchange Online
Microsoft Exchange Online is a hosted messaging solution that delivers the capabilities of Microsoft
Exchange Server as a cloud-based service. It gives users single sign-on (SSO) access to email, calendar,
contacts, and tasks from PCs, the web, and many types of mobile devices. In addition, Exchange Online
integrates fully with Microsoft Azure Active Directory (Azure AD), enabling administrators to use group
policies and other administration tools to manage Exchange Online features across their environment. You
can also integrate Exchange Online with existing Exchange on-premises installations, either by using simple
coexistence or as a long-term hybrid deployment.

Lesson Objectives
After completing this lesson, you will be able to:

 Describe Exchange Online features.


 List the Exchange Online subscription options.

 Summarize the planning issues with an Exchange Online implementation.

 Describe how to connect to Exchange Online from Windows PowerShell.

Exchange Online features

Exchange Online is a hosted messaging solution that delivers many of the same features as Exchange
Server. It provides your users with access to email and collaboration functionality from a variety of client
device types and platforms. The following table describes the high-level components of Exchange Online.

Exchange Online component: Features

Planning and deployment
 Hybrid deployment
 Internet Message Access Protocol (IMAP) migration
 Cutover migration
 Staged migration

Permissions
 Role-based permissions, role groups, and role assignment policies

Message policy and compliance
 Archiving Exchange Online–based mailboxes and cloud-based archiving of on-premises mailboxes
 Retention tags and retention policies
 BitLocker
 Information Rights Management (IRM) using Azure Rights Management Services (Azure RMS) and
Active Directory Rights Management Services (AD RMS) in Windows Server
 Office 365 message encryption
 Secure/Multipurpose Internet Mail Extensions (S/MIME)
 In-place hold and litigation hold
 In-place electronic discovery (eDiscovery)
 Transport rules
 Data loss prevention
 Journaling

Security features
 Built-in anti-spam and anti-malware protection
 Customizable anti-spam and anti-malware policies
 Quarantine: administrator management and end-user self-management
 Advanced threat protection

Mail flow tools
 Custom routing of outbound mail
 Secure messaging with a trusted partner
 Conditional mail routing
 Inbound safe list
 Hybrid email routing

Recipient features
 Capacity alerts, Clutter, MailTips
 Delegate access, inbox rules, connected accounts
 Inactive mailboxes
 Offline address book, address book policies, hierarchical address book
 Address lists and global address list
 Distribution groups, external contacts (global), universal contact card, contact linking with social
networks
 Resource mailboxes, room management
 Out-of-office replies
 Calendar sharing

Reporting and troubleshooting tools
 Office 365 admin center reports
 Microsoft Excel reporting
 Web services reports
 Message trace
 Auditing reports
 Unified Messaging reports

Sharing and collaboration
 Federated sharing (including calendar publishing)
 Site mailboxes
 Public folders

Clients and mobile devices
 Microsoft Outlook, Outlook for Mac, and Outlook Web App
 Exchange ActiveSync
 Post Office Protocol (POP), IMAP, and Simple Mail Transfer Protocol (SMTP)
 Exchange Web Services (EWS) application support

Voice messaging
 Voicemail
 Integration between voicemail and non-Microsoft fax
 Non-Microsoft voicemail interoperability
 Skype for Business integration

High availability
 Mailbox replication at datacenters
 Deleted mailbox recovery, deleted item recovery, single item recovery

Interoperability, connectivity, and compatibility
 Skype for Business presence in Outlook Web App and Outlook
 Microsoft SharePoint interoperability
 EWS connectivity support
 SMTP relay support

The particular functions and features in Exchange Online vary according to the Office 365 subscription plan
or Exchange Online subscription that you have, which the next topic will cover.

Latest features
Similar to Office 365, Exchange Online is constantly evolving to meet the needs of its users. You can find the
latest features of Exchange Online on the Microsoft TechNet website.

Additional Reading: For more information on the new features in the latest version of
Exchange Online, refer to What's new in Exchange Online: http://aka.ms/S44j3g.

Exchange Online subscription options

Exchange Online is a part of Office 365 and comes in several subscription plans, designed to suit the needs
of organizations of different types and sizes. Each plan includes different components and features, and
includes several services, such as Office 365 ProPlus or Azure RMS.

However, all plans include Exchange Online, although the specific features vary depending on the plan you
have selected. Consequently, when you are planning your Exchange Online solution, it is important that
you choose the appropriate subscription plan for your needs. The following table identifies the important
Exchange Online features of each plan. Advanced email features include advanced archiving, legal hold,
and compliance features.

Plan                                                     Mailbox     Advanced email   Voicemail integration
Office 365 Business Essentials, Office 365 Business      50 GB
Premium
Office 365 Enterprise E1, Office 365 Government E1       50 GB
Office 365 Education                                     50 GB       Yes
Office 365 Enterprise E3, Office 365 Government E3       Unlimited   Yes              Yes
Office 365 Enterprise E5                                 Unlimited   Yes              Yes
Office 365 Enterprise K1, Office 365 Government K1       2 GB

Note: Microsoft plans to retire the Office 365 Enterprise E4 and Office 365 Government E4
plans in the summer of 2016 and replace them with the Office 365 Enterprise E5 and Office 365
Government E5 plans.

You also can obtain Exchange Online as a stand-alone subscription plan. The following Exchange Online
plans are available:

 Exchange Online Plan 1. Provides a 50-gigabyte (GB) mailbox per user.

 Exchange Online Plan 2. The same as Plan 1, but also includes hosted voicemail integration.
 Exchange Online Protection. Helps protect against spam and malware, and helps to provide a clean
and reliable message stream.

 Exchange Online Advanced Threat Protection. Helps to protect your email system from online attacks
from malicious persons.

 Exchange Online Archiving. Enables archiving, compliance, and eDiscovery within your messaging
system.

 Exchange Online Kiosk. Provides a 2-GB mailbox per user and provides support for Exchange
ActiveSync clients. Does not support role-based administration.

Planning an Exchange Online implementation

Office 365 enables companies to outsource their email to an Exchange-based service that offers
significant functionality improvements over other cloud-based and on-premises email systems. When
planning Exchange Online and determining whether it is the right choice for your organization, you should
consider the following factors:

 Architecture. Email organizations, domains, trusts, and multiforest considerations.

 Current email system. Type, version, features, support, and mail clients.

 Features. Email, calendar, contacts, tasks, and public folders.


 User requirements. Access, device support, message handling, and rule configuration.

 Usability. Integration with other services, authentication, and ease of connection.

 Reliability. Uptime guarantees, and mailbox and message protection.

 Security. Authentication, authorization, delegation, and proxy addresses.

 Manageability. Administration, ease of access, policy enforcement, and user and group management.

 Regulatory. Compliance and eDiscovery.

Regardless of the migration or coexistence option that you identify after analyzing your organization’s
environment, you should plan for several common factors. These include:

 Mailbox sizes. Create and implement a plan to reduce the size of users’ mailboxes. Mailbox sizes have a
major impact on the time it will take to migrate to Exchange Online. You should discuss options within
your organization on how to reduce mailbox sizes, including clearing out old emails, archiving
messages to Personal Folders (PST) files, deleting sent files (particularly larger ones), and using rules.
Review the organization’s tools that will assist you in identifying the largest mailboxes.

 Bandwidth. Internet bandwidth, especially the uplink speed, is the second limiting factor that controls
how long it takes to migrate to Exchange Online. Talk to the information technology (IT) department
about their link speed, the link’s quality, and whether this is a good time to upgrade to a faster link or
to a symmetric technology.

 Directory health. It is vital that you plan for a clean directory service before starting the Deploy phase.
This is also the time to remove duplicate accounts, old groups, unnecessary organizational units (OUs),
retired servers, and old client computers, and generally perform housekeeping on the directory service.
You should also check for errors in the log files and ensure that replication is functioning correctly.

 Mail delivery. If you are implementing coexistence, you must plan where to deliver incoming mail.
Delivery will initially be to the on-premises server, but you will need to determine if this is the best
long-term arrangement in a coexistence scenario. You must also identify the point at which you will
switch over in a cutover or staged migration.

 Domain Name Services (DNS) settings. You will need to plan for DNS configuration changes during the
migration process, such as mail exchange records (MX records), canonical name records (CNAME
records), and Autodiscover settings. Remember that DNS settings can take time to propagate globally
and that changing the Time to Live (TTL) setting can help speed up this process.

 Communications. It is essential that you communicate relevant and timely information about the
migration plan to users. The pilot users can help assure people that the migration will go smoothly, but
you must not overlook this factor in your planning.

 Training. If your organization’s users are moving from one mail client to Outlook 2013, they will require
a significant amount of training on this new client. If they are updating from an earlier version of
Outlook, they will not require as much training, but you must still include training as a consideration in
your plan.

 File types. SharePoint Online blocks some file types. Ensure that your users appreciate the implications
of these blocked file types.

Connect to Exchange Online from Windows PowerShell


Although you can manage your Exchange Online environment by using the Exchange admin center, it is
sometimes quicker to use Windows PowerShell. Additionally, you can perform some tasks only with Windows
PowerShell.

Before you can use Windows PowerShell to manage Exchange Online, you must connect to it by using the
following procedure:

1. Install the Azure AD module. Because Exchange Online requires Azure AD, you will need the Azure
PowerShell modules. You need to complete these two steps only once:

a. First, install the Microsoft Online Services Sign-In Assistant for IT Professionals from the Microsoft
Download Center.

b. Then, install the Azure Active Directory Module for Windows PowerShell (64-bit version), and click
Run to run the installer package.

Additional Reading: You can obtain the Microsoft Online Services Sign-In Assistant for IT
Professionals RTW from the Microsoft Download Center: http://aka.ms/vl42dg.

Additional Reading: You can download the Azure Active Directory Module for Windows
PowerShell (64-bit version) here: http://aka.ms/Pwx3a9.

Now you must connect to the Exchange Online environment. Complete the following procedure each
time you want to connect to Exchange Online:

2. Run Windows Azure Active Directory Module for Windows PowerShell as an administrator, and in
the Windows PowerShell window, run the following cmdlets in the same sequence as shown:

$credential = Get-Credential

Note: When prompted, enter the global admin account credentials for your subscription.

Import-Module MSOnline
Connect-MsolService -Credential $credential
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential `
    -Authentication "Basic" -AllowRedirection
Import-PSSession $exchangeSession -DisableNameChecking

Note: We recommend that you add these commands to a Windows PowerShell script for
convenience.

3. Finally, in the Windows PowerShell window, type the following command, and then press Enter:

Get-AcceptedDomain

Note: This command returns the list of accepted domains and verifies that you can connect
to your Office 365 subscription.
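The procedure above, wrapped into reusable functions, as an added example that is not part of the course
material. It uses the same MSOnline module, endpoint, and cmdlets as the procedure, turns the
Get-AcceptedDomain call from step 3 into an explicit verification, and adds a matching disconnect step.
The function names are the example's own. Note that Microsoft has since retired Basic authentication for
Exchange Online remote PowerShell in favour of the ExchangeOnlineManagement module's
Connect-ExchangeOnline cmdlet; the session handling shown here is otherwise the same.

```powershell
# Added example: connect/disconnect helpers for Exchange Online remote PowerShell.
# Function names and the verification logic are the example's own; the module, endpoint
# and cmdlets are the ones the course procedure uses.

function Connect-ExoSession {
    [CmdletBinding()]
    param(
        # Global admin credential, obtained with Get-Credential as in step 2.
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$Credential
    )

    # Azure AD sign-in (MSOnline module), as in step 2 of the procedure.
    Import-Module MSOnline -ErrorAction Stop
    Connect-MsolService -Credential $Credential

    # Remote session to the Exchange Online endpoint named in the course text.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
        -Credential $Credential -Authentication Basic -AllowRedirection -ErrorAction Stop

    # Import-PSSession inside a function scopes the proxied cmdlets to this function,
    # so re-import the generated module globally to make them available at the prompt.
    Import-Module (Import-PSSession $session -DisableNameChecking) -Global -DisableNameChecking

    # Verification from step 3: a usable session must be able to read the accepted domains.
    $domains = Get-AcceptedDomain
    if (-not $domains) {
        Remove-PSSession $session
        throw 'Session opened but Get-AcceptedDomain returned nothing; check the credential and tenant.'
    }
    Write-Verbose ('Connected. Accepted domains: ' + ($domains.DomainName -join ', '))
    return $session
}

function Disconnect-ExoSession {
    param(
        [Parameter(Mandatory)]
        [System.Management.Automation.Runspaces.PSSession]$Session
    )
    # Close the remote session explicitly: Exchange Online caps concurrent sessions per
    # account, and an abandoned session stays open until the server-side timeout.
    Remove-PSSession -Session $Session
}

# Usage (interactive):
#   $cred = Get-Credential
#   $exo  = Connect-ExoSession -Credential $cred -Verbose
#   Get-AcceptedDomain
#   Disconnect-ExoSession -Session $exo
```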

Question: How will your organization use Exchange Online?



Lesson 2
Managing Exchange Online recipients
An important part of managing your Exchange Online tenant involves creating and managing recipient
objects, including mailboxes, groups, resources, shared mailboxes, contacts, and mail users. You also must
know how to perform bulk management of these objects. In addition, you should know how to use both
the Exchange admin center and Windows PowerShell to manage these objects.

Lesson Objectives
After completing this lesson, you will be able to:

 Describe how to manage Exchange Online mailboxes.

 Explain how to configure Exchange Online email addresses.

 Explain how to configure Exchange Online distribution groups.

 Explain how to configure Exchange Online resources.


 Explain how to configure Exchange Online shared mailboxes.

 Explain how to configure Exchange Online contacts.

 Explain how to bulk import contacts.


 Explain how to configure mail users.

 Create and manage Exchange Online recipients.

Managing Exchange Online mailboxes


When you create a new user in Office 365 by using the Office 365 admin center, and assign that user an
Office 365 license that includes Exchange Online, a mailbox is created automatically for the user. Having
created the user account and mailbox, you can manage the mailbox by using either Windows PowerShell or
the Exchange admin center.

Preparing to modify Exchange Online objects

Before you are able to create or modify objects on Exchange Online, you might be prompted to run the
following Windows PowerShell cmdlet: Enable-OrganizationCustomization.

Note: You will only be required to run this cmdlet once.



You might encounter this prompt when you attempt to perform the following tasks:

 Creating a new role group or creating a new management role assignment.

 Creating a new role assignment policy or modifying a built-in role assignment policy.

 Creating a new Outlook on the web mailbox policy or modifying a built-in Outlook on the web mailbox
policy.
 Creating a new sharing policy or modifying a built-in sharing policy.

 Creating a new retention policy or modifying a built-in retention policy.

Managing mailbox properties by using Exchange admin center


From the Exchange admin center, click recipients, select the appropriate user, and then click Edit. You can
then configure the following properties of the mailbox by selecting the various tabs described below:

 General. Configure the mailbox’s names, display name, and the option to hide the mailbox from the
address list.

 Mailbox usage. Provides information on the last sign-in and mailbox space usage.

 Contact information. Enables you to configure the postal address and telephone contact details.
 Organization. Configure the mailbox user’s title, department, company, manager, and employees who
report to the user.

 Email address. Configure additional email addresses for the mailbox (the next topic will discuss this in
detail).

 Mailbox features. Configure settings such as sharing policy, role assignment policy, retention policy,
address book policy. In addition, enable and configure phone and voice features, mobile device types,
and email access protocols (such as POP and IMAP).

 Member of. Manage the mailbox group memberships. You can also do this from the group objects in
the Exchange admin center.
 MailTip. Configure a MailTip of up to 175 characters for the mailbox. This is the information that
Outlook shows when a user types the recipient’s address, so users corresponding with the mailbox see the
MailTip.

 Mailbox delegation. Configure delegate access for the mailbox. You can configure Send As, Send on
Behalf, and Full Access permissions.

Managing mailbox properties by using Windows PowerShell


You can configure the same properties for a mailbox by using the Set-Mailbox cmdlet in the Exchange Online
Windows PowerShell session. For example, the following cmdlet configures mailbox forwarding for the
mailbox of Adam Barr. In this instance, the email will be delivered to both Adam’s mailbox and Manuel’s
mailbox:

Set-Mailbox -Identity "Adam Barr" -DeliverToMailboxAndForward $true -ForwardingSMTPAddress manuel@Adatum.com
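The same forwarding properties can be read as well as set. As an added example that is not part of the
course material, the following function lists every mailbox that has forwarding configured and flags
targets outside the tenant's accepted domains. This is the check an administrator would run before and
after a migration, because unexpected forwarding to an external address is a common sign of a mailbox
that has been taken over. The function name and output fields are the example's own; the mailbox
properties are the ones Set-Mailbox configures above.

```powershell
# Added example: report mailboxes with forwarding enabled and flag external targets.
function Get-MailboxForwardingReport {
    [CmdletBinding()]
    param()
    # Domains the tenant has verified; a forwarding target in any other domain is external.
    $internal = @((Get-AcceptedDomain).DomainName | ForEach-Object { "$_" })

    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
        ForEach-Object {
            # ForwardingSmtpAddress is stored as "smtp:user@domain"; strip the prefix.
            $target = [string]$_.ForwardingSmtpAddress -replace '^smtp:', ''
            $domain = if ($target) { ($target -split '@')[-1] } else { $null }
            [pscustomobject]@{
                Mailbox                    = [string]$_.PrimarySmtpAddress
                ForwardingSmtpAddress      = $target
                ForwardingAddress          = [string]$_.ForwardingAddress   # internal recipient, if used
                DeliverToMailboxAndForward = $_.DeliverToMailboxAndForward  # $true keeps a copy locally
                External                   = [bool]($domain -and ($internal -notcontains $domain))
            }
        }
}

# Usage (in a connected Exchange Online session):
#   Get-MailboxForwardingReport | Where-Object External | Format-Table -AutoSize
```

ForwardingAddress (an internal recipient) is reported alongside ForwardingSmtpAddress because either one
redirects mail; only the SMTP form can point outside the tenant, so only it is checked against the
accepted domains.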

Configuring email addresses


To configure additional email addresses in Exchange Online, you need to follow a slightly different process
than with on-premises versions of Exchange Server. The key difference is that Exchange Online does not
provide an email address policy, like Exchange Server. As a result, you have to use alternative approaches
for configuring these additional email addresses.

Email address assignment in Exchange Online

When you create a new tenant account in Office 365, you automatically receive a default domain name in the
form companyname.hostdomain.com. The administrator account sign-in details and the primary email address
are set to administratorname@companyname.hostdomain.com for the account.

When you add a new user account to a simple Office 365 account that does not have any external domains
configured, the mailbox for that user is automatically assigned an SMTP email address that uses this default
domain. This email address is in the form SMTP:username@domainname.

For example, assume the default domain is adatum.hostdomain.com. The default email address policy will
assign a user named Remi Desforges an email address with an @adatum.hostdomain.com address, such as
rdesforges@adatum.hostdomain.com. Typically, this email address will match his user sign-in to Office 365.

If you then register an external domain with Office 365, you can create email addresses that use that
domain. New users will get a primary address of @companyname.hostdomain.com and a secondary email
address of @externaldomain. You can then make the second address the primary (reply-to) address for a
user, either manually through the Exchange admin center, or in bulk by using Windows PowerShell.

Note: The primary (or reply-to) SMTP address for a mailbox always contains the acronym
SMTP: in upper case. Secondary and subsequent addresses contain smtp in lower case. For
example, SMTP:user@domain.microsoftonline.com is the primary address, and
smtp:user@domain.com is the secondary address.

Configuring email addresses with the Exchange admin center


To configure additional email addresses, perform the following procedure:

1. In Exchange admin center, click recipients.

2. Under mailboxes, click the mailbox you want to change, and then click Edit.

3. On the User Mailbox page, click email address.

4. Under Email address, click the + sign.

5. Under email address type, ensure that SMTP is selected, and then in Email address, enter the address
by using a registered domain name.

6. Optionally, click Make this the reply address to make this address the primary address.

7. Click OK.

Messages sent to this new address will now be delivered to this mailbox. If you selected Make this the
reply address, then this is the address that will receive reply messages.

Configuring email addresses with Windows PowerShell


To configure additional proxy addresses with Windows PowerShell in the form alias@content.adatum.com,
connect to Exchange Online, list all the mailboxes into a variable, and then run the command on each of
the items in the variable. Use the following commands to perform these steps:

# Collect every mailbox, append a lower-case (secondary) smtp: address built from each alias,
# and then write the updated address collection back to each mailbox.
$users = Get-Mailbox
foreach ($a in $users) {$a.EmailAddresses.Add("smtp:$($a.Alias)@thenewdomainname")}
$users | ForEach-Object {Set-Mailbox $_.Identity -EmailAddresses $_.EmailAddresses}

Note: You must connect to the Exchange Online service before running these commands.
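The commands above rewrite each mailbox's whole address collection, so a mistake in the loop (or a
mailbox that gained an address between the Get-Mailbox and the Set-Mailbox) can drop addresses. As an
added example that is not part of the course material, the following function does the same job using
the @{Add=...} form of the -EmailAddresses parameter, which appends server-side without touching the
existing entries, verifies that the domain is an accepted domain before it starts, skips mailboxes that
already have the address, and supports -WhatIf for a dry run. The function name is the example's own;
the parameter syntax is the documented Set-Mailbox one.

```powershell
# Added example: add alias@<domain> as a secondary address to every mailbox, safely.
function Add-SecondaryProxyAddress {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Domain   # e.g. content.adatum.com
    )
    # Refuse domains the tenant has not verified: Exchange Online rejects such addresses anyway,
    # and checking first gives one clear error instead of one per mailbox.
    if (-not (Get-AcceptedDomain | Where-Object { "$($_.DomainName)" -eq $Domain })) {
        throw "$Domain is not an accepted domain in this tenant."
    }

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # Lower-case smtp: marks a secondary address; the existing SMTP: primary is untouched.
        $new = "smtp:$($mbx.Alias)@$Domain"

        # Skip mailboxes that already carry the address (comparison is case-insensitive,
        # so it also matches a mailbox that already has this address as its primary).
        $existing = @($mbx.EmailAddresses | ForEach-Object { "$_" })
        if ($existing -contains $new) { continue }

        if ($PSCmdlet.ShouldProcess([string]$mbx.PrimarySmtpAddress, "add $new")) {
            # The hash-table form appends to the collection server-side, so nothing is overwritten.
            Set-Mailbox -Identity $mbx.Identity -EmailAddresses @{Add = $new}
        }
    }
}

# Dry run first, then apply:
#   Add-SecondaryProxyAddress -Domain content.adatum.com -WhatIf
#   Add-SecondaryProxyAddress -Domain content.adatum.com
```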

Managing email addresses with directory synchronization


When you configure directory synchronization to synchronize on-premises Active Directory accounts with
Office 365, there is a flow of information from Active Directory Domain Services (AD DS) to Office 365. This
information includes fields such as SMTP addresses and user principal names (UPNs).

It is important to note that the UPNs and the verified domain names in Office 365 must match. For the sake
of this discussion, let us assume that you are trying to synchronize the ADATUM on-premises domain with
Office 365. In this scenario, the best approach is to set up a UPN suffix of adatum.com in Active Directory
Domains and Trusts, and ensure that all users have that UPN suffix applied. The users then have primary
on-premises SMTP addresses that match their UPNs. In Office 365, you register the adatum.com domain to
Office 365 and set it up for use with Exchange Online.

When you run the first directory synchronization, Office 365 creates the mailboxes in Office 365 and assigns
a primary SMTP address of user@adatum.com. It also creates a secondary address of
user@adatum.hostdomain.com. Users can now sign in to Office 365 and access their mailboxes.

If you then either set up password synchronization or implement SSO, typically by using Active Directory
Federation Services (AD FS), users can sign in to Office 365 by using the same credentials that they use for
on-premises sign-ins.

Note: In the case of password sync, there are still two separate accounts, one on-premises and
one in the cloud, but they have the same user name (user@adatum.com) and the password is
synchronized between the two environments.

Configuring distribution groups


In the Office 365 admin center, you can create security groups and add users to those security groups. You
can then assign permissions to that security group, such as in SharePoint Online. If you synchronize your
Office 365 account with your on-premises AD DS, security groups created in AD DS also synchronize across
to Office 365.

Exchange Online provides additional group features, which enable the creation of the following group
types:

 Mail-enabled security groups

 Mail-enabled distribution groups

 Mail-enabled dynamic distribution groups


The main difference between security and distribution groups is that security groups can specify
permissions in Office 365, whereas distribution groups cannot. With dynamic distribution lists, the
membership of the group is query-based and depends on how many users meet the selected criteria, as
opposed to a static membership as in distribution groups.

Note: If you create a mail-enabled security group in Exchange Online, it appears in the Office
365 Admin center under security groups. However, Office 365 security groups do not appear in
Exchange Online.

Mail-enabled security groups


A mail-enabled security group enables you to distribute messages and grant access permissions in Azure
AD. To create a mail-enabled security group, perform the following procedure:

1. In Exchange admin center, click recipients, and then click groups.

2. In groups, click the + icon, and then click Security group.

3. In the Display Name box, enter the name of the group that you want to appear in the Address Book.

4. In the Alias box, enter a unique alias for the group. This value autopopulates the first part of the Email
Address field.

5. Select the domain for the email address from the drop-down list.

6. In the Notes field, give the group a description so that other administrators know what the purpose of
the group is.
7. Under Owners, note that by default, the group creator is an owner. However, you can remove yourself
as an owner and assign ownership to someone else, including to security groups.

8. To add an owner, click the + icon, select users or security groups, click add, and then click OK.

9. Under Members, note that by default, the group owner is a member. However, you can clear the Add
group owners as members check box, and add other members to the group. Alternatively, you can
let the group owner select members.

10. To add a member, click the + icon, select users or security groups, click add, and then click OK.

11. Select the option for Owner approval is required if you want the group owners to receive requests to
join the group. If you do select this option, only group owners can remove members (not the
administrator).

12. Click Save to save the new group.

After creating the mail-enabled security group, you can change the following settings:

 General. Change the display name, alias, email address, description, and the option to hide the group
from address lists.

 Ownership. Modify the owners of the group.

 Membership. Modify the group membership.



 Membership approval. Specify whether owner approval is required.

 Delivery management. Specify whether external addressees can email this group or only internal
users, and other settings.

 Message approval. Configure moderation, specifying who can moderate the group and who can send
messages to the group without moderation.

 Email options. Add additional email addresses for the group.

 MailTip. Add a MailTip to specify what displays when users send messages to the group.

 Group delegation. Specify Send As and Send on Behalf Of permission for users or groups.

Managing mail-enabled security groups with Windows PowerShell


To create a mail-enabled security group in Windows PowerShell called File Server Managers, with the alias
fsadmin, run the following cmdlet:

New-DistributionGroup -Name "File Server Managers" -Alias fsadmin -Type security

To show information about this new security group, run the following cmdlet:

Get-DistributionGroup <Name> | FL Name,RecipientTypeDetails,PrimarySmtpAddress

Mail-enabled distribution groups


A mail-enabled distribution group enables you to distribute messages to its members; unlike a mail-enabled
security group, it cannot be used to grant access permissions. To create a mail-enabled distribution group,
perform the following procedure:

1. In Exchange admin center, click recipients, and then click groups.

2. In groups, click the + icon, and then click Distribution group.


3. In the Display Name box, enter the name of the group that you want to appear in the Address Book.

4. In the Alias box, enter a unique alias for the group. This value autopopulates the first part of the Email
address field.
5. Select the domain for the email address from the drop-down list.

6. Give the group a description in the Notes field so that other administrators know what the purpose of
the group is.
7. Under Owners, note that by default, the group creator is an owner. However, you can remove yourself
as an owner and assign ownership to someone else, including to distribution groups.

8. To add an owner, click the + icon, select users or distribution groups, click add, and then click OK.

9. Under Members, note that by default, the group owner is a member. However, you can clear the Add
group owners as members check box, and add other members to the group. Alternatively, you can
let the group owner select members.

10. To add a member, click the + icon, select users or distribution groups, click add, and then click OK.

11. Under Choose whether owner approval is required to join the group, you now have the following
options:
o Open. Anyone can join this group without the approval of the group owners.

o Closed. Only the group owners can add members. All requests to join will be rejected
automatically.

o Owner approval. The group owners approve or reject all requests.



12. In addition, under Choose whether the group is open to leave, you can specify the following options
for leaving the group:

o Open. Anyone can leave this group without the approval of the group owners.

o Closed. Only the group owners can remove members. All requests to leave will be rejected
automatically.

13. Click Save to save the new group.

After creating the mail-enabled distribution group, you can change the following settings:

 General. Change the display name, alias, email address, description, and the option to hide the group
from address lists.

 Ownership. Modify the owners of the group.

 Membership. Modify the group membership.

 Membership approval. Specify the options for joining or leaving the group.

 Delivery management. Specify whether external addressees or only internal users can email this group.

 Message approval. Configure moderation, specifying who can moderate the group and who can send
messages to the group without moderation.

 Email options. Add additional email addresses for the group.

 MailTip. Add a MailTip to specify what displays when users send messages to the group.

 Group delegation. Specify Send As and Send on Behalf Of permission for users or groups.

Managing mail-enabled distribution groups with Windows PowerShell


To create a mail-enabled distribution group in Windows PowerShell called IT Administrators that anyone can
join without owner approval, run the following cmdlet:

New-DistributionGroup -Name "IT Administrators" -Alias itadmin -MemberJoinRestriction Open
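The settings listed for both group types above (membership approval, delivery management, ownership) map
directly to New-DistributionGroup parameters. The following is an added example that is not part of the
course material: it creates a security or distribution group whose membership only owners can change and
which accepts mail only from authenticated (internal) senders, and it includes a report of existing groups
that anyone can join and that accept external mail, the combination an administrator would review first
because it lets any sender on the Internet reach every member. Function names are the example's own; the
parameters are the documented New-DistributionGroup and Get-DistributionGroup ones.

```powershell
# Added example: create a locked-down mail-enabled group and report exposed groups.
function New-RestrictedDistributionGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Alias,
        [Parameter(Mandatory)][string[]]$Owners,   # e.g. 'adam@adatum.com'
        [string[]]$Members = @(),
        [switch]$Security                          # mail-enabled security group instead of distribution
    )
    $params = @{
        Name                               = $Name
        Alias                              = $Alias
        ManagedBy                          = $Owners
        MemberJoinRestriction              = 'Closed'   # only owners add members
        MemberDepartRestriction            = 'Closed'   # only owners remove members
        RequireSenderAuthenticationEnabled = $true      # internal senders only (Delivery management)
        Notes                              = "Created $(Get-Date -Format s) by $env:USERNAME"
    }
    if ($Members.Count -gt 0) { $params.Members = $Members }
    if ($Security)            { $params.Type    = 'Security' }

    if ($PSCmdlet.ShouldProcess($Name, 'create mail-enabled group')) {
        New-DistributionGroup @params
    }
}

function Get-ExposedDistributionGroup {
    # Groups anyone can join that also accept mail from unauthenticated (external) senders.
    Get-DistributionGroup -ResultSize Unlimited |
        Where-Object {
            "$($_.MemberJoinRestriction)" -eq 'Open' -and -not $_.RequireSenderAuthenticationEnabled
        } |
        Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails, MemberJoinRestriction,
                      RequireSenderAuthenticationEnabled,
                      @{ n = 'Owners'; e = { $_.ManagedBy -join '; ' } }
}

# Usage:
#   New-RestrictedDistributionGroup -Name 'File Server Managers' -Alias fsadmin `
#       -Owners 'adam@adatum.com' -Security -WhatIf
#   Get-ExposedDistributionGroup | Format-Table -AutoSize
```

The same properties can be changed on an existing group with Set-DistributionGroup, which accepts the
MemberJoinRestriction, MemberDepartRestriction, and RequireSenderAuthenticationEnabled parameters used
here.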

Dynamic distribution groups


Dynamic distribution groups change their membership depending on a query against account types and
additional criteria. Because dynamic distribution lists can be quite large, it is important to design them
correctly. Creating dynamic distribution lists in Exchange admin center is similar to creating a distribution
list, and differs only in how you set up the criteria. When selecting members, you can select any or all of the
following options:

 Users with Exchange mailboxes


 Mail users with external email addresses

 Resource mailboxes

 Mail contacts with external email addresses

 Mail-enabled groups

You can then add further criteria to refine the number of accounts that will appear in the results. The
following table lists the additional options.

Variable                                               Condition
State or province                                      A match on the recipient’s State or province property.
Company                                                A match on the recipient’s Company property.
Department                                             A match on the recipient’s Department property.
Custom attribute N (where N is a number from 1 to 15)  A match on the recipient’s CustomAttributeN property.

Note: Filtering based on organizational unit or domain is not available in Exchange Online.

Managing dynamic distribution groups with Windows PowerShell


You can create a dynamic distribution group by using Windows PowerShell with the following cmdlet:

New-DynamicDistributionGroup -IncludedRecipients MailboxUsers -Name "Sales Users Dynamic Group" -Department Sales

To view information about a dynamic distribution list, enter the following cmdlet:

Get-DynamicDistributionGroup -Identity "Marketing" | Format-List
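Because a dynamic distribution group's membership is evaluated when a message is delivered, the first
thing to check after creating one is who the query actually resolves to. As an added example that is not
part of the course material, the following creates a department group with an explicit recipient filter
(a close equivalent of the -IncludedRecipients MailboxUsers -Department form shown above) and then
previews its membership with Get-Recipient -RecipientPreviewFilter, which evaluates the stored filter
without sending anything. Function names are the example's own.

```powershell
# Added example: create a dynamic distribution group and preview who it resolves to.
function New-DepartmentDynamicGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Department
    )
    # Double any single quote so a department value cannot break out of the OPATH string.
    $dept = $Department -replace "'", "''"
    # Explicit filter: user mailboxes in the given department. Further conditions
    # (Company, StateOrProvince, CustomAttributeN) can be added to this one expression.
    $filter = "((RecipientTypeDetails -eq 'UserMailbox') -and (Department -eq '$dept'))"
    New-DynamicDistributionGroup -Name $Name -RecipientFilter $filter
}

function Test-DynamicGroupMembership {
    param([Parameter(Mandatory)][string]$Identity)
    $group = Get-DynamicDistributionGroup -Identity $Identity
    # Evaluate the group's stored filter now; this is what Exchange does at delivery time.
    $members = @(Get-Recipient -RecipientPreviewFilter $group.RecipientFilter -ResultSize Unlimited)
    [pscustomobject]@{
        Group       = $group.Name
        Filter      = $group.RecipientFilter
        MemberCount = $members.Count
        Members     = $members | ForEach-Object { [string]$_.PrimarySmtpAddress }
    }
}

# Usage:
#   New-DepartmentDynamicGroup -Name 'Sales Users Dynamic Group' -Department 'Sales'
#   Test-DynamicGroupMembership -Identity 'Sales Users Dynamic Group'
```

A preview that returns far more (or fewer) recipients than expected usually means the Department value
is not populated consistently on the mailboxes, which is worth fixing before the group is used.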

Configuring resources
Resource mailboxes in Office 365 enable you to assign a mailbox to a room or an item of equipment and then
book that item by sending it a meeting request. These mailboxes are similar to those in on-premises
Exchange Server and come in two different types:

 Equipment mailboxes. These mailboxes are for communal use, for booking discrete, portable items of
equipment, such as portable projectors, computer monitors, laptops, and other items. Typically, if an
item moves around and does not belong to a nominated person, then an equipment mailbox is a good way
to manage it.

 Room mailboxes. These mailboxes are for booking immovable objects, such as conference rooms,
meeting rooms, cinemas, sports halls, and swimming pools. In fact, you can create any physical space as
a room and then book it through Exchange Online. If a room has fixed equipment, such as a ceiling-
mounted projector, then that equipment is part of that room. We recommend that you set up a
movable room, such as a portable cabin or a caravan, as a room mailbox.

Note: We recommend that you have a structured and consistent way to label room or
equipment mailboxes so that it is immediately apparent where a room is located or what the piece
of equipment is.

Creating a new room mailbox


To create a new room mailbox in Exchange admin center, perform the following procedure:

1. In Exchange admin center, click recipients, and then click resources.

2. Under resources, click the + (add) icon, and then select Room mailbox.

3. In the Room name field, enter a descriptive name for the room. For example, type Conference Room
11 306 if the room is in building 11 and identified on the door as room 306.

4. Under Email address, enter the room’s email address and select the domain from the list of registered
domain names. Again, make the email address consistent and easy to identify, such as conf-room-11-
306@Adatum.com.

5. Add a Location for the room, such as Building 11, Third Floor.

6. If there is a phone in the room, such as a conference phone, enter that number in the Phone field.
7. Enter a Capacity for the room, such as 25.

8. Click Save to save the new room mailbox.

Note: When you create a room mailbox, the option to Accept or decline booking requests
automatically is enabled.

After creating the room mailbox, you can configure the following settings:
 General. Specify the name, capacity, department, company, address book policy, custom attributes,
and the option to hide from address lists.

 Booking delegates. Accept booking requests automatically, select delegates, or customize acceptance
policy for this mailbox.

 Booking options. Allow repeated meetings, only schedule during working hours, maximum booking
lead time, maximum meeting duration, and a customized reply to the meeting organizer.

 Contact information. Add street, ZIP code, city, and other information, if required.

 Email address. Add additional addresses, if required.

 MailTip. Create MailTip to provide additional information that users can see when they select this
address in an email.

 Mailbox delegation. Configure Send As, Send on Behalf Of, and Full Access permission for this
mailbox, as with shared mailboxes.

Managing room mailboxes with Windows PowerShell


To create the mailbox by using Windows PowerShell, run the following cmdlet:

New-Mailbox -Name "Second Floor Conference Room" -Room

To configure the room mailbox to process booking requests automatically, run this cmdlet:

Set-CalendarProcessing <Identity> -AutomateProcessing AutoAccept



Creating a new equipment mailbox


To create a new equipment mailbox in Exchange admin center, perform the following procedure:

1. In Exchange admin center, click recipients, and then click resources.

2. Under resources, click the + (add) icon, and then select Equipment mailbox.

3. In the Equipment name field, enter a descriptive name for the equipment. For example, type Portable
Projector S/N 32011044 if the equipment is a projector with that serial number. Alternatively, provide
a tag number if there is one.

4. Under Email address, enter the equipment’s email address and select the domain from the list of
registered domain names. Again, make the email address consistent and easy to identify, such as
projector-32011044@adatum.com.

5. Click Save to save the new equipment mailbox.

Note: When you create an equipment mailbox, the option to Accept or decline booking
requests automatically is enabled.

After creating the equipment mailbox, you can configure the following settings:

 General. Specify the name, capacity, department, company, address book policy, custom attributes,
and the option to hide from address lists.

 Booking delegates. Accept booking requests automatically, select delegates, or customize acceptance
policy for this mailbox.

 Booking options. Allow repeated meetings, only schedule during working hours, maximum booking
lead time, maximum meeting duration, and a customized reply to the meeting organizer.

 Contact information. Add street, Zip/post code, city, and other information, if required.

 Email address. Add additional email addresses, if required.


 MailTip. Create MailTip to provide additional information that users can see when they select this
address in an email.

 Mailbox delegation. Configure Send As, Send on Behalf Of, and Full Access permission for this
mailbox, as with shared mailboxes.

Managing resource mailboxes with Windows PowerShell


To create the mailbox by using Windows PowerShell, run the following cmdlet:

New-Mailbox -Name "Demonstration Laptop" -Equipment

To configure the equipment mailbox to process booking requests automatically, run this command:

Set-CalendarProcessing <Identity> -AutomateProcessing AutoAccept
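The room and equipment cmdlets above set only the name and rely on the default automatic acceptance. As
an added example that is not part of the course material, the following function creates a resource
mailbox of either type and then applies the Booking options from the lists above through
Set-CalendarProcessing, including the setting that stops meeting requests from outside the tenant from
booking the resource. The function name and default values are the example's own; the parameters are the
documented New-Mailbox and Set-CalendarProcessing ones.

```powershell
# Added example: create a room or equipment mailbox and apply booking options in one step.
function New-ResourceMailbox {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Room', 'Equipment')][string]$Type,
        [Parameter(Mandatory)][string]$PrimarySmtpAddress,   # e.g. conf-room-11-306@adatum.com
        [int]$Capacity = 0,                                   # rooms only
        [int]$BookingWindowInDays = 180,                      # maximum booking lead time
        [int]$MaximumDurationInMinutes = 480,                 # maximum meeting duration
        [string[]]$Delegates = @()                            # people who review out-of-policy requests
    )

    $new = @{ Name = $Name; PrimarySmtpAddress = $PrimarySmtpAddress }
    if ($Type -eq 'Room') {
        $new.Room = $true
        if ($Capacity -gt 0) { $new.ResourceCapacity = $Capacity }
    } else {
        $new.Equipment = $true
    }
    $mbx = New-Mailbox @new

    $cal = @{
        Identity                       = $mbx.Identity
        AutomateProcessing             = 'AutoAccept'   # accept/decline automatically (the course default)
        AllowRecurringMeetings         = $true          # "Allow repeated meetings"
        ScheduleOnlyDuringWorkHours    = $true
        BookingWindowInDays            = $BookingWindowInDays
        MaximumDurationInMinutes       = $MaximumDurationInMinutes
        ProcessExternalMeetingMessages = $false         # ignore booking requests from outside the tenant
        DeleteComments                 = $true          # do not keep organizer comments on the calendar item
        AddOrganizerToSubject          = $true          # show who holds the resource in the calendar
    }
    if ($Delegates.Count -gt 0) {
        # With delegates set, in-policy requests still auto-accept; out-of-policy ones go to them.
        $cal.ResourceDelegates = $Delegates
    }
    Set-CalendarProcessing @cal

    # Return the effective settings so the caller can verify them.
    Get-CalendarProcessing -Identity $mbx.Identity
}

# Usage:
#   New-ResourceMailbox -Name 'Conference Room 11 306' -Type Room -Capacity 25 `
#       -PrimarySmtpAddress 'conf-room-11-306@adatum.com' -Delegates 'adam@adatum.com'
#   New-ResourceMailbox -Name 'Portable Projector S/N 32011044' -Type Equipment `
#       -PrimarySmtpAddress 'projector-32011044@adatum.com'
```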



Configuring shared mailboxes


Shared mailboxes are special types of mailboxes that multiple users can access to send and receive email
messages. You also can use shared mailboxes to set up shared calendars where employees can schedule their
vacation time or plan shifts. Shared mailboxes provide:

 A generic email address, such as marketing@adatum.com or sales@adatum.com, to field customer
enquiries.

 A way for departments that provide centralized services to respond to requests from employees or
customers, like the helpdesk, human resources department, or printing.

 Support for multiple users to monitor and reply to external or internal email addresses.

When a user replies to a message sent to a shared mailbox, the reply appears to come from the shared mailbox address. In addition, all users who have access to that shared mailbox can see the messages that have been sent to that account. Shared mailboxes can have the following delegate permissions:

- Full Access. Users with Full Access permission can open the mailbox and carry out actions consistent with a mailbox owner. However, to send mail, users with Full Access permission must also have Send As or Send on Behalf Of permission. You can configure Full Access permission through Exchange admin center or by using Windows PowerShell.

- Send As. Users with Send As permission can impersonate the mailbox when sending mail. Messages sent this way carry only the mailbox address as the sender, so they appear to come directly from marketing@adatum.com, for example, and the recipient cannot tell which delegate actually sent them. You can configure Send As permission through Exchange admin center or through Windows PowerShell.

- Send on Behalf Of. Send on Behalf Of permission grants the right to send messages, but those messages are stamped as from Remi Desforges on behalf of Marketing, so the real sender remains visible. You can configure Send on Behalf Of permission from Windows PowerShell only.

Note: Typically, you use shared mailboxes with security groups. You create a mail-enabled security group, add users to that group, and then grant the security group Full Access and Send As permission on the mailbox. To change access rights, you then simply add or remove users from the security group.

Shared mailboxes do not require user licenses, so you can grant both mailbox users and mail users Send As and Full Access permission. However, be aware that a mail user's mail is delivered to an address outside Office 365, so granting a mail user these permissions can give someone outside the organization the ability to read the shared mailbox and to send mail that appears to come from the organization. Review the trustees of a shared mailbox periodically for that reason.

To create a shared mailbox in Exchange admin center, perform the following procedure:

1. In Exchange admin center, click recipients, and then click shared.

2. Under shared, click the + (add) icon.

3. In the Display name field, enter the name for the mailbox that you want recipients to see; for example, Marketing if the shared mailbox is to send out mailings from the marketing department.

4. Under Email address, enter the shared mailbox's email address and select the domain from the list of registered domain names; for example, marketing@adatum.com.

5. Under Users, add the users or groups that you want to have the right to send mail as marketing@adatum.com. Click the + icon, select the names from the list, click add, and then click OK.

6. Click Save to save the new mailbox.

Users whom you have set up with Send As permission can now enter that address in the From field when they send email. Replies come back to the Marketing mailbox.

After creating the shared mailbox, you can edit the details to add or change further information in the following tabs:

- General. Hide from the address list, and add custom attributes.

- Mailbox delegation. Configure Full Access and Send As permissions.

Note: Users that you added when creating the mailbox have both Full Access and Send As permissions.

- Mailbox usage. View the current size of the mailbox.

- Contact information. Add street, Zip/post code, city, and more information, if required.

- Organization. Add manager and department information.

- Email address. Add additional email addresses, if required.

- Mailbox features. Apply policies, enable and disable protocols, apply litigation hold, set up archiving, control message delivery, and set message sizes.

- Member of. Add to distribution groups.

- MailTip. Create a MailTip to provide additional information that users can see when they select this address in an email.

Managing shared mailboxes with Windows PowerShell


To create a shared mailbox in Office 365 by using Windows PowerShell, run the New-Mailbox cmdlet:

New-Mailbox -Name "Corporate Printing Services" -Alias corpprint -Shared

To edit the mailbox, use the Set-Mailbox cmdlet, just as with a user mailbox:

Set-Mailbox corpprint -ProhibitSendReceiveQuota 5GB -ProhibitSendQuota 4.75GB -IssueWarningQuota 4.5GB
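The delegation model described in this topic (shared mailbox, permissions held by a mail-enabled security group, and a review of who can send as the mailbox) as one worked script. This is an added example, not code from the courseware: it assumes an open Exchange Online PowerShell session, the lab names Marketing, Remi Desforges and Holly, and a group name of Marketing Mailbox Users that is invented for the example.

```powershell
# Added example (not from the courseware): create a shared mailbox, delegate it to a
# mail-enabled security group, and then review who can send as it. Assumes an open
# Exchange Online PowerShell session; the group name and alias are assumed values.
$MailboxName  = 'Marketing'
$MailboxAlias = 'marketing'
$GroupName    = 'Marketing Mailbox Users'   # assumed name
$GroupAlias   = 'marketing-mbx-users'       # assumed alias

# 1. Shared mailbox: needs no license and has no interactive sign-in of its own.
New-Mailbox -Name $MailboxName -Alias $MailboxAlias -Shared

# 2. Mail-enabled security group that carries the permissions. Later changes to
#    access are group membership edits, not per-mailbox permission edits.
New-DistributionGroup -Name $GroupName -Alias $GroupAlias -Type Security `
    -Members 'Remi Desforges' -ManagedBy 'Holly'

# 3. Full Access lets members open the mailbox; Send As lets them send with only the
#    shared address as the sender. Grant both to the group, not to individuals.
Add-MailboxPermission -Identity $MailboxAlias -User $GroupAlias `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $true
Add-RecipientPermission -Identity $MailboxAlias -Trustee $GroupAlias `
    -AccessRights SendAs -Confirm:$false

# 4. Send on Behalf Of is a mailbox property rather than a permission entry; messages
#    show "<user> on behalf of Marketing", which keeps the real sender visible.
Set-Mailbox -Identity $MailboxAlias -GrantSendOnBehalfTo @{Add = 'Remi Desforges'}

# 5. Review: who can send as this mailbox, with groups expanded to people, and is
#    any of them a mail user whose mail is delivered outside the organization?
function Get-SendAsReview {
    param([Parameter(Mandatory)][string]$Identity)

    Get-RecipientPermission -Identity $Identity |
        Where-Object { $_.AccessRights -contains 'SendAs' -and $_.Trustee -notlike 'NT AUTHORITY\*' } |
        ForEach-Object {
            $trustee = $_.Trustee
            $recipients = if ((Get-Recipient $trustee).RecipientTypeDetails -like '*SecurityGroup') {
                Get-DistributionGroupMember -Identity $trustee
            } else {
                Get-Recipient $trustee
            }
            foreach ($r in $recipients) {
                [pscustomobject]@{
                    Mailbox      = $Identity
                    Trustee      = $trustee
                    Member       = $r.Name
                    Type         = $r.RecipientTypeDetails
                    ExternalMail = ($r.RecipientTypeDetails -eq 'MailUser')
                }
            }
        }
}

Get-SendAsReview -Identity $MailboxAlias | Format-Table -AutoSize
```

Any row with ExternalMail set to True is a trustee whose messages are delivered to an address outside Office 365; that is exactly the case the caveat above warns about, and it should be either justified or removed.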

Configuring contacts
Mail contacts are similar to contacts in AD DS. When you create mail contacts, they consist of name fields, an alias, and an external email address.

Mail contacts do not have a user account in Office 365, and therefore, they cannot sign in. However, they do appear in the global address list (GAL) throughout the organization. You can add them to mail-enabled security groups, distribution groups, or dynamic distribution groups (but not to security groups that are not mail-enabled). Therefore, you can use contacts just as you would use entries in your contacts folder in Outlook, with the difference that you can manage Office 365 contacts centrally.

You can also use contacts within your own hierarchy and assign them a manager. This approach is useful if your organization engages external contractors or associates.

After creating a contact, you can add some optional fields, such as contact information, phone numbers, notes, title, department, company, manager, and direct reports. Finally, you can configure a MailTip that appears when someone sends a message to that person.
To create a contact, perform the following procedure:

1. In Exchange admin center, click recipients, and then click contacts.

2. Click the + (new) icon, and then click Mail contact.


3. In the new mail contact page, enter a First name, Initials, and Last name.

4. The Display name is autogenerated based on those first three fields in the form of First name, Middle
initial, Last name, but you can change that format.
5. In the Alias box, enter a unique value.

6. In the External email address box, enter the address to which you want to send mail for that user.

7. Click Save.

Note: Typically, it can take a minute or two for the item to update in Office 365. As a result,
you might see an error message stating that the object does not exist the first time you attempt to
edit the new contact.

The new mail contact now appears in the GAL. After creating the new mail contact, you can edit the details to add or change further information in the following tabs:

- General. Name fields, alias, and external SMTP address.

- Contact information. Add street, Zip/post code, city, and other information, if required.

- Organization. Add manager and department information.

- MailTip. Create a MailTip to provide additional information that users can see when they select this address in an email.

Deleting a contact is as simple as selecting the contact and clicking the Delete icon. You can also export
contact information to a .csv file and display additional columns in the Exchange admin center.

Managing mail contacts with Windows PowerShell


To create a contact in Office 365 by using Windows PowerShell, run the New-MailContact cmdlet:

New-MailContact -Name "Fred" -DisplayName "Frederick" -ExternalEmailAddress fred@lucernepublishing.com

To view the contact's properties, use the Get-MailContact cmdlet; to change them, use the Set-MailContact cmdlet:

Get-MailContact -Identity Fred | Format-List

Bulk importing contacts


Adding multiple contacts individually can be a time-consuming process. Therefore, if you have a large number of contacts to import, you can use Windows PowerShell to perform a bulk import by using the Import-Csv cmdlet.

To import contacts in bulk, perform the following steps:

1. Create a .csv file containing the necessary information.

2. Use Windows PowerShell to create the contacts.

3. Customize the newly created contacts by using Windows PowerShell.

The Office 365 community site provides a sample .csv file that you can use as a starting point.

Additional Reading: To download the sample .csv file, refer to Sample CSV file to bulk-
create external contacts in Exchange Online: http://aka.ms/t6ip2e.

In the .csv file, do not delete the header row, but you can delete the sample data. You can then populate the spreadsheet with your own information. At a minimum, you must provide values for the following fields:

- FirstName

- LastName

- Name

- ExternalEmailAddress

You can connect to Exchange Online by using Windows PowerShell and run the following command to
create the contacts:

Import-Csv .\ExternalContacts.csv | %{New-MailContact -Name $_.Name -DisplayName $_.Name -ExternalEmailAddress $_.ExternalEmailAddress -FirstName $_.FirstName -LastName $_.LastName}

The contacts will now appear in the GAL. Next, you can add further information about each contact by running the Import-Csv cmdlet again. This time, it is a two-stage process, beginning with this cmdlet:

$Contacts = Import-CSV .\externalcontacts.csv

This command imports all the entries in the .csv file into a variable called $Contacts. Next, the following script replaces each value in the contact record with the new value in the .csv file:

$Contacts | ForEach {Set-Contact $_.Name -StreetAddress $_.StreetAddress -City $_.City -StateorProvince $_.StateorProvince -PostalCode $_.PostalCode -Phone $_.Phone -MobilePhone $_.MobilePhone -Pager $_.Pager -HomePhone $_.HomePhone -Company $_.Company -Title $_.Title -OtherTelephone $_.OtherTelephone -Department $_.Department -Fax $_.Fax -Initials $_.Initials -Notes $_.Notes -Office $_.Office -Manager $_.Manager}

Note: If your .csv file does not supply a Manager value for the contacts, delete the -Manager $_.Manager element from the command.
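The bulk import above creates a GAL entry for every row it is given, so a malformed address, a duplicate name, or a "contact" that actually points at one of your own accepted domains becomes a directory object before anyone notices. The following is an added example, not code from the courseware or the sample file it refers to: it validates the rows first and only passes the clean ones to New-MailContact (with -WhatIf, so that nothing is created until you remove it). The CSV content is constructed for the example and uses the same column names as the sample file; the internal domain adatum.com is the lab value.

```powershell
# Added example (not from the courseware): validate a contacts CSV before it is fed to
# New-MailContact. The CSV text below is constructed for the example.
$CsvText = @'
FirstName,LastName,Name,ExternalEmailAddress
Fred,Smith,Fred Smith,fred@lucernepublishing.com
Ann,Lee,Ann Lee,ann.lee@lucernepublishing.com
Bad,Row,Bad Row,not-an-address
Fred,Smith,Fred Smith,fred2@lucernepublishing.com
Eve,Jones,Eve Jones,eve@adatum.com
'@

function Test-ContactCsv {
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        # Accepted domains of the tenant (assumed lab value). An "external" contact in
        # one of them is suspicious: it would shadow or impersonate an internal address.
        [string[]]$InternalDomains = @('adatum.com')
    )
    $required = 'FirstName', 'LastName', 'Name', 'ExternalEmailAddress'
    $columns  = $Rows[0].PSObject.Properties.Name
    $missing  = $required | Where-Object { $_ -notin $columns }
    if ($missing) { throw "CSV is missing required column(s): $($missing -join ', ')" }

    $seenNames = @{}
    foreach ($row in $Rows) {
        $problems = @()
        foreach ($col in $required) {
            if ([string]::IsNullOrWhiteSpace($row.$col)) { $problems += "$col is empty" }
        }
        # MailAddress parsing rejects strings that are not syntactically SMTP addresses.
        try   { $addr = [System.Net.Mail.MailAddress]$row.ExternalEmailAddress }
        catch { $addr = $null; $problems += 'ExternalEmailAddress is not a valid SMTP address' }
        if ($addr -and $addr.Host -in $InternalDomains) {
            $problems += "address is in internal domain $($addr.Host)"
        }
        # Name must be unique: New-MailContact fails on the second one, and a silent
        # half-finished import is hard to reconcile afterwards.
        if ($seenNames.ContainsKey($row.Name)) { $problems += 'duplicate Name' }
        else { $seenNames[$row.Name] = $true }

        [pscustomobject]@{
            Name                 = $row.Name
            ExternalEmailAddress = $row.ExternalEmailAddress
            Valid                = ($problems.Count -eq 0)
            Problems             = ($problems -join '; ')
        }
    }
}

$rows   = $CsvText | ConvertFrom-Csv
$report = Test-ContactCsv -Rows $rows
$report | Format-Table -AutoSize

# Only rows that passed every check reach Exchange Online. Remove -WhatIf to create them.
$report | Where-Object Valid | ForEach-Object {
    $r = $rows | Where-Object Name -eq $_.Name | Select-Object -First 1
    New-MailContact -Name $r.Name -DisplayName $r.Name -FirstName $r.FirstName `
        -LastName $r.LastName -ExternalEmailAddress $r.ExternalEmailAddress -WhatIf
}
```

With the constructed input, Fred Smith and Ann Lee pass; Bad Row is rejected for its address, the second Fred Smith as a duplicate, and Eve Jones because her address is in the tenant's own domain. The same Test-ContactCsv call can be run against the real ExternalContacts.csv (Import-Csv in place of ConvertFrom-Csv) before the one-line import shown earlier.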

Configuring mail users


A mail user combines some of the attributes of a full mailbox user with the characteristics of a contact. By configuring mail users, administrators can provide users with the ability to sign in to Office 365, while continuing to provide them with an external email address. Organizations that use associates often use mail user accounts to provide sign-in facilities to these personnel while forwarding their emails to their external email addresses. You can assign the mail user accounts to a manager and department for administrative purposes.

Note: Administrators use mail users extensively in hybrid Exchange environments. They configure users with on-premises mailboxes as mail users in Office 365, and configure their email address as their on-premises mailbox. These users then appear in the online GAL as contacts.

The characteristics of mail users are as follows:

- They can sign in to Office 365 and access resources such as Microsoft OneDrive for Business or SharePoint Online.

- They have email addresses that are external to Office 365, registered against the ExternalEmailAddress attribute.

- They can have secondary email addresses for the default companyname.hostdomain.com domain.

To create a new mail user, perform the following procedure:

1. In Exchange admin center, click recipients, and then click contacts.

2. Click the + (new) icon, and then click Mail user.

3. In the New mail user page, enter a First name, Initials, and Last name.

4. The Display name is autogenerated based on those first three fields in the form of First name, middle
initial, Last name, but you can change that format.

5. In the Alias box, enter a unique value.

6. In the External email address box, enter the address to which you want to send mail for that user.

7. In the User ID box, enter the sign-in information for that user and from the drop-down box, select his
or her domain from the list of registered domains.

8. In the New password and the Confirm password boxes, enter the user’s sign-in password.

9. Click Save.

After creating the new mail user, you can edit the details to add or change further information in the following tabs:

- General. Hide from the address list, and add custom attributes.

- Contact information. Add street, Zip/post code, city, and other information, if required.

- Organization. Add manager and department information.

- Email address. Add further email addresses, if required.

- Mail flow settings. Restrict who can and cannot send email to this account.

- Member of. Add to distribution groups.

- MailTip. Create a MailTip to provide additional information that users can see when they select this address in an email.

Managing mail users with Windows PowerShell


To use Windows PowerShell to create a new mail user, run the following command:

New-MailUser -Name <name> -WindowsLiveID <Microsoft ID> -Password (ConvertTo-SecureString -String '<password>' -AsPlainText -Force)

Note that ConvertTo-SecureString -AsPlainText places the password in the command line, and therefore in the PowerShell history and in any transcript or script file. When you create mail users interactively, prompt for the password with Read-Host -AsSecureString instead, and do not keep initial passwords in scripts.

You can then use the Set-MailUser cmdlet to change attributes. The following example changes the external email address:

Set-MailUser adambarr -ExternalEmailAddress adambarr@contoso.com

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

A mail user is the same as a mailbox user. F



Lesson 3
Planning and configuring Exchange Online permissions
Planning for Exchange Online administration is an important part of the overall planning process. To deliver
the efficiencies that Exchange Online can provide, you must identify how you want to administer Exchange
Online. If you do not define your Exchange Online administration processes properly, you might fail to
meet your requirements for security, feature take-up, and data protection.

Lesson Objectives
After completing this lesson, you will be able to:

- Describe the concept of role-based access control (RBAC) and describe the Exchange Online admin roles.

- Describe how to configure delegated permissions.

- Explain how to use user roles.

- Configure delegated administration in Exchange Online.

Plan for Exchange Online admin roles


Exchange Online uses the RBAC permissions model to restrict the administrative tasks that users can perform within your Exchange organization. With RBAC, you can control the resources that administrators can configure and the features that users can access. You must plan the RBAC permissions carefully to ensure that your administrative model meets your organizational needs. To ensure that your Exchange Online administration is working as it should, we recommend that you apply the following process:

1. Identify the goals you want to achieve by using Exchange Online.

2. Create or apply a change management framework.

3. Set up a change log system to record changes and record any changes to the environment in the documentation system.

4. Identify administrative roles and tasks.

5. Map roles and tasks to existing role groups.

6. Define additional administrative role groups as required.

7. Identify training requirements for administrators and deliver training.

8. Assign users to administrative role groups.

9. Monitor the environment.

Identify the goals you want to achieve by using Exchange Online


Before you start administering Exchange Online or delegate that task to other administrators, you must
identify what you want the new environment to achieve. For example, if you want to reduce administrative
costs by implementing Exchange Online, you would not want to create an administrative setup that is as
complex as your current on-premises one.

Create or apply a change management framework


If you already have a change management framework such as Microsoft Operations Framework in place, apply it to Exchange Online; if you do not, implement one before you begin. You need to have a process for identifying, testing, approving, and making changes to the Office 365 configuration.

Set up a change log system to record changes


It is essential that you maintain and update comprehensive documentation of your Office 365 settings. This
is probably the most challenging aspect of systems management, as administrators often neglect
documenting this type of information. However, setting up a documentation system and specifying that it
record configuration changes is an essential part of the change management process.

Identify administrative roles and tasks


You must identify the roles and tasks that you want your administrators to perform. For example, you might
have people in your organization who have unusual job responsibilities and require unique combinations
of access rights to Office 365.

Map roles and tasks to existing role groups


When you have finished defining the administrative requirements, you take those roles and map them to
the existing admin role groups. Office 365 provides several admin role groups, which the next topic will
cover.

Define additional administrative roles as required


If you still have accounts that you cannot map to the existing roles, you need to create new ones,
combining the RBAC permissions so that each account has the rights it needs.

Identify training requirements for administrators and deliver training


Once you have identified the roles and responsibilities of each administrator, you should ensure that the
people assigned to specific roles have the skills and training they need to carry out those tasks. Review
online training resources and official Microsoft training courses that might meet their needs.

Assign users to administrative roles


Once you have identified the administrator roles and personnel, and ensured that they have the requisite
knowledge and skills that they need to perform their tasks (including documenting their actions), you can
now map those people to their respective roles and let them resume their responsibilities.

Monitor the environment


You should ensure that you monitor the Exchange Online environment to check that your team is
performing their responsibilities satisfactorily and recording changes. Remember that one of the best
sources of real-time monitoring will be your users. If you have an Exchange Online service outage, check
with the Office 365 admin center first to eliminate the service itself as a source of failure.

Manage delegated permissions with admin roles


After identifying the administrative tasks your administrators must perform, you must map those administrative tasks to the Exchange admin role groups. Office 365 provides the following admin role groups:

- Compliance Management. Members can configure and manage compliance settings within Exchange Online.

- Discovery Management. Members can perform mailbox searches in the Exchange organization.

- Help Desk. Members can manage the configuration for individual recipients and view recipients in an Exchange organization. Members can only manage the configuration that each user can manage on his or her own mailbox.

- Help Desk Administrators (HelpdeskAdmins_<unique value>). Membership in this role group is synchronized across services and managed centrally. You cannot manage this role group through Exchange Online.

- Hygiene Management. Members can manage Exchange anti-spam features and grant permissions for antivirus products to integrate with Exchange Online.

- Organization Management. Members have permissions to manage Exchange objects in the Exchange organization and can also delegate role groups and management roles in the organization.

- Recipient Management. Members have rights to create, manage, and delete recipient objects.

- Records Management. Members can configure compliance features, including retention policy tags, message classifications, and transport rules.

- Tenant Admins (TenantAdmins_<unique value>). Membership in this role group is synchronized across services and managed centrally. You cannot manage this role group through Microsoft Exchange.

- UM Management. Members can manage Unified Messaging organization, server, and recipient configuration.

- View-Only Organization Management. Members can view recipient and configuration objects and their properties in the Exchange organization.

There are also the admin roles as defined in Office 365, such as Billing Admin, Global Admin, and other roles. In Exchange Online, these administrator types have the following mapping and equivalent rights.

Office 365 administrator type    Exchange Online equivalent rights
Global Administrator             Organization Management
Password Administrator           Help Desk Administrator

To assign a user or group to these predefined roles, select the role in Exchange admin center and click Edit. Then under Members, click the + icon, and add the appropriate members. Click OK and then click Save.

You can also create your own admin roles. In Exchange admin center:

1. Click permissions, and then on the admin roles tab, click add.

2. In the new role group window, in the Name and Description fields, type a meaningful name and
description that will help identify the function of the role group.

3. Next, under Roles, click the + icon.


4. In the Select a Role window, in the DISPLAY NAME list, select the various roles that you wish to assign,
click add for each, and then click OK.

5. Under Members, click the + icon.

6. In the Select Members window, select the mailboxes and groups that you want to assign to the role,
click add for each, and then click OK.

7. Click Save.

Managing admin roles with Windows PowerShell


To create a new admin role group by using Windows PowerShell, run the New-RoleGroup cmdlet:

New-RoleGroup -Name BranchOfficeAdmins -Roles "Mail Recipients", "Distribution Groups", "Move Mailboxes", "Mail Recipient Creation" -RecipientOrganizationalUnitScope Adatum.com/BranchOffice

The preceding cmdlet does the following:

 Creates a new role group named BranchOfficeAdmins.


 Assigns the Mail Recipients, Distribution Groups, Move Mailboxes, and Mail Recipient Creation
management roles to the BranchOfficeAdmins role group.

 Configures a management role scope limited to the BranchOffice OU in the Adatum.com domain.

To add a user to a role group, run the Add-RoleGroupMember cmdlet:

Add-RoleGroupMember "Recipient Management" -Member Adam

To see who belongs to a role group, use the Get-RoleGroupMember cmdlet:

Get-RoleGroupMember "Recipient Management"

Overview of user roles


You can use user roles in Exchange Online to enable users to manage aspects of their own mailboxes and the distribution groups of which they are owners. To enable this, Exchange Online uses role assignment policies.

Note: The Default Role Assignment Policy exists automatically in your Exchange Online organization. This policy grants users the permission to set their options in Outlook on the web and perform other self-administration tasks.

You can create and customize your own role assignment policies to achieve your organizational
requirements. To do this, from the Exchange admin center:

1. Click permissions, and then click user roles.

2. In user roles, click the + icon.

3. In the role assignment policy window, in the Name and Description fields, type a meaningful name
and description that will help identify the function of the role assignment policy.

4. Select the various check boxes beneath the following headings to configure the necessary permissions:

a. Contact information

b. Profile information

c. Distribution groups

d. Distribution group memberships


e. Other roles

5. Click Save.

Once you have created the policy, you can assign it to specific users or groups of users. To do this, in the
Exchange admin center:

1. Click recipients, and then click mailboxes.

2. Select the appropriate mailbox, and then click Edit.


3. In the User Mailbox window, click the mailbox features tab, in the Role assignment policy list, click
the policy you want to assign, and then click Save.

Note: You can assign the policy to multiple mailboxes by selecting multiple mailboxes in the
Exchange admin center and then, in the action pane, beneath Role Assignment Policy, clicking
Update.

Managing user role groups with Windows PowerShell


To create a new role assignment policy, use the New-RoleAssignmentPolicy cmdlet:

New-RoleAssignmentPolicy "Limited Mailbox Configuration" -Roles MyBaseOptions, MyAddressInformation, MyDisplayName
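The last step of the planning process above is to monitor the environment, and the two PowerShell topics in this lesson (admin role groups and role assignment policies) only show how to create and populate them. The following added script, which is not part of the courseware, is the review a practitioner runs afterwards: every role group with its members, the management roles a given user actually ends up with through direct and group assignments, and how many mailboxes each role assignment policy applies to. It assumes an open Exchange Online PowerShell session; Olivia and Limited Mailbox Configuration are the lab values from this module.

```powershell
# Added example (not from the courseware): least-privilege review of Exchange Online
# RBAC. Assumes an open Exchange Online PowerShell session.

function Get-RoleGroupReport {
    # One row per (role group, member). Empty role groups are listed too, so that an
    # unused custom group is visible and can be removed rather than forgotten.
    foreach ($group in Get-RoleGroup) {
        $roles   = $group.Roles -join ', '
        $members = @(Get-RoleGroupMember -Identity $group.Identity)
        if ($members.Count -eq 0) {
            [pscustomobject]@{ RoleGroup = $group.Name; Member = '(none)'; Roles = $roles }
        }
        foreach ($m in $members) {
            [pscustomobject]@{ RoleGroup = $group.Name; Member = $m.Name; Roles = $roles }
        }
    }
}

function Get-EffectiveRoles {
    # Roles reach a user either directly or through role group membership;
    # -GetEffectiveUsers expands the groups so that both paths are listed.
    param([Parameter(Mandatory)][string]$User)
    Get-ManagementRoleAssignment -RoleAssignee $User -GetEffectiveUsers |
        Select-Object Role, RoleAssigneeName, RoleAssigneeType, RecipientWriteScope |
        Sort-Object Role -Unique
}

function Get-PolicyUsage {
    # How many mailboxes each role assignment policy (the "user roles" of this lesson)
    # applies to; a policy with zero mailboxes is a candidate for removal.
    Get-Mailbox -ResultSize Unlimited |
        Group-Object RoleAssignmentPolicy |
        Select-Object @{ n = 'Policy'; e = { $_.Name } }, Count
}

$report = Get-RoleGroupReport
$report | Format-Table -AutoSize

# Organization Management is the Exchange equivalent of Global Administrator; every
# member listed here should have a documented reason for being there.
$report | Where-Object RoleGroup -eq 'Organization Management' |
    Select-Object -ExpandProperty Member

Get-EffectiveRoles -User 'Olivia' | Format-Table -AutoSize
Get-PolicyUsage | Format-Table -AutoSize
```

Running this after each change, and keeping the output with the change record from the planning steps, turns the "monitor the environment" step into something you can show an auditor rather than a good intention.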

Question: What requirements does your organization have for assigning Exchange Online
permissions? Does your organization use a centralized or decentralized administration model?
What special permissions will you need to configure?

Lab: Managing Exchange Online recipients and permissions


Scenario
A. Datum Corporation is ready to move a second group of pilot users to Office 365. Before completing the
move, you must ensure that you can manage Exchange recipients in Exchange Online. You also must
ensure that you can delegate permissions in Exchange Online.

Objectives
After completing this lab, you will be able to:

- Configure Exchange Online recipients.

- Delegate administrative permissions.

Lab Setup
Estimated Time: 60 minutes

Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, 20347A-LON-CL1

User names: Adatum\Administrator, Adatum\Holly


Password: Pa$$w0rd

In all tasks:

- In references to Adatumyyxxxxx.hostdomain.com, replace Adatumyyxxxxx with your unique Office 365 name displayed in the online lab portal.

- In references to Adatumyyxxxxx.hostdomain.com, replace the Adatumyyxxxxx with your unique hostdomain.com name displayed in the online lab portal.

This lab requires the following virtual machines:

- LON-DC1
  o Sign in as Adatum\Administrator using the password Pa$$w0rd

- LON-DS1
  o Sign in as Adatum\Administrator using the password Pa$$w0rd

- LON-CL1
  o Sign in as Adatum\Holly using the password Pa$$w0rd

Exercise 1: Configuring Exchange Online recipients


Scenario
In preparation for migrating more users to Office 365, you need to ensure that you can manage Exchange
Online recipients by using the Exchange admin center and Windows PowerShell.

The main tasks for this exercise are as follows:

1. Create user mailboxes.

2. Create groups and assign mailboxes.

3. Connect to Exchange Online with Windows PowerShell.

4. Create resource mailboxes.

5. Configure additional Exchange Online recipients.



Task 1: Create user mailboxes


1. On LON-CL1, in Internet Explorer, navigate to https://login.microsoftonline.com/ and sign in as
holly@Adatumyyxxxxx.hostdomain.com, with the password Pa$$w0rd.

2. Open the Office 365 admin center.

3. Create the following user accounts:

o Martina Blair
o Matt Villagomez (since Matt@adatumyyxxxxx.hostdomain.com is in use, use the username MattV)

o Olivia Emerson

o Kendra Sexton

4. For each user:

a. Type password: Pa$$w0rd

b. Make this person change their password the next time they sign in: Not selected
c. Select licenses for this user: Office 365 Enterprise E3

5. Open the Exchange admin center and click recipients.

Note: It might take a few minutes for the mailboxes to appear. Click the refresh icon
periodically until they do.

Task 2: Create groups and assign mailboxes

- Create the following distribution groups with the following members:
  o IT: Olivia Emerson
  o Managers: Martina Blair
  o Development: Matt Villagomez
  o Sales: Kendra Sexton

Task 3: Connect to Exchange Online with Windows PowerShell


1. On the desktop, right-click Windows Azure Active Directory Module for Windows PowerShell, and
then click Run as administrator.

Note: If you copy the following commands from the courseware, you can paste them into
the virtual machine. On the Virtual Machine Connection menu, click Clipboard, and then click
Type clipboard text.

2. In the Windows PowerShell window, run the following cmdlet:

$credential = Get-Credential

3. Sign in as holly@Adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

4. In the Windows PowerShell window, run the following cmdlet:

connect-msolservice –credential $credential

5. In the Windows PowerShell window, run the following cmdlet:

$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection

6. In the Windows PowerShell window, run the following cmdlet:

Import-PSSession $exchangeSession -DisableNameChecking

7. In the Windows PowerShell window, run the following cmdlet:

Get-AcceptedDomain

Note: This command returns the list of accepted domains and verifies that you can connect to your Office 365 subscription. The remote PowerShell session above uses Basic authentication, which Microsoft has since retired for Exchange Online; on a current tenant, install the ExchangeOnlineManagement module and run Connect-ExchangeOnline instead, which uses modern authentication and works with multi-factor authentication.

Task 4: Create resource mailboxes

1. In the Exchange Admin center, open resources.

2. In the Windows PowerShell window, run the following cmdlet:

New-Mailbox -Name "Conference Room" -Room

3. In the Windows PowerShell window, run the following cmdlet:

Set-CalendarProcessing "Conference Room" -AutomateProcessing AutoAccept

4. In the Windows PowerShell window, run the following cmdlet:

New-Mailbox -Name "Demonstration Laptop" -Equipment

5. In the Windows PowerShell window, run the following cmdlet:

Set-CalendarProcessing "Demonstration Laptop" -AutomateProcessing AutoAccept

Note: If you receive an error when you run the Set-CalendarProcessing cmdlet for either of these objects, wait a few moments and repeat.

6. In the Exchange Admin center, click Refresh. You should be able to see both resources.

7. In the Windows PowerShell window, run the following cmdlet:

Set-Mailbox "Conference Room" -ResourceCapacity 25

8. In Exchange Admin center, click Refresh. You should be able to see the changes you made in the details pane on the right.

Task 5: Configure additional Exchange Online recipients


1. On LON-CL1, open C:\Labfiles\ExternalContacts.csv and review its contents. Close the file.

2. In Exchange Admin center, click contacts.

3. In the Windows PowerShell window, run the following cmdlet:

CD C:\Labfiles

Note: If you copy the following commands from the courseware, you can paste them into
the virtual machine. On the Virtual Machine Connection menu, click Clipboard, and then click
Type clipboard text.

4. In the Windows PowerShell window, run the following cmdlet:

Import-Csv .\Externalcontacts.csv | %{New-MailContact -Name $_.Name -DisplayName $_.Name -ExternalEmailAddress $_.ExternalEmailAddress -FirstName $_.FirstName -LastName $_.LastName}

5. In the Windows PowerShell window, run the following cmdlet:

$Contacts = Import-CSV .\externalcontacts.csv

6. In the Windows PowerShell window, run the following cmdlet:

$Contacts | ForEach {Set-Contact $_.Name -StreetAddress $_.StreetAddress -City $_.City -StateorProvince $_.StateorProvince -PostalCode $_.PostalCode -Phone $_.Phone -MobilePhone $_.MobilePhone -Pager $_.Pager -HomePhone $_.HomePhone -Company $_.Company -Title $_.Title -OtherTelephone $_.OtherTelephone -Department $_.Department -Fax $_.Fax -Initials $_.Initials -Notes $_.Notes -Office $_.Office -Manager $_.Manager}

7. In the Exchange Admin center, click Refresh. You can see the newly created objects.

Results: After completing this exercise, you will have created and configured Microsoft Exchange Online
recipients.

Exercise 2: Configuring delegated administration


Scenario
A. Datum has delegated some administrative tasks in Exchange Server 2016 on-premises and would like to
duplicate this configuration in Exchange Online.

The main tasks for this exercise are as follows:

1. Assign users to built-in role groups.

2. Create a new admin role and assign a user to it.

3. Create a new role assignment policy.



Task 1: Assign users to built-in role groups


1. In the Exchange admin center, on the permissions tab, on the admin roles tab, click Organization
management, and then click Edit.

2. Add Olivia as a member of the role.

Task 2: Create a new admin role and assign a user to it


1. Switch to Windows PowerShell.

Note: If you copy the following commands from the courseware, you can paste them into
the virtual machine. On the Virtual Machine Connection menu, click Clipboard, and then click
Type clipboard text.

2. In the Windows PowerShell window, run the following cmdlets:

Enable-OrganizationCustomization
New-RoleGroup -Name BranchOfficeAdmins -Roles "Mail Recipients", "Distribution Groups", "Move Mailboxes", "Mail Recipient Creation"

3. In the Windows PowerShell window, run the following cmdlet:

Add-RoleGroupMember "BranchOfficeAdmins" -Member Martina

4. In the Windows PowerShell window, run the following cmdlet:

Get-RoleGroupMember "BranchOfficeAdmins"

5. In the Exchange admin center, click Refresh. Ensure that you can see the new BranchOfficeAdmins
role group.

Task 3: Create a new role assignment policy


1. In the Exchange Admin center, click user roles.

2. Switch to Windows PowerShell.

Note: If you copy the following commands from the courseware, you can paste them into
the virtual machine. On the Virtual Machine Connection menu, click Clipboard, and then click
Type clipboard text.

3. In the Windows PowerShell window, run the following command:

New-RoleAssignmentPolicy "Limited Mailbox Configuration" -Roles MyBaseOptions, MyAddressInformation, MyDisplayName

4. To change the default role assignment policy for new mailboxes, in the Windows PowerShell window,
run the following command:

Set-RoleAssignmentPolicy "Limited Mailbox Configuration" -IsDefault

5. When prompted, type Y, and then press Enter.


6. In the Exchange admin center, click Refresh. You can see the new role assignment policy.

Results: After completing this exercise, you will have configured delegated administration of your
Exchange Online organization.

To prepare for the next module


When you have finished the lab, leave all of the virtual machines running.

Module Review and Takeaways


Review Questions
Question: What do you need to do to manage your Exchange Online tenant by using
Windows PowerShell?

Question: What types of groups can you use in Exchange Online?



Module 7
Planning and configuring Exchange Online services
Contents:
Module Overview 7-1

Lesson 1: Planning and configuring email flow in Office 365 7-2

Lab A: Configuring message transport in Exchange Online 7-11

Lesson 2: Planning and configuring email protection in Office 365 7-15

Lesson 3: Planning and configuring client access policies 7-25

Lesson 4: Migrating to Exchange Online 7-30

Lab B: Configuring email protection and client policies 7-42

Module Review and Takeaways 7-46

Module Overview
The Exchange Online functionality in Office 365 is a complete replacement for an on-premises email
solution. However, you should consider several factors when configuring an on-premises solution, much as
you would when configuring Exchange Online. You need to configure email flow to allow reception and
delivery of Internet messages, and messages from applications and partners. You also need to configure
anti-malware and anti-spam settings to meet your organization’s needs. To manage Outlook on the web
and mobile devices, you can create policies that you can apply to individual users. Finally, your organization
likely is using an email solution, so you must plan how to migrate from that existing solution to Exchange
Online.

Objectives
After completing this module, you will be able to:

• Plan and configure email flow in Office 365.

• Plan and configure anti-malware and anti-spam settings in Office 365.

• Plan and configure policies for Exchange clients.

• Plan and configure a migration to Exchange Online.



Lesson 1
Planning and configuring email flow in Office 365
When you create your Office 365 tenant (the subscriber, typically an organization, that uses your cloud
services), it can send and receive Internet messages automatically. However, to receive Internet messages
for the email domains that you own, you need to add those domains to Office 365 and configure the
necessary Domain Name System (DNS) records to support them. Adding your email domains is what
configures the reception of Internet messages for those domains.
You can modify the default mail flow by using connectors, transport rules, and journal rules. Connectors
define settings for sending and receiving messages. Typically, you need to create additional connectors
only to support specialized communication that requires enhanced security, such as Transport Layer
Security (TLS). You can use transport rules to modify messages based on matching conditions, such as
adding a disclaimer to all outbound messages. Journal rules send a copy of selected messages to a journal
mailbox for archiving. You typically would use journaling to meet compliance requirements.

If there are problems with message delivery, you can use message traces to identify the issue. Message
traces allow you to search logs, find specific messages, and display information about the message’s
delivery, including if there were errors during delivery.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe email flow with Office 365.

• Describe accepted and remote domains.

• Plan and configure connectors.

• Plan and configure transport rules.

• Plan and configure journal rules.

• Plan message flow for Office 365.

• Track message flow by using message trace.

Overview of email flow in Office 365


Email flow on the Internet is based on DNS records. When you add a domain to Office 365, a list of the
DNS records that you must add to your domain appears. You must add these DNS records to support all of
the Office 365 services, and the list contains all of the records for sending and receiving email.

Receiving email
Email servers on the Internet use mail exchanger
(MX) records to identify the server to which email
should be delivered. Each domain name that
receives email needs to have at least one MX
record. You can provide redundancy by using multiple MX records to identify multiple email servers that
can receive a specific domain’s messages.

For Office 365, you create only one MX record for each domain, and this MX record identifies a host record
that is unique to your domain, and which uses the following format:

    domain.mail.protection.outlook.com

When an email is addressed to an address in your domain, the email server delivers the message to this host
record. This host record resolves to multiple IP addresses to provide redundancy. Office 365 creates and
manages the host record automatically when you add the domain.

Office 365 includes antivirus and anti-spam functionality in the Exchange Online Protection (EOP) feature,
which scans all incoming email automatically.

Sending email
Office 365 requires no configuration to send outbound email to the Internet. A mailbox in Office 365 can
send email to the Internet automatically. However, to minimize the chance that a server classifies your
outbound messages as spam, you should configure a sender policy framework (SPF) record.

An SPF record is a text record that you create in DNS for your email domain, and it identifies the sources
that can send messages for your domain. You need to create an SPF record that identifies Office 365 as an
allowed source for your domain’s email messages.

You can create different types of SPF records, and you should verify the SPF record that Microsoft
recommends when you add your domain. In most cases, the text value will be similar to the following:

    v=spf1 include:spf.protection.outlook.com -all

The preceding text record indicates that email recipients should query spf.protection.outlook.com for an
SPF record that identifies the acceptable email sources from your domain and prohibits all other sources.

Additional Reading: For information about customizing SPF records, refer to Customize an
SPF record to validate outbound email sent from your domain: http://aka.ms/Bg0478.
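The following added example (not part of the courseware) checks, from a Windows client, whether a domain's MX and SPF records point at Exchange Online Protection as the lesson describes. It uses the Resolve-DnsName cmdlet from the DnsClient module that ships with Windows; contoso.com is a placeholder domain.

```powershell
# Added example (not from the courseware): verify that a domain's MX and SPF
# records point at Exchange Online Protection. Requires Resolve-DnsName
# (DnsClient module, Windows 8 / Windows Server 2012 and later).
# 'contoso.com' is a placeholder; replace it with one of your accepted domains.

function Test-EopMailDns {
    param(
        [Parameter(Mandatory)] [string] $Domain
    )

    $result = [ordered]@{
        Domain         = $Domain
        MxHosts        = @()
        MxPointsToEop  = $false
        SpfRecordCount = 0
        SpfRecord      = $null
        SpfIncludesEop = $false
        SpfHardFail    = $false
    }

    # MX: Office 365 expects one MX record whose target is *.mail.protection.outlook.com
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
          Where-Object { $_.QueryType -eq 'MX' }
    if ($mx) {
        $result.MxHosts       = @($mx | Sort-Object Preference | ForEach-Object { $_.NameExchange })
        $result.MxPointsToEop = [bool]($result.MxHosts |
                                 Where-Object { $_ -like '*.mail.protection.outlook.com' })
    }

    # SPF: a TXT record starting with v=spf1. A domain must publish exactly one;
    # two or more SPF records make receivers treat the result as a permanent error.
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq 'TXT' }
    $spf = @($txt | ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' })
    $result.SpfRecordCount = $spf.Count
    if ($spf.Count -gt 0) {
        $result.SpfRecord      = $spf[0]
        $result.SpfIncludesEop = $spf[0] -match 'include:spf\.protection\.outlook\.com'
        # "-all" (hard fail) tells receivers to reject mail from any other source;
        # "~all" (soft fail) only marks it, so it gives weaker protection against spoofing.
        $result.SpfHardFail    = $spf[0] -match '\s-all\s*$'
    }

    [pscustomobject]$result
}

Test-EopMailDns -Domain 'contoso.com' | Format-List
```

A domain that is ready for Office 365 shows MxPointsToEop and SpfIncludesEop as True and SpfRecordCount as 1; SpfHardFail False means the record ends in ~all or ?all, which receivers treat as advisory rather than as a reason to reject spoofed mail.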

Configuring accepted and remote domains


Office 365 uses accepted and remote domains to
control message flow and formatting. An accepted
domain identifies a domain for which your Office
365 tenant receives email. A remote domain
specifies formatting options that the server uses
when sending messages to an external domain.

Accepted domains
When you add a domain to Office 365, and prove
ownership of it, Office 365 adds it automatically as
an accepted domain in Exchange Online. After you
assign email addresses in that domain to
mailboxes, the mailboxes can receive messages
immediately.

In Exchange Online, an accepted domain can be:

• Authoritative. An authoritative domain is one for which Exchange Online is completely responsible.
Exchange Online hosts all recipients for that domain. This is the most common configuration for an
accepted domain.

• Internal relay. An internal relay domain is used when some mailboxes are in Exchange Online and some
mailboxes are in an external organization. Messages received for an internal relay domain are first
evaluated to identify whether there is a matching recipient in Exchange Online. If there is a matching
recipient, Exchange Online delivers the message to that recipient. If no matching recipient is found,
Exchange Online forwards the message through a send connector that is defined for the internal relay
domain. The send connector for the internal relay domain defines how to deliver the messages to
another organization.

You can use the Windows PowerShell Set-AcceptedDomain cmdlet to manage accepted domains.

Note: On-premises Exchange Server organizations can have external relay domains.
However, external relay domains are not available in Exchange Online.

Remote domains
Remote domains define settings for message delivery to SMTP domains that are external to your tenant in
Exchange Online. When you create a remote domain, you control the types of messages that are sent to
that domain. You also can apply message-format policies and acceptable character sets for messages that
your organization’s users send to the remote domain.

There is one remote domain named Default that exists after you enable Exchange Online for your tenant.
This remote domain is defined for the domain name *, which applies to all messages. You can create
remote domains for additional domains, as necessary, and often will create them for partner domains
where you want to allow automated messages that you typically do not allow. For example, a remote
domain for a partner organization may allow users to forward messages automatically that the Default
remote domain blocks.

Some of the settings that you can configure for a remote domain include:

• AllowedOOFType. Defines whether external or internal out-of-office messages are delivered to the
remote domain. The default is External.

• AutoReplyEnabled. Defines whether automatic replies are sent to the remote domain. The default is
$false.

• AutoForwardEnabled. Defines whether messages can be forwarded automatically to the remote
domain by using a rule. The default is $false.

• DeliveryReportEnabled. Defines whether delivery reports that clients request are sent to the remote
domain. The default is $true.

• NDREnabled. Defines whether nondelivery reports are sent to the remote domain. The default is
$true.

• ContentType. Defines the format for messages that are sent to the remote domain. The default is
MimeHtmlText, which formats all messages as HTML unless they are text-formatted.

You can use the Windows PowerShell New-RemoteDomain and Set-RemoteDomain cmdlets to create
and manage remote domains.
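The following added example (not part of the courseware) puts the accepted-domain and remote-domain cmdlets from this topic together: it reviews the accepted domains, converts a domain shared with another mail system to an internal relay domain, restricts the Default remote domain so that rule-generated forwards and auto-replies stay inside the organization, and then opens those options only for a named partner domain. It assumes an Exchange Online PowerShell session is already imported; all domain names are placeholders.

```powershell
# Added example (not from the courseware). Assumes an Exchange Online PowerShell
# session is already imported. Domain names are placeholders.

# 1. Accepted domains: review what the tenant accepts mail for.
Get-AcceptedDomain | Select-Object Name, DomainName, DomainType, Default

# A domain whose mailboxes are split between Exchange Online and another mail
# system becomes an internal relay domain. Recipients that do not exist in
# Exchange Online are forwarded through the outbound connector that targets the
# other organization (the connector itself is not created here).
Set-AcceptedDomain -Identity 'shared.contoso.com' -DomainType InternalRelay

# 2. Remote domains: the Default ('*') remote domain applies to every external
#    domain without a more specific entry. Turning off automatic forwarding and
#    auto-replies here stops inbox rules from pushing mail to outside addresses and
#    keeps out-of-office text from leaking internal details.
Set-RemoteDomain -Identity Default `
    -AutoForwardEnabled $false `
    -AutoReplyEnabled $false `
    -AllowedOOFType External   # only the external out-of-office text may leave

# A partner that genuinely needs automatic forwards gets its own remote domain.
# The most specific matching remote domain wins over '*'.
New-RemoteDomain -Name 'Humongous Insurance' -DomainName 'humongousinsurance.com'
Set-RemoteDomain -Identity 'Humongous Insurance' `
    -AutoForwardEnabled $true `
    -AutoReplyEnabled $true `
    -ContentType MimeHtmlText

# 3. Verify: list every remote domain that still allows automatic forwarding.
Get-RemoteDomain |
    Where-Object { $_.AutoForwardEnabled } |
    Select-Object Name, DomainName, AutoForwardEnabled, AutoReplyEnabled, AllowedOOFType
```

After the script runs, the verification list should contain only the partner entry. Because the Default remote domain covers every external domain, it is the first place to look when a ticket reports auto-forwarded messages leaving the organization, which is also the point of the Check Your Knowledge question at the end of this lesson.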

Planning and configuring connectors


Exchange Online automatically accepts email
messages from, and sends email messages to, the
Internet. However, you can create additional
connectors to meet your needs for specific
scenarios. One of the most common scenarios
requires TLS for inbound or outbound email to a
partner organization.

In Exchange admin center, the interface does not reference inbound and outbound connectors, but does
provide scenarios in which you choose a source and destination for the messages. When Office 365 is the
source, it is an outbound connector. When Office 365 is the destination, it is an inbound connector.

Inbound connectors
Your Exchange Online organization already accepts all incoming messages from the Internet anonymously.
However, you must create additional inbound connectors if you want different security settings, and some
available options for inbound connectors include:

• SenderDomains. Use to define specific sender domains to which a connector applies without knowing
specific IP addresses of the senders’ servers.

• SenderIPAddresses. Use to define specific source IP addresses to which a connector applies.

• AssociatedAcceptedDomains. Use to define specific accepted domains to which a connector applies.

• RequireTLS. Use to specify that TLS must be used for all communication in this inbound connector.

You can use the Windows PowerShell New-InboundConnector and Set-InboundConnector cmdlets to
manage inbound connectors.

Outbound connectors
Your Exchange Online organization already sends outbound messages to the Internet anonymously.
However, you must create additional outbound connectors if you want different security settings, and some
available options for outbound connectors include:

• IsTransportRuleScoped. Use to define that Exchange Online directs messages to this outbound
connector, if a transport rule selects it.

• RecipientDomains. Use to define a list of recipient domains that use this outbound connector.

• UseMXRecord. Use to specify that messages that this outbound connector delivers use MX records to
determine the delivery destination.

• SmartHosts. Use to specify a list of IP addresses that are the destination for messages that this
outbound connector delivers.

• TlsSettings. Use to specify how the send connector uses TLS. The options are for encryption only, for
certificate validation, and for domain validation.

You can use the Windows PowerShell New-OutboundConnector and Set-OutboundConnector cmdlets
to manage outbound connectors.

TLS for SMTP


By default, Exchange Online uses opportunistic TLS when sending or receiving email messages. This means
that if the destination server has a certificate installed to support TLS, it will use TLS. However, you have no
guarantee that TLS will be used. Therefore, to ensure that security requirements are met, you can specify
TLS for inbound or outbound connectors.
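The following added example (not part of the courseware) creates the pair of partner connectors that this topic describes, with TLS enforced in both directions, and then audits which connectors actually require TLS rather than relying on opportunistic TLS. It assumes an Exchange Online PowerShell session; humongousinsurance.com is a placeholder partner domain.

```powershell
# Added example (not from the courseware). Assumes an Exchange Online PowerShell
# session is already imported. humongousinsurance.com is a placeholder partner.

# Inbound (partner -> Office 365). Messages that claim to come from the partner
# domain are accepted only over TLS, and only when the presented certificate
# matches the partner's domain. RestrictDomainsToCertificate rejects mail for the
# sender domain that arrives without that certificate, so a spoofed sender on a
# plain connection is not let through.
New-InboundConnector -Name 'Humongous Insurance Incoming' `
    -ConnectorType Partner `
    -SenderDomains 'humongousinsurance.com' `
    -RequireTls $true `
    -TlsSenderCertificateName 'humongousinsurance.com' `
    -RestrictDomainsToCertificate $true `
    -Enabled $true

# Outbound (Office 365 -> partner). Deliver via the partner's MX records, but only
# after a TLS handshake in which the certificate comes from a trusted CA and its
# subject matches the partner domain (TlsSettings DomainValidation). EncryptionOnly
# would accept any certificate, including a self-signed one, and so would not stop
# an interposed server from reading the traffic.
New-OutboundConnector -Name 'Humongous Insurance Outgoing' `
    -ConnectorType Partner `
    -RecipientDomains 'humongousinsurance.com' `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain 'humongousinsurance.com' `
    -Enabled $true

# Audit: everything not listed with RequireTls/TlsSettings set is best-effort
# (opportunistic) TLS, which the lesson notes gives no guarantee.
Get-InboundConnector  | Select-Object Name, ConnectorType, SenderDomains, RequireTls, Enabled
Get-OutboundConnector | Select-Object Name, ConnectorType, RecipientDomains, TlsSettings, TlsDomain, Enabled
```

Validation of the outbound connector in Exchange admin center sends a test message to the partner; against a fictitious partner, as in Lab A, that validation fails while the connector is still created.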

Planning and configuring transport rules


You can use transport rules to restrict message flow or modify message contents when messages are in
transit. Transport rules can apply to internal or external messages, and Exchange Online evaluates every
message to determine whether it matches the conditions in a transport rule.

When you use transport rules, you can:


• Prevent specified users from sending or receiving email from other specified users.

• Prevent inappropriate content from entering or leaving your organization.

• Apply restrictions, based on message classifications, that restrict the flow of confidential organizational
information.

• Redirect incoming and outgoing messages for inspection before delivery.

• Apply disclaimers to messages as they pass through your organization.

• Apply message encryption to all outgoing messages.

Transport rules include conditions, actions, and exceptions, and the combination of these parts defines
what messages Exchange Online selects for processing and what action is taken on those messages.

The following section describes the various parts of a transport rule:

• Conditions. These indicate the email message attributes, headers, recipients, senders, or other message
parts that Exchange Online uses to identify the email messages to which it applies a transport rule
action. If the email message data that the condition is inspecting matches the condition’s value,
Exchange Online applies the rule, as long as the condition does not match an exception. You can
configure multiple transport rule conditions to narrow a rule’s scope to very specific criteria. However,
you do not need to apply any conditions, which means that the transport rule applies to all messages.

Note: If you configure multiple conditions on the same transport rule, the rule does not apply to an
email message unless that message matches all of its conditions. When you specify multiple
values on a single condition, a message satisfies the condition if it matches at least one of the
values.

• Actions. Exchange Online applies actions to email messages that match conditions you specify and for
which no exceptions are present. Each action affects email messages in a different way, such as
redirecting an email message to another address, or dropping the message.

• Exceptions. Exceptions determine which email messages to exclude from an action. You base transport
rule exceptions on the same predicates that you use to create transport rule conditions. Transport rule
exceptions override conditions, and they prevent Exchange Online from applying a transport rule
action to an email message, even if the message matches all transport rule conditions that you
configure. You can configure multiple exceptions on a transport rule to expand the criteria for which
Exchange Online should not apply a transport rule action.

Note: If you configure multiple exceptions on the same transport rule, only one exception
must match for Exchange Online to cancel the transport rule action. When you specify multiple
values on a single exception, if a message meets at least one of the values, Exchange Online
considers the exception satisfied.
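The following added example (not part of the courseware) shows the condition, action and exception logic just described as three New-TransportRule commands: a single-condition disclaimer rule, a rule that combines several ANDed conditions with an ORed value list and an overriding exception, and a rule that redirects inbound messages for inspection before delivery. It assumes an Exchange Online PowerShell session; the group, mailbox and domain names are placeholders.

```powershell
# Added example (not from the courseware). Assumes an Exchange Online PowerShell
# session is already imported. Group, user and domain names are placeholders.

# Rule 1: one condition. "Recipient is outside the organization" is the whole
# scope, and the action appends a disclaimer to every matching message.
New-TransportRule -Name 'External disclaimer' `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText '<hr/>If you are not the intended recipient of this message, you must delete it.' `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Rule 2: several conditions are ANDed (sender in Finance AND external recipient
# AND subject/body contains a word), while the values of a single condition are
# ORed (any one of the three words). The exception overrides the conditions:
# messages to the auditors' domain are left alone even when every condition
# matches. Mode Audit logs the match in message trace without acting, so the
# rule's real scope can be checked before it is enforced.
New-TransportRule -Name 'Moderate payroll data leaving Finance' `
    -FromMemberOf 'finance@contoso.com' `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords 'payroll', 'salary', 'bank account' `
    -ExceptIfRecipientDomainIs 'auditors.example' `
    -ModerateMessageByUser 'holly@contoso.com' `
    -Mode Audit `
    -Priority 0

# Rule 3: inbound messages carrying executable attachment types are redirected to
# a review mailbox instead of being delivered (inspection before delivery).
New-TransportRule -Name 'Hold executable attachments for review' `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords 'exe', 'js', 'vbs', 'scr' `
    -RedirectMessageTo 'mail-review@contoso.com' `
    -Mode Enforce

# Rules run in Priority order (0 first). Once the audit results for rule 2 look
# right, switch it to Enforce.
Get-TransportRule | Sort-Object Priority | Select-Object Priority, Name, State, Mode
Set-TransportRule -Identity 'Moderate payroll data leaving Finance' -Mode Enforce
```

Rule 2 is the one to study against the two notes above: a message from a Finance member to an external auditor that mentions salary matches all three conditions, yet the exception cancels the action, while a message from Finance to any other external address that mentions only one of the three words is moderated.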

Planning and configuring journal rules


You can use journaling to retain messages for
compliance reasons. Exchange Online sends copies
of messages that you identify for journaling to a
journaling mailbox, which you can review.

Journal reports
Exchange Online performs envelope journaling,
which means that it does not simply copy
journaled messages to the journaling mailbox.
Instead, it creates a journal report that it sends to
the journaling mailbox, with the original message
as an attachment. The journal report has
information about the message, such as the
subject, sender, recipient, and message-id, which is a unique Internet-message identifier. However, it does
not modify the original message.

Journal rules
You create journal rules to identify messages for journaling, on the basis of journal recipient and scope.
The journal recipients available for journal rules are:

• A specific user or group

• Apply to all messages

The scopes available for journal rules are:

• All messages

• Internal messages only

• External messages only

Journaling mailbox
When you apply journaling rules, you need to define a mailbox to which Exchange Online delivers journal
reports. You can send all journal reports to the same mailbox, or you can have multiple mailboxes. A journal
mailbox must be a mailbox that is hosted in an external email system, and it cannot be a mailbox in
Office 365.

When you create journaling mailboxes, remember that you must:

• Create dedicated journaling mailboxes. Journal reports should not be sent to a mailbox that your
organization uses for other purposes, such as a user’s mailbox.

• Identify how to perform data removal from journaling mailboxes that meets your compliance goals.
Journaling mailboxes gather large amounts of data quickly, so this is important. Alternatively, if you
have an unlimited archive, you can store messages from a journaling archive indefinitely.

• Limit and monitor access to journaling mailboxes. A journaling mailbox typically contains sensitive
information that should not be viewed except for compliance reasons. If you use multiple journal rules
for different purposes, it might be appropriate to have multiple journaling mailboxes so that you can
control access.

You can configure an alternate journaling mailbox, so that you avoid undeliverable messages in queues
when your journaling mailboxes are unavailable. You can configure only one alternate journaling mailbox,
and Exchange Online uses it when any journaling mailbox is unavailable. This is most likely to be used when
a mailbox on an external system is used as the journaling mailbox and the alternative is a mailbox in
Exchange Online.
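The following added example (not part of the courseware) configures journaling as this topic describes: the alternate (undeliverable) journaling mailbox, a rule scoped to one group with both internal and external messages, and an organization-wide rule for external messages only. It assumes an Exchange Online PowerShell session; the addresses and the group are placeholders, and the journaling target is an external address because the lesson states that a journaling mailbox cannot be an Office 365 mailbox.

```powershell
# Added example (not from the courseware). Assumes an Exchange Online PowerShell
# session is already imported. Addresses and the group name are placeholders.

# 1. Alternate journaling mailbox: where journal reports go when the journaling
#    mailbox rejects them, so they do not sit undeliverable in the queue. Per the
#    lesson, pick a mailbox that is not itself a journaling target, typically an
#    Exchange Online mailbox when the journaling mailbox is external.
Set-TransportConfig -JournalingReportNdrTo 'journal-ndr@contoso.com'

# 2. Journal every message sent to or from one group. Scope Global covers both
#    internal and external traffic for that recipient.
New-JournalRule -Name 'Development messages' `
    -Recipient 'development@contoso.com' `
    -JournalEmailAddress 'journal@archive.example' `
    -Scope Global `
    -Enabled $true

# 3. Journal only messages that cross the organization boundary, for all users.
#    Omitting -Recipient makes the rule apply to all messages in scope.
New-JournalRule -Name 'All external messages' `
    -JournalEmailAddress 'journal@archive.example' `
    -Scope External `
    -Enabled $true

# 4. Review the rules and confirm the alternate mailbox is set. A journal rule
#    whose target rejects mail and no NDR address is the usual cause of stuck
#    journal reports.
Get-JournalRule | Select-Object Name, Recipient, Scope, JournalEmailAddress, Enabled
(Get-TransportConfig).JournalingReportNdrTo
```

Because the journal reports carry the complete original message as an attachment, access to journal@archive.example needs the same restriction and monitoring that the checklist above asks for the journaling mailbox itself.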

Planning message flow for Office 365


Some organizations use only the default Exchange
Online message flow, in which Exchange Online
accepts anonymous messages from the Internet
and uses opportunistic TLS to secure messages.
However, many organizations have additional
needs that might require you to modify the default
message flow.

On-premises applications
Many organizations have on-premises applications
that deliver email messages, such as:

• Accounting systems that send invoices.

• Scanners that deliver PDF copies of scanned documents.

• Fax servers that deliver PDF copies of faxes.

If an application sends messages only to users in your Exchange Online tenant, the default configuration
might be sufficient. You only need to point the application at Office 365 for message delivery. This allows
anonymous message delivery in your organization. However, consider the following scenarios:

• The application might need to send messages to external users. The simplest solution for this problem
is to have the application authenticate to Exchange Online to send these messages. If you cannot
configure the application to authenticate, you can configure an inbound connector that allows relaying
to external addresses that a source IP address secures. However, you should avoid unauthenticated
relaying whenever possible.

• The application messages need to be secured. To enforce message security, you can require TLS on an
inbound connector.

Partner organizations
You may have unique requirements when dealing with partner organizations. You can use inbound and
outbound connectors to enforce specific security requirements. You also can use outbound connectors to
deliver messages to email servers that do not have MX records configured. For example, you might:

• Require TLS for communication. Typically, financial organizations require TLS because they deal with
confidential information, such as payroll or insurance claims.

• Relay messages through a non-Microsoft partner for compliance.

Integration with on-premises Exchange Server


A hybrid configuration integrates Exchange Online with an on-premises Exchange organization, which
allows mailboxes for the same domain to exist in Exchange Online and the on-premises Exchange
organization. When you enable a hybrid configuration, connectors are created to secure message flow
between Exchange Online and the on-premises Exchange server.

Tracking message flow by using message trace


It is quite common to get reports from users that a
message has not been delivered. The message
trace functionality in Exchange Online allows you
to view a message’s progress through the
Exchange Online servers, and identify whether a
message has been delivered. If the message has
not been delivered, you can investigate based on
the error messages in the message trace.

Message trace in Exchange admin center


Exchange admin center provides a simple user
interface that you can use to perform a message
trace. When you perform a message trace, you can
specify the following search criteria:

• Date range

• Delivery status

• Message ID

• Sender

• Recipient

Note: When you add a sender or recipient, it might appear that you are unable to add email
addresses that are not part of your organization. However, you can add any email address by
typing it in the box next to the Check names button.

Message trace in Windows PowerShell


You can use the Windows PowerShell Get-MessageTrace cmdlet to search for messages that have been
sent or received. You then can use the Get-MessageTraceDetail cmdlet to view the same details that are
available in Exchange admin center.

Some of the parameters that you can use with the Get-MessageTrace cmdlet include:

• StartDate

• EndDate

• MessageID

• SenderAddress

• RecipientAddress

• FromIP

Note: There often is a delay of 5 to 30 minutes before message trace information is available
after a message is sent. This applies to both Exchange admin center and Windows PowerShell.
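The following added example (not part of the courseware) wraps Get-MessageTrace and Get-MessageTraceDetail in a function that finds every message from one sender over the last few days that did not reach Delivered or Pending status, and attaches the last per-hop event and detail text for each so that the error can be read without opening Exchange admin center. It assumes an Exchange Online PowerShell session; the sender address is a placeholder.

```powershell
# Added example (not from the courseware). Assumes an Exchange Online PowerShell
# session is already imported. Addresses are placeholders. Remember the 5 to 30
# minute lag before a sent message appears in the trace.

function Get-RecentDeliveryProblems {
    param(
        [Parameter(Mandatory)] [string] $SenderAddress,
        [int] $Days = 2
    )
    $end   = Get-Date
    $start = $end.AddDays(-$Days)

    # Get-MessageTrace returns one page per call (PageSize up to 5000), so loop
    # until a page comes back short.
    $page = 1
    $all  = @()
    do {
        $batch = @(Get-MessageTrace -SenderAddress $SenderAddress `
                      -StartDate $start -EndDate $end -PageSize 5000 -Page $page)
        $all  += $batch
        $page++
    } while ($batch.Count -eq 5000)

    # Delivered and Pending are normal; anything else (Failed, Quarantined,
    # FilteredAsSpam, Expanded ...) deserves a look.
    $problems = $all | Where-Object { $_.Status -notin @('Delivered', 'Pending') }

    foreach ($m in $problems) {
        # Detail records hold the per-hop events (Receive, Spam, Fail, Deliver ...)
        # and the human-readable reason in their Detail property.
        $detail = Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId `
                      -RecipientAddress $m.RecipientAddress
        $last   = $detail | Sort-Object Date | Select-Object -Last 1
        [pscustomobject]@{
            Received  = $m.Received
            Recipient = $m.RecipientAddress
            Subject   = $m.Subject
            Status    = $m.Status
            FromIP    = $m.FromIP
            LastEvent = $last.Event
            Reason    = ($detail | Where-Object { $_.Detail } | Select-Object -Last 1).Detail
        }
    }
}

Get-RecentDeliveryProblems -SenderAddress 'francisco@contoso.com' -Days 2 |
    Format-Table -AutoSize
```

For a ticket that says "my message never arrived", running this against the reporting user's address distinguishes a message that was never received by Exchange Online (nothing in the trace at all) from one that was rejected, quarantined or filtered as spam, which the Reason column then explains.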

Check Your Knowledge


Question

You have a trouble ticket to resolve that indicates that automatic replies and
automatically forwarded messages are being delivered outside of your Exchange
organization. Furthermore, the ticket indicates that this behavior needs to stop, and
that you should not allow rule generated messages outside your organization. What is
the best way to implement these changes?

Select the correct answer.

[X] Modify the default remote domain to block automatic replies and automatic forwarding.

[ ] Create a new remote domain that blocks automatic replies and automatic forwarding.

[ ] Use Set-OrganizationConfig to block automatic replies and automatic forwarding.

[ ] Use a script to block automatic replies and automatic forwarding for all users.

[ ] Create a transport rule to block automatic replies and automatic forwarding.

Verify the correctness of the statement by placing a mark in the column to the right.

Statement: After adding a domain to Office 365, you need to configure it as an accepted domain before
Exchange Online can use it for email reception.

Answer: F

Lab A: Configuring message transport in Exchange Online


Scenario
The pilot project is going well at A. Datum Corporation. However, before you finish the pilot project and
perform a full deployment, you need to confirm that you can configure Exchange Online settings to match
the on-premises settings for options such as message transport.

Objectives
After completing this lab, you will be able to:

• Configure message transport settings.

Lab Setup
Estimated Time: 35 minutes

Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, 20347A-LON-CL1, 20347A-LON-CL2

User names: Adatum\Administrator, Adatum\Holly, Lon-CL2\Francisco

Password: Pa$$w0rd
In all tasks:

• In references to Adatumyyxxxxx.onmicrosoft.com, replace Adatumyyxxxxx with your unique Office 365
name that displays in the online lab portal.

• In references to Adatumyyxxxxx.hostdomain.com, replace the Adatumyyxxxxx with your unique
hostdomain.com name that displays in the online lab portal.

This lab requires the following virtual machines:

• LON-DC1

o Sign in as Adatum\Administrator using the password Pa$$w0rd

• LON-DS1

o Sign in as Adatum\Administrator using the password Pa$$w0rd

• LON-CL1

o Sign in as Adatum\Holly using the password Pa$$w0rd

• LON-CL2

o Sign in as LON-CL2\Francisco using the password Pa$$w0rd

Exercise 1: Configuring message-transport settings


Scenario
A. Datum has several email transport settings configured in their on-premises Exchange environment. You
need to ensure that you also can configure the same settings in Exchange Online, including:

• A custom send and receive connector that will enforce TLS when sending email messages to, or
receiving them from, a partner organization.

• A transport rule that will apply a disclaimer to all messages sent to external users.

• A transport rule that requires moderator approval for all messages sent to the manager distribution list.

• A journal rule that will retain a copy of all messages sent to and from members of the Development
department.

You also need to verify that you can track messages sent between users on Office 365 and sent to external
users.

The main tasks for this exercise are as follows:

1. Connect to Exchange Online in Windows PowerShell.

2. Create a custom send and receive connector to enforce TLS.

3. Create transport rules.

4. Create a journal rule for members of the research department.

5. Track internal and external message delivery.

Task 1: Connect to Exchange Online in Windows PowerShell


1. On LON-CL1, open Windows Azure Active Directory Module for Windows PowerShell.

Note: You might have a Windows PowerShell connection to Office 365 open from a previous
lab. If so, you can use the existing connection and skip this step.

2. Run the following command, and then sign in as Holly@adatumyyxxxxx.hostdomain.com with the
password Pa$$w0rd.

$cred=Get-Credential

3. Run the following command:

$Session=New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection

4. Run the following command:

Import-PSSession $Session

Task 2: Create a custom send and receive connector to enforce TLS


1. Use Microsoft Edge to sign in to Exchange admin center as
Holly@adatumyyxxxxx.hostdomain.com with the password of Pa$$w0rd.

2. Browse to connectors in mail flow.

3. Create a new connector with the following settings:

o Name: Humongous Insurance Outgoing

o From: Office 365

o To: Partner organization

o For email sent to: humongousinsurance.com


o Use MX records for delivery

o Require TLS using a certificate from a trusted CA

o Validation email: postmaster@humongousinsurance.com

Note: Validation of mail flow will fail because the connector is to a fictitious organization.
This is expected behavior for this lab.

4. Create a new connector with the following settings:

o Name: Humongous Insurance Incoming

o From: Partner organization


o To: Office 365

o For email received from: humongousinsurance.com

o Reject messages that do not use TLS

Task 3: Create transport rules


1. On LON-CL1, in the Exchange admin center, create a new disclaimer rule with the following settings:

o Name: A. Datum Disclaimer

o Apply the rule if: The recipient is located Outside the organization

o Disclaimer text: <HR> If you are not the intended recipient of this message, you must delete it

2. Create a new rule that sends messages to a moderator, with the following settings:

o Name: Moderate Managers

o Apply the rule if: The recipient is a member of Managers

o Do the following: Forward the message for approval to Holly Dickson


3. On LON-CL2, use Microsoft Edge to sign in to Outlook on the web as
Francisco@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

4. Send a message to alias@outlook.com, where alias@outlook.com is the Microsoft account that you
configured at the beginning of this course, and then verify that the disclaimer was added.

5. Send a message to Martina to test the moderation rule.

6. On LON-CL1, open Outlook 2016, read the approval request, and then approve it.

Task 4: Create a journal rule for members of the research department


1. On LON-CL1, in the Exchange admin center, browse to journal rules in compliance management.

2. Configure undeliverable journal reports to be sent to Holly Dickson.

3. Create a new journal rule with the following settings:

o Send journal reports to: journal@humongousinsurance.com

o Name: Development messages

o If the message is sent to or received from: the Development group


o Journal all messages

Task 5: Track internal and external message delivery


1. On LON-CL1, in the Exchange admin center, browse to message trace in mail flow.

2. Perform a search with the default settings.

3. Review the most recent message sent from Francisco to alias@outlook.com, and then verify that the
disclaimer was applied.

4. Review the most recent message sent from Francisco to Martina, and then verify that the message was
sent for moderation.

Results: After completing the exercise, you will have configured message-transport settings.
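The lab above is performed in the Exchange admin center; the same configuration in Exchange Online PowerShell follows as an added example, not part of the course lab. It assumes an already connected Exchange Online PowerShell session and reuses the lab's placeholder names (adatumyyxxxxx.hostdomain.com, alias@outlook.com, humongousinsurance.com); the SMTP addresses assumed for Holly, the Managers group and the Development group are guesses.

```powershell
# Added example (not from the course lab): Tasks 2-5 of the lab in Exchange Online PowerShell.
$tenant = 'adatumyyxxxxx.hostdomain.com'   # lab placeholder tenant domain

# Task 2: partner connectors. Outbound requires TLS with a certificate from a trusted CA;
# inbound rejects anything that does not use TLS.
$outgoing = @{
    Name                 = 'Humongous Insurance Outgoing'
    ConnectorType        = 'Partner'
    RecipientDomains     = 'humongousinsurance.com'
    UseMXRecord          = $true
    TlsSettings          = 'CertificateValidation'
    ValidationRecipients = 'postmaster@humongousinsurance.com'   # validation fails: fictitious partner
}
New-OutboundConnector @outgoing

$incoming = @{
    Name          = 'Humongous Insurance Incoming'
    ConnectorType = 'Partner'
    SenderDomains = 'humongousinsurance.com'
    RequireTls    = $true
}
New-InboundConnector @incoming

# Task 3: disclaimer for external recipients, and moderation for mail to the Managers group.
New-TransportRule -Name 'A. Datum Disclaimer' `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText '<HR> If you are not the intended recipient of this message, you must delete it' `
    -ApplyHtmlDisclaimerFallbackAction Wrap

New-TransportRule -Name 'Moderate Managers' `
    -SentToMemberOf "Managers@$tenant" `
    -ModerateMessageByUser "Holly@$tenant"

# Task 4: journal the Development group; undeliverable journal reports go to Holly.
Set-TransportConfig -JournalingReportNdrTo "Holly@$tenant"
New-JournalRule -Name 'Development messages' `
    -JournalEmailAddress 'journal@humongousinsurance.com' `
    -Recipient "Development@$tenant" `
    -Scope Global

# Task 5: message trace. Trace data lags delivery by a few minutes.
$start = (Get-Date).AddHours(-2)
$trace = Get-MessageTrace -SenderAddress "Francisco@$tenant" -StartDate $start -EndDate (Get-Date) |
    Sort-Object Received -Descending
$trace | Format-Table Received, RecipientAddress, Subject, Status

# Per-recipient events show the rule hits: the disclaimer rule on the message to alias@outlook.com
# and the moderation rule on the message to Martina.
foreach ($m in $trace | Select-Object -First 2) {
    Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId -RecipientAddress $m.RecipientAddress |
        Select-Object Date, Event, Action, Detail
}
```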

Lesson 2
Planning and configuring email protection in Office 365
An unprotected mailbox can quickly fill with spam and malware, so email protection is an important
component of Office 365, which provides it through the Exchange Online Protection (EOP) feature.

In EOP, you can configure filters to meet your organization’s needs, including the malware filter, the
connection filter, and the spam filter. The malware filter specifies how Exchange Online handles messages
that include malware and whether it sends notifications about the malware. The connection filter allows
you to block or allow connections from specific IP addresses. The spam filter has various settings that you
can configure so that you can specify how Exchange Online handles potential spam. You can use reports to
monitor email protection and identify patterns that require further action.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the EOP feature.

• Configure the malware filter.

• Configure the connection filter.

• Configure the spam filter.

• Manage the message quarantine.

• Describe EOP reports.

• Integrate EOP with on-premises Exchange servers.

• Describe considerations for configuring email protection.

Overview of EOP
EOP is a cloud service in Exchange Online that
provides both anti-spam and antivirus protection.
However, you also can subscribe to EOP as a
standalone product for use with on-premises
Exchange organizations.
The service level agreement for EOP is:

• Anti-spam effectiveness > 99%

• False positive ratio < 1:250,000

• Blocking of known viruses 100%

• Uptime 99.999%

EOP scans inbound and outbound messages. Scanning inbound messages helps protect your organization,
as infected inbound messages are a common malware delivery mechanism. Scanning outbound messages
helps prevent a computer in your organization that may be infected with malware from sending messages
to your colleagues or clients.

In the default configuration of EOP for Exchange Online:

• The malware filter deletes all messages in which malware is detected.

• The spam filter moves spam messages to the Junk Email folder.

• Outbound spam detection is enabled.

Note: To help improve the spam detection process, you can submit spam that was not
detected to junk@office365.microsoft.com. Examples of phishing scams can be sent to
phish@office365.microsoft.com.

Exchange Online Advanced Threat Detection


You can add Exchange Online Advanced Threat Detection to an Exchange Online tenant. Advanced Threat
Detection increases protection against zero-day threats that are not identified currently.

Advanced threat detection:

• Scans suspicious attachments by using real-time behavioral malware analysis to identify previously
unidentified threats.

• Scans links in email messages to verify that they are safe.

• Provides additional reporting about unknown malware and malicious links.

Configuring the malware filter


Exchange Online uses the EOP malware protection
to protect user mailboxes against infected
messages. EOP uses multiple industry-leading,
malware-detection engines to scan incoming and
outgoing mail, and it updates these engines
regularly as new virus definitions appear.
You can use anti-malware policies to control what
happens when EOP detects malware. One default
anti-malware policy applies to all messages, unless
you create additional anti-malware policies. In
each anti-malware policy, you can select the
messages to which you want a policy to apply by
specifying a recipient, an accepted domain, or a group.

Detection response
The detection response defines the action that EOP performs when it detects malware in a message. You
can select:

• Delete the entire message. EOP deletes the message, and the recipient receives no notification that the
message was blocked.

• Delete all attachments and use default alert text. EOP deletes all attachments, but the message is sent
to the user with alert text that notifies them that the attachments were deleted.

• Delete all attachments and use custom alert text. This option allows you to customize the alert text sent
when malware is detected. You can use this to provide contact information for your help desk, in case
the user has additional questions, or you can provide instructions for further actions that the user
should perform.

Sender notifications
By default, senders are not notified when the malware filter blocks their messages. You can enable
notifications for internal senders and external senders separately. Notifying senders alerts them that there is
a problem. However, there is a high likelihood that malware from external senders has a spoofed email
address, so when you send the notification, it is sent to an email address that had nothing to do with
sending the infected message.

Administrator notifications
By default, administrators are not notified when the malware filter blocks a message. You can enable
notifications for messages from internal and external senders separately, and you also can specify separate
administrators to notify for internal and external senders.

You might want to be notified when the malware filter blocks internal senders because someone in your
organization should be informed that an internal computer is sending malware. Notifications about
incoming malware are less likely to be useful.

Customizing notifications
You can customize the notifications that are sent for sender and administrator notifications, and you also
can customize the From name and From address, but EOP uses the same name and address for all
notifications.
The notification messages sent to senders and administrators are the same. However, you can configure a
separate subject and message for messages from internal and external senders.
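An anti-malware policy that applies the detection response and notification choices described above, added here as an example (not the course's own code). The policy name, the group Research@adatum.com, the help desk and notification addresses and the alert text are assumptions.

```powershell
# Added example: anti-malware policy for one group, with the notification choices discussed above.
$policy = @{
    Name            = 'Research Malware Policy'
    Action          = 'DeleteAttachmentAndUseCustomAlert'
    CustomAlertText = 'Attachments were removed because malware was detected. Contact the help desk on extension 1234 if you need the file.'
    # Sender notifications: internal senders only. External sender addresses are frequently spoofed,
    # so a notification would reach someone who never sent the message.
    EnableInternalSenderNotifications      = $true
    EnableExternalSenderNotifications      = $false
    # Administrator notifications: internal senders only, because an internal sender of malware
    # means an internal computer is probably infected; notices about inbound malware add little.
    EnableInternalSenderAdminNotifications = $true
    InternalSenderAdminAddress             = 'helpdesk@adatum.com'
    EnableExternalSenderAdminNotifications = $false
    # One From name and From address serve every notification the policy sends; the subject and
    # body can differ for internal and external senders.
    CustomNotifications   = $true
    CustomFromName        = 'A. Datum Mail Security'
    CustomFromAddress     = 'mailsecurity@adatum.com'
    CustomInternalSubject = 'Malware detected in a message you sent'
    CustomInternalBody    = 'A message you sent from inside A. Datum contained malware. Your computer may be infected; please contact the help desk.'
}
New-MalwareFilterPolicy @policy

# The rule decides which messages the policy applies to (recipient, accepted domain or group);
# everything not matched by a rule still gets the default policy.
New-MalwareFilterRule -Name 'Research Malware Rule' `
    -MalwareFilterPolicy 'Research Malware Policy' `
    -SentToMemberOf 'Research@adatum.com' `
    -Priority 0

# Verify the detection response and admin notification settings of every policy.
Get-MalwareFilterPolicy |
    Format-Table Name, Action, EnableInternalSenderAdminNotifications, InternalSenderAdminAddress
```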

Configuring the connection filter


Each Exchange Online tenant has one connection
filtering policy that applies to all incoming
messages. You can use the connection filtering
policy to block or allow specific IP addresses from
sending messages to your organization.
The connection filter has three settings:

• IP Allow list. EOP allows IP addresses that are on this list to pass through the anti-spam filter.
You can use this to ensure that EOP does not block email messages from partner organizations.

• IP Block list. EOP prevents IP addresses that are on this list from sending messages to your
organization. You can use this to block the IP addresses of spammers that EOP's anti-spam scanning
does not detect automatically. For example, a computer infected with malware might be sending spam
to you because your address is in its contact list. After you identify this, you can block the IP address
of the infected computer.

• Enable safe list. When you enable this option, EOP uses a list of trusted senders that Microsoft
maintains to minimize the risk of a false-positive detection of spam. We recommend enabling this
option.

CIDR ranges
In the IP Allow and IP Block lists, you can enter individual IP addresses or Classless Interdomain Routing
(CIDR) ranges such as 23.103.191.0/24. However, you cannot enter a CIDR range larger than /24 in the
connection filter. If you need to enter a larger address space, you need to enter multiple /24 ranges or use a
transport rule to set the spam confidence level (SCL) to Bypass spam filtering.
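The connection filter settings and the /24 workaround in PowerShell, added here as an example (not course code). The helper that splits a larger range into /24 blocks is mine, the address ranges are constructed from documentation address space, and the transport rule name is an assumption.

```powershell
# Added example: connection filter settings plus a helper for the /24 limit.
function Split-IntoSlash24 {
    # Expand a CIDR range shorter than /24 (e.g. 198.51.100.0/22) into the /24 blocks the
    # connection filter accepts. Single addresses and /24-or-longer prefixes pass through unchanged.
    param([Parameter(Mandatory)][string]$Cidr)
    if ($Cidr -notmatch '/') { return $Cidr }
    $network, $prefixText = $Cidr -split '/'
    $prefix = [int]$prefixText
    if ($prefix -ge 24) { return $Cidr }
    # Dotted quad -> 32-bit number, kept in Int64 so the bit operations never go negative.
    $bytes = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    $value = [int64]0
    foreach ($b in $bytes) { $value = ($value -shl 8) -bor $b }
    $all32 = ([int64]1 -shl 32) - 1
    $mask  = ($all32 -shl (32 - $prefix)) -band $all32
    $start = $value -band $mask
    $blocks = [int64]1 -shl (24 - $prefix)        # number of /24 blocks in the range
    for ($i = 0; $i -lt $blocks; $i++) {
        $a = $start + ($i * 256)
        $octets = (($a -shr 24) -band 255), (($a -shr 16) -band 255), (($a -shr 8) -band 255), ($a -band 255)
        '{0}/24' -f ($octets -join '.')
    }
}

# Constructed input: a partner's /22 becomes four entries, 198.51.100.0/24 .. 198.51.103.0/24.
$partnerRanges = Split-IntoSlash24 '198.51.100.0/22'
$allowList = @('203.0.113.0/24') + $partnerRanges   # another partner relay, already a /24
$blockList = @('192.0.2.45')                        # an infected host that keeps sending spam

# Each tenant has exactly one connection filter policy, so Identity is always Default.
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPAllowList @{Add = $allowList} `
    -IPBlockList @{Add = $blockList} `
    -EnableSafeList $true

Get-HostedConnectionFilterPolicy -Identity Default | Format-List IPAllowList, IPBlockList, EnableSafeList

# The alternative from the text for a large range: a transport rule that sets SCL -1 (bypass spam
# filtering) for the whole range instead of listing every /24 in the connection filter.
New-TransportRule -Name 'Bypass spam filtering for partner range' `
    -SenderIpRanges '198.51.100.0/22' `
    -SetSCL -1
```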

Configuring the spam filter


Spam filters control the detection of spam and
what happens to detected spam. Each Exchange
Online tenant includes Default, a single, default
spam filter that applies even if you do not apply
other spam filters. You can modify the Default
spam filter or create additional spam filters. By
creating additional spam filters, you can control
the spam filter settings based on recipient,
recipient domain, or recipient group membership.

You can manage spam filters in the Exchange admin center or by using the following Windows
PowerShell cmdlets:

• New-HostedContentFilterPolicy

• Set-HostedContentFilterPolicy

Spam and bulk actions


Exchange Online analyzes incoming messages and assigns them a spam confidence level (SCL) between -1
and 9, as follows:

• An SCL of 4 or less is not spam.

• An SCL of 5 or 6 is spam, which indicates that the message likely is spam, but this category can include false positives.

• An SCL of 7 or more is high-confidence spam, which means the message definitively is spam.

You can set different actions for spam and high confidence spam. By default, Exchange Online moves both
categories to the user’s Junk Email folder, but you could decide to delete all high-confidence spam instead
of putting it in the Junk Email folder.

The actions that you can perform on spam and high-confidence spam are:

• Move message to the Junk Email folder. Keeps spam messages from cluttering user inboxes, but still
allows users to access false positive messages.

• Add X-header. Adds a header to the message with text of your choosing. You can create transport rules
that perform further processing on these messages.

• Prepend subject line with text. Adds text to the beginning of the message subject. You can use this
setting when you want users to know about spam messages, so they can evaluate them, and ensure
users do not ignore them or inadvertently not receive important messages that have been sent to the
Junk Email folder.

• Redirect message to an email address. Redirects the message to an email address that you define. You
can use this to have a shared mailbox where spam is stored for later evaluation if required.

• Delete message. Deletes the spam message without delivering it to the user or an alternate location.
You can use this to delete messages that have a high likelihood of being spam with a low risk of being a
false positive.

• Quarantine message. Places the message in quarantine, from which either the user or an administrator
can release it. This keeps spam out of user mailboxes, and it provides an easy way to release false
positives.

Bulk email is not necessarily spam. EOP maintains a list of bulk email senders and rates them with a Bulk
Complaint Level (BCL) value based on the number of complaints that are received. A BCL of 0 indicates that
a message is not from a bulk sender, while a BCL of 8 or 9 indicates a high number of complaints, and
indicates that the message likely is spam.

You have the option to mark messages with a specific BCL value as spam. By default, EOP marks messages
from senders with a BCL of 7 as spam, but you can raise or lower this value.

Block and allow lists


You can use the block and allow lists to control whether EOP marks messages as spam. EOP always marks
messages from a sender or domain on a block list as high-confidence spam. However, it never marks
messages from a sender or domain on an allow list as spam.

International spam
If your organization has known patterns of messaging that uses only specific languages or receives
messages only from specific regions, you can use international spam settings, which allow you to:

• Mark messages in specific languages as high-confidence spam.

• Mark messages from specific regions as high-confidence spam.

Advanced options
The advanced options allow you to enable and disable additional scanning criteria that can be used to
identify spam more accurately. By default, all of the options are disabled.

You can enable the following criteria to increase a message's SCL:

• Image links to remote sites

• Numeric IP address in URL

• URL redirect to another port

• URL to .biz or .info websites

You can enable the following criteria to mark messages as spam:

• Empty messages

• JavaScript or VBScript in HTML

• Frame or IFrame tags in HTML

• Object tags in HTML

• Embed tags in HTML

• Form tags in HTML

• Web bugs in HTML

• Apply sensitive word list

• SPF record: hard fail

• Conditional Sender ID filtering: hard fail

• NDR backscatter

To monitor advanced options rather than block messages, you can enable test mode. You can add an X-
header to the message, which indicates which advanced option was matched, or you can include a bcc line
to a specific email address.

Note: You can test spam filtering by inserting the following text in a message without any
spaces or line breaks: XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X.

Outbound spam preferences


Outbound messages always are scanned by anti-spam engines. However, you can enable the following
settings for outbound spam:

• Send a copy of all suspicious outbound email messages to the following email address or addresses.

• Send a notification to the following email address or addresses when a sender is blocked for sending
outbound spam.
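A spam filter policy that exercises the settings described in this topic (spam and bulk actions, block and allow lists, international spam, advanced options in test mode) together with the outbound spam preferences, added here as an example rather than course code. The policy and rule names, the group Sales@adatum.com, the domains, the language and region codes and the notification address are constructed.

```powershell
# Added example: a scoped spam filter policy plus the tenant-wide outbound spam settings.
$spam = @{
    Name                     = 'Sales Spam Policy'
    # Spam (SCL 5-6) goes to Junk Email so users can still recover false positives;
    # high-confidence spam (SCL 7+) is quarantined rather than cluttering Junk Email.
    SpamAction               = 'MoveToJmf'
    HighConfidenceSpamAction = 'Quarantine'
    QuarantineRetentionPeriod        = 30     # days before EOP expires quarantined messages (default 15)
    EnableEndUserSpamNotifications   = $true
    EndUserSpamNotificationFrequency = 3      # days between notifications (the default)
    # Bulk mail: treat BCL 6 and above as spam (EOP's default threshold is 7).
    BulkThreshold            = 6
    BulkSpamAction           = 'MoveToJmf'
    # Block list = always high-confidence spam; allow list = never spam.
    BlockedSenderDomains     = @('bulk-deals.example')
    AllowedSenderDomains     = @('humongousinsurance.com')
    # International spam: messages in these languages or from these regions become high-confidence spam.
    EnableLanguageBlockList  = $true
    LanguageBlockList        = @('ru', 'ja')
    EnableRegionBlockList    = $true
    RegionBlockList          = @('KP')
    # Advanced options. 'Test' evaluates the criterion without changing the verdict; together with
    # TestModeAction the hits are tagged with an X-header so they can be reviewed before going 'On'.
    IncreaseScoreWithNumericIps    = 'Test'
    IncreaseScoreWithBizOrInfoUrls = 'Test'
    MarkAsSpamJavaScriptInHtml     = 'On'
    MarkAsSpamSpfRecordHardFail    = 'On'
    MarkAsSpamNdrBackscatter       = 'On'
    TestModeAction                 = 'AddXHeader'
}
New-HostedContentFilterPolicy @spam

# A rule scopes the policy to recipients; without one, only the Default policy applies.
New-HostedContentFilterRule -Name 'Sales Spam Rule' `
    -HostedContentFilterPolicy 'Sales Spam Policy' `
    -SentToMemberOf 'Sales@adatum.com'

# Outbound spam: copy suspicious outbound mail to the security team and tell them when EOP
# blocks an internal sender, which usually means a compromised account or an infected computer.
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -BccSuspiciousOutboundMail $true `
    -BccSuspiciousOutboundAdditionalRecipients 'secops@adatum.com' `
    -NotifyOutboundSpam $true `
    -NotifyOutboundSpamRecipients 'secops@adatum.com'

# Review what was configured.
Get-HostedContentFilterPolicy -Identity 'Sales Spam Policy' |
    Format-List SpamAction, HighConfidenceSpamAction, BulkThreshold, TestModeAction, *BlockList
```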

Managing message quarantines


If you set your content policy to direct spam
messages into quarantine, and your organization
then receives a message that your content policy
classifies as spam, that message will go into a
quarantine area. Messages from transport rule
matches also can be placed into quarantine.

Putting messages into quarantine is an alternative to deleting spam or routing it to a user's Junk
Email folder. If you are concerned about false positives, we recommend using a quarantine rather than
deleting spam. If you delete it, you never actually identify whether it was a false positive. However, if
you place a message in quarantine, you can retrieve and evaluate it if a user needs it.

Expiration
If you do nothing with messages in quarantine, by default, messages expire and are removed by EOP after
15 days. However, you can configure your spam filter to define how long you want to keep messages in
quarantine before they expire. Each message has an expiry time based on the spam filter that identified the
message as spam.

Analyzing messages
To determine what you should do with a message, you can view the message header or preview the
message. Message headers show information such as the servers through which the message was
transferred. When viewing a message header, there is a link to the Microsoft Message Header Analyzer,
which takes the content from the message header and displays it in a more readable format. If you preview
the message, it displays in text instead of HTML, to ensure that any bad code embedded in the message is
not processed.

If you determine that a message is not spam, you can do the following with messages in quarantine:

• Release message to specific recipients.

• Release selected message(s) to all recipients.

• Release selected message(s) and report as false positive.

Searching for messages


If there are many items in the quarantine, you will want to search for specific messages rather than
browsing the entire list. You can use the advanced search function to search based on the following criteria:

• Message ID

• Sender email address

• Recipient email address

• Subject

• Received time

• Expires time

• Message type (spam or transport rule)

End-user spam notifications


If you are placing messages into quarantine instead of the Junk Email folder, you should consider sending
end-user spam notifications, which tell a user that messages addressed to them are waiting in quarantine.
The notification includes a list of quarantined messages.

End-user spam notifications are disabled by default, but you can enable them for each spam-filter policy.
When you enable them, you can select how often notifications are sent. The default value is every three
days.

Note: End users can access their quarantine and release messages by going to
https://admin.protection.outlook.com/quarantine.
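Searching, analyzing and releasing quarantined messages from PowerShell, added as an example of the quarantine workflow described above (not course code). The recipient and partner addresses are constructed; the cmdlets are the Exchange Online quarantine cmdlets.

```powershell
# Added example: the quarantine workflow (search, analyze, release) in Exchange Online PowerShell.
$window = @{ StartReceivedDate = (Get-Date).AddDays(-7); EndReceivedDate = (Get-Date) }

# Advanced search: spam quarantined for one recipient during the last week.
$hits = Get-QuarantineMessage @window -RecipientAddress 'francisco@adatum.com' -Type Spam
$hits | Format-Table ReceivedTime, Expires, SenderAddress, Subject, Released

# Analyze the newest one before deciding: the header shows the servers the message passed
# through, and the preview is plain text so nothing embedded in the body is rendered.
$msg = $hits | Sort-Object ReceivedTime -Descending | Select-Object -First 1
(Get-QuarantineMessageHeader -Identity $msg.Identity).Header
Preview-QuarantineMessage -Identity $msg.Identity

# The three release options from the text.
Release-QuarantineMessage -Identity $msg.Identity -User 'francisco@adatum.com'   # specific recipient
# Release-QuarantineMessage -Identity $msg.Identity -ReleaseToAll                 # all recipients
# Release-QuarantineMessage -Identity $msg.Identity -ReleaseToAll -ReportFalsePositive

# Bulk triage: mail from a trusted partner that still landed in quarantine is a false positive;
# release it to everyone and report it so the filter learns.
Get-QuarantineMessage @window -Type Spam |
    Where-Object { $_.SenderAddress -like '*@humongousinsurance.com' -and -not $_.Released } |
    Release-QuarantineMessage -ReleaseToAll -ReportFalsePositive

# Messages that expire within two days and have not been released: the last chance to look.
Get-QuarantineMessage -StartExpiresDate (Get-Date) -EndExpiresDate (Get-Date).AddDays(2) |
    Where-Object { -not $_.Released } |
    Select-Object ReceivedTime, Expires, Type, SenderAddress, RecipientAddress, Subject
```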

Exchange Online Protection reports


You will not find reports for EOP in the Exchange
admin center, but you can access them from the
previous Office 365 admin center in the Reports
node. The Reports node includes the following
protection reports:

• Top senders and recipients. Shows the top senders and recipients for messages, spam, and malware.

• Top malware for mail. Shows the most commonly received malware.

• Malware detections. Shows the number of messages with malware that EOP has detected.

• Spam detections. Shows the number of spam messages that EOP has detected.

• Sent and received mail. Shows the number of messages sent and received, categorized as good mail,
malware, spam, and rules.

When you view these reports, you can specify a date selection for the data that you want to display. You
can select 7 days, 14 days, or 30 days, or you can define a custom time range.

Some reports also have data selections from which you can choose. For example, in the Top senders and
recipients report, you can select to report on:

• Top mail recipients

• Top mail senders

• Top spam recipients

• Top malware recipients

For greater convenience, you can configure EOP to send reports to a central mailbox from which you can
review or archive the messages, and you can schedule EOP to generate reports weekly or monthly. Each
report also has options that you can modify. For example, you can filter the mail traffic report by sender,
recipient, or mail flow direction.

Integrating EOP with on-premises Exchange servers


Office 365 includes EOP, but you also can use it as a
standalone solution to protect an on-premises
Exchange organization. This provides the same
email protection that Office 365 includes.

Inbound mail flow


When you use EOP with an on-premises Exchange
organization, you first configure email delivery for
your domain to EOP, and EOP then forwards
messages to the on-premises Exchange
organization.

To enable the correct mail flow, you need to:

1. Add your email domain in Office 365.


2. Create a connector from Office 365 to your organization’s email server.

3. Change the MX record for your domain to point to Office 365.

When you create a connector to your on-premises organization, EOP will send all messages for all accepted
domains to your on-premises mail server. This means that the messages for all domains you add in Office
365 are directed to your on-premises mail server. You can specify your email server in the connector by IP
address or fully qualified domain name (FQDN).

Securing connectivity
The connector for connectivity to the on-premises mail server requires TLS by default. To support this, your
on-premises mail server must have a certificate installed. You can allow TLS to use any certificate, but by
default, it also requires a certificate from a trusted certification authority (CA). You also have the option to
enforce a specific subject in the certificate.

The firewall in front of your on-premises mail server must forward port 25 to the mail server. To enhance
security, you can restrict connectivity to the mail server so that it accepts connections only from EOP's IP
addresses. You also can use a Simple Mail Transfer Protocol (SMTP) relay in your perimeter network, such as
an Exchange Edge server.

Additional Reading: For a list of IP addresses that EOP uses, refer to Exchange Online
Protection IP addresses: http://aka.ms/Jbnjfg.

The Directory Based Edge Blocking feature


The Directory Based Edge Blocking feature in Exchange can reduce the number of messages sent to your
on-premises mail server significantly. When you implement Directory Based Edge Blocking, only messages
to valid email addresses in your Exchange organization are forwarded to your on-premises mail server. EOP
blocks all messages addressed to invalid email addresses.

To enable Directory Based Edge Blocking, you need to create users in Office 365. You can do this by
implementing directory synchronization with Office 365. Once you create users in Office 365, you can use
transport rules based on recipient, and access messages in end-user spam quarantine.

Note: It is possible to use the New-EOPMailUser cmdlet to create user accounts manually.
However, we recommend directory synchronization for all but the smallest environments. You also
can create new mail users in the Exchange admin center.

Outbound mail flow


You can have your on-premises Exchange organization send messages directly to the Internet or relay
messages through EOP. If you relay outbound messages through EOP, you need to create a connector from
your organization's email server to Office 365.

To secure mail flow from your on-premises Exchange organization to Office 365, you can specify the source
IP address for the messages, or you can use a certificate. When you use a certificate, you specify a subject
name in the certificate installed on your on-premises mail server.
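The inbound and outbound connectors for standalone EOP with TLS enforced as described above, added as an example (not course code). The server name mail.adatum.com (also used as the certificate subject), the source IP 203.0.113.10 and the user details are constructed.

```powershell
# Added example: standalone EOP in front of an on-premises Exchange organization.

# Step 1: the email domain must already be added and verified in Office 365.
Get-AcceptedDomain | Format-Table DomainName, DomainType

# Step 2: connector from Office 365 to the on-premises server. EOP sends every accepted domain
# there, hence '*'. TLS is required; DomainValidation additionally pins the certificate subject
# (EncryptionOnly would accept any certificate, CertificateValidation any trusted-CA certificate).
New-OutboundConnector -Name 'EOP to on-premises' `
    -ConnectorType OnPremises `
    -RecipientDomains '*' `
    -UseMXRecord $false `
    -SmartHosts 'mail.adatum.com' `
    -TlsSettings DomainValidation `
    -TlsDomain 'mail.adatum.com'

# Step 3 happens at the DNS provider: point the domain's MX record at the host name that the
# Office 365 admin center shows for the domain, so EOP receives inbound mail first.

# Outbound relay through EOP: accept mail for relay only from the on-premises server, identified
# by the subject of its TLS certificate. The commented line is the source-IP alternative.
New-InboundConnector -Name 'On-premises to EOP' `
    -ConnectorType OnPremises `
    -SenderDomains '*' `
    -RequireTls $true `
    -TlsSenderCertificateName 'mail.adatum.com' `
    -RestrictDomainsToCertificate $true
# ... -SenderIPAddresses '203.0.113.10' -RestrictDomainsToIPAddresses $true

# Directory Based Edge Blocking only works for recipients that exist in Office 365. Directory
# synchronization is the recommended way to create them; New-EOPMailUser is the manual
# alternative named in the note above (constructed user).
New-EOPMailUser -Name 'Francisco' `
    -MicrosoftOnlineServicesID 'francisco@adatum.com' `
    -ExternalEmailAddress 'francisco@adatum.com' `
    -Password (Read-Host -AsSecureString 'Initial password')

# Confirm both connectors and their TLS settings.
Get-OutboundConnector | Format-Table Name, ConnectorType, SmartHosts, TlsSettings, TlsDomain
Get-InboundConnector  | Format-Table Name, ConnectorType, RequireTls, TlsSenderCertificateName
```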

Configuring email protection


The default configuration of EOP does a good job
of blocking unwanted spam and malware.
However, you can fine-tune the configuration to
meet your organization’s needs. When configuring
EOP, consider the following:
• Identify appropriate malware notifications.
Plan out the scenarios for which you want to
notify senders, recipients, or administrators
that EOP has detected malware. In most cases,
you want to notify an administrator when EOP
detects malware internally.

• Enable the safe list setting in connection filtering. To prevent false positives for spam filtering, you
should enable the safe list setting in connection filtering. This prevents EOP from marking known safe
sources as spam.

• Delete or quarantine high-confidence spam. It is unlikely that EOP is detecting high-confidence spam
as a false positive. To avoid cluttering your Junk Email folders, delete or quarantine messages that EOP
detects as high-confidence spam.

• Enable international spam options. If you know that you are unlikely to receive legitimate messages in
certain languages or from certain regions, configuring this option can reduce spam.

• Use the test mode when you first implement advanced options for spam. Using the test mode enables
you to monitor the messages that the advanced option identifies, and ensure that it is not generating
false positives.

• Identify groups of users with different protection needs. You can apply malware and spam filter policies
for specific user groups. This allows you to fine-tune the policies to your users' needs, such as having
less spam filtering on a mailbox that receives job applications from the public.

• Create a transport rule to block specific file extensions. If you want to block specific file types, you can
create a transport rule that blocks that file type's file extension, so that you can help guard against
users opening high-risk file types.

• Run scheduled reports to monitor protection activity. Monitoring protection activity may provide you
with insight about how to improve email protection. For example, if you see that one particular sender
or domain is the source of significant spam, you can investigate why.
Verify the correctness of the statement by placing a mark in the column to the right.

Statement: Selecting the Enable safe list option in the connection filter reduces the risk of false positives.
Answer: T

Question: What is the difference between spam and high-confidence spam?



Lesson 3
Planning and configuring client access policies
You can use client access policies to control settings for Outlook on the web and mobile devices. You can
assign Outlook Web App policies to users, which control the features that are available, access to
attachments, and offline access. For mobile devices, you can create rules that determine the types of mobile
devices that are allowed to connect by using Exchange ActiveSync. You also have the option to quarantine
devices until they are approved. Mailbox policies for mobile devices enforce security settings on those
devices.

Lesson Objectives
After completing this lesson, you will be able to:

• Configure Outlook Web App policies.

• Configure access for mobile devices.

• Configure mailbox policies for mobile devices.

Configuring policies for Outlook on the web


Outlook on the web, formerly known as Outlook
Web App, allows users to access their mailboxes by
using a web browser. The feature set in Outlook on
the web closely mimics the features that are
available in Microsoft Outlook 2016, and provides
features that are not available in previous Outlook
versions. In some cases, such as when a locally
installed email client is not available, you might
use Outlook on the web instead.
After you create your Office 365 tenant with
Exchange Online, there is a single Outlook Web
App policy named OWAMailboxPolicy-Default.
This policy defines Outlook on the web settings for all users. However, you have the option to create
additional Outlook Web App policies, and you can configure each user to use a specific Outlook Web App
policy. This allows you to vary the Outlook on the web settings for users with different needs.

Features
The OWAMailboxPolicy-Default policy enables all Outlook on the web features. Your organization may
decide to simplify Outlook on the web, and disable features that your organization has decided not to
support. Some of the features that are used less often are:

• Instant messaging

• Text messaging

• Unified messaging

• LinkedIn contact sync

• Journaling

File access
Direct file access allows users to access documents that are attached to email messages. If you do not
enable direct file access, users can see that a message has an attachment, but they cannot open or save it.
Direct file access is enabled by default, but you can disable it.

When you enable direct file access, you can allow, block, or force a save for specific file types. You can
specify file types based on file extension or Multipurpose Internet Mail Extensions (MIME) type. By default,
Outlook blocks file types that are likely to contain malicious code that is executable in a web browser, but it
allows unknown file types by default.
You cannot modify the specific file types in the Exchange admin center. You need to use the
Set-OwaMailboxPolicy cmdlet to modify the following properties:

• AllowedFileTypes

• AllowedMimeTypes

• ForceSaveFileTypes

• ForceSaveMimeTypes

• BlockedFileTypes

• BlockedMimeTypes

Offline access
Outlook on the web can work in offline mode, which means that users can sign in to Outlook on the web
and access mailbox content even when they are not connected to Exchange Online. Everything that the
user does in the mailbox synchronizes with Exchange Online when Outlook on the web reestablishes a
connection to Exchange Online, which means that users have a seamless, faster experience when they are
working on a slow network or one that connects intermittently.

Offline access for Outlook on the web is enabled on a computer-by-computer basis. This means that users
need to enable it on each computer where they want to use this feature. Due to security concerns, we
recommend that you enable offline access for Outlook on the web only on private computers.

Offline access for Outlook on the web has limitations. For example, you cannot access your online archive,
team folders, or tasks. You also cannot perform full-text search in your mailbox. To use Outlook on the web
offline, you should use Internet Explorer 10 or newer, Google Chrome 24 or newer, or Safari 5 or newer.

You can control the ability to enable offline access for Outlook on the web on the Outlook Web App virtual
directory or in the Outlook Web App policies. You can enable offline access:

• Always. This is the default option that allows users to enable offline access from any computer.

• Private computer. Allows offline access only on private computers.

• Never. Offline access is not allowed.

Public and private computers


Outlook Web App policies have several properties that differentiate between public and private computers.
In Exchange Online, the default configuration treats all computers as private computers. If you use
Set-OrganizationConfig to configure PublicComputersDetectionEnabled as $true, then computers can be
either public or private.

Unlike an on-premises implementation of Exchange Server, users do not get to define whether a computer
is public or private for Exchange Online. For Exchange Online, authentication to Active Directory Federation
Services (AD FS) defines whether a computer is public or private. This is based on the location of the
computer that is initiating authentication rather than the device. If your organization does not use AD FS
for single sign-on with Exchange Online, it is not possible to use public computer detection.
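A second Outlook Web App policy that applies the feature, file access, offline and public-computer settings from this topic, added here as an example (not course code). The policy name, the mailbox contractor1@adatum.com and the chosen file types are assumptions; the default policy is left untouched.

```powershell
# Added example: a restricted Outlook Web App policy for contractors, assigned to one mailbox.
New-OwaMailboxPolicy -Name 'Contractor OWA Policy'

# Features the organization has decided not to support.
Set-OwaMailboxPolicy -Identity 'Contractor OWA Policy' `
    -InstantMessagingEnabled $false `
    -TextMessagingEnabled $false `
    -UMIntegrationEnabled $false `
    -LinkedInEnabled $false `
    -JournalEnabled $false

# File access lists are PowerShell-only. Block disk-image formats (a common wrapper for executables
# that the browser-oriented default list does not cover) and force Office documents and PDFs to be
# saved rather than opened. Entries already present are skipped, because adding a duplicate to a
# multi-valued property fails. Block wins over ForceSave, which wins over Allow.
$policy  = Get-OwaMailboxPolicy -Identity 'Contractor OWA Policy'
$toBlock = @('.iso', '.img', '.vhd') | Where-Object { $_ -notin $policy.BlockedFileTypes }
$toForce = @('.docx', '.xlsx', '.pdf') | Where-Object { $_ -notin $policy.ForceSaveFileTypes }
if ($toBlock) { Set-OwaMailboxPolicy -Identity 'Contractor OWA Policy' -BlockedFileTypes   @{Add = $toBlock} }
if ($toForce) { Set-OwaMailboxPolicy -Identity 'Contractor OWA Policy' -ForceSaveFileTypes @{Add = $toForce} }

# No attachment access from public computers, and offline access only on private ones.
# Public/private detection requires AD FS sign-in plus the tenant-wide switch below.
Set-OwaMailboxPolicy -Identity 'Contractor OWA Policy' `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -AllowOfflineOn PrivateComputersOnly
Set-OrganizationConfig -PublicComputersDetectionEnabled $true

# Assign the policy to the mailbox that needs it.
Set-CASMailbox -Identity 'contractor1@adatum.com' -OwaMailboxPolicy 'Contractor OWA Policy'

# Verify the effective settings.
Get-OwaMailboxPolicy -Identity 'Contractor OWA Policy' |
    Format-List BlockedFileTypes, ForceSaveFileTypes, AllowOfflineOn, DirectFileAccessOnPublicComputersEnabled
```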

Configuring access for mobile devices


The default configuration of Exchange Online
controls access by using Exchange ActiveSync only
at the user level. If you allow users to use Exchange
ActiveSync, users can connect from any device that
supports it, which means they could have their
mailbox connect to a company mobile phone and
their personal tablet simultaneously. There are no
limits on the types of devices to which users can
connect.

You can configure the following states for Exchange ActiveSync devices:

• Allowed. In the Allowed access state, a mobile device can synchronize through Exchange ActiveSync and
connect to Exchange Online to retrieve email and manipulate calendar information, contacts, tasks, and
notes. This continues as long as the device complies with the configured mobile-device mailbox policy.
This is the default state for all devices, because Exchange Online does not define any quarantine policies.

• Blocked. If a device access rule specifies that a device should be blocked, that device cannot connect to
Exchange Online, and receives an HTTP 403 forbidden error. You can block a device based on the device
family, or you can block a specific device model. The user receives an email message from Exchange
Online that indicates that the mobile device was blocked from accessing their mailbox. Exchange Online
also might block a device because it fails to apply the mobile device mailbox policies.

If this is the case, users do not receive an email message that indicates that the mobile device was blocked
from accessing their mailbox. However, the mobile device information that displays in Outlook on the web
indicates that it is blocked because of the device's failure to apply the mobile device mailbox policies.

• Quarantined. When a mobile device is in a quarantined state, it is allowed to connect to Exchange
Online. However, it will have limited data access. The user can add content to their calendar, contacts,
tasks, and notes folders, but the server will not allow the device to retrieve any content from the user's
mailbox. The user receives a single email message that indicates that the mobile device is in quarantine.
The device receives this message, which Exchange Online also makes available in the user's mailbox.
You can add customized text to this message to provide instructions for users whose devices are
quarantined. A device remains in the quarantined state until an administrator decides whether to block it
or allow it to connect.

If you are placing devices into quarantine, it is important to notify an administrator, who then can evaluate whether to allow the device to connect. In Windows PowerShell, you can specify who is notified about quarantined devices, and set the default state for new devices with the following command:

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients Administrator@adatum.com

You can create and manage mobile device access rules by using the Exchange admin center or the New-ActiveSyncDeviceAccessRule cmdlet. The Exchange admin center provides limited options for rules based on device family and model. By using the New-ActiveSyncDeviceAccessRule cmdlet, you can create rules based on the device model, device type, device operating system, user agent, and XMSWL header. The following example creates a new mobile device access rule:

New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS -QueryString "Android 4.4.2" -AccessLevel Allow

Note: When you create mobile device access rules in the Exchange admin center, the families
and models from which you can select populate the list based on the device families and models
that have contacted your Exchange Online tenant. Until Exchange ActiveSync devices connect, the
only value listed is All families.
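The following is an added example, not part of the course text, that puts the cmdlets above together into one default-deny workflow: quarantine unknown devices, notify an administrator, add help-desk text to the quarantine message, define explicit allow and block rules, and then review and release individual quarantined devices. It assumes an open Exchange Online PowerShell session, the fictitious adatum.com domain used on this page, and placeholder device IDs and a placeholder device type string that you replace with values reported by Get-MobileDevice in your own tenant.

```powershell
# Added example (not from the course text). Assumes an Exchange Online PowerShell
# session is already open and that adatum.com is the tenant's (fictitious) domain.
# DEVICEID-PLACEHOLDER-* and UNSUPPORTED-DEVICE-TYPE-PLACEHOLDER are placeholders.

# 1. Default-deny posture: unknown devices are quarantined rather than allowed,
#    an administrator is notified, and the quarantine mail carries help-desk text
#    (the customized text the course mentions for quarantined users).
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "Administrator@adatum.com" `
    -UserMailInsert "Your device is awaiting approval. Contact the help desk if it is not released within one business day."

# 2. Explicit rules are evaluated before the organization default. Allow a known OS
#    build and block a device family the organization has decided not to support.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS `
    -QueryString "Android 4.4.2" -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType `
    -QueryString "UNSUPPORTED-DEVICE-TYPE-PLACEHOLDER" -AccessLevel Block

# 3. Review the rule set and the devices currently held in quarantine, so the
#    notified administrator can decide per device (owner, platform, first contact).
Get-ActiveSyncDeviceAccessRule | Format-Table Name, Characteristic, QueryString, AccessLevel
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object UserDisplayName, DeviceType, DeviceOS, DeviceModel, DeviceId, FirstSyncTime

# 4. Release one quarantined device for one mailbox only (per-user allow list) and
#    block another outright. Per-user lists are checked before rules and the default,
#    so the DeviceId must match the value shown by Get-MobileDevice exactly.
Set-CASMailbox -Identity "user1@adatum.com" -ActiveSyncAllowedDeviceIDs @{Add="DEVICEID-PLACEHOLDER-1"}
Set-CASMailbox -Identity "user1@adatum.com" -ActiveSyncBlockedDeviceIDs @{Add="DEVICEID-PLACEHOLDER-2"}

# 5. Confirm the resulting state (and the reason Exchange Online records for it).
Get-MobileDevice -Mailbox "user1@adatum.com" |
    Format-Table DeviceId, DeviceAccessState, DeviceAccessStateReason
```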

Configuring mailbox policies for mobile devices

Mobile clients, such as Exchange ActiveSync clients, are difficult to secure because the devices are small and portable, and there is a higher likelihood that users will lose them or they will be stolen. However, they can contain highly confidential information, because the storage cards that fit into the mobile device expansion slots can store increasingly large amounts of data. This data-storage capacity is important to users, but it can increase security risks for your organization, as malicious users might be able to get hold of the device and access this data.

Mobile clients also are difficult to manage by using centralized policies because the devices might rarely, or
never, connect to the internal network. The devices also do not require Active Directory accounts, so you
cannot use GPOs to manage client settings.

Implementing mailbox policies for mobile devices

Mailbox policies for mobile devices provide one option for securing mobile devices. When you apply a policy to a user, the mobile device downloads the policy automatically the next time that the device connects through Exchange ActiveSync. Exchange ActiveSync allows you to force password requirements on a mobile device, and to configure several other security options that are mandatory, so that users cannot change them from the client side.

You apply mobile device mailbox policies on a user-by-user basis, which means that you can create different policies for different users. You can modify the default mobile device mailbox policy to meet your organization's security standards. You then can create additional mobile device mailbox policies that are exceptions to that baseline.

You can apply mobile device mailbox policies only to the level that the mobile device supports. Policy
settings that the mobile platform does not support on the client side are ignored. Each user is assigned a
default policy that does not enforce any security settings. To ensure that mobile devices are as secure as
possible, you should configure mobile device mailbox policies that require device passwords, and encrypt
the data that users store on their mobile devices.

When implementing a mobile device mailbox policy, you can configure the following options:

 This is the default policy. Sets a default policy, and applies it to all users that are not assigned another
policy.

 Allow mobile devices that do not fully support these policies to synchronize. Allows devices that do not
support all policy options to synchronize.

 Require a password. Enables you to specify password requirements.

 Allow simple passwords. Allows users to use simple passwords, such as 1111 or 1234.

 Require an alphanumeric password. Requires a password that includes both numbers and letters, such
as A1B2.

 Require encryption on device. Requires the storage on a device to be encrypted.

 Minimum password length. Specifies the minimum characters in the password.

 Number of sign-in failures before device is wiped. Specifies the number of times users can enter a device's password incorrectly before the device removes all local data, or performs a wipe. Local device wipe is the mechanism by which a mobile phone wipes itself, without the request coming from the server. The result of a local device wipe is the same as that of a remote device wipe. The wipe resets the device to its factory default settings. When a mobile phone performs a local device wipe, no confirmation is sent to Exchange Online.

 Require sign in after device has been inactive for (minutes). Specifies the time, in minutes, of device
inactivity after which the password is required.

 Enforce password lifetime (days). Specifies the maximum time a user can use a password on a device.

 Password recycle count. Specifies how many different passwords a user must use before repeating one
of the earlier used passwords.
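The options above map one-to-one onto parameters of the mobile device mailbox policy cmdlets. The following is an added example, not from the course, that hardens the Default policy into a baseline, derives a stricter exception policy from it, assigns that exception to one user, and verifies the result; the policy name Executives, the numeric values, and user1@adatum.com are choices made for this example, not course recommendations.

```powershell
# Added example (not from the course text). Assumes an open Exchange Online
# PowerShell session; policy name, values and the user address are example choices.

# Baseline: harden the Default policy instead of leaving it with no requirements.
# Each key is the cmdlet parameter for one option in the list above.
$baseline = @{
    PasswordEnabled              = $true          # Require a password
    AllowSimplePassword          = $false         # Reject 1111, 1234 and similar
    AlphanumericPasswordRequired = $true          # Letters and numbers, for example A1B2
    MinPasswordLength            = 6              # Minimum password length
    MaxPasswordFailedAttempts    = 10             # Local wipe after this many failures
    RequireDeviceEncryption      = $true          # Require encryption on device
    MaxInactivityTimeLock        = '00:15:00'     # Require sign-in after 15 idle minutes
    PasswordExpiration           = '90.00:00:00'  # Enforce password lifetime (90 days)
    PasswordHistory              = 5              # Password recycle count
    AllowNonProvisionableDevices = $false         # Devices that cannot apply the policy may not sync
}
Set-MobileDeviceMailboxPolicy -Identity Default @baseline

# Exception policy for a group that needs a stricter posture. It starts from a copy of
# the baseline so the two policies cannot drift apart on the settings that are not overridden.
$strict = $baseline.Clone()
$strict.MaxInactivityTimeLock     = '00:05:00'
$strict.MaxPasswordFailedAttempts = 5
$strict.MinPasswordLength         = 8
New-MobileDeviceMailboxPolicy -Name "Executives" @strict

# Policies are applied per user; everyone not assigned explicitly keeps Default (IsDefault = $true).
Set-CASMailbox -Identity "user1@adatum.com" -ActiveSyncMailboxPolicy "Executives"

# Verify what is in force. Settings a device platform does not support are ignored on the
# client, so a policy being assigned does not by itself prove the device enforces it;
# check DeviceAccessState on the user's devices for ones that failed to apply the policy.
Get-MobileDeviceMailboxPolicy |
    Format-Table Name, IsDefault, PasswordEnabled, RequireDeviceEncryption, MaxPasswordFailedAttempts
Get-CASMailbox -Identity "user1@adatum.com" | Select-Object ActiveSyncMailboxPolicy
Get-MobileDevice -Mailbox "user1@adatum.com" |
    Format-Table DeviceId, DeviceOS, DeviceAccessState, DeviceAccessStateReason
```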

Question: How does Office 365 differentiate between public and private computers that
attempt to connect to it?

Verify the correctness of the statement by placing a mark in the column to the right.

Statement: The default configuration for mobile devices quarantines all devices until an administrator approves them.
Answer: F

Lesson 4
Migrating to Exchange Online
If you have an existing email deployment, you need to plan how to migrate to Exchange Online. Depending
on your existing mail deployment, you have various migration options. For Exchange organizations, you
can perform a cutover Exchange migration, a staged Exchange migration, or a hybrid migration. Exchange
organizations also might need to migrate public folders. For non-Microsoft email systems, you can perform
an Internet Message Access Protocol (IMAP) migration or a PST import.

Lesson Objectives
After completing this lesson, you will be able to:

 Describe options for migrating to Exchange Online.

 Implement a cutover Exchange migration.

 Implement a staged Exchange migration.

 Implement an IMAP migration.

 Implement a PST import.

 Implement a public folder migration.

 Describe the Exchange Online hybrid mode.

Options for migrating to Exchange Online

Most organizations already have email configured as either an on-premises or cloud service. Before you begin using Exchange Online, it is crucial that you have a migration plan. A well-planned migration minimizes downtime, and it ensures that messages are not lost during the migration.

When planning a migration to Exchange Online, you need to consider the volume of data that you need to migrate. This includes the number of mailboxes that you need to migrate, and the amount of data in each mailbox. Typically, a very small organization that has limited data can do a cutover from its old email system to Exchange Online. Larger organizations that have more data generally need to perform an incremental migration process, where the mailboxes for the domain coexist in Exchange Online and the old email system.

The user requirements for historical information are another important consideration. If your organization determines it is acceptable for users to use a new, empty Exchange mailbox, and you can migrate historical data later, you likely can use a cutover migration.

The common migration scenarios are:

 Cutover Exchange migration. In this type of migration, you move all mailboxes, in a single step, to
Exchange Online from an on-premises Exchange organization.

 Staged Exchange migration. In this type of migration, you move mailboxes, in batches, to Exchange
Online from an on-premises Exchange organization.

 IMAP migration. In this type of migration, you can migrate data from any IMAP-enabled email system.

 PST migration. In this type of migration, you export mailbox data to PST files, and import the PST files
in Exchange Online.

 Hybrid mode. In this type of migration, you use hybrid mode to enable coexistence between Exchange
Online and an on-premises Exchange organization. After you enable hybrid mode, you can move the
mailboxes individually or in groups.

Implementing a cutover Exchange migration

A cutover migration moves mailbox data, in a single step, from an on-premises Exchange organization to Exchange Online. This type of migration is appropriate only for a small organization with a limited amount of data. Exchange Online supports this type of migration for up to 2,000 mailboxes, but we recommend using this migration type for organizations with 150 mailboxes or less.

The main benefit of a cutover migration is its simplicity. Because there is no coexistence between email systems, you simply have to copy data, and switch to Exchange Online.

Prepare for a cutover Exchange migration

During a cutover Exchange migration, Exchange Online uses a set of credentials to sign in to your on-premises Exchange organization and access mailboxes. To allow this to happen, you need to configure a migration administrator account with Full Access and Receive As permissions to all of the mailboxes that you are migrating.

When Exchange Online accesses the mailboxes in your on-premises Exchange organization, it uses Outlook Anywhere. Therefore, you need to enable Outlook Anywhere for your on-premises Exchange organization if it is not already enabled.

In Office 365, you need to add the email domain that you are migrating, and you need to create the
necessary DNS records to prove domain ownership.

Connect Office 365 to on-premises Exchange

Before you migrate mailboxes, you need to connect Office 365 to your on-premises Exchange organization by creating a migration endpoint, which contains the information necessary to connect to the on-premises Exchange organization for migration. This information includes:

 An email address in the on-premises Exchange organization. Office 365 uses this to perform an Autodiscover and identify the connectivity information for the on-premises Exchange organization.

 An account with the necessary privileges to access mailboxes and migrate the mailboxes in the on-
premises Exchange organization.

 Exchange server. If Autodiscover did not discover the FQDN for Outlook Anywhere properly, you can
enter it.

 RPC proxy server. If Autodiscover did not discover the FQDN of the remote procedure call (RPC) proxy
server properly, you can enter it.

 Maximum concurrent migrations. Defines the number of mailbox migrations that occur
simultaneously. If you leave this blank, default values are used.

 Maximum concurrent incremental syncs. Defines the number of incremental mailbox synchronizations
that can occur simultaneously after mailbox migration occurs. If you leave this blank, default values are
used.

Run a cutover migration batch

A cutover migration batch does more than just move mailbox data from the on-premises Exchange organization to Office 365. The cutover migration batch also creates the users and mailboxes in Office 365. Additionally, when the mailbox move is complete, the cutover migration batch performs incremental synchronization of new mailbox data that the on-premises Exchange organization receives.

When you create a new cutover migration batch, you are prompted to confirm the migration endpoint connectivity information. Verify that this is correct, and then you can start the cutover migration batch at the end of the new migration batch wizard or manually at a specific time. You can run a cutover migration batch during business hours, but ensure that the Internet connection has sufficient capacity.

To verify that the initial data migration is complete, check that the user accounts have been created in Office 365 and that the status of the cutover migration batch is Synced. If there are errors, you can view the log to determine the cause of the errors, and then restart the cutover migration batch.

Change email routing to Office 365

After the initial synchronization is complete, you need to change mail routing to Office 365. Use the DNS information that you obtained when you added the domain to Office 365 to modify the MX record and direct other email servers to deliver messages to Office 365.

Typically, hosts and other DNS servers cache the DNS records on the Internet. It is critical that you verify
email is being delivered directly to Office 365 before you delete the cutover migration batch. At minimum,
you should wait for the time defined in the Time to Live (TTL) of the MX record.

Note: To speed up the cutover process, consider shortening the TTL of your MX record
several days before the migration. A TTL of 30 or 60 minutes is significantly better than 24 hours.

Delete the cutover migration batch


After mail starts flowing directly to Office 365, you can remove the cutover migration batch. However,
before you remove the cutover migration batch, confirm that every mailbox has synchronized at least once
since you changed the mail flow. This ensures that no messages are left behind in the on-premises
Exchange organization. Monitor the Last Synced Time value for the cutover migration batch.

Additional tasks
After you remove the cutover migration batch, you should perform the following tasks:

 Assign licenses to the user accounts. If you have not assigned any licenses to user accounts, users
cannot access their mailboxes.

 Update Autodiscover. You need to update the Autodiscover DNS record to point to Office 365 for
external users. For internal users, you should configure the AutoDiscoverInternalURI value on the
service connection object to $null.

 Decommission on-premises Exchange Server. After the migration is complete, you can remove
Exchange Server from your on-premises organization. Remember to do a proper removal rather than
just turning off the Exchange server.
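The same cutover procedure, driven from Exchange Online PowerShell rather than the Exchange admin center, as an added example that is not part of the course text. It assumes the fictitious adatum.com domain, a migration administrator account migrationadmin@adatum.com that already holds the Full Access and Receive As permissions described above, an Internet-reachable Outlook Anywhere endpoint, a Windows client (Resolve-DnsName comes from the Windows DnsClient module), and a placeholder MX host name that you replace with the value Office 365 displayed when you added the domain.

```powershell
# Added example (not from the course text). Assumes an open Exchange Online PowerShell
# session, the fictitious adatum.com domain, and the prepared migration administrator
# account migrationadmin@adatum.com. EXPECTED-OFFICE365-MX-HOST-PLACEHOLDER is a placeholder.

# 1. Migration endpoint: Exchange Online signs in with these credentials and uses
#    Autodiscover on the given address to find the on-premises Outlook Anywhere FQDN.
$onPremCred = Get-Credential -Message "On-premises migration administrator (DOMAIN\user)"
$endpoint = New-MigrationEndpoint -ExchangeOutlookAnywhere -Name "AdatumCutover" `
    -Autodiscover -EmailAddress "migrationadmin@adatum.com" -Credentials $onPremCred `
    -MaxConcurrentMigrations 20 -MaxConcurrentIncrementalSyncs 10
# Check connectivity and permissions before any batch is created.
Test-MigrationServerAvailability -ExchangeOutlookAnywhere -Autodiscover `
    -EmailAddress "migrationadmin@adatum.com" -Credentials $onPremCred

# 2. A batch on an Outlook Anywhere endpoint with no CSV is a cutover batch: it creates
#    the users and mailboxes in Office 365 and copies all mailbox data.
New-MigrationBatch -Name "AdatumCutover" -SourceEndpoint $endpoint.Identity `
    -TimeZone "Pacific Standard Time" -AutoStart

# 3. Poll until the initial copy reaches Synced; per-user failures are in the migration report.
do {
    Start-Sleep -Seconds 300
    $batch = Get-MigrationBatch -Identity "AdatumCutover"
    "{0}: {1}/{2} synced, {3} failed" -f $batch.Status, $batch.SyncedCount, $batch.TotalCount, $batch.FailedCount
} until ($batch.Status -eq 'Synced' -or $batch.Status -eq 'Failed')
Get-MigrationUser -BatchId "AdatumCutover" | Where-Object Status -eq 'Failed' |
    ForEach-Object { Get-MigrationUserStatistics -Identity $_.Identity -IncludeReport }

# 4. Change the MX record, then wait at least its TTL. Only then confirm that public DNS
#    already answers with the Office 365 host before touching the batch.
$expectedMx = "EXPECTED-OFFICE365-MX-HOST-PLACEHOLDER"
$mx = Resolve-DnsName -Name "adatum.com" -Type MX | Where-Object QueryType -eq 'MX'
if ($mx.NameExchange -notcontains $expectedMx) {
    throw "MX for adatum.com does not point at Office 365 yet; do not remove the batch"
}
$mailFlowVerified = Get-Date

# 5. The batch must have completed an incremental sync after the mail-flow change, so that
#    nothing delivered on-premises in the meantime is left behind. Last Synced Time is the
#    value the course tells you to monitor.
$batch = Get-MigrationBatch -Identity "AdatumCutover"
if ($batch.LastSyncedTime -lt $mailFlowVerified) {
    throw "Batch last synced $($batch.LastSyncedTime), before mail flow was verified; wait for another sync"
}
Remove-MigrationBatch -Identity "AdatumCutover" -Confirm:$false
```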

Additional Reading: For additional detailed information about performing a cutover migration, refer to Perform a cutover migration of email to Office 365: http://aka.ms/jhw5t9.

Implementing a staged Exchange migration

You can use a staged Exchange migration for large Exchange Server 2003 or Exchange Server 2007 organizations where a cutover Exchange migration is not appropriate. This type of migration allows you to move mailboxes incrementally, and there is coexistence between the on-premises Exchange organization and Office 365.

Note: You cannot configure a staged Exchange migration for Exchange Server 2010 and newer versions. You must use hybrid mode to provide similar functionality.

Prepare for a staged Exchange migration


During a staged Exchange migration, Exchange Online uses a set of credentials to sign in to your on-
premises Exchange organization and access mailboxes. To allow this to happen, you need to configure a
migration administrator account with FullAccess permissions to all of the mailboxes that are being
migrated, and WriteProperty permission to the TargetAddress property on the user accounts.

When Exchange Online accesses the mailboxes in your on-premises Exchange organization, it uses Outlook
Anywhere. You need to enable Outlook Anywhere for your on-premises Exchange organization if Outlook
Anywhere is not already enabled.

In Office 365, you need to add the email domain that you are migrating. As part of this, you need to create
the necessary DNS records to prove domain ownership.

Create users in Office 365


To create the users and groups in Office 365, you need to configure directory synchronization. To do this,
use Azure AD Connect. After you create users in Office 365, you need to license them so that users can sign
in.

Create a staged migration batch


To create a staged migration batch, you need to create a comma separated values (.csv) file that lists the
users to migrate. The .csv file must contain an EmailAddress column and a Password column. A
ForceChangePassword column is optional. The wizard for creating a staged migration batch verifies the
format of the file, including a maximum of 2,000 rows.

Before you create a staged migration batch, you need to create a migration endpoint that defines how to
connect to the on-premises Exchange organization. This process is the same for a staged migration batch
and for a cutover migration batch.

Convert on-premises mailboxes to mail-enabled users


After a staged migration batch is complete, the migration batch sets the TargetAddress property for the
on-premises user account as the Office 365 tenant, and delivery of all new mail for the user is to Office 365.
However, the mailbox still exists in the on-premises Exchange organization. You need to remove the on-
premises mailbox and convert the user to a mail-enabled user. This directs the user to Office 365 for email
instead of the on-premises Exchange organization.

Additional Reading: For more detailed information, refer to Convert Exchange 2007 mailboxes to mail-enabled users after a staged Exchange migration: http://aka.ms/nncsic. This link also has scripts to simplify the conversion process.

Change email routing to Office 365


Similar to completing a cutover migration, after all staged migration batches are complete, you need to change mail routing to Office 365. Use the DNS information provided when you added the domain to Office 365 to modify the MX record and direct other email servers to deliver messages to Office 365.
Hosts and other DNS servers typically cache DNS records on the Internet. It is critical that you verify email is
being delivered directly to Office 365 before you delete the staged migration batch. At minimum, you
should wait for the time defined in the TTL of the MX record.

Delete the staged migration batches


After mail starts flowing directly to Office 365, you can remove the staged migration batches. However,
before you remove the staged migration batches, confirm that every mailbox has synchronized at least
once since the mail flow change. This ensures that no messages are left behind in the on-premises
Exchange organization. Monitor the Last Synced Time value for the staged migration batch.

Additional tasks
After you remove the staged migration batches, you should perform the following tasks:

 Assign licenses to the user accounts. If you have not assigned licenses to user accounts, the users
cannot access their mailboxes.

 Update Autodiscover. You need to update the Autodiscover DNS record to point to Office 365 for
external users. For internal users, you should configure the AutoDiscoverInternalURI value on the
service connection object to $null.

 Decommission on-premises Exchange Server. After the migration is complete, you can remove
Exchange Server from your on-premises organization. Remember to do a proper removal rather than
just turning off the Exchange server.

Additional Reading: For additional detailed information about performing a staged Exchange migration, refer to Perform a staged migration of email to Office 365: http://aka.ms/m3lpyu.

Implementing an IMAP migration

If you are migrating from a non-Exchange Server email system, you cannot use a cutover Exchange migration or a staged Exchange migration. If the non-Exchange Server email system supports IMAP, you can consider doing an IMAP migration. In this type of migration, Exchange Online logs on to mailboxes and uses IMAP to migrate messages.

Considerations for an IMAP migration include:

 You can migrate only mail items.

 You can migrate a maximum of 500,000 items per mailbox (newest first).

 You can migrate a maximum message size of 35 megabytes (MB).

 Folders with a forward slash in the name are not migrated.

Office 365 Setup wizard

If you perform a small IMAP migration, the simplest method to accomplish that is by using the Office 365 Setup wizard. The wizard takes you through the process for adding the email domain that you are migrating, and it prompts you to create user accounts and copy data. The main limitation of the wizard is that you can migrate a maximum of 150 mailboxes by using IMAP.
In the Office 365 Setup wizard, you can create user accounts individually or import them from a .csv file.
After you create the user accounts, you are prompted to enter the source email address and password for
each user. You can enter the same address for the source and destination, but they do not have to be the
same. After entering the user information, you are prompted for the IMAP server address.

The Exchange admin center


You also can use the Exchange admin center to create an IMAP migration batch. In this case, you need to
ensure that you add the email domain to Office 365 and create the user accounts in Office 365.

Once you create the accounts, you then create a .csv file with IMAP user information. The .csv file must
contain the EmailAddress, UserName, and Password columns. The migration batch uses this information to
sign in to the IMAP accounts and move the messages. The .csv file can contain up to 50,000 rows.

When you are ready to perform a migration, you create a migration endpoint that specifies connectivity
information for the source IMAP server. You then create a new IMAP migration batch, and you provide the
.csv file with IMAP user information. When you create the IMAP migration batch, you have the option to
specify folders, such as Deleted Items, that you do not want to migrate.

After the migration is complete, the migration batch continues to perform incremental synchronization
until you delete the IMAP migration batch. Do not delete the IMAP migration batch until your mail routing
points directly to Office 365.

Optimize IMAP migrations


If possible, implement the following guidelines to optimize IMAP migrations:

 Use test batches to optimize network settings. If you have the option to modify the number of
connections allowed to your IMAP server, use test batches with varying settings to identify how to
obtain the best throughput.

 Migrate data by using an administrator account. If your IMAP server supports using an administrator account to access multiple mailboxes, then use an administrator account for credentials in the .csv file. This avoids the need to collect or reset user passwords on the IMAP server.

 Prevent users from changing passwords during the migration. If you use individual user accounts in the .csv file, prevent users from changing their passwords during the migration process. If passwords are changed during the migration process, the migration for the mailbox fails.

 Ask users to delete unnecessary messages. This reduces the amount of data to be migrated and can
significantly speed up the overall migration process.
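An added example, not from the course text, that applies the Exchange admin center procedure and the guidelines above to an IMAP batch run from Exchange Online PowerShell: it builds the .csv with the EmailAddress, UserName and Password columns, creates the IMAP endpoint with a bounded connection count, excludes folders, and surfaces per-user failures. It assumes an open Exchange Online PowerShell session, the fictitious adatum.com target domain, a placeholder source server name imap.oldmail.example, an IMAP server whose administrator account can open other users' mailboxes (the exact UserName syntax for that is server-specific and is a placeholder here), and three constructed user names.

```powershell
# Added example (not from the course text). Assumes an open Exchange Online PowerShell
# session, the fictitious target domain adatum.com, and the placeholder source server
# imap.oldmail.example. ADMIN-SYNTAX-PLACEHOLDER-FOR-<user> stands for whatever syntax
# your IMAP server uses to let the administrator account open that user's mailbox.

# 1. Build the .csv the batch needs: EmailAddress (Office 365 mailbox), UserName and
#    Password (source IMAP logon). With an administrator account the Password column is
#    the same for every row, so no user password has to be collected or reset, and users
#    changing their own passwords mid-migration cannot break the batch.
$adminPassword = Read-Host -AsSecureString "IMAP administrator password" |
    ForEach-Object { [System.Net.NetworkCredential]::new('', $_).Password }
$rows = "user1", "user2", "user3" | ForEach-Object {
    [pscustomobject]@{
        EmailAddress = "$_@adatum.com"
        UserName     = "ADMIN-SYNTAX-PLACEHOLDER-FOR-$_"
        Password     = $adminPassword
    }
}
$csvPath = Join-Path $env:TEMP "imap-batch.csv"
$rows | Export-Csv -Path $csvPath -NoTypeInformation   # contains credentials: keep it local and delete it afterwards

# 2. Endpoint for the source server. Start with a conservative connection count and adjust
#    it after measuring throughput with a small test batch, as the guidelines above suggest.
$endpoint = New-MigrationEndpoint -IMAP -Name "OldMailImap" -RemoteServer "imap.oldmail.example" `
    -Port 993 -Security Ssl -Authentication Basic -MaxConcurrentMigrations 10

# 3. IMAP copies mail items only. Skip folders that are not worth the bandwidth; the batch
#    keeps performing incremental syncs until it is removed, so do not remove it before
#    the MX record points at Office 365.
New-MigrationBatch -Name "ImapPilot" -SourceEndpoint $endpoint.Identity `
    -CSVData ([System.IO.File]::ReadAllBytes($csvPath)) `
    -ExcludeFolders "Deleted Items", "Junk Email" -AutoStart

# 4. A changed source password or a wrong UserName fails that user's migration only;
#    list those first so they can be fixed and the batch restarted.
Get-MigrationUser -BatchId "ImapPilot" | Where-Object Status -eq 'Failed' |
    ForEach-Object { Get-MigrationUserStatistics -Identity $_.Identity -IncludeReport }

# 5. The batch holds its own copy of the CSV data; the local credential file is no longer needed.
Remove-Item -Path $csvPath -Force
```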

Additional Reading: For additional information about IMAP migration, refer to What you
need to know about migrating your IMAP mailboxes to Office 365: http://aka.ms/crn236.

Implementing a PST migration

A PST migration imports mailbox data from PST files into Office 365 mailboxes. As an administrator, you can perform the PST imports for users in the Exchange admin center or Windows PowerShell. In very small environments, you also can import .pst files in Outlook.

No matter which method you use to import .pst files into Office 365 mailboxes, you must make preparations for your migration, including that you have:

 Configured Office 365 to receive email for the email domain, which means that you have added the domain to Office 365. It also means that you edited the domain's MX record to ensure that it is pointing to Office 365.

 Created .pst files for mailboxes on your previous email system. You can create the .pst files by exporting
directly from the previous email system, if supported. Conversely, you can create the .pst files by using
Outlook to perform an export of each mailbox.

 Created the user accounts in Office 365. You must create user accounts in Office 365, and you must
assign licenses to allow users to sign in and access their new mailbox.

These preparations ensure that users have a new empty mailbox that they can use to send and receive new
messages. Historical data is in the .pst files, and you need to import it into the new mailboxes.

Import PST files with Outlook


In a very small environment, you can use Outlook to import .pst files into an Office 365 mailbox. After you
import the .pst file, Outlook caches the data locally and begins synchronizing it to Office 365. Outlook must
remain open until the data synchronizes fully.

This process is simple, but can be very slow. It also is decentralized, because you must perform it on each
user desktop.

Import PST files into Office 365


You can import .pst files directly into Office 365 mailboxes without using Outlook or any other client software. This is the best .pst import solution for most organizations.

To prepare for a .pst import, you need to:

 Assign the Mailbox Import Export role to a user. This role provides the permissions to perform a .pst
import for mailboxes in Office 365. No users are assigned to this role by default.

 Create a PST to user mapping file. This file identifies the mailbox into which each .pst file should be
imported.

Before you import .pst files into Office 365, you need to move the .pst files to Microsoft Azure in one of two ways. You can:

 Ship data on a physical hard drive. Use the Microsoft Azure Import/Export Tool to copy and encrypt the PST files on an external hard drive. You then can ship the external hard drive to Microsoft. Microsoft imports the data into Windows Azure, and you then can import it.

 Upload data over the network. Use the Microsoft Azure AZCopy Tool to copy the .pst files to Windows Azure. Files are encrypted while in transit.

Your choice depends on the volume of data that you have and the speed of your network connection. If
you have a large amount of data or a slow network connection, shipping the data on a physical hard drive
may be faster.

Additional Reading: For detailed information about Importing PST files into Office 365,
refer to Import PST files to Office 365: http://aka.ms/G2n2p7.

Implementing a public-folder migration

If your organization uses legacy public folders in Exchange Server 2007 or Exchange Server 2010, you can migrate them to Office 365, and Microsoft provides scripts for the migration process. However, if your organization has public folders in Exchange Server 2013, there is no process for migrating them.

Note: If you need to migrate public folders from Exchange Server 2013 to Office 365, you can use non-Microsoft tools. You also can migrate public folders from Exchange Server 2013 by exporting to a .pst file from Outlook, but this has important limitations on size. A .pst file import for public folders in Office 365 has a limit of 30 gigabytes (GB).

Migration process
The migration process for public folders requires that you run several scripts to generate configuration files
and data that the migration process requires. In general, you need to:

1. Download the migration scripts. These are the scripts that you run to complete the steps in the
migration process.

2. Prepare for the migration. This involves verifying that proper message routing is in place, verifying that
public folder names are valid, and ensuring that a previous migration attempt is not in progress.

3. Generate a .csv file for folder mapping. In the legacy Exchange organization, you run Export-PublicFolderStatistics.ps1 and PublicFolderToMailboxMapGenerator.ps1 to generate a .csv file that the migration requires.

4. Create a public folder mailbox in Exchange Online. In Office 365, to create the public folder mailbox, run Create-PublicFolderMailboxesForMigration.ps1, and then specify the .csv file.

5. Start the public-folder migration. In the legacy Exchange organization, you run Sync-MailPublicFolders.ps1 to synchronize mail-enabled public folders with Exchange Online, create a new migration batch for public folders, and then start it. You can view the migration's details in the Exchange admin center.

6. Lock down legacy public folders. After the initial synchronization is complete, in the legacy Exchange organization, you run Set-OrganizationConfig -PublicFoldersLockedForMigration $true. This prevents users from accessing the legacy public folders while a final synchronization occurs.

7. Finalize the public-folder migration. In Office 365, run Complete-MigrationBatch to perform a final synchronization.

8. Test the public folder migration. Configure an Office 365 mailbox to use the migrated public folders to verify that the data is present and that the folders are functional. If there are any problems, you can roll back the migration.

9. Complete the migration. In the legacy Exchange organization, run Set-OrganizationConfig -PublicFolderMigrationComplete $true. In Office 365, run Set-OrganizationConfig -PublicFoldersEnabled Local.

Additional Reading: For detailed information about migrating public folders to Office 365,
refer to Use batch migration to migrate legacy public folders to Office 365 and Exchange Online:
http://aka.ms/F6ncbt.

The Exchange Online hybrid mode

Hybrid mode is a way to integrate an existing Exchange organization with Exchange Online. You also can use it for an incremental migration of mailboxes from an existing Exchange organization to Exchange Online. However, hybrid mode allows the permanent coexistence of an on-premises Exchange organization with Exchange Online.

Hybrid mode benefits

Implementing hybrid mode offers the following benefits:

 Exchange Online mailboxes and on-premises mailboxes can share domain names for message routing.

 Users can perform Free/busy searches for meeting requests between Exchange Online mailboxes and
on-premises mailboxes.

 Distribution groups can contain a combination of Exchange Online mailboxes and on-premises
mailboxes.

 Both Exchange Online and on-premises mailboxes can access public folders.

 The global address list (GAL) synchronizes for Exchange Online mailboxes and on-premises mailboxes.

 You can move mailboxes between Exchange Online and on-premises Exchange servers.

Note: Permissions for sharing mailboxes or mailbox folders are not supported between Exchange Online mailboxes and on-premises mailboxes.

Directory synchronization
Hybrid mode requires directory synchronization between your on-premises AD DS and Office 365. To
implement directory synchronization, download and install Azure AD Connect. The synchronization process
creates users and groups in Office 365 that correspond with the users and groups in your on-premises AD
DS.

When you implement directory synchronization, AD DS becomes the authoritative source for information
about your users in Office 365. Many user properties are not editable in Office 365 for synchronized users.
Instead, you edit the user properties in the on-premises AD DS and allow synchronization to update the
objects in Office 365.
When you implement directory synchronization, you have the option to enable password synchronization,
which allows users to have the same password for their on-premises user account and Office 365. Azure AD
Connect does not send the password itself: it synchronizes a salted hash derived from the on-premises
password hash, so Office 365 can verify the password without ever holding the cleartext. When the
password is changed in on-premises AD DS, it is synchronized to Office 365 within about 2 minutes. You
also can enable password writeback so that password resets performed in Office 365 are written back to
the on-premises AD DS.

Note: You also can use AD FS to provide single sign-on for Office 365 accounts, but this adds
significant complexity.
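The following script is an added example, not part of the course, that checks the tenant's synchronization state with the MSOnline module before you build the hybrid. It assumes the MSOnline module is installed and that an Office 365 administrator signs in when prompted; the three-hour freshness threshold is an arbitrary local choice.

```powershell
# Added example (not from the course): check the tenant's synchronization state
# before building the hybrid. Assumes the MSOnline module is installed; the
# three-hour freshness threshold is an arbitrary local choice.
Import-Module MSOnline
Connect-MsolService                       # prompts for Office 365 administrator credentials

$maxAge  = New-TimeSpan -Hours 3
$now     = (Get-Date).ToUniversalTime()
$company = Get-MsolCompanyInformation     # LastDirSyncTime / LastPasswordSyncTime are UTC

if (-not $company.DirectorySynchronizationEnabled) {
    throw 'Directory synchronization is not enabled; install Azure AD Connect first.'
}

$dirAge = $now - $company.LastDirSyncTime
'Last directory sync: {0:u} ({1:N0} minutes ago)' -f $company.LastDirSyncTime, $dirAge.TotalMinutes
if ($dirAge -gt $maxAge) {
    Write-Warning 'Directory synchronization looks stale; check the Azure AD Connect server.'
}

if ($company.PasswordSynchronizationEnabled) {
    $pwdAge = $now - $company.LastPasswordSyncTime
    'Last password sync:  {0:u} ({1:N0} minutes ago)' -f $company.LastPasswordSyncTime, $pwdAge.TotalMinutes
    if ($pwdAge -gt $maxAge) {
        Write-Warning 'Password hash sync looks stale; on-premises password changes are not reaching Office 365.'
    }
} else {
    Write-Warning 'Password hash synchronization is off; users keep separate cloud passwords unless AD FS is used.'
}

# Synchronized users carry an ImmutableId (by default derived from the on-premises
# objectGUID); cloud-only users do not. The split shows which accounts must be
# edited in AD DS and which can still be managed directly in Office 365.
$users  = Get-MsolUser -All
$synced = @($users | Where-Object { $_.ImmutableId })
$cloud  = @($users | Where-Object { -not $_.ImmutableId })
'Synchronized users: {0}; cloud-only users: {1}' -f $synced.Count, $cloud.Count
$cloud | Sort-Object UserPrincipalName | Select-Object UserPrincipalName, IsLicensed
```

Run it after the first full synchronization cycle completes. The list of cloud-only accounts is worth keeping: at least one cloud-only administrator should remain so that you can still sign in to Office 365 if synchronization or AD FS fails.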

Hybrid configuration wizard


After you have enabled directory synchronization and added the hybrid domain to Office 365, you can run
the Hybrid Configuration wizard in the Exchange admin center, which allows you to:

1. Enable federation for the selected domains. To enable federation, you must create a DNS TXT record
for each domain to prove ownership. This is a different TXT record from the one you created to prove
ownership when adding the domain to Office 365.

2. Select on-premises servers for mail flow. You must select the Exchange servers that will be responsible
for mail flow between Office 365 and your on-premises Exchange organization. The wizard creates
connectors automatically to secure inbound and outbound mail flow with TLS.

3. Identify URLs for web services. The wizard uses Autodiscover to determine the URLs required for the
web services connectivity that free/busy sharing uses.

4. Create an organization sharing policy. This policy contains the configuration information required to
allow free/busy sharing between the on-premises Exchange organization and Office 365.

Decommissioning on-premises Exchange servers


Many organizations use hybrid mode as an interim step to perform an incremental migration to Office 365.
When the migration of mailboxes to Office 365 is complete, they want to finish the migration process and
remove all Exchange servers from their on-premises environment. In most cases, it is not advisable to
remove all Exchange servers from the on-premises environment even though all of the mailboxes have
been migrated.


If you remove all Exchange servers from the on-premises environment, you lose access to the Exchange
management tools that allow you to modify Exchange attributes. If you continue to use directory
synchronization to perform password synchronization and automatically create Office 365 users, then you
need access to a local copy of the Exchange management tools because the local AD DS is authoritative.
You cannot directly modify many attributes, such as email addresses, in the Office 365 Exchange admin
center.

Note: You may find blog postings about how to manage synchronized user attributes in the
local AD DS by editing the user object in ADSI Edit or Active Directory Users and Computers.
However, direct editing of user objects is not supported.
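The following script is an added example, not from the course, of the supported way to change a synchronized user's email addresses: from the on-premises Exchange Management Shell, with Azure AD Connect carrying the change to Office 365. It assumes one on-premises Exchange server remains, the user Holly already has a remote (Office 365) mailbox object, adatum.com is an accepted domain, and Azure AD Connect runs on LON-DS1; the new address is made up.

```powershell
# Added example (not from the course): change a synchronized user's email
# addresses the supported way, from the on-premises Exchange Management Shell.
# Assumes one on-premises Exchange server remains, the user 'Holly' already has
# a remote (Office 365) mailbox object, adatum.com is an accepted domain, and
# Azure AD Connect runs on LON-DS1. The address itself is made up.
$user     = 'Holly'
$newProxy = 'smtp:holly.dickson@adatum.com'    # lowercase smtp: = secondary address

# Set-RemoteMailbox writes proxyAddresses on the on-premises AD DS object.
# Running Set-Mailbox against the same user in Exchange Online fails, because
# synchronized objects are outside Exchange Online's write scope.
# EmailAddressPolicyEnabled is turned off so the on-premises address policy does
# not re-stamp the addresses on the next policy update.
Set-RemoteMailbox -Identity $user -EmailAddressPolicyEnabled $false -EmailAddresses @{Add = $newProxy}

# Confirm the local change before it leaves the organization.
Get-RemoteMailbox -Identity $user |
    Select-Object Name, PrimarySmtpAddress, @{n = 'Proxies'; e = { $_.EmailAddresses -join '; ' }}

# Azure AD Connect picks the change up on its next scheduled cycle (every
# 30 minutes by default); a delta cycle can be started now on the sync server.
Invoke-Command -ComputerName LON-DS1 -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

# After the cycle, verify in Exchange Online (in a separate remote session):
# Get-Mailbox -Identity holly | Select-Object PrimarySmtpAddress, EmailAddresses
```

The same pattern applies to any synchronized attribute: edit it with the on-premises Exchange cmdlets (Set-RemoteMailbox, Set-MailUser, Set-DistributionGroup) rather than with ADSI Edit, and let synchronization update Office 365.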

Check Your Knowledge


Question

Your organization currently is using Gmail and Google Docs, and has decided to migrate
to Office 365 for email and file sharing. Which migration type should you use so your end
users experience the least amount of downtime?

Select the correct answer.

Cutover Exchange migration

Staged Exchange migration

x IMAP migration

PST migration

Exchange Online hybrid mode

Check Your Knowledge


Question

Your organization has an on-premises Exchange Server 2010 deployment, and wants to
migrate to Office 365. Your organization has 3,000 mailboxes, with an average mailbox
size of 1 GB. Which migration type should you use?

Select the correct answer.

Cutover Exchange migration

Staged Exchange migration

IMAP migration

PST migration

x Exchange Online hybrid mode



Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

A cutover migration batch continues synchronizing until you remove it. T

Sequencing Activity
Put the following steps for a staged Exchange migration in order, numbering each to indicate the correct
order from 1 through 9.

Steps

1 Configure a migration administrator account with Full Access permissions to the source mailboxes.

2 Configure directory synchronization.

3 Create a migration endpoint.

4 Create the staged migration batch.

5 Convert on-premises mailboxes to mail-enabled users.

6 Update MX records to change mail routing to Office 365.

7 Assign Office 365 licenses to users

8 Delete all staged migration batches.

9 Update Autodiscover DNS records



Lab B: Configuring email protection and client policies


Scenario
The pilot project is going well at A. Datum. Before finishing it and moving into a full deployment, you need
to confirm that you can configure the Exchange Online settings to match the on-premises settings for
options such as anti-spam and antivirus settings, and client access policies.

Objectives
After completing this lab, you will have:

 Configured anti-spam and antivirus settings

 Configured client access policies

Lab Setup
Estimated Time: 35 minutes

Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, 20347A-LON-CL1, 20347A-LON-CL2

User names: Adatum\Administrator, Adatum\Holly, and LON-CL2\Francisco


Password: Pa$$w0rd

In all tasks:

 In references to Adatumyyxxxxx.onmicrosoft.com, replace Adatumyyxxxxx with your unique Office 365
name that displays in the online lab portal.

 In references to Adatumyyxxxxx.hostdomain.com, replace Adatumyyxxxxx with your unique
hostdomain.com name that displays in the online lab portal.

This lab requires the following virtual machines:

 LON-DC1

o Sign in as Adatum\Administrator using the password Pa$$w0rd


 LON-DS1

o Sign in as Adatum\Administrator using the password Pa$$w0rd

 LON-CL1
o Sign in as Adatum\Holly using the password Pa$$w0rd

 LON-CL2

o Sign in as LON-CL2\Francisco using the password Pa$$w0rd

Exercise 1: Configuring email protection


Scenario
You also need to explore the anti-spam and antivirus settings that are available in Exchange Online, and
you must:

 Configure a policy to ensure that an administrator account is notified when Exchange Online receives a
message that contains malware.

 Ensure that internal users are notified when their messages are not delivered.

 Ensure that you can block all email from IP addresses that you specify.

 Ensure that Sales users receive all messages, even if there is a high likelihood that the message is spam.

 Ensure that Exchange Online quarantines all messages for other users if there is a high probability that
the message is spam.

The main tasks for this exercise are as follows:

1. Configure the malware filter.


2. Configure the connection filter.

3. Configure the spam filter.

4. Test the spam filter settings (optional).

 Task 1: Configure the malware filter


1. On LON-CL1, in the Exchange admin center, browse to malware filter in protection.

2. Modify the Default malware filter to:

o Notify internal senders when a message is blocked


o Notify Holly@Adatumyyxxxxx.hostdomain.com when messages from internal or external
senders are blocked

 Task 2: Configure the connection filter


 On LON-CL1, in the Exchange admin center, configure the Default connection filter with the following
settings:

o Block 192.168.0.0/24

o Enable safe list

 Task 3: Configure the spam filter


1. On LON-CL1, in the Exchange admin center, modify the Default spam filter to quarantine high-
confidence spam.

2. Create a new spam filter with the following settings:


o Name: Sales spam policy

o Spam: Prepend subject line with text

o High confidence spam: Move message to Junk Email folder

o Prepend subject line with this text: Junk

o Applied to: members of Sales group

 Task 4: Test the spam filter settings (optional)


1. Sign in to your alias@outlook.com accounts.

2. Create a new message to send to kendra@Adatumyyxxxxx.hostdomain.com.

3. In the body of the message, include the text
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X, and then send the message.

4. Create a new message to send to francisco@Adatumyyxxxxx.hostdomain.com.

5. In the body of the message, include the text
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X, and then send the message.

6. On LON-CL1, in the Exchange admin center, browse to quarantine in protection.



7. Verify that the message sent to Francisco is in quarantine, but the message sent to Kendra is not.

8. Release the message sent to Francisco.

9. On LON-CL2, in Outlook on the web, verify that the message was delivered to Francisco.

Results: After completing this exercise, you should have configured anti-spam and antivirus settings.
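The following script is an added example, not part of the lab, that applies the Exercise 1 settings with Exchange Online PowerShell instead of the Exchange admin center. It assumes an open remote PowerShell session to Exchange Online, the lab's placeholder domain, and that the Sales group is mail-enabled as Sales@<domain>.

```powershell
# Added example (not part of the lab): Exercise 1 applied with Exchange Online
# PowerShell. Assumes an open remote PowerShell session to Exchange Online and
# the lab's placeholder domain; the Sales group is assumed to be mail-enabled
# as Sales@<domain>.
$domain = 'Adatumyyxxxxx.hostdomain.com'
$admin  = "Holly@$domain"

# Task 1: the default malware filter notifies the internal sender and sends
# Holly an administrator notification for blocked internal and external mail.
Set-MalwareFilterPolicy -Identity Default `
    -EnableInternalSenderNotifications $true `
    -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress $admin `
    -EnableExternalSenderAdminNotifications $true -ExternalSenderAdminAddress $admin

# Task 2: the connection filter blocks a source range and enables the safe list.
# IPBlockList is multivalued; @{Add=...} appends instead of overwriting.
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPBlockList @{Add = '192.168.0.0/24'} -EnableSafeList $true

# Task 3: high-confidence spam is quarantined for everyone by default ...
Set-HostedContentFilterPolicy -Identity Default -HighConfidenceSpamAction Quarantine

# ... except Sales, who get everything delivered with a tagged subject line.
# A content filter policy does nothing until a rule scopes it to recipients.
New-HostedContentFilterPolicy -Name 'Sales spam policy' `
    -SpamAction ModifySubject -ModifySubjectValue 'Junk' `
    -HighConfidenceSpamAction MoveToJmf
New-HostedContentFilterRule -Name 'Sales spam policy' `
    -HostedContentFilterPolicy 'Sales spam policy' -SentToMemberOf "Sales@$domain"

# Task 4: after the GTUBE test messages have been sent, inspect the quarantine
# for Francisco (who is not in Sales) and release his message.
Get-QuarantineMessage -RecipientAddress "francisco@$domain" |
    Select-Object ReceivedTime, SenderAddress, Subject, Type, Identity
Get-QuarantineMessage -RecipientAddress "francisco@$domain" |
    Release-QuarantineMessage -ReleaseToAll
```

Run the Get-QuarantineMessage line for Kendra as well: it should return nothing, because her message was delivered to the Junk Email folder under the Sales policy rather than quarantined.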

Exercise 2: Configuring client access policies


Scenario
A. Datum wants to be able to restrict some options for Outlook on the Web and mobile clients. You need to
configure policies for Outlook Web App, mobile device access, and mailboxes.

The main tasks for this exercise are as follows:

1. Configure an Outlook Web App policy.


2. Configure mobile-device access.

3. Configure a mailbox policy for mobile devices.

4. Validate mobile-device management policies (optional).

 Task 1: Configure an Outlook Web App policy


1. On LON-CL1, in the Exchange admin center, browse to the Outlook Web App policies in permissions.

2. Create a new Outlook Web App policy named Limited features with the following features disabled:

o Instant messaging

o Text messaging

o Unified messaging

o LinkedIn contact sync

o Journaling

o Direct file access for private computers.

3. Associate the Limited features Outlook Web App policy with Kendra Sexton (in the user's account
settings).

4. In Outlook, create a new message for Kendra Sexton, and attach the C:\Windows\Logs\DISM\dism.log
file (see lab details).

5. On LON-CL2, sign out of Outlook on the web, and then sign in again as
Kendra@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

6. Verify that Kendra is unable to access the attachment in the new message.

 Task 2: Configure mobile-device access


1. On LON-CL1, in the Exchange admin center, browse to mobile device access in mobile.

2. Edit the Exchange ActiveSync Access settings to quarantine new mobile devices and notify Holly
Dickson.

Note: This task no longer works with iOS and Android (28/9/16).



 Task 3: Configure a mailbox policy for mobile devices


1. On LON-CL1, browse to mobile device mailbox policies in mobile.

2. Modify the Default policy to:

o Require a password

o Allow simple passwords

o Minimum password length of 4

 Task 4: Validate mobile-device management policies (optional)


1. On your mobile device, add a new ActiveSync account for Francisco Chaves.

2. If Autodiscover does not detect the server name, enter outlook.office365.com.

3. Your device will be placed into quarantine, and you must approve the device before you can send and
receive messages.

4. After you configure the Exchange ActiveSync account, the security settings from the mobile device
mailbox policy will apply, and you may be prompted to create a password on your device.
5. When you are done testing, you can delete the account from your mobile device.

6. Leave the virtual machines running for the next lab.

Results: After completing this exercise, you should have configured client access policies.
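The following script is an added example, not part of the lab, that applies the Exercise 2 settings with Exchange Online PowerShell and then approves the quarantined device from Task 4. It assumes an open remote PowerShell session to Exchange Online and the lab's placeholder domain; the stricter 'Hardened devices' policy at the end is a hypothetical addition for comparison, not a lab requirement.

```powershell
# Added example (not part of the lab): Exercise 2 applied with Exchange Online
# PowerShell. Assumes an open remote PowerShell session to Exchange Online and
# the lab's placeholder domain. 'Hardened devices' is a hypothetical policy.
$domain = 'Adatumyyxxxxx.hostdomain.com'

# Task 1: an Outlook Web App mailbox policy with the listed features off, then
# assigned to Kendra through her Client Access settings.
New-OwaMailboxPolicy -Name 'Limited features'
Set-OwaMailboxPolicy -Identity 'Limited features' `
    -InstantMessagingEnabled $false -TextMessagingEnabled $false `
    -UMIntegrationEnabled $false -LinkedInEnabled $false -JournalEnabled $false `
    -DirectFileAccessOnPrivateComputersEnabled $false
Set-CASMailbox -Identity "Kendra@$domain" -OwaMailboxPolicy 'Limited features'

# Task 2: unknown Exchange ActiveSync devices are quarantined and Holly is notified.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "Holly@$domain"

# Task 3: the lab's settings, exactly as written. A 4-character simple PIN is
# what the lab asks for, not a recommendation.
Set-MobileDeviceMailboxPolicy -Identity Default `
    -PasswordEnabled $true -AllowSimplePassword $true -MinPasswordLength 4

# A stricter alternative for comparison: complex password, wipe after repeated
# failures, idle lock, and device encryption required. Assign it per user with
# Set-CASMailbox -ActiveSyncMailboxPolicy when it should apply.
New-MobileDeviceMailboxPolicy -Name 'Hardened devices' `
    -PasswordEnabled $true -AllowSimplePassword $false -MinPasswordLength 6 `
    -MaxPasswordFailedAttempts 10 -MaxInactivityTimeLock '00:05:00' `
    -RequireDeviceEncryption $true

# Task 4: list Francisco's quarantined device(s) and approve them for his mailbox.
$dev = Get-MobileDevice -Mailbox "francisco@$domain" |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' }
$dev | Select-Object DeviceModel, DeviceOS, DeviceId, DeviceAccessState
Set-CASMailbox -Identity "francisco@$domain" -ActiveSyncAllowedDeviceIDs @{Add = $dev.DeviceId}
```

The device mailbox policy is enforced by the device when it synchronizes; a device that ignores the policy stays blocked only if the policy's AllowNonProvisionableDevices setting is false, so check that value before relying on the password requirement.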

Module Review and Takeaways


Review Questions
Question: Why is it important not to remove the last on-premises Exchange server when
directory synchronization is in place?

Question: You recently migrated all of your organizational mailboxes to Office 365. Many of
your users have mobile devices that connect by using Exchange ActiveSync. Your security
officer was shocked when he saw that a user did not have a password on his mobile device.
Why did this happen, and how can you fix it?

Module 8
Planning and deploying Skype for Business Online
Contents:
Module Overview 8-1

Lesson 1: Planning and configuring Skype for Business Online service settings 8-2

Lesson 2: Configuring Skype for Business Online users and client connectivity 8-12
Lesson 3: Planning voice integration with Skype for Business Online 8-15

Lab: Configuring Skype for Business Online 8-24

Module Review and Takeaways 8-30

Module Overview
Skype for Business Online is a core component of Microsoft Office 365. Skype for Business Online provides
a variety of options for users to collaborate with each other, including presence information, instant
messaging (IM), and audio and video conferencing. Additionally, Skype for Business Online provides a full
voice solution, where you can replace some or all on-premises Private Branch Exchange (PBX)
functionality with a cloud-based solution.

Objectives
After completing this module, you will be able to:

• Plan and configure Skype for Business Online service settings.

• Configure Skype for Business Online user settings and clients.

• Plan voice integration with Skype for Business Online.



Lesson 1
Planning and configuring Skype for Business Online
service settings
Most Office 365 subscriptions include Skype for Business Online. When you assign users licenses that
include Skype for Business Online, they can immediately start using this feature. However, before you
enable users to utilize Skype for Business Online, you should understand the Skype for Business Online
service, and you should be able to configure the service settings to meet your organization’s
requirements.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe Skype for Business Online features.


• Describe the various Skype for Business Online subscription options.

• Describe Skype for Business Online network requirements.

• Explain how to connect to Skype for Business Online by using Windows PowerShell.
• Explain how to configure organization settings.

• Explain how to configure external communications.

• Describe Skype Meeting Broadcast.


• Explain how to configure Skype Meeting Broadcast.

Overview of Skype for Business Online


Skype for Business Online helps connect
organizational users with multiple devices, and it
offers a consistent experience for presence, IM,
and voice and video conferencing. Skype for
Business Online is available as a stand-alone Office
365 service or as a part of most Office 365
subscriptions.

Skype for Business Online provides the following key features:

• Real-time presence. Users get availability and location information to make it easier for them to
choose the best method of communication with their co-workers. Skype for Business Online tracks
presence information for all Skype for Business Online users, and it provides this information to the
Skype for Business client and other apps such as Microsoft Outlook 2013 or later.

• IM. Users can utilize standard text-based IM to communicate in real time with multiple users, and
users can transfer files to those users.

• Voice calls. Users can make Skype for Business calls to other Skype for Business users inside and
outside an organization, and if enabled, they can call Skype consumer users.

• Web conferencing. Skype for Business Online can host conferences, which you can schedule or run as
needed. Conferences can include IM, audio, video, application sharing, slide presentations, and other
forms of data collaboration.

• Audio conferencing. Users can join Skype for Business Server–based audio conferences by using any
desktop or mobile device. When connecting to an audio conference by using a web browser, users
can provide a telephone number that the audio conferencing service calls.

• Enhanced presentations. Users can enhance their online presentations by using Skype for Business
Online screen sharing, application sharing, and virtual whiteboard features.
• Support for federation. You can configure federation with other organizations that are running Skype
for Business Online, Skype for Business Server on-premises, Microsoft Lync Server, or Microsoft Office
Communications Server—you can provide full Skype for Business functionality for users in multiple
organizations.

Skype for Business Online subscription options


Microsoft provides several different Office 365
and Skype for Business subscriptions. Skype for
Business Online is included with many Office 365
Business and Enterprise subscriptions, with
different levels of functionality provided with
different subscriptions.
In addition to ordering Skype for Business Online
as part of an Office 365 subscription, you also can
order Skype for Business Online as a stand-alone
subscription. The following table shows some of
the options that are available with each
subscription.

Option                                  Skype for Business   Skype for Business   Skype for Business
                                        Online plan 1        Online plan 2        Server 2015

Presence and instant messaging          Yes                  Yes                  Yes

Audio and HD video calling to Skype     Yes                  Yes                  Yes
  for Business users

Group HD video calling                  No                   Yes                  Yes

Schedule meetings in Outlook            No                   Yes                  Yes

Join meetings from desktops and web     No                   Yes                  Yes
  browsers, including anonymously

Desktop sharing, application sharing,   No                   Yes                  Yes
  and remote control

Persistent Chat                         No                   No                   Yes

Dial-in audio conferencing              No                   No                   Yes

Enterprise Voice                        No                   No                   Yes



Additional Reading: For more information, refer to Skype for Business Compare plans:
http://aka.ms/vqcfmt.

Additional Reading: For more information on the Skype for Business options that are
provided with Office 365 and Skype for Business Online stand-alone subscriptions, refer to Skype
for Business Online Service Description: http://aka.ms/eljskd.

Network requirements for Skype for Business Online


When you plan for a Skype for Business Online
deployment, you need to consider the following
network requirements:

Internet connectivity requirements


If you are not restricting internal user connections
to the Internet based on external domain names
or port numbers, you do not need to change any
network settings on your network. Client
computers in your network initiate all connections
to Skype for Business Online, and in most cases,
firewalls do not block responses to these
connections.

Some organizations use proxy servers or firewall settings to block users from accessing Internet locations.
If you are limiting the domains, URLs, and IP addresses that your internal users can access, then you must
ensure that internal clients have access to the domain names, URLs, and ports that Skype for Business
Online servers require.

Additional Reading: For more information on the domain names, URLs, IP addresses, and
port numbers that Office 365 and Skype for Business Online require, refer to Office 365 URLs and
IP address ranges: http://aka.ms/Ef9aum.

As a best practice, you should allow internal users to access Skype for Business Online servers by using
domain names or URLs rather than IP addresses. The IP addresses that are associated with the Skype for
Business Online servers might change frequently, whereas domain names and URLs are less likely to
change.

In addition to ensuring user access to Skype for Business Online servers, you can perform the following
key network optimization configurations:

• Disable authentication for Skype for Business Online audio and video traffic when an authenticating
HTTP proxy is used.

• Configure the network to allow User Datagram Protocol traffic for better audio and video
performance.

• Modify internal routers and optimize internal network paths for audio and video traffic.

Bandwidth requirements for Office 365


You should carry out a comprehensive assessment of the required network bandwidth for Skype for
Business Online and its conferencing features, as these services might necessitate an increase in the
required bandwidth.

Additional Reading: The Skype for Business Bandwidth Calculator is a tool that you can
use to calculate bandwidth requirements. You can download this tool from:
http://aka.ms/h028y7.

Additional Reading: For more information on Internet bandwidth usage for Office 365
services, refer to Network planning and performance tuning for Office 365: http://aka.ms/i09jrk.

Connecting to Skype for Business Online by using Windows PowerShell


As with almost all other Office 365 components, you can manage all Skype for Business Online settings by
using the Windows PowerShell command-line interface. The Skype for Business admin center is generally
easier for new administrators to use, but Windows PowerShell offers the following advantages over the
Skype for Business admin center:

• Some tasks can be performed only by using Windows PowerShell.

• More experienced users can use Windows PowerShell to organize multiple Windows PowerShell
commands into scripts and then use these scripts to automate and speed up repetitive tasks.

Software requirements
To manage Skype for Business Online by using Windows PowerShell, your computer must be running a
64-bit Windows operating system and have the following installed:

• Windows PowerShell 3.0 or later. An appropriate version of Windows PowerShell is already pre-
installed on Windows Server 2012 or Windows 8 or later operating systems.

• The Skype for Business Online module for Windows PowerShell. This installs the Skype for Business
Online Connector module and the New-CsOnlineSession cmdlet on your local computer. You can
download this module from http://aka.ms/x3kyib.

Note: If you are using a computer that is running Windows 7, then you will need to install
Windows PowerShell 3.0 and the Microsoft Online Services Sign-In Assistant. This software
provides sign-in and authentication functionality for Office 365 applications, including Skype for
Business Online. This can be downloaded from the Microsoft Download Center at
http://aka.ms/vl42dg.

Connecting to Skype for Business Online by using Windows PowerShell


After installing the required software, you need to connect to Skype for Business Online before you can
run remote Windows PowerShell commands. To do this, run the following commands in Windows
PowerShell:

# Prompt for the credentials of a Skype for Business Online administrator
$cred = Get-Credential
# Create the remote session to Skype for Business Online with those credentials
$SfBSession = New-CsOnlineSession -Credential $cred
# Import the session so that its cmdlets are available in the local console
Import-PSSession $SfBSession

After completing the first command, a credentials dialog box appears. Enter the user name and password
for a Skype for Business Online administrator. The second command creates the variable $SfBSession and
uses the New-CSOnlineSession command to create a connection to Skype for Business Online by using
the supplied credentials. The last command imports the session to your Windows PowerShell console. You
can then use all Skype for Business Online commands.
To remove the Windows PowerShell session and to disconnect from Skype for Business Online, run the
following command:

Remove-PSSession $SfBSession

Note: Specific examples of Windows PowerShell commands are included in the
configuration topics in the rest of this module.

Additional Reading: For more information on using Windows PowerShell to perform
common administrative tasks in Skype for Business Online, refer to Quick reference: Using
Windows PowerShell to do common Skype for Business Online management tasks:
http://aka.ms/tbf95p.

Additional Reading: For more information on specific Windows PowerShell cmdlets to
administer and configure Skype for Business Online, refer to The Skype for Business Online
cmdlets: http://aka.ms/b0gp7b.

Configuring organization settings


After you configure an Office 365 tenant, you can
configure Skype for Business organization settings
in the Skype for Business admin center.

Configuring general settings


You can configure the following organization settings on the general page:

• Presence privacy mode. This defines whether users' presence information displays for everyone who
they communicate with, or just for their contacts. The options include:

o Automatically display presence information (default)

o Display presence information only to a user's contacts

• Mobile phone notifications. Mobile phone notifications alert Windows Phone and iOS users when
they receive incoming instant messages when the users are not actively using their Skype for Business
clients. Users can also disable these push notifications on their devices.

By default, push notifications are enabled for Windows Phones through the Microsoft Push Notification
Service and for iOS devices through the Apple Push Notification Service. You can disable either or both
options. If you disable these options for an organization, users will not receive push notifications even if
the options are enabled on their devices.

Configuring meeting invitations


When users create meeting invitations by using Outlook or Microsoft Outlook Web App, the meeting
invitations include generic meeting details. You can customize Skype for Business meeting invitations for
your organization by configuring the following:

• Logo URL. The logo that the URL points to must be a JPG or GIF image that is a maximum of 188
pixels wide by 30 pixels high.

• Help URL. This points to your organization’s support website.

• Legal URL. This points to a website that contains your organization’s legal disclaimers.

• Footer text. This allows you to enter free text, such as legal disclaimer information, directly into the
meeting invitation.

Configuring organization settings by using Windows PowerShell


You can configure organization settings by using the following commands:

• To configure presence privacy settings, use the Set-CsPrivacyConfiguration cmdlet, with the
EnablePrivacyMode parameter. If this parameter is set to True, then users can turn on advanced
privacy mode so that only their contacts can see their presence information. If set to False, then
presence information is available to all users in the organization.

• To enable or disable push notifications to iPhones or Windows Phones, you can use the Set-
CsPushNotificationConfiguration cmdlet, which uses the EnableApplePushNotificationService and
EnableMicrosoftPushNotificationService parameters.

• To customize meeting invitations, use the Set-CSMeetingConfiguration cmdlet, and configure the
LogoURL, LegalURL, HelpURL, and CustomFooterText parameters.

• You can also use the Set-CSMeetingConfiguration cmdlet to configure other meeting parameters
for your organization, including the following:
o Use the AdmitAnonymousUsersByDefault parameter to define whether to allow anonymous users
into meetings automatically, or whether they will need to wait in a lobby until a meeting
presenter admits them.
o Use the AllowConferenceRecording parameter to define whether users will be able to record
meetings.
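The following script is an added example, not from the course, that applies the organization settings above with the Skype for Business Online module and reads them back. It assumes a session created with New-CsOnlineSession has already been imported; the URLs and footer text are placeholders.

```powershell
# Added example (not from the course): organization settings applied with the
# Skype for Business Online cmdlets. Assumes a session created with
# New-CsOnlineSession has been imported; URLs and footer text are placeholders.

# Let users opt into privacy mode so that only their contacts see their presence.
Set-CsPrivacyConfiguration -EnablePrivacyMode $true

# Keep iOS push notifications, switch Windows Phone push notifications off.
Set-CsPushNotificationConfiguration `
    -EnableApplePushNotificationService $true `
    -EnableMicrosoftPushNotificationService $false

# Branded invitations (logo must be JPG or GIF, at most 188 x 30 pixels),
# anonymous attendees held in the lobby, and conference recording disabled.
Set-CsMeetingConfiguration `
    -LogoURL 'https://www.adatum.com/images/invite-logo.jpg' `
    -HelpURL 'https://support.adatum.com' `
    -LegalURL 'https://www.adatum.com/legal' `
    -CustomFooterText 'Internal use only. Do not forward this invitation outside A. Datum.' `
    -AdmitAnonymousUsersByDefault $false `
    -AllowConferenceRecording $false

# Read the settings back to confirm that the changes took effect.
Get-CsPrivacyConfiguration | Select-Object EnablePrivacyMode
Get-CsPushNotificationConfiguration |
    Select-Object EnableApplePushNotificationService, EnableMicrosoftPushNotificationService
Get-CsMeetingConfiguration |
    Select-Object LogoURL, HelpURL, LegalURL, CustomFooterText,
                  AdmitAnonymousUsersByDefault, AllowConferenceRecording
```

Setting AdmitAnonymousUsersByDefault to false is the setting that matters most for meetings with external attendees: with it, an outsider who obtains a meeting link still waits in the lobby until a presenter admits them.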

Configuring external communications


When you implement Skype for Business Online,
you can configure the level of integration
between your organization and other
organizations that are running Skype for Business
Online or Skype for Business Server 2015 on-
premises. To do this, you need to configure
external communications settings in the Skype for
Business admin center.

Configuring external access with other domains


When you enable users to communicate with other organizations, you are configuring domain federation.
If the other organization is also hosted on Skype for Business Online and the other organization is not
configured to block your domain, then domain federation is automatically enabled. If the other
organization is using an on-premises version of Lync Server or Skype for Business Server, then they might
need to further configure federation with your online tenant.

Additional Reading: For more information on how to configure an on-premises
environment to federate with Skype for Business Online, refer to Managing federation and
external access to Lync Server 2013: http://aka.ms/v748ur.

By default, domain federation with all domains is allowed when you configure an Office 365 tenant. You
can modify the default setting by choosing one of the following options:

• Off completely. This disables external access and will prevent users from communicating with
anyone in an external domain.

• On except for blocked domains. This enables domain federation for all domains except for those
that you explicitly add to the blocked domains list.

• On only for allowed domains. This enables domain federation for all the domains that you explicitly
add to the allowed domains list.

After federation is established between domains, users in the two organizations will be able to
communicate with contacts that they have added to their Skype for Business clients.

Note: Public IM connectivity in Skype for Business Online supports only connectivity with
Skype for Business, Lync, and Skype consumer users; it does not support other public IM
networks such as AOL Instant Messenger or Yahoo Messenger.

Skype communications between users in federated domains are restricted to Skype for Business Online
features that both organizations support. For example, if your organization supports video conversations
but the other domain does not, your users will not be able to start video conversations with users in that
federated domain.

Configure public IM connectivity


You can also configure whether or not users are able to communicate by using IM and audio and video
calls with users who utilize the public version of Skype. If you want to allow users to communicate with
Skype users, you need to permit domain federation in the external access settings, and then select the Let
people use Skype for Business to communicate with Skype users outside your organization option.

Note: You can also use the Office 365 admin center to configure external communication
settings for Skype for Business Online. To do this, expand the External Sharing tab, and then
click Skype for Business. You can then enable or disable external access and configure the
blocked or allowed domains.

Configuring external communications by using Windows PowerShell


To configure external communication settings by using Windows PowerShell, use the following
commands:

• To enable or disable federation with public IM providers, you can use the
Set-CsTenantFederationConfiguration cmdlet with the AllowPublicUsers parameter.

• To allow federation with all domains, you can use a variable with the
New-CsEdgeAllowAllKnownDomains cmdlet, and then use the
Set-CsTenantFederationConfiguration cmdlet with the AllowedDomains
parameter and the defined variable.

• To view a list of blocked domains, you can use the Get-CsTenantFederationConfiguration cmdlet and
pipe its output to Select-Object -ExpandProperty BlockedDomains.

• To add a domain to the blocked domains list, you can use a variable with the
New-CsEdgeDomainPattern cmdlet, and then use the Set-CsTenantFederationConfiguration
cmdlet with the BlockedDomains parameter and the Add method with the defined variable.

Skype Meeting Broadcast


Skype Meeting Broadcast is a new offering from
Office 365 and Skype for Business Online that uses
the Office 365 infrastructure to broadcast
meetings to a large number of attendees. A Skype
Meeting Broadcast can be broadcast live and
viewed simultaneously by up to 10,000 users
around the world.

To use Skype Meeting Broadcast, you must have an Office 365 Enterprise E1, Office 365 Enterprise E3, or
Office 365 Enterprise E5 or a stand-alone Skype for Business Online Plan 2 license assigned to your
account. You can use Skype Meeting Broadcast if you have an on-premises Skype for Business Server
deployment, but you must enable hybrid mode with Skype for Business Online.

When configuring Skype Meeting Broadcast, you can configure the following roles for users in your
organization:
• Organizer. A user needs to have meeting organization permissions to create a meeting request and
invite others to join the meeting. An organizer can also review meeting reports after a meeting is
complete. By default, only users assigned the Office 365 Global admin role can organize meetings.

• Producer. A user with producer permissions can manage meeting content such as live or dial-in
presentations, audio or video sources, and Microsoft PowerPoint decks. Producers can also record
meetings and post recordings to Office 365 Video.

• Event team member. Event team members can contribute to the event as a presenter.

• Attendee. Attendees do not have any presenter permissions; they can only attend and view a
meeting.

You cannot schedule Skype Meeting Broadcast in Outlook; instead, you have to connect to
https://broadcast.skype.com, which is the scheduling portal. After you sign in to the portal, you can
schedule a Skype Meeting Broadcast before sending an invitation.

The steps for joining a Skype Meeting Broadcast are the same as joining any other meeting in
Skype for Business, with one exception. Even though users connect by using the familiar method,
participants will not receive any presentation until a presenter turns on audio. In a traditional
Skype for Business meeting, audio is not a requirement.

When running a Skype Meeting Broadcast, you can use a web browser and the Skype for Business Web
App, or you can use the Skype for Business 2015 client. Regardless, the client layout and the options
change slightly when in a broadcast session. For example, you can only show one video feed at a time,
and the only sharing that can occur is by using PowerPoint via Office Web Apps Server, or Office Online
Server.

Configuring Skype Meeting Broadcast


To enable and configure Skype Meeting
Broadcast, you must configure certain settings by
using Windows PowerShell. However, before you
can do that, you must connect to Skype for
Business Online by using an Office 365 global
administrator’s credentials.
1. To view the current Skype Meeting Broadcast configuration, run the following command:

Get-CsBroadcastMeetingConfiguration

2. By default, the EnableBroadcastMeeting parameter is set to False. You can change this to True by
running the following command:

Set-CsBroadcastMeetingConfiguration -EnableBroadcastMeeting $True

3. Before users can configure meeting broadcasts, you need to enable external communications for your
organization, and you need to ensure that access to the meeting broadcast domains is not blocked.
You must enable the Let people use Skype for Business to communicate with Skype users
outside your organization option. If you are limiting external access by domain, you need to ensure
that the following domains are on the allowed domain list:
o noammeetings.lync.com

o emeameetings.lync.com

o apacmeetings.lync.com

o resources.lync.com

4. If you are limiting the URLs and IP addresses that your users can access on the Internet, you need to
ensure that users can access the following URLs and domains.

URLs                             Domains
https://broadcast.skype.com      Skype.com
https://*.broadcast.skype.com    *.skype.com
http://*.microsoftonline.com     *.microsoftonline.com
https://*.microsoftonline.com    *.microsoftonline.com
http://aka.ms                    aka.ms
https://*.infra.lync.com         *.infra.lync.com

5. After enabling Skype Meeting Broadcast, connect to https://broadcast.skype.com to create a new
meeting. When you create a new meeting, you can add your team members and choose whether to
allow anonymous users or to limit access to specified users or all users in your organization. You can
also create an Outlook invitation to invite users to the broadcast.
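The following Windows PowerShell session is an added example, not part of the course text, that applies the federation cmdlets from the previous topic and the broadcast steps above in one pass: it replaces the "all known domains" allow list with an explicit one, blocks a domain, then ensures the four broadcast meeting domains are allowed before enabling Skype Meeting Broadcast. It assumes the Skype for Business Online module is installed, that partner.example and blocked-partner.example are placeholder domains, and that the allow-list object exposes its entries through an AllowedDomain property (assumed name).

```powershell
# Added example (not from the course). Assumes the Skype for Business Online
# module is installed and that you sign in as an Office 365 global administrator.
$session = New-CsOnlineSession -Credential (Get-Credential)
Import-PSSession $session -AllowClobber

# --- Federation (external access) settings ---------------------------------

# Record the current state before changing anything.
$config = Get-CsTenantFederationConfiguration
"Federated users allowed: {0}; public Skype users allowed: {1}" -f `
    $config.AllowFederatedUsers, $config.AllowPublicUsers

# Prefer an explicit allow list over New-CsEdgeAllowAllKnownDomains, so that
# only domains you have reviewed can federate. partner.example is a placeholder.
$partner   = New-CsEdgeDomainPattern -Domain "partner.example"
$allowList = New-CsEdgeAllowList -AllowedDomain $partner
Set-CsTenantFederationConfiguration -AllowedDomains $allowList

# Block a domain: the Add key appends to the existing blocked list rather
# than replacing it. blocked-partner.example is a placeholder.
$blocked = New-CsEdgeDomainPattern -Domain "blocked-partner.example"
Set-CsTenantFederationConfiguration -BlockedDomains @{Add = $blocked}

# Review the blocked list, as the course describes.
Get-CsTenantFederationConfiguration | Select-Object -ExpandProperty BlockedDomains

# --- Skype Meeting Broadcast ------------------------------------------------

# Broadcast requires the "communicate with Skype users outside your
# organization" option, which maps to the AllowPublicUsers parameter.
Set-CsTenantFederationConfiguration -AllowPublicUsers $true

# When external access is limited by domain, the broadcast domains listed in
# step 3 must be on the allow list. Skip the check if all known domains are
# allowed (the allow-list object then has no AllowedDomain property; assumed name).
$broadcastDomains = 'noammeetings.lync.com', 'emeameetings.lync.com',
                    'apacmeetings.lync.com', 'resources.lync.com'
$allowed = (Get-CsTenantFederationConfiguration).AllowedDomains
if ($allowed.PSObject.Properties.Name -contains 'AllowedDomain') {
    $current = @($allowed.AllowedDomain | ForEach-Object { $_.Domain })
    foreach ($domain in $broadcastDomains) {
        if ($current -notcontains $domain) {
            $pattern = New-CsEdgeDomainPattern -Domain $domain
            Set-CsTenantFederationConfiguration -AllowedDomains @{Add = $pattern}
        }
    }
}

# Enable the feature (False by default) and read the setting back to confirm.
Set-CsBroadcastMeetingConfiguration -EnableBroadcastMeeting $true
(Get-CsBroadcastMeetingConfiguration).EnableBroadcastMeeting

Remove-PSSession $session
```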

Check Your Knowledge


Question

You are preparing your Windows 10 workstation to manage Skype for Business Online by
using the Windows PowerShell command-line interface. What software do you need to
install on the computer?

Select the correct answer.

Windows PowerShell 3.0

Microsoft Online Services Sign-In Assistant

x Skype for Business Online module for Windows PowerShell

Windows Azure Active Directory module for Windows PowerShell

Verify the correctness of the statement by placing a mark in the column to the right.

Statement: You can invite users from outside of your organization to Skype Meeting Broadcast, but only as
attendees, not as presenters.

Answer: True

Lesson 2
Configuring Skype for Business Online users and client
connectivity
After configuring Skype for Business Online service settings, the next step is to configure users’ settings. By
default, all users that have an appropriate license have access to Skype for Business Online, and the users
will have full access to all Skype for Business Online functionality that you configured for your
organization. You might want to change this default configuration for some or all users.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain how to configure audio and video settings for users.

• Explain how to configure external communications for users.


• Describe the different Skype for Business Online client options.

Configuring audio and video settings for users


By default, users who are assigned a license that
includes Skype for Business Online can use all
functionalities that you have configured for your
organization. You can modify the functionality
that is available to a specific user by editing the
user settings in the Office 365 admin center or the
Skype for Business admin center.

If you want to prevent a licensed user from using Skype for Business Online, you can remove this service
by editing the user properties in the Office 365 admin center. To do this, edit the user license settings,
and remove the Skype for Business option.

To edit user settings, select the users tab in the Skype for Business admin center, select the user account,
and then select the Edit icon. You can configure the following settings on the general tab:

• Audio and video. This setting enables you to select one of four options for audio and video
capabilities:

o None
o Audio only

o Audio and video

o Audio and HD video

• Record conversations and meetings. This setting defines whether a user is allowed to use the
record option to record meetings.

• Allow anonymous attendees to dial-out. This setting enables unauthenticated meeting attendees
to be called by the conferencing service instead of having to dial in directly to the service.

• For compliance, turn off non-archived features. This setting turns off the features that are not
archived when an organization implements the Microsoft Exchange in-place hold feature. You should
use this option if your organization is legally bound to archive electronically stored data.

You cannot manage user settings by using Windows PowerShell, except for assigning and configuring
audio conferencing providers (ACPs). You can use the Get-CsOnlineUser cmdlet to view information
about your users.

Configuring external communications for users


External communications are typically configured
at the organizational level to allow users to
communicate with other users outside of the
organization who use Skype for Business Online or
an on-premises version of Skype for Business, Lync
Server, or the Skype public IM service. However,
Skype for Business Online allows you to configure
this setting on a per-user basis.

You can configure the following settings on the external communications page:

• Choose people outside of your organization that the user can communicate with:

o External Skype for Business users. If you select this option, the user will be able to
communicate with all external domains that you have configured for the organization.

o External Skype users. To select this option, you must select the External Skype for Business
users option. Selecting this option enables the user to communicate with users on the Skype
public service.

Skype for Business Online client options


You can use the following Skype clients with Skype for Business Online:

• Skype for Business 2016 and Skype for Business 2015 clients. These clients provide full access to
Skype presence, IM, and conferencing capabilities.

• Microsoft Lync 2013 for Office 365 client. This client provides full access to Skype presence, IM, and
conferencing capabilities. It includes enhanced features that are not available with Lync 2013 Basic,
such as multiparty video (Gallery View), Microsoft OneNote meeting notes, recording, and calendar
delegation.

• Lync 2013 Basic. This locally installed client provides a scaled-down set of Skype presence, IM, and
conferencing features. The Lync 2013 Basic client is available for organizations that have a
subscription that includes Skype for Business Online but not Microsoft Office 365 ProPlus. Lync Basic
does not provide the same enhanced features as the full Lync 2013 client that was described above.
The Office 365 admin center contains information about how to download the current version of Lync
Basic.

• Lync Windows Store app. This Lync app is optimized for touch, and it was designed specifically for
Windows 8 and Windows RT. Users can download this app from the Windows Store.

• Skype for Business Web App. The web-based Skype for Business Web App client offers users IM in
meetings, enhanced application and desktop sharing, a whiteboard, and presenter access controls.
Additionally, Skype for Business Web App now includes PC-based audio and video. Skype for Business
Web App is designed mainly for external users who are invited to Skype Meetings and for employees
who are not using their usual computer during a meeting. Skype for Business Web App supports
Windows and Macintosh operating systems only.

• Skype for Business Mobile app clients. They extend Skype for Business features to users’ mobile
devices. Skype for Business Mobile app clients provide voice and video over wireless connections, rich
presence, IM, conferencing, and calling features from a single interface. The Skype for Business
Mobile app is available for Windows Phone, iOS (iPhone/iPad), and for Android.

• Lync for Mac 2011. This client provides Mac users with integrated presence, IM, conferencing, and
audio and video capabilities, in addition to desktop sharing, application sharing, and file sharing.

Additional Reading: For more information on the available Skype for Business features for
different clients, refer to Client comparison tables for Skype for Business Server 2015:
http://aka.ms/us67gj.

Additional Reading: For more information on the available Skype for Business features for
different mobile device platforms, refer to Mobile client comparison tables for Skype for Business:
http://aka.ms/mrxvgx.

Question: You need to ensure that only specific users in your organization can communicate
with users in other organizations who are using Skype for Business. However, all other users in
your organization should be blocked. How would you configure Skype for Business Online to
achieve this?

Lesson 3
Planning voice integration with Skype for Business Online
Many organizations that have deployed Skype for Business Server 2015 on-premises use the Skype for
Business infrastructure to provide telephony and voice functionality, including connectivity to the public
switched telephone network (PSTN) and mobile phones. Skype for Business Online has enabled dial-in
conferencing for audio conferences through non-Microsoft partners for some time. Some of the most
recent additions to Skype for Business Online have been new features that provide much of the same
functionality as Enterprise Voice does for on-premises deployments.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe voice integration options.

• Explain how to plan for dial-in conferencing.


• Explain how to configure dial-in conferencing with an ACP.

• Explain how to configure dial-in conferencing with a Microsoft conferencing bridge.

• Describe Cloud PBX features.

• Describe the PSTN Calling service.

• Describe how to configure PSTN connectivity with an on-premises solution.

• Explain how to plan a Cloud PBX solution.

Overview of voice integration options


With an on-premises deployment of Skype for
Business Server, you have the option to allow and
configure Enterprise Voice. Enterprise Voice
provides full telephony functionality for an
organization, enabling users to utilize Lync clients,
Skype for Business clients, or Voice over Internet
Protocol (VoIP) devices to place or receive phone
calls from other organizational users or from
external users. Skype for Business Server provides
full PBX functionality, in addition to various
options for connecting an on-premises PBX with
external PSTN networks.

Skype for Business Online provides similar options for integrating voice functionality. The following
options are available:

• Dial-in conferencing by using a non-Microsoft provider. This allows users to join meetings by using a
phone rather than using a Lync or Skype for Business client. You can provide internal or external users
with a local or toll-free phone number, and users can utilize that number to connect to an audio
conference. For this option, you need to set up a subscription with non-Microsoft dial-in conferencing
or ACP, and you need to configure users to utilize that provider.

To enable dial-in conferencing with a non-Microsoft provider, you must subscribe to a Skype for
Business Online Plan 2, Office 365 Enterprise E1, or Office 365 Enterprise E3 license.

• Cloud PBX. This provides a full Enterprise Voice solution that Office 365 hosts. With Cloud PBX, you
can replace your on-premises PBX solution, and you can provide users with a full-featured telephony
experience, including voice mail. Users can place phone calls from their computer-based clients or by
using other VoIP devices. Cloud PBX can integrate with your on-premises PSTN gateway solution, or
you can use a cloud-based PSTN gateway solution.
To enable Cloud PBX, you must subscribe to a Skype for Business Online Plan 2, Office 365 Enterprise
E1, or Office 365 Enterprise E3 license, and you must add the Skype for Business Cloud PBX add-in.
You can also subscribe to an Office 365 Enterprise E5 license, which includes the Skype for Business
Cloud PBX add-in.

• Voice-calling plans. If you use Cloud PBX and choose cloud-based PSTN integration, you can
subscribe to voice-calling plans that enable users to make calls to PSTN phone numbers by using
Cloud PBX. You can subscribe to a Skype for Business PSTN Local Calling plan or a Skype for Business
PSTN Local and International Calling plan.

To use voice-calling plans, you must have a subscription that provides Cloud PBX, and you must add
the voice-calling plan.

• PSTN conferencing. If you enable Cloud PBX, you can also enable PSTN conferencing. PSTN
conferencing is similar to dial-in conferencing in that you can provide PSTN dial-in access to
meetings. However, with PSTN Conferencing, you use the Cloud PBX solution rather than a non-
Microsoft provider to enable dial-in access.

To enable Cloud PBX, you must subscribe to a Skype for Business Online Plan 2, Office 365 Enterprise
E1, or Office 365 Enterprise E3 license, and you must add the PSTN Conferencing add-in. You can also
subscribe to an Office 365 Enterprise E5 license, which includes the Skype for Business Cloud PBX and
PSTN Conferencing add-in.

Additional Reading: For more information on the licensing requirements for each of the
voice integration options, refer to Skype for Business Online licensing overview:
http://aka.ms/tm4tg0.

Planning dial-in conferencing


Dial-in conferencing provides users with audio
access to meetings from a phone instead of
having users connect to meetings by using clients
from mobile devices or PCs. Many organizations
provide dial-in meetings for users who are outside
the office, or for users who are outside the
organization.

Choosing a dial-in conferencing provider

When you plan your dial-in conferencing provider, the first consideration is whether to use an ACP or to
use an Office 365–only solution for providing dial-in conferencing:

• ACP. An ACP provides a conference bridge, PSTN access, and meeting access, and it integrates with
Skype for Business Online. In this scenario, users call the ACP conference bridge. If access to the
conference is limited to authenticated users, the ACP authenticates the user and then provides
access to the meeting.

• Microsoft conferencing bridge. With this option, Microsoft provides all dial-in conferencing
components. Users dial in to a Microsoft conference bridge, and Office 365 handles all
authentications. This option is easier because you can manage all service and user settings from one
location, and users only need to remember their Office 365 credentials to access conferences.

Note: You can use both a non-Microsoft provider and a Microsoft conferencing bridge for
dial-in conferencing, but each user can only be configured with one or the other option.

Planning dial-in conferencing features


When choosing the dial-in conferencing provider, you need to make decisions regarding the features that
you want to enable for dial-in conferencing. A few of these decisions include:

• Do you want to provide only local dial-in numbers, or do you also want to provide toll or toll-free
phone numbers?

• Do you need to provide international toll or toll-free numbers?

• Do you want to allow users to connect to a conference by using a computer-based client?


• Do you want to provide users with the option to have a conference provider call their phones to
provide audio for a conference?

• Do you want to provide anonymous, external access to dial-in conferences, or do you want to provide
access to internal, authenticated users only?

• Do you need to provide dial-in users support for multiple languages?

Additional Reading: For more information on the features that ACPs and Microsoft dial-in
conferencing provide, refer to Dial-in conferencing in Office 365: http://aka.ms/Dt6jbp.

Configuring dial-in conferencing with an ACP


To implement dial-in conferencing by using an
ACP, perform the following actions:

1. Select a dial-in conferencing provider.

2. Set up an account with that provider.

3. Export users and import settings.

4. Optionally, you might also need to manage user settings manually.

Selecting a dial-in conferencing provider

The choice of dial-in conferencing providers will vary according to which country you are in. To see which
conferencing providers are available in your country, click the Find a provider link on the third-party
provider tab in the Skype for Business Online admin center. The link takes you to the Microsoft Pinpoint
website, which lists conferencing providers for your location.

If your organization provides dial-in conferencing services by using an on-premises solution, you might
already have a dial-in conferencing provider. You should check whether the provider also provides dial-in
functionality for Skype for Business Online and Office 365.

Setting up a dial-in conferencing account


If you do not have an existing dial-in conferencing provider or your current provider does not support
Skype for Business Online, you will need to set up another dial-in conferencing account. The process for
setting up an account varies depending on the provider.

Export users and import settings


After you have set up an account, you need to export your users by using the export wizard link on the
third-party provider tab in the Skype for Business Online admin center. This action generates a comma-
separated value file with all the user Session Initiation Protocol account names. You can then send this file
to the ACP, and the provider then returns it with the completed provider name, toll number, toll-free
number, and passcode. You can then import this file by using the import wizard.

Configuring user settings for dial-in conferencing


You can also manually configure dial-in conferencing settings for users. You can configure:

• The provider name. This enables you to choose your ACP from a list of supported providers for your
country.

• Toll number and toll-free number. The ACP supplies you these phone numbers. The numbers that
you enter here appear in the same format in Skype for Business Meeting requests. The toll number is
a required setting, but the toll-free number is optional.

• Passcode. This is the code that meeting participants enter when they join meetings.

Configuring dial-in conferencing with a Microsoft conferencing bridge


Instead of using an ACP, you can use an Office
365–only option to provide dial-in conferencing
for users.
To configure dial-in conferencing by using a
Microsoft conferencing bridge, perform the
following steps:

1. Verify that you have a subscription that allows you to add the PSTN Conferencing add-in. You must
have an Office 365 Enterprise E1, Office 365 Enterprise E3, Office 365 Enterprise E5, or a Skype for
Business Online Plan 2 subscription, and you must assign a license from this subscription to each user
who will be allowed to use dial-in conferencing.

2. Purchase the PSTN Conferencing add-in and assign it to each user. If you have an Office 365
Enterprise E5 subscription, the PSTN Conferencing add-in is already included.

3. Configure dial-in user settings for all users who will be allowed to use dial-in conferencing.

Overview of Cloud PBX


Cloud PBX is an online PBX solution that fully
integrates with Office 365 and Skype for Business
Online. By deploying Cloud PBX, you can replace
your on-premises PBX system with a full-featured
PBX solution.

Cloud PBX provides almost the same functionality as an on-premises PBX that is integrated with
on-premises Skype for Business. Users can make calls, receive calls, and they can perform call control
tasks such as transferring calls or parking calls. Like on-premises Skype for Business users, Cloud PBX
users can use their Lync or Skype for Business clients on a computer or mobile device, or they can use
VoIP phones that work with Skype for Business. Because Cloud PBX fully integrates with Office 365, users
can utilize the presence information that various apps provide to identify the status of their contacts or
other users in their address books, and then they can place a call to those users.

If you implement Cloud PBX, calls between users in your organization are handled entirely in the cloud,
without ever connecting to a PSTN. If users are in different locations, they can make toll-free calls through
Cloud PBX.

Another Cloud PBX feature is voice mail. All Cloud PBX–enabled users have access to voice mail, which
allows users to listen to messages by using the Skype for Business client. The voice mail is delivered to a
user’s mailbox as an email with an audio attachment.

One of the features that most on-premises PBX solutions provide is the ability to place and receive calls
from PSTN and mobile phones. You can also connect Cloud PBX with PSTN to provide full dial-in and
dial-out access to PSTN and mobile phones. To provide this functionality, you can:

• Add the PSTN Calling service to Cloud PBX. With this option, Microsoft provides PSTN connectivity so
that all incoming and outgoing PSTN calls go through the Microsoft infrastructure.
• Integrate Cloud PBX with an on-premises PSTN connectivity solution. With this option, you can use
your existing PSTN connection to provide PSTN connectivity. Cloud PBX users are located in the
cloud, but when they place or receive a PSTN phone call, the call passes through your local
infrastructure to the PSTN. This might be attractive for organizations that have PSTN solutions in
place because it allows users to retain the same phone numbers.

PSTN Calling service

PSTN calling overview


When you configure users to utilize Cloud PBX,
they are assigned phone numbers so that they can
place and receive calls by using VoIP phones or
softphones on their computers or mobile devices.
To obtain these phone numbers, you can reserve
phone numbers when you sign up for Cloud PBX,
or you can transfer the phone numbers that are
used in your organization to Cloud PBX.

In addition to assigning a Cloud PBX license to users and assigning phone numbers, you also need to
assign a PSTN voice-calling plan to users. Two options are available:

• Skype for Business PSTN Local Calling. With this option, users can place calls to PSTN phone numbers
that are in the same country as the user. Each licensed user gets 3,000 domestic dial-out minutes, 60
minutes of conference calling to phones, and unlimited incoming calls each month.

• Skype for Business PSTN Local and International Calling. With this option, users can place calls to
PSTN phone numbers that are in the same country as the user and to international numbers in 196
countries. Each licensed user gets 3,000 domestic dial-out minutes, 600 international dial-out
minutes, 60 minutes of conference calling to phones, and unlimited incoming calls each month.

Not all users in your organization have to use the same calling plan. You can buy both types of plans and
assign different calling plans to different users.

Note: At the time of writing this course, PSTN calling is only available to organizations that
have a United States–based Office 365 billing address.

Additional Reading: For more information on the PSTN voice-calling plans, refer to Skype
for Business Online PSTN services use terms: http://aka.ms/gv7f7f.

To configure PSTN calling, perform the following steps:

1. Purchase and assign appropriate licenses and PSTN voice-calling plans for your users.

2. Get the phone numbers for your organization. You acquire phone numbers for your organization by
requesting phone numbers from Office 365, or you can use the phone numbers that are already
assigned to you by your carrier.

Additional Reading: For more information on how to port existing phone numbers to
Office 365, refer to Transfer phone numbers over to Skype for Business Online:
http://aka.ms/I3rygm.

3. Configure emergency addresses and locations for your organization. Before you start assigning phone
numbers to users, you must configure at least one emergency address, and if applicable, one or more
emergency locations. Emergency locations are associated with an emergency address, but they
provide a more exact location within a building.

Additional Reading: For more information on how to configure an emergency address, refer to Add or
remove an emergency address for your organization: http://aka.ms/meu76q.

You must have a subscription that includes Cloud PBX and a voice-calling plan before you can
configure addresses and locations.

4. Assign phone numbers to users. When assigning phone numbers, you must associate users with
emergency addresses.

PSTN connectivity with an on-premises solution


The second option for enabling PSTN connectivity
for Cloud PBX users is to use an existing PSTN
connection in your organization and configure
Cloud PBX to route outgoing and incoming calls
through that connection. Currently, two options
are available for configuring this connectivity.

Using an existing Skype for Business Server deployment

If you have already configured Enterprise Voice with PSTN connectivity in your on-premises environment,
you can use that infrastructure to provide PSTN connectivity for Cloud PBX. To implement this solution,
you need to:

• Deploy an edge server environment that provides connectivity between the on-premises environment
and Skype for Business Online.

• Deploy a Mediation Server environment that provides connectivity between Skype for Business Server
and PSTN gateways.

• Deploy at least one Skype for Business server that provides the Central Management store role.

You can use Skype for Business Server 2015 or Lync Server 2013 for an on-premises deployment.

Additional Reading: For more information on how to plan for and configure PSTN
connectivity through an existing Skype for Business Server deployment, refer to:
http://aka.ms/jawfqa and http://aka.ms/ul1d3b.

Using Skype for Business Cloud Connector edition


Cloud Connector edition is a Skype for Business Server hybrid option that provides a set of virtual
machines that implement connectivity between Cloud PBX and an on-premises PSTN connection.
Essentially, the virtual machines provide the same infrastructure that is required if you use an on-premises
Skype for Business Server deployment. With this option, you download and install virtual machines in your
Windows Server 2012 or later Hyper-V environment, and then you follow the configuration steps to create
Skype for Business Server 2015 servers and to configure connectivity to a PSTN gateway. Finally, you
configure connectivity between the on-premises environment and Skype for Business Online.

Note: At the time of writing this course, Cloud Connector edition is in preview release, so
the configuration and features might change.

Reference Links: For more information on how to plan for and configure Cloud Connector
edition, refer to: http://aka.ms/otqqzu and http://aka.ms/hmurjm.

Planning a Cloud PBX solution


Cloud PBX provides a complete cloud-based
Enterprise Voice solution. With Cloud PBX, you
can provide dial-in conferencing and a full-
featured call solution for internal and external
users, including PSTN or mobile users. When
planning your Cloud PBX solution, you need to:

• Understand your organization’s requirements. The first step in planning any information technology
infrastructure is to understand the business problem that you are trying to solve. If your organization
is only interested in providing dial-in conferencing features for a few users, and most of your voice
infrastructure will remain on-premises, your best solution might be to implement dial-in conferencing
by using an ACP. The cost and complexity of this implementation might be less than a full Cloud PBX
deployment. However, if your organization is considering providing full PBX functionality by using a
cloud-based solution, then Cloud PBX is likely to be an attractive option.

Not all features are currently available in Cloud PBX, so you might not be able to move all of your
voice functionality to the cloud. For example, if your organization needs Response Groups, Group Call
Pickup, or Call Park, you might need to retain an on-premises PBX solution until these features
become available.
• Understand your organization’s infrastructure. If your organization currently has a reliable on-
premises PBX infrastructure, and this infrastructure is meeting all of your organization’s needs, then it
makes sense to continue using that infrastructure and to implement only those Cloud PBX
components that are not available with the PBX. However, if your current PBX solution is not meeting
business requirements, or if it does not have the capacity to expand as your organization expands,
then implementing some Cloud PBX components might be the best solution.

If you have already deployed Skype for Business Server 2015 with Enterprise Voice, then you might
choose to implement a hybrid solution that continues to use the on-premises environment while also
taking advantage of some Cloud PBX features for some or all users.

You should also consider your organization’s Internet connectivity when deciding which Cloud PBX
components to implement. If your Internet connection has limited bandwidth or high latency, or if
the connection is not highly reliable, you might choose not to put the additional traffic that is created
by voice on that connection.

If you are concerned about your network bandwidth and performance, consider using Microsoft
Azure ExpressRoute to optimize your connectivity to Office 365.

Additional Reading: For more information, refer to ExpressRoute and QoS in Skype for
Business Online: http://aka.ms/edfrbb.

• Consider ease of management. One significant benefit of using Cloud PBX is that it provides a single
interface for managing all of the voice integration components. Rather than having to manage one
environment for IM and conferencing and a different environment for voice, you can manage all
components from a single location. Additionally, when you use Office 365 to host all components,
you do not have to manage any servers or other infrastructure components.
• Consider geographic limitations. Not all Office 365 features are available in all countries at the same
time. If a Cloud PBX feature that you urgently need is not available in your country, you might need
to consider another solution as an interim or permanent solution.
Question: Cloud PBX is a relatively new offering in Skype for Business Online. Do you think
that your organization will be interested in this feature? What changes would you need to
make in your organization to start using Cloud PBX?

Lab: Configuring Skype for Business Online


Scenario
As part of an Office 365 implementation, A. Datum Corporation wants to use Skype for Business Online to
provide IM and online conferencing. You need to configure the Skype for Business Online service settings
and the user settings to meet A. Datum’s requirements.

Objectives
After completing this lab, you will be able to:

• Configure Skype for Business Online organization settings.

• Configure Skype for Business Online user settings.

• Configure a Skype Meeting Broadcast.

Lab Setup
Estimated Time: 60 minutes

Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, 20347A-LON-CL1, 20347A-LON-CL3, 20347A-LON-CL4

User name: Adatum\Administrator

Password: Pa$$w0rd

In all the tasks, where you see references to Adatumyyxxxxx.onmicrosoft.com, replace Adatumyyxxxxx with
your unique Office 365 name that is displayed in the online lab portal.

Where you see references to Adatumyyxxxxx.hostdomain.com, replace the Adatumyyxxxxx with your
unique hostdomain.com name displayed in the online lab portal.

This lab requires the following virtual machines: (use only the VMs required for your lab)

• LON-DC1

o Sign in as Adatum\Administrator

• LON-DS1

o Sign in as Adatum\Administrator

• LON-CL1

o Sign in as Adatum\Holly using the password Pa$$w0rd

• LON-CL3
o Sign in as Adatum\Roman using the password Pa$$w0rd

• LON-CL4

o Sign in as Adatum\Maira using the password Pa$$w0rd



Exercise 1: Configuring Skype for Business Online organization settings


Scenario
A. Datum needs to ensure that internal users can communicate with some external users, but the
company also wants the option to block communication with some specified domains. A. Datum also
wants to customize the default meeting page to provide company-specific information. You need to
configure the required settings.

The main tasks for this exercise are as follows:

1. Download and install the Skype for Business Online module for Windows PowerShell.

2. Enable Skype Meeting Broadcast for the organization.

3. Configure the organization settings for Skype for Business Online.


4. Configure the meeting invitation settings.

5. Validate the meeting invitation settings.

Task 1: Download and install the Skype for Business Online module for Windows PowerShell
1. In Microsoft Edge, connect to http://go.microsoft.com/fwlink/?LinkId=294688.
2. Download and install the Skype for Business Online module for Windows PowerShell.

Task 2: Enable Skype Meeting Broadcast for the organization


1. On LON-CL1, connect to Skype for Business Online by running the following commands in Windows
PowerShell. Use Holly’s credentials to connect:

$cred = Get-Credential
$SfBSession = New-CsOnlineSession -Credential $cred
Import-PSSession $SfBSession

2. Enable meeting broadcasts by using the Set-CsBroadcastMeetingConfiguration cmdlet.


Set-CsBroadcastMeetingConfiguration -EnableBroadcastMeeting $True

Task 3: Configure the organization settings for Skype for Business Online
1. On LON-CL1, use Windows PowerShell to configure the following:

a. Enable privacy mode by using the Set-CSPrivacyConfiguration cmdlet with the EnablePrivacyMode
parameter.
b. Disable push notifications for Apple devices by using the Set-CSPushNotificationConfiguration
cmdlet with the EnableApplePushNotification parameter.

c. Verify the privacy and push notification settings by running the Get-CSPrivacyConfiguration
and Get-CSPushNotificationConfiguration cmdlets.

d. Allow users to communicate with public Skype users by using the
Set-CsTenantFederationConfiguration cmdlet with the AllowPublicUsers parameter.

e. Allow users to communicate with federated partners by using the
Set-CsTenantFederationConfiguration cmdlet with the AllowFederatedUsers parameter.

2. Use the following commands to enable communication with all federated partners except for
litware.com:

$AllDomains = New-CsEdgeAllowAllKnownDomains
$BlockedDomain = New-CsEdgeDomainPattern -Domain "litware.com"
Set-CsTenantFederationConfiguration -AllowedDomains $AllDomains -BlockedDomains $BlockedDomain
Get-CsTenantFederationConfiguration

3. Open Microsoft Edge, and then connect to https://portal.office.com.

4. Sign in as Holly@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

5. In the Skype for Business admin center, verify the following settings:

o Privacy mode is set to display presence information only to a user’s contacts.

o Apple Push Notification Service is not enabled.

o External communications are enabled for all domains except for litware.com.

Task 4: Configure the meeting invitation settings


1. On LON-CL1, in the Skype for Business admin center, configure the following meeting invitation
settings:

o Help URL: http://help.adatum.com

o Footer text: Sample legal disclaimer

2. Use the Get-CsMeetingConfiguration cmdlet to verify the meeting invitation settings.
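The settings from Tasks 3 and 4 collected into one Windows PowerShell script, as an added example that is not part of the course lab. It assumes the Skype for Business Online session from Task 2 has already been imported, uses the cmdlet's own parameter name EnableApplePushNotificationService for the Apple push notification switch, and sets the meeting invitation values through Set-CsMeetingConfiguration (HelpURL and CustomFooterText) instead of the admin center. The read-back check at the end is the part worth keeping: each cmdlet is re-queried and compared with the intended value, so a setting that did not apply (wrong session, missing role) fails loudly instead of being discovered at meeting time. The property paths read back, for example BlockedDomains.Domain, are assumptions about the returned objects.

```powershell
# Added example: Exercise 1, Tasks 3 and 4 as one script with a read-back check.
# Assumes the $SfBSession from Task 2 has already been imported with Import-PSSession.

$BlockedDomainName = 'litware.com'              # partner domain A. Datum wants blocked (from the lab)
$HelpUrl           = 'http://help.adatum.com'   # meeting invitation help link (from the lab)
$FooterText        = 'Sample legal disclaimer'  # meeting invitation footer text (from the lab)

# Task 3, steps a and b: presence visible only to a user's contacts; no Apple push notifications.
Set-CsPrivacyConfiguration -EnablePrivacyMode $true
Set-CsPushNotificationConfiguration -EnableApplePushNotificationService $false

# Task 3, steps d, e and 2: allow public Skype users and all known partner domains,
# then carve out the single domain to block. A BlockedDomains entry takes precedence
# over an "allow all known domains" AllowedDomains list.
$AllDomains    = New-CsEdgeAllowAllKnownDomains
$BlockedDomain = New-CsEdgeDomainPattern -Domain $BlockedDomainName
Set-CsTenantFederationConfiguration -AllowPublicUsers $true -AllowFederatedUsers $true `
    -AllowedDomains $AllDomains -BlockedDomains $BlockedDomain

# Task 4 through PowerShell rather than the admin center.
Set-CsMeetingConfiguration -HelpURL $HelpUrl -CustomFooterText $FooterText

function Test-AdatumSfBOrgSettings {
    # Read every setting back and compare it with the intended state.
    $privacy    = Get-CsPrivacyConfiguration
    $push       = Get-CsPushNotificationConfiguration
    $federation = Get-CsTenantFederationConfiguration
    $meeting    = Get-CsMeetingConfiguration

    $checks = [ordered]@{
        'Privacy mode enabled'         = ($privacy.EnablePrivacyMode -eq $true)
        'Apple push notifications off' = ($push.EnableApplePushNotificationService -eq $false)
        'Public Skype users allowed'   = ($federation.AllowPublicUsers -eq $true)
        'Federated partners allowed'   = ($federation.AllowFederatedUsers -eq $true)
        # Assumption: BlockedDomains is a collection of domain-pattern objects with a Domain property.
        "$BlockedDomainName blocked"   = (@($federation.BlockedDomains.Domain) -contains $BlockedDomainName)
        'Meeting help URL set'         = ($meeting.HelpURL -eq $HelpUrl)
        'Meeting footer text set'      = ($meeting.CustomFooterText -eq $FooterText)
    }

    foreach ($name in $checks.Keys) {
        $status = if ($checks[$name]) { 'OK  ' } else { 'FAIL' }
        Write-Output ('{0} {1}' -f $status, $name)
    }
    # $true only when every check passed, so the function can gate an automated run.
    return -not ($checks.Values -contains $false)
}

Test-AdatumSfBOrgSettings
```

The federation block is the security-relevant decision in this script: AllowedDomains set to "all known domains" opens IM and presence to every federated Skype for Business organization, and BlockedDomains is the only thing narrowing it, so the read-back confirms the blocked entry is actually present rather than trusting that the Set-* call succeeded.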

Task 5: Validate the meeting invitation settings


1. On LON-CL1, open Skype for Business 2016, and then sign in as
Holly@adatumyyxxxxx.hostdomain.com.

2. On LON-CL1, open Microsoft Outlook 2016.


3. Create a new Skype meeting request, and then send it to Maira.

4. Open the meeting, and then verify the help link and custom footer text.

Results: After completing this exercise, you should have configured Skype for Business Online service
settings.

Exercise 2: Configuring Skype for Business Online user settings


Scenario
You need to configure different Skype for Business Online user settings based on the department of which
the user is a member. You will use Windows PowerShell to configure the settings.

The main tasks for this exercise are as follows:

1. Configure Skype for Business user settings.

2. Verify Skype for Business communications.



Task 1: Configure Skype for Business user settings


1. On LON-CL1, in the Office 365 admin center, edit the Christie Thomas user account to remove the
option to use Skype for Business.

2. In the Skype for Business admin center, verify that Christie Thomas is not listed as a Skype for Business
user.

3. Edit Maira Wenzel’s Skype for Business user settings to remove the option to record meetings, and to
prevent her from communicating with public Skype users.

4. Edit Francisco Chaves’s Skype for Business user settings to enable him to connect to audio meetings
only.

Task 2: Verify Skype for Business communications


1. On LON-CL4, ensure that you are signed in as Maira. Open Outlook 2016 and configure a profile for
Maira@adatumyyxxxxx.hostdomain.com.

2. Open Skype for Business and sign in as Maira@adatumyyxxxxx.hostdomain.com with the
password Pa$$w0rd.

3. On LON-CL1, create a Skype meeting request for a meeting that will start within the next 15 minutes,
and then send the request to Francisco Chaves and Maira Wenzel.

4. In Skype for Business, send Maira an IM.

5. On LON-CL4, respond to the message.

6. Accept the meeting request from Holly, and then join the meeting.

7. On LON-CL1, join the meeting, and then verify that Maira is connected to the meeting.

8. On LON-CL1, share your desktop.

9. On LON-CL4, verify that Holly’s desktop is visible in the meeting window.

10. On LON-DC1, open Internet Explorer, and then connect to https://portal.office.com. Sign in as
Francisco@adatumyyxxxxx.hostdomain.com.

11. Open Mail, and then accept Holly’s meeting request.

12. Open Calendar, and join the meeting, and then install the Skype for Business Web App plug-in.

13. Verify that you can join the meeting and that Holly’s desktop is visible.

14. Close the Internet Explorer window.

15. On LON-CL4, disconnect from the meeting.

16. On LON-CL1, disconnect from the meeting.

Results: After completing this exercise, you should have configured Skype for Business Online user
settings and validated Skype for Business Online functionality.

Exercise 3: Configuring a Skype Meeting Broadcast


Scenario
A. Datum is interested in exploring the option of hosting large company meetings and external meetings
on Skype for Business. You need to configure a Skype Meeting Broadcast.

The main tasks for this exercise are as follows:

1. Configure a Skype Meeting Broadcast.

2. Validate the Skype Meeting Broadcast configuration.

Task 1: Configure a Skype Meeting Broadcast


1. On LON-CL1, connect to https://broadcast.skype.com, and then sign in as
holly@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

2. Create a new broadcast meeting with the following information:

o Meeting title: Test broadcast meeting

o Meeting time: Today’s date

o Start time: Within the next 15 minutes


o Duration: 1 hour

o Members: Roman Miler

o Access: Secure

o Attendees: Maira Wenzel

3. Create and send an Outlook invitation to the meeting.

Task 2: Validate the Skype Meeting Broadcast configuration


1. On LON-CL3, ensure that you are signed in as Roman. Open Outlook 2016 and configure a profile for
Roman@adatumyyxxxxx.hostdomain.com.

2. Open Skype for Business and sign in as Roman@adatumyyxxxxx.hostdomain.com with the
password Pa$$w0rd.

3. In Outlook 2016, accept the broadcast meeting request from Holly.

4. Join the broadcast meeting. Verify that Roman can join the meeting.

5. Start the broadcast as a content only meeting.

6. On LON-CL4, accept the broadcast meeting request from Holly.

7. Join the meeting as Maira.

8. Verify that Maira can join the meeting.

9. On LON-CL3, stop the broadcast.



10. On both LON-CL3 and LON-CL4, disconnect from the meeting.

11. Keep the virtual machines running for the next lab.

Results: After completing this exercise, you should have configured a broadcast meeting and verified that
users can join the meeting.

Question: How will you change the Windows PowerShell steps that you ran in the lab if you
want to block all communication with external domains except for litware.com?

Question: Do you think that your organization will use Skype Meeting Broadcast?

Module Review and Takeaways


Common Issue and Troubleshooting Tip

Common Issue                                               Troubleshooting Tip

Users cannot authenticate to Skype for Business Online.

Tools
The following tools are covered in this module:

• Skype for Business admin center. Accessible from the Office 365 admin center, use this tool to
configure Skype for Business Online service settings and user settings.

• Skype for Business Server Management Shell. Use this tool to configure Skype for Business Online
settings.

• The Skype for Business Online module for Windows PowerShell. This provides the Windows
PowerShell commands that are required to configure Skype for Business Online when you use the
Skype for Business Server Management Shell.

Module 9
Planning for and configuring SharePoint Online
Contents:
Module Overview 9-1

Lesson 1: Configuring SharePoint Online services 9-2

Lesson 2: Planning and configuring SharePoint Online site collections 9-10

Lesson 3: Planning and configuring external user sharing 9-23

Lab: Configuring SharePoint Online 9-36

Module Review and Takeaways 9-40

Module Overview
SharePoint Online is one of the most important services within Office 365. It provides users the capabilities
to work together, share documents, and plan their collaboration. SharePoint Online helps in internal and
external collaboration and in finding information quicker and easier. All these services are accessed
through a web browser, which means that even if users are working online or offsite, they are always able
to accomplish tasks and work together. Some of the SharePoint Online features are now available only
online and not in the on-premises version.

This module describes the administrative features available within SharePoint Online and the most
common configuration tasks for any administrator who starts using SharePoint Online. This module
describes the concept of site collections and the different sharing options within SharePoint Online. A
brief overview of additional portals, such as the video portal, are also discussed.

Objectives
After completing this module, you will be able to:

• Configure SharePoint Online services.

• Plan and configure SharePoint Online site collections.

• Plan and configure external user sharing.



Lesson 1
Configuring SharePoint Online services
You can use SharePoint Online as a collaboration platform that enables both internal employees to
collaborate among themselves and to collaborate with members of an external organization. This lesson
describes the administrative functions within SharePoint Online and provides an overview of the
SharePoint admin center. This lesson also describes commonly used administrative features and
configuration options for the overall SharePoint Online experience.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the use of the SharePoint admin center.

• Configure SharePoint Online settings.

• Describe how to configure SharePoint Online user profiles.


• Add SharePoint Online apps.

• Configure Office 365 Video.

Overview of the SharePoint admin center


The main location where you manage SharePoint Online is called the SharePoint admin center. As the
SharePoint Online administrator, you can use the SharePoint admin center to:

• Create and manage site collections.

• Allocate and monitor site collection storage.

• Manage permissions and users, and help secure content on sites.

• Manage user profiles and configure personal sites.

• Enable and configure specific SharePoint Online features or global settings.


You can access the SharePoint admin center either through a direct link or through the Office 365 admin
center. The direct link looks as follows: https://tenantname-admin.sharepoint.com

To access the SharePoint admin center through the Office 365 admin center, you first sign in to
https://portal.office.com. Then, you can switch to the Office 365 admin center. Here, you can access the
SharePoint admin center by clicking the Admin centers menu and then clicking SharePoint.

A global administrator of Office 365 automatically becomes a SharePoint admin center administrator. It is
also possible to assign an administrator for the SharePoint admin center alone.

To delegate permission for SharePoint admin center alone, you should:

1. Open the Office 365 admin center.

2. Under Users, select the user who will be the SharePoint Online administrator.

3. In the Roles section, click Edit.

4. Select the Customized administrator, and then click SharePoint Administrator.



Administrator roles are described in more detail in the “Managing Office 365 users and groups” module.

Note: Site collection administrators do not have access to the SharePoint Online admin
center.

The main areas that you can access from the SharePoint admin center are:

• Site collections. Here, you can create new site collections and manage them. Site collections are a
tiered set of sites.

• InfoPath. You use InfoPath Forms Services in SharePoint Online to deploy your organization's forms
to your sites, enabling users to fill out these forms in a web browser.

• User profiles. A user profile is the collection of user properties—and the policies and settings
associated with each of those properties—that describe a single user. Here, you find also settings for
your organization such as the management of promoted sites.

• BCS. In SharePoint Online, you can create Business Connectivity Services (BCS) connections to data
sources, such as Azure SQL Database or Windows Communication Foundation (WCF) web services,
that are outside the SharePoint Online site.

• Term store. Here, you can manage metadata information on a central location.

• Records management. You can manage records in place, which means that you can leave a document
in its current location on a site, or store records in a specific archive.

• Search. Here, you can customize the search experience for users. This customization includes defining
searchable managed properties in the search schema, identifying high-quality pages to improve
relevance, managing query rules and result sources, and removing individual results.

• Secure store. The Secure Store Service is a claims-aware authorization service that includes an
encrypted database for storing credentials.

• Apps. You can create an App Catalog site to make internally-developed custom apps available for
users to install. Users can find these apps under the From Your Organization filter on the Site
Contents page.
• Settings. Here, you manage SharePoint Online tenant-wide settings such as external sharing and
rights management, among others.

• Configure hybrid. Here, you can configure a SharePoint Online hybrid deployment with an on-premises
SharePoint Server environment.

SharePoint Online software boundaries and limits


If you use SharePoint Online, there are certain software boundaries and limits. Because SharePoint Online
is a multitenant service, you work in a shared environment with many other Office 365 customers.

Some of the limits are:

• Number of site collections per tenant is 500,000.

• You can have up to 2,000 site collections per subsite.

• The file upload limit is 10 gigabytes (GB).

These limits change from time to time, and we recommend you review them often. These limits are
managed separately from Microsoft Exchange Online Limits.

Additional Reading: For more information, refer to SharePoint Online and OneDrive for
Business software boundaries and limits: http://aka.ms/jns65q.

Configuring SharePoint Online settings


In the SharePoint admin center, you can configure general tenant-wide options that are valid across site
collections and the entire SharePoint Online tenant structure. On the left navigation bar of the SharePoint
admin center, click Settings to configure SharePoint Online tenant-wide options. These options are
discussed in this topic.

Show or hide options


In this setting, you can configure whether the OneDrive for Business and Sites menu items are visible to
the users.

Note: These settings disable the visibility of Sites and OneDrive for Business within Office
365. The app launcher and the entry menu do not show those menu items anymore. If a user
knows the direct link to their OneDrive for Business account or the Sites site, they can still access
it.

Site collection storage management


SharePoint Online is allocated a certain amount of storage based on licensed users. This storage is
available to all site collections in the tenant. Within SharePoint Online, you have the option to assign
storage quotas to site collections or let SharePoint Online manage the storage allocation automatically.
You can configure automatic allocation of storage management if there are numerous site collections or if
an administrator must set site collection storage quotas.

OneDrive for Business experience


The updated interface of OneDrive for Business is aligned with the user interface of the consumer version
of OneDrive. The interface of OneDrive for Business is more accessible from mobile devices because of the
additional phone and tablet features. If you select New experience, users who use this new experience
can decide for themselves if they want to switch back to the classic view. This menu item will no longer be
available once the new UI is the only one offered.

Admin center experience


Here, you can choose between a simplified view of the SharePoint admin center and an advanced view of
it. With the simplified view, only some navigation options are available. They are:

• Site collections

• User profiles

• Settings

• Configure hybrid

Office Graph
Office Graph collects individual activities and relationships across the entire Office suite. Email, social
conversations, meetings, and documents in SharePoint Online and OneDrive for Business are analyzed to
present information that is more relevant to each user in their Office 365 experience. The Office Graph
represents the relationships and interactions between content and users within Office 365. If you want to
disable Office Graph and access to Office Delve, you can switch Office Graph off in the settings menu.

Enterprise social collaboration


With this setting, you can replace the SharePoint Online newsfeed with Yammer Enterprise. This setting
will also disable the newsfeed item in the app launcher and replace it with the Yammer icon. Yammer is
described in more detail in the “Planning and configuring an Office 365 collaboration solution” module.

Note: If Yammer Enterprise is not enabled, switching to Yammer will disable the Newsfeed
icon in the app launcher but it will not enable the Yammer icon.

Streaming video service


You can enable or disable the video portal in this setting. The video portal is a new portal where you can
upload and manage internal videos within Office 365. Video portal is discussed in more detail later in this
lesson.

External sharing
These settings enable various sharing options across all site collections. By configuring these settings, a
SharePoint Online administrator can configure whether external user sharing is disabled or not, or if
anonymous sharing is allowed. Individual site collection settings follow those settings, which means if
anonymous sharing is disabled tenant wide, you are unable to allow it for a specific site collection.
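A tenant-versus-site-collection sharing audit, as an added example that is not part of the course text. It uses the SharePoint Online Management Shell (Connect-SPOService, Get-SPOTenant, Get-SPOSite, Set-SPOTenant), which this module does not otherwise introduce, so that dependency is an assumption, and tenantname is a placeholder. It lists every site collection whose effective sharing setting admits external users, applying the rule stated above that the tenant-wide setting is a ceiling no individual site collection can exceed; the ranking of the SharingCapability values from least to most permissive is this example's own.

```powershell
# Added example (not from the course): audit external sharing across all site
# collections against the tenant-wide setting. Requires the SharePoint Online
# Management Shell; replace tenantname with your tenant's name.
Connect-SPOService -Url 'https://tenantname-admin.sharepoint.com'

function Get-SharingAuditReport {
    # SharingCapability values ranked from least to most permissive (this
    # ordering is an assumption of the example). The tenant value is a ceiling:
    # a site collection can never be more open than the tenant allows.
    $rank = @{
        'Disabled'                        = 0
        'ExistingExternalUserSharingOnly' = 1
        'ExternalUserSharingOnly'         = 2
        'ExternalUserAndGuestSharing'     = 3   # anonymous (guest) links permitted
    }

    $tenantSharing = [string](Get-SPOTenant).SharingCapability
    $tenantLevel   = $rank[$tenantSharing]

    Get-SPOSite -Limit All | ForEach-Object {
        $siteSharing = [string]$_.SharingCapability
        $siteLevel   = $rank[$siteSharing]
        # The effective setting is the lower of the site and tenant values.
        $effective = if ($siteLevel -gt $tenantLevel) { $tenantSharing } else { $siteSharing }

        [pscustomobject]@{
            Url              = $_.Url
            SiteSharing      = $siteSharing
            TenantSharing    = $tenantSharing
            EffectiveSharing = $effective
            AllowsAnonymous  = ($rank[$effective] -eq 3)
        }
    }
}

# Site collections whose effective setting admits external users at all,
# most permissive first.
Get-SharingAuditReport |
    Where-Object { $_.EffectiveSharing -ne 'Disabled' } |
    Sort-Object EffectiveSharing -Descending |
    Format-Table Url, SiteSharing, EffectiveSharing, AllowsAnonymous -AutoSize

# To remove anonymous links tenant-wide while keeping authenticated external
# users, lower the ceiling; every site collection then follows it:
# Set-SPOTenant -SharingCapability ExternalUserSharingOnly
```

Reporting the effective value rather than the site's own setting matters for review: a site collection configured for anonymous links under a tenant that forbids them is not an exposure today, but it becomes one the moment someone raises the tenant setting, so the report shows both columns.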

Global Experience Version settings


Within this setting, an administrator is able to decide which versions of site collections users can create.

Information Rights Management (IRM)


If the organization needs to use Office 365 information rights services, you can enable it here in this
setting. If Azure Rights Management (Azure RMS) is already configured organization wide, administrators
are able to assign usage restrictions. This setting enables IRM to protect SharePoint Online lists and
libraries.

Start a site
You can let users create their own team sites. Site creation is turned on by default, and users with Create
Subsites permissions can create team sites. By default, these sites are created under the root SharePoint
Online site https://tenantname.sharepoint.com. Under the Start a site option, you can specify the path
under which new team sites that users create are located and, optionally, a custom template for these sites.

Custom script
With this setting, you can enable or disable custom script settings. You can use this setting to maintain the
security and integrity of sites within your SharePoint Online site collections. If custom scripts are disabled,
some SharePoint Online options are no longer available, such as save as site template, solutions gallery,
and blogs.

Additional Reading: For more information, refer to Turn scripting capabilities on or off:
http://aka.ms/Okimfj.

Preview features
Besides the First Release settings within Office 365, an administrator can disable Preview Features in
SharePoint Online in the following scenarios:

• The preview feature has a different Service Level Agreement (SLA) than Office 365.

• SharePoint Online compliance boundaries are not met.

Note: The SharePoint Online preview feature is not related to the First Release feature of
Office 365. The First Release feature allows all or a subset of users to access new Office 365
updates as soon as they become available and are rolled out to tenants through Microsoft.

Connected services
SharePoint 2013 workflows use Microsoft Azure Service Bus. You can disable this service in this setting.

Access apps
Access apps are databases running within SharePoint Online. Access apps are hosted within SharePoint
Online. You can enable or disable access apps.

Configuring SharePoint Online user profiles


You can also use the SharePoint admin center to configure user profiles. In the user profiles menu item,
you will find settings related to user profiles, the organization, and promoted sites.

User profile settings are broadly classified as people settings, organizational settings, and My Site
settings:

• People. In this menu item, you are able to configure user properties, manage user profiles, manage
user permissions, and many other tasks. Detailed information about each user is available, including
Manager fields and other user properties fields.

The settings under user profiles influence general settings such as language settings or promoted
sites.

• Organizations. You can use properties in this menu collection to map fields to Active Directory
Domain Services (AD DS) or Lightweight Directory Access Protocol (LDAP)–compliant directory
services.

• My Site settings. With My Site settings, you can manage My Site owners, promoted links, and links
to Office client applications. To verify or update My Site settings, open the Setup My Sites menu
item. Here, you can configure various settings. For example, there is an option to set the read
permission level to grant access on personal sites for selected users only.

o Secondary My Site owner. An important setting is the secondary My Site owner. You can
configure a secondary user for use in scenarios when you remove a user from Office 365. In that
case, the manager of that person gets access to this My Site. If there is no manager, the
secondary My Site owner becomes the owner of this My Site.

o Publish Links to Office Client Applications. Use this option to publish selected links to
SharePoint Online sites and lists when opening and saving documents from Office client
applications. Links published here appear under the My SharePoints tab when opening and
saving documents. You can configure this setting for a selected user base.

o Manage promoted sites. The Sites page lists all sites a user is following, as well as suggested
sites. You can add suggested sites under the promoted sites item. All links provided here are
visible under the Sites page. This is especially useful if an administrator wants to create promoted
links to selected sites on the main page for all users or for a subset of users.

Adding SharePoint Online apps


You can also use the SharePoint admin center to configure apps that are available to users. Apps are
minor applications that can help you within your Office application or within SharePoint Online. Users can
install these apps from the From your organization menu when they browse for apps. An example of an
app is a calendar app. Using this app in your site collection provides you an easy-to-use calendar in your
team site. Within that menu, there are capabilities to manage the App Catalog on an organizational level.

A SharePoint Online administrator can create an App Catalog site to make either internally developed
apps or third-party apps available to users. The users will find those apps under the From your
organization filter on the Site Contents page.

The following table describes the options available within the From your organization setting.

Option                    Description

App Catalog               Use this option to make apps available within your organization. These can be
                          apps developed in the organization or third-party apps. You can make apps for
                          SharePoint Online and Office available here, as well as app requests.

Purchase Apps             Use this option to purchase apps from the SharePoint Store.

Manage Licenses           Use this option for license management of purchased apps.

Configure Store Settings  Use this option to configure tenant-wide settings for apps.

Monitor Apps              Use this option to track the usage of apps as well as review errors.

App permissions           Use this option to manage app access to the tenant.

To manage apps within the App Catalog, perform the following steps:

1. Create an App Catalog site:

a. On the SharePoint Online Administration menu, on the left side, click Apps.

b. Select App Catalog.

c. Create a new App Catalog site and click OK. The App Catalog site collection is created. You can
find it in https://tenantname.sharepoint.com/sites/apps. In the App Catalog site, all apps are
stored for the entire tenant.

2. Add apps to the App Catalog. You can distribute apps for SharePoint Online or for Office. With
this functionality, users can add apps for SharePoint Online to their site collections. Office apps
become available in the Office 365 ProPlus installations on users' computers.

3. Optionally, install an app for all users. If you want an app to be used by all users, you can configure it
to be deployed tenant-wide. Review the permissions the app requests (under App permissions) before
you deploy it to everyone.

Configuring Office 365 Video


Office 365 Video is part of SharePoint Online.
Office 365 Video is built with Microsoft Azure
Media Services in the background, which enables
an intranet website portal where people within
the organization can post and view videos. The
video portal is part of SharePoint Online, but it is
not managed through the SharePoint admin
center. The only available option in the SharePoint
admin center is under Settings where an
administrator can enable or disable the video
service.

There are two types of administrative permission levels within the Office 365 Video portal:

• Video admins. Global administrators and SharePoint Online tenant administrators have this
permission level by default. These admins can change administrative settings within the video portal.

• Channel admins. Channel administrators can create new channels. By default, any user within the
organization has channel administrator rights. A video admin can change this setting.

Video portal settings and preferences


To configure the Office 365 Video portal settings, an administrator with video admin permissions signs in
to Office 365. In the app launcher, the admin clicks Video and opens the video portal. With proper
permissions, the admin has Portal settings available in the video portal.
Within the Portal settings page, the administrator sets permissions as well as the Spotlight Videos setting
and how the videos appear. Another setting here is the preferred channels on the video portal site.

Channel management
Each video is uploaded to a selected channel. A channel admin can create new channels by
opening the video portal, clicking Channels, and then clicking New Channel. The channel admin
provides a name for the channel and assigns a color to the channel. After the channel is created, users can
upload videos to the channel. In the Channel settings menu, the channel admin can set the
permission level of the channel, select spotlight videos for the channel, and allow or deny Yammer
conversations for the channel.

Office 365 Video supports only the codecs and file formats that are supported by Azure Media Services.

Note: For the most up-to-date list of supported codecs and file formats, refer to Media
Encoder Standard Formats and Codecs: http://aka.ms/drbvv7.

Question: Discuss the advantages and possible disadvantages of SharePoint on-premises versus
SharePoint Online.

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

The maximum file size in SharePoint Online is 2 GB. F



Lesson 2
Planning and configuring SharePoint Online site
collections
In this lesson, you will learn how to plan and configure SharePoint Online site collections, set resource
quotas and warning levels, set storage quotas for site collections, and configure the name and URL of a site
collection. Using site collections helps you organize your organization's content into sites for different
purposes.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain the concept of site collections.

• Describe the types of sites you can create in SharePoint Online and Office 365.
• Plan for site collections.

• Create site collections.

• Configure site collections.

• Manage site collections by using Windows PowerShell.

• Describe the common errors and best practices when managing site collections.

Overview of site collections


A SharePoint Online site collection is a hierarchical
group of sites that you, as an administrator of
SharePoint Online, can manage on an individual
basis or as a whole. The sites in a site collection
share items such as administration settings, owner,
and collection-wide permissions. Each site
collection contains one top-level site that is
created automatically when you create the site
collection, and a number of subsites that are
below it in the site hierarchy. Subsites can inherit
permissions and navigation from the parent site,
or these components can be configured and
managed separately. Within SharePoint Online, there is no farm-level configuration available.

Default site collections


A SharePoint Online tenant contains a set of standard site collections. They are:

• App Catalog

• Search Center

• My Site host

• Video portal
• Compliance Center

• E-Discovery Center

These site collections exist as standalone site collections. Some of these may be automatically created
for you when you sign up for Office 365. You may need additional site collections if your organization
has other specialized purposes. For instance, some groups need to restrict access to their content. In this
case, you can create a custom site. SharePoint Online also offers a variety of site collection templates that
help you to find the proper template for your organizational needs.

The following table describes the types of sites you can create in SharePoint Online and Office 365.

Site Description

Team site The team site is a simple template you can use for teamwork and
project collaboration. The site includes libraries and lists for:
• Shared documents
• Announcements
• Calendars
• Links
• Tasks
• Discussion board

Blog site The blog site lets you host internal blogs for announcements,
ideas, observations, and expertise within your team or
organization. The site contains Posts, Comments, and Links
menus.

Project site If you need to manage projects, the project site template provides
an easy way with collaborative features and a Projects Summary
Web Part.

Community site The community site is a site where members can discuss various
topics.

Document Center site This site is for managing large numbers of documents. You
can use it as a content archive.

Records Center site If you need to manage records such as legal or financial documents, you can use
the Records Center template. The entire records management process, from records collection through
records management to records disposition, is supported.

BI Center site Use a business intelligence (BI) site to store, manage, share, and view business reports,
scorecards, and dashboards.

Search Center (Enterprise or Basic) site Enterprise search is a top-level site collection. With this site
template, you are able to provide search elements based on Enterprise search.

Publishing site Use this site to create enterprise intranets or communication portals. Contributors can
work on draft versions of pages and publish them to make them visible to readers. Use this site with
workflow to publish web pages on a schedule by using approval workflows.

Enterprise Wiki This is a publishing site for sharing and updating large volumes of information across an
enterprise.

Visio Repository site A Visio Process Repository in SharePoint is a document library that provides
check-in and check-out functionality and supports versioning for Visio diagrams.

There are three categories of templates to choose from in the Office 365 admin center: Collaboration,
Enterprise, and Publishing, or you can pick the Custom template, which enables you to select a
template at a later time.

Planning site collections


Having a hierarchy of top-level sites and subsites
means that you can maintain different control
levels over the features and settings for each site.
This enables you to have a primary site for an
entire organization or team, and individual and
shared sites for subteams, divisions, or other
projects. You can also create separate site
collections for external websites.

The way you organize your site collections depends mainly on the organization's size and the needs of
the business. If you know certain key factors, such as what a site collection will be used for, who will
require access to it, and who will manage it, this makes it easier for you to make key planning decisions
about which site templates to use, how many sites and site collections you need to create, and how
much storage you need.

You should ask yourself the following questions when planning your site collections:

• What site templates should you use? You can create a site collection from a site template. These
templates already contain items such as document libraries, lists, pages, and several other common
site components that provide various features for your organization. Any sites that you create from a
template will inherit the template’s properties. It is common to use several different site templates
when building your site collection. You can also choose to create a custom site.

• How many site collections are required? This number is typically dependent on your organization’s
storage limits and its business needs. Some types of sites, such as the Enterprise Search Center and
the My Site host, exist as standalone site collections and may be automatically created for you when
you sign up for Office 365. You will likely need to create further site collections to fulfill the specific
requirements of your organization.
• How much storage is required for each site collection? When you purchase the SharePoint Online
service as part of your Office 365 plan, you are allocated a storage pool based on the number of user
licenses and the type of Office 365 plan you purchase. You can let SharePoint Online manage storage
automatically or allocate the storage by yourself. When assigning storage to your site collections, you
can see the total amount of storage allocated to your organization and how much of that remains to
allocate to other site collections. You can modify these storage levels later and you can increase or
decrease them as needed within your storage allocation limit.

• Is multilanguage support required? The Multilingual User Interface (MUI) feature allows your users to
display sites and web pages in other languages. This feature is not a translation tool; rather, it
modifies the display language for specific default interface components. MUI modifies the user
interface on a per-user basis and does not affect how other users view the site or page. This MUI
feature only modifies the viewable on-screen components; it does not modify content, such as
documents held within the site. The MUI feature is enabled in SharePoint Online by default, but if you
want to use it on a site collection, then you or another site collection administrator also need to
enable it on that site collection.
• Do you need to grant access to external users? Some of your users may need to collaborate with
users external to the organization. In this case, you will need to consider sharing content with those
external users; this will require thought and planning.

• Who will manage your site collections? The following roles can administer the SharePoint Online
service:

o Global administrator. This is the main administrative role for the Office 365 admin center and can
perform all administrative tasks, including managing service licenses, users and groups, domains,
subscribed services, and defining site collection administrators.

o SharePoint Online administrator. This role is a customized administrator role. This is the
administrator whose primary role is to administer SharePoint Online using the SharePoint admin
center. This role can create and manage site collections, define site collection administrators,
define tenant settings, and configure most other administrative elements, such as Business
Connectivity Services, Secure Store, InfoPath Forms Services, Records Management, Search, and
User Profiles.

Note: Office 365 global administrators are also automatically SharePoint Online
administrators.

o Site collection administrator. This role is granted the administrative permissions to manage a site
collection. Although a site collection can have several administrators, there can only be one
primary site collection administrator. When creating a new site collection, the SharePoint Online
administrator defines the primary site collection administrator. The SharePoint Online
administrator can add further people to the list of site collection administrators after the site
collection is created. Site collection administrators can add or delete sites, specify a secondary site
collection administrator, and modify site settings for any site in the site collection.

• What SharePoint Online limits exist? There are boundaries and limits within SharePoint Online. To
plan a site collection design properly, you need to know which limits apply and how they will affect
your site collection planning. For example, a site collection structure that is nested too deeply may
exceed the character-length limit of the website address.

• How to plan for governance? Governance is the set of policies, roles, responsibilities, and processes
that control how your organization cooperates to achieve business goals. As soon as you start
planning your site collection structure, you should also develop a plan to govern it. Examples of
governance questions include:

o How will you manage the intellectual property that your employees create?

o Are all regulatory requirements met?

o What are the security goals of your company?

• How to plan for the SharePoint Online site collection life cycle? The site collection life cycle defines
how a site collection is provisioned and deprovisioned. SharePoint Online is a software as a service
(SaaS) offering, and proper provisioning and deprovisioning planning can influence the costs of your
Office 365 environment. Proper planning includes deciding how long a site collection should be
archived before it can be deleted.

Best Practice: A recommended best practice is to define more than one site collection
administrator, where the additional administrators act as backups to the primary site collection
administrator.

Creating site collections


As the SharePoint Online administrator for your
Office 365 environment, you will be responsible
for creating and deleting site collections. You can
create multiple private site collections for use
internally by your organization's users.

Creating site collections

SharePoint Online administrators can create private organization-wide site collections and assign
primary site collection administrators to each site collection by using the SharePoint admin center.

To create a site collection:

1. Sign in to Office 365 as a global administrator or SharePoint Online administrator.


2. In the Office 365 admin center, click Admin centers, and then click SharePoint.

3. In the left pane, click Site collections.



4. On the ribbon, click New, and then click Private Site Collection.

5. In the new site collection dialog box, specify the following:

o A title for the site collection.

o A website address and URL path for the site collection. You can choose either /sites or /teams as
part of the path and then supply a further path extension to be the path to the site in the empty
text box.

o A language for the site collection.

Note: You must ensure you select the correct language for your site collection here,
because it cannot be changed afterwards.

o A template that matches the purpose of the site collection. For example, if your site collection is
used for a specific project, you choose the project site from the list, and for a team site, you
choose the team site template.

o An appropriate time zone.

o A site collection administrator. You can use either the Check Names or Browse buttons to help
find a user’s name.

o Optionally, a storage quota. You need to set a storage quota for this site collection only if you
chose to allocate storage manually. The quota must not exceed the total storage available that is
displayed next to the box.

o A server resource quota to allocate to this site collection.

6. Click OK.

The site collection is then created and eventually appears in the URL list. You will know the site is created
when the URL for the site collection is highlighted in blue as a hyperlink. At this point, the assigned site
collection administrator can begin creating and managing sites in the site collection.

Deleting site collections


There may be situations where you will be required to delete a site collection. This might occur for any
number of reasons, including:

• You have a team site collection and that team has been disbanded.

• Teams have been reorganized.


• You commonly use project-based sites, and the projects are short term and are not required after the
project is complete.

When you delete a site collection, it stays in the Recycle Bin for 30 days before it is permanently deleted;
this gives you a 30-day window of opportunity to restore the entire site collection if it was deleted in error
or your situation has changed and you want to retain it.

Note: When you delete a site collection, you also delete all the sites, site components, and
content in the site hierarchy, including documents and document libraries, lists and list items,
events, site configuration settings, and security information for all sites and their subsites.

As other people will likely be affected by the removal of the site collection, ensure that all interested
parties—such as site owners and site contributors—are aware of the impending deletion and are given
time to move their content or data to another place if necessary.

To delete a site collection:

1. Sign in to Office 365 as a global administrator or SharePoint Online administrator.

2. In the Office 365 admin center, click Admin centers, and then click SharePoint.

3. In the left pane, click Site collections.

4. Select the check box for the site collection(s) you want to delete.

5. On the ribbon, click Delete.

6. On the delete site collections page, read the warning, and then click Delete.

Restoring deleted site collections


If you have deleted a site collection in error, you can see it listed in the Recycle Bin and restore it from
there. The list in the Recycle Bin also shows you how many days are left before the site collection is
permanently deleted.

To restore a deleted site collection:

1. Sign in to Office 365 as a global administrator or SharePoint Online administrator.

2. In the Office 365 admin center, click Admin centers, and then click SharePoint.
3. In the left pane, click Site collections.

4. On the ribbon, click Recycle Bin.

5. Select the check box for the site collection(s) you want to restore.
6. On the ribbon, click Restore Deleted Items.

7. On the restore site collections page, click Restore.

The site collection will take some time to restore, and after restoration is complete, the site collection is
listed under Site Collections again.

Configuring site collections


There are several site collection elements and
properties you can configure as a SharePoint
Online administrator, including site collection
properties, owners, sharing, and resource quotas.

Viewing site collection properties


To view site collection properties, select the site
collection, and then click Properties. The site
collection properties page of the site collection
displays the following information:

• Title

• Website address

• Primary administrator and other administrators

• Number of subsites

• Storage usage, quota, and warning level

• Resource usage, quota, and warning level



Adding or removing site collection administrators


You can modify the current primary site collection administrator and add or remove other site collection
administrators.

To change the primary site collection administrator:

1. In the Office 365 admin center, click Admin centers, and then click SharePoint.

2. In the left pane, click Site collections.

3. Select the check box next to the appropriate site collection.

4. On the ribbon, in the Manage section, click Owners, and then click Manage Administrators.

5. In the manage administrators dialog box, under Primary Site Collection Administrator, change
the user name for the primary site collection administrator.

6. Click the Check Names button to verify that the user name is valid.

7. Click OK.

To add or remove site collection administrators:

1. In the Office 365 admin center, click Admin centers, and then click SharePoint.
2. In the left pane, click Site collections.

3. Select the check box next to the appropriate site collection.

4. On the ribbon, in the Manage section, click Owners, and then click Manage Administrators.
5. In the manage administrators dialog box, under Site Collection Administrators, add people to, or
remove them from, the list.

6. Click the Check Names button to verify that the user names are valid.
7. Click OK.
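The same administrator changes can be made, and then audited across the whole tenant, from the SharePoint Online Management Shell. The following script is an added example and is not part of the course material or a Microsoft script; the tenant name, site URL, and user principal names are assumed values, and Connect-SPOService is assumed to have been run already.

```powershell
# Added example (not part of the course). Assumes Connect-SPOService has already
# been run against https://contoso-admin.sharepoint.com, and that the site URL
# and user principal names below exist in the tenant.
$siteUrl = "https://contoso.sharepoint.com/sites/sales"

# Add a backup site collection administrator (the best practice from this lesson).
Set-SPOUser -Site $siteUrl -LoginName "backup.admin@contoso.com" -IsSiteCollectionAdmin $true

# Remove the right from someone who should no longer hold it.
Set-SPOUser -Site $siteUrl -LoginName "former.owner@contoso.com" -IsSiteCollectionAdmin $false

# Show who holds site collection administrator rights on this site right now.
Get-SPOUser -Site $siteUrl -Limit All |
    Where-Object { $_.IsSiteAdmin } |
    Select-Object DisplayName, LoginName

# Tenant-wide audit: one row per site collection with its primary owner and
# every site collection administrator, so that sites with a single admin (no
# backup) or with too many admins can be reviewed.
function Get-SiteCollectionAdminReport {
    foreach ($site in Get-SPOSite -Limit All) {
        $admins = @()
        try {
            $admins = @(Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop |
                Where-Object { $_.IsSiteAdmin } |
                ForEach-Object { $_.LoginName })
        } catch {
            Write-Warning "Could not enumerate users on $($site.Url): $_"
        }
        [pscustomobject]@{
            Url        = $site.Url
            Owner      = $site.Owner
            AdminCount = $admins.Count
            Admins     = ($admins -join "; ")
        }
    }
}

# Flag site collections outside the expected range of two to four administrators.
Get-SiteCollectionAdminReport |
    Where-Object { $_.AdminCount -lt 2 -or $_.AdminCount -gt 4 } |
    Sort-Object AdminCount |
    Format-Table -AutoSize
```

Run the report on a schedule: site collection administrators have full control over every site in the collection, so an unexpected name in this list is worth investigating, and a collection with only one administrator has no backup if that person leaves.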

Sharing site collections


The Sharing option on the ribbon enables you to share your site collections with users outside your
organization. You can do this either through invitations or anonymous guest links, depending on the
tenant configuration.

Managing the server resource quota for a site collection


The server resource quota is a value that SharePoint Online assigns to each site collection. Custom
code running in sandboxed solutions can adversely affect the performance of other site collections by
depleting available server resources, and server resource quotas help reduce this risk.
As a SharePoint Online administrator, you can specify a server resource quota for each site collection,
and SharePoint Online monitors usage to ensure that it does not exceed the specified level. SharePoint
Online also sends an alert email to the site collection administrator when resource usage nears the
quota, based on a warning level that you set. The monitoring is based on performance data collected
for key resources such as processor and memory usage. If a site collection reaches its server resource
quota, SharePoint Online turns off the sandbox for that site collection so that custom code can no
longer run.

To change the server resource quota for a site collection:

1. Sign in to Office 365 as a global or SharePoint Online administrator.

2. In the Office 365 admin center, click Admin centers, and then click SharePoint.

3. In the left pane, click Site collections.



4. Select the check box for the site collection for which you want to specify a server resource quota.

5. In the ribbon, in the Manage section, click Server Resource Quota.

6. In the set server resource quota dialog box, enter a maximum number of resources to allocate to
the selected site collection out of the available displayed total. The default number of resources is
300.

7. Ensure the Send e-mail when each selected site collection resource usage reaches warning level
at check box is selected. This will send an email alert notification when you are getting close to the
server resource quota limit.

8. Enter a percentage value to set the warning level for the alert email to be triggered. The default is 85
percent.

9. Save your settings.
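The storage and server resource quotas and their warning levels can also be set and checked with the Set-SPOSite and Get-SPOSite cmdlets. The following script is an added example, not part of the course or a Microsoft script; it assumes Connect-SPOService has already been run, that the site URL exists, and uses illustrative quota values.

```powershell
# Added example (not part of the course). Assumes Connect-SPOService has already
# been run and that the site URL below exists. Quota values are illustrative.
$siteUrl = "https://contoso.sharepoint.com/sites/sales"

# Storage quota and warning level are in megabytes; the server resource quota
# and its warning level are in resource points. 85 percent of 300 is 255, which
# matches the defaults the admin center dialog proposes.
Set-SPOSite -Identity $siteUrl `
    -StorageQuota 2048 -StorageQuotaWarningLevel 1741 `
    -ResourceQuota 300 -ResourceQuotaWarningLevel 255

# Read the values back. -Detailed is needed for the current-usage properties.
Get-SPOSite -Identity $siteUrl -Detailed |
    Select-Object Url, StorageUsageCurrent, StorageQuota, StorageQuotaWarningLevel,
                  ResourceUsageCurrent, ResourceQuota, ResourceQuotaWarningLevel

# Report every site collection that has reached its storage or resource warning
# level, so the quota can be raised or the sandboxed code reviewed before
# SharePoint Online turns the sandbox off at the hard limit.
function Get-QuotaWarningReport {
    Get-SPOSite -Limit All -Detailed | ForEach-Object {
        $storagePct = 0
        if ($_.StorageQuota -gt 0) {
            $storagePct = [math]::Round(100 * $_.StorageUsageCurrent / $_.StorageQuota, 1)
        }
        $resourcePct = 0
        if ($_.ResourceQuota -gt 0) {
            $resourcePct = [math]::Round(100 * $_.ResourceUsageCurrent / $_.ResourceQuota, 1)
        }
        [pscustomobject]@{
            Url             = $_.Url
            StoragePct      = $storagePct
            StorageWarning  = ($_.StorageQuotaWarningLevel -gt 0 -and
                               $_.StorageUsageCurrent -ge $_.StorageQuotaWarningLevel)
            ResourcePct     = $resourcePct
            ResourceWarning = ($_.ResourceQuotaWarningLevel -gt 0 -and
                               $_.ResourceUsageCurrent -ge $_.ResourceQuotaWarningLevel)
        }
    } | Where-Object { $_.StorageWarning -or $_.ResourceWarning }
}

Get-QuotaWarningReport | Sort-Object StoragePct -Descending | Format-Table -AutoSize
```

The report skips site collections whose warning level is zero (never set), so that they are not reported as permanently over the limit; set a warning level on every collection you care about so the alert email and this report both work.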

Upgrading site collections from a previous version


In the SharePoint admin center, under site collections, there is an option on the Manage section of the
ribbon to upgrade the links and settings for your site collections. This setting enables you to:

• Specify site collection upgrade settings.

• Send an email notification about site collection upgrades to the site collection administrator.

Managing site collections by using Windows PowerShell


You can use the SharePoint Online Management
Shell to simplify the management of your site
collections in SharePoint Online. This can be
especially useful if you are creating and
configuring a lot of site collections and want to
speed up the process rather than manually
creating and configuring them in the SharePoint
admin center.

The SharePoint Online Management Shell is a Windows PowerShell module. You can use it to manage
SharePoint Online users, sites, site collections, and organizations from the command line, instead of
using the SharePoint admin center user interface. Windows PowerShell enables you to perform these
command-line operations by using a custom command called a cmdlet. A cmdlet, pronounced
command-let, is constructed as a verb-noun pair, such as Get-Command. The two parts of a cmdlet are
separated by a hyphen (-) without spaces. The verb part refers to the action that the cmdlet takes. The
noun part refers to the object on which the cmdlet takes action. Cmdlets are especially efficient for
batch operations, such as changing the external sharing setting on many site collections at once.

Additional Reading: For more information, refer to Introduction to the SharePoint Online
Management Shell: http://aka.ms/Yj9ioq.

As with other Microsoft services, you run Windows PowerShell command-line operations by using
cmdlets. You can view a full list of all the available cmdlets by running the Get-Command cmdlet and
access help on how to use each cmdlet by using the Get-Help cmdlet.

Before you can run cmdlets, you have to set up the SharePoint Online Management Shell environment
and connect to the service.

Setting up the SharePoint Online Management Shell


SharePoint Online global administrators use the SharePoint Online Management Shell to remotely
manage site collections.

To set up the SharePoint Online Management Shell:

1. Ensure that you have installed Windows PowerShell 3.0 from Windows Management Framework 3.0.

2. Install the SharePoint Online Management Shell from the Microsoft Download Center at:
http://aka.ms/f04q5o.

3. Open the SharePoint Online Management Shell.

Connecting to the SharePoint Online service


Having set up the SharePoint Online Management Shell, you need to connect to the SharePoint Online
service before you can use Windows PowerShell to manage your site collections.

To connect to the SharePoint Online service:

1. Open Windows PowerShell and load the SharePoint Online module by typing the following
command, and then pressing Enter:

Import-Module Microsoft.Online.SharePoint.PowerShell

2. At the prompt, type the following command, and then press Enter. You are prompted for the
password of the account that you specify:

Connect-SPOService -Url https://tenantname-admin.sharepoint.com -Credential admin@contoso.com

Using Windows PowerShell to manage site collections


There are several useful cmdlets in the SharePoint Online Management Shell that can create and
configure site collections.

You can use the Get-SPOSite cmdlet to view all site collections or view specific properties of site
collections.

To view a list of all your current site collections, at the prompt, type the following command, and then
press Enter:

Get-SPOSite

To view the details of a specific site collection, at the prompt, type the following command, and then
press Enter:

Get-SPOSite -Identity urlofsitecollection

When you create a site collection, you can specify a site collection template to use. You can use the
Get-SPOWebTemplate cmdlet to view all the available site collection templates or all those that match the
given identity.

To view a list of all site collection templates:

Get-SPOWebTemplate

You can use the New-SPOSite cmdlet to create new site collections in SharePoint Online. This cmdlet has
several parameters that you can use with it to specify configuration settings such as site collection owner,
storage quota (in megabytes), resource quota, title, template, and language.

To create a new site collection, at the prompt, type the following command, and then press Enter:

New-SPOSite -Url urlofnewsitecollection -Owner upnofsitecollectionowner -StorageQuota number -Title "nameofsitecollection"

Example:

New-SPOSite -Url https://tenantname.sharepoint.com/sites/sales -Owner user@contoso.com -StorageQuota 400 -Title "Sales Site"

You can use the Set-SPOSite cmdlet to configure or update settings on existing site collections in
SharePoint Online. As with the New-SPOSite cmdlet, this cmdlet has several parameters that you can use
with it to specify configuration settings such as site collection owner, storage quota and warning level,
resource quota and warning level, and title.

To delete a site collection, at the prompt, type the following command, and then press Enter:

Remove-SPOSite -Identity https://contoso.sharepoint.com/sites/sales -NoWait

To restore a deleted site collection, at the prompt, type the following command, and then press Enter:

Restore-SPODeletedSite -Identity https://contoso.sharepoint.com/sites/arecycledsite

Additional Reading: For more information, refer to Use Windows PowerShell cmdlets to
administer site collections in SharePoint Online: http://aka.ms/rbb2c1.
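The following script puts the cmdlets above together into the full life cycle that the admin center procedures in this lesson walk through by hand: connect, provision several site collections with the same choices the New Site Collection dialog asks for, wait until they are active, and then delete and restore one. It is an added example, not part of the course or a Microsoft script; the tenant name, URLs, owner accounts, and the template, locale, and time zone values are assumed.

```powershell
# Added example (not part of the course). Tenant name, URLs, owners, and the
# template, locale and time zone values are assumed; adjust them for your tenant.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

# Prompt for the administrator credential rather than embedding a password in the script.
$cred = Get-Credential -Message "SharePoint Online administrator"
Connect-SPOService -Url "https://contoso-admin.sharepoint.com" -Credential $cred

# The same choices the New Site Collection dialog asks for. Template IDs come from
# Get-SPOWebTemplate (STS#0 = Team Site, PROJECTSITE#0 = Project Site). LocaleId 1033
# is English (United States) and cannot be changed later; TimeZoneId 13 is Pacific Time.
# StorageQuota is in megabytes, ResourceQuota in server resource points.
$sites = @(
    @{ Url = "https://contoso.sharepoint.com/sites/sales";  Title = "Sales";      Owner = "sales.owner@contoso.com"; Template = "STS#0";         Quota = 1024 },
    @{ Url = "https://contoso.sharepoint.com/sites/proj42"; Title = "Project 42"; Owner = "pm@contoso.com";          Template = "PROJECTSITE#0"; Quota = 512 }
)

function Test-SPOSiteExists {
    param([string]$Url)
    try { [bool](Get-SPOSite -Identity $Url -ErrorAction Stop) } catch { $false }
}

foreach ($s in $sites) {
    if (Test-SPOSiteExists -Url $s.Url) {
        Write-Host "Already exists, skipping: $($s.Url)"
        continue
    }
    # -NoWait returns immediately; the service finishes provisioning in the background.
    New-SPOSite -Url $s.Url -Title $s.Title -Owner $s.Owner -Template $s.Template `
        -LocaleId 1033 -TimeZoneId 13 -StorageQuota $s.Quota -ResourceQuota 300 -NoWait
}

# Poll until each site collection reports Active (the equivalent of the URL turning
# into a hyperlink in the admin center), then show what was provisioned.
function Wait-SPOSiteActive {
    param([string]$Url, [int]$TimeoutSeconds = 900)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $site = $null
        try { $site = Get-SPOSite -Identity $Url -ErrorAction Stop } catch { }
        if ($site -and $site.Status -eq "Active") { return $site }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for $Url to become active"
}

foreach ($s in $sites) {
    Wait-SPOSiteActive -Url $s.Url | Select-Object Url, Status, Template, LocaleId, StorageQuota
}

# Decommissioning: delete the project site, confirm it sits in the Recycle Bin with
# the days left before permanent deletion, then restore it.
$projUrl = "https://contoso.sharepoint.com/sites/proj42"
Remove-SPOSite -Identity $projUrl -Confirm:$false
Get-SPODeletedSite -Identity $projUrl | Select-Object Url, DeletionTime, DaysRemaining
Restore-SPODeletedSite -Identity $projUrl
```

Using Get-Credential, rather than typing the account name on the Connect-SPOService line and the password at the prompt, keeps the password out of the shell history and out of any scheduled-task definition that wraps the script; keep the same habit for any automation that signs in with an administrator account.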

Common errors and best practices


When managing site collections in SharePoint Online, there are some common errors that you should
avoid, and some best practices you should follow.

These common errors include:

• Granting too many permissions or not granting enough permissions.

• Breaking permission inheritance between sites and site collections without a reason.

• Setting quotas too high or too low.

• Poor planning of site collections, domain names, and URLs.

• Too much customization.

• Planning for hybrid when there is no need to.



To ensure that you manage SharePoint Online site collections correctly, we recommend the following best
practices:

• Follow the Keep it simple, stupid principle.

• Centralize your management of SharePoint Online.

• Maintain your site to keep it up-to-date.


• Plan your permission structure carefully.

• Consistently retain the look and feel of the SharePoint Online interface.

• Keep thorough and up-to-date documentation of site configuration.

Check Your Knowledge


Question

Which of the following sites do you find in the Enterprise section of the site
collection templates in the SharePoint admin center? (Select all that apply).

Select the correct answer.

x Document Center site

Community site

Enterprise Wiki

x Search Center site

x Records Center site

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

If you delete a site collection, you can restore it from the Recycle Bin for 30 T
days.

Check Your Knowledge


Question
Which of the following actions do you need to perform during the creation of a site
collection? (Select all that apply.)

Select the correct answer.

x Define an administrator

Define the sharing settings

Define a second administrator

x Set the language

Set the storage quota



Lesson 3
Planning and configuring external user sharing
External user sharing in SharePoint Online is an Office 365 feature for administrators, power users, and
even end users. External user sharing allows users to work together across organizational boundaries
by providing a simple way to give external users secure access to your site collections. This lesson
describes the concept of external user sharing and how to plan for it.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the methods for sharing site content with external users.

• Describe the considerations for external user sharing.

• Configure external user sharing.

• Describe the options for sharing documents and auditing shared access.

• Remove external user sharing.

• Describe the common errors and best practices when configuring external user sharing.

• Manage external user sharing by using Windows PowerShell.

Overview of external user sharing


Most organizations have many business cases that require the sharing of documents between users,
both within and outside of the company. Instead of sending documents as email attachments,
SharePoint Online provides several features that help users to collaborate in a much better way,
even with partners outside of your own organization.

These users are referred to as external users and could include any person who you want to give
permission to access your site, but who does not have a license for your organization's Office 365
tenancy. External users would typically be nonemployees such as contractors, onsite agents, vendors,
partners, or your affiliates. Although you might invite external users to contribute as members of a
long-term project and allow them to perform a range of tasks on a project site, they typically will not
have the same capabilities and rights as full-time, licensed users in your organization.

Planning for sharing content with these external users is an important part of your overall permission
strategy for SharePoint Online in Office 365. There are three methods for sharing site content with
external users:

• You can share your entire site with external users by inviting them to sign in with either a Microsoft
account or an Office 365 user ID.

• You can share individual documents with external users by inviting them to sign in to your site with
either a Microsoft account or an Office 365 user ID.

• You can share individual documents with external users by sending them an anonymous guest link to
view or edit the document.

Note: External users who access the shared site or documents can obtain more permissions
than an anonymous guest who gets access to one specific document through a hyperlink sent by
email. This is because Microsoft can authenticate external users with either a Microsoft account or
an Office 365 user ID, and can ensure the permission level for these users. This is not the case
when a link is sent to any other unknown email address. In that case, every person who gets the
link can access the shared document.

Considerations for external user sharing


Because your SharePoint Online sites are likely to
contain both confidential information and
information that you want to share with external
users, it is important to plan how and what
content is shared.

Consider the following questions when planning your sharing strategy, including how to share your
site content with external users:

• Who needs access to content on your site and any subsites?

• Do they need access to an entire site or just a subsite?

• Do they only need access to a few specific documents?

• Do they only need to view the shared content, or do they also need to make changes to it?

• Which users in your organization need to be able to share content with external users?

• Which content on your site should never be shared with users external to your organization?

• Is a governance policy in place?

You can organize a SharePoint Online site so that content shared with external users is clearly
differentiated from content intended to stay within the organization. This can be as easy as creating a
document library or a subsite named internal and another subsite named external, or it can be much
more complex. It is important that you plan for the site structure before using external user sharing.

External user restrictions


An external user is someone outside of your organization who can access your SharePoint Online sites and
documents but does not have a license for your SharePoint Online or Microsoft Office 365 subscription.
External users do have some restrictions. After you enable external user sharing, those external users can
perform several tasks and will inherit some rights and capabilities, but there are also some tasks they
cannot perform and they will not receive certain rights and capabilities.

External users can:

• Use Microsoft Office Online for viewing and editing documents. If your plan includes Office 365
ProPlus, they will not have the licenses to install the desktop version of Office on their own
computers.

• Perform tasks on a site consistent with the permission level assigned. For example, if you add an
external user to the Members group, they will have Edit permissions and they will be able to add, edit,
and delete lists; they will also be able to view, add, update, and delete list items and documents.

• See other types of content on sites. For example, they can navigate to different subsites within the site
collection to which they were invited. They will also be able to perform other actions such as viewing
site feeds.

External users cannot:

• Create their own personal sites, edit their profile, change their photo, or see aggregated tasks.
External users do not get their own OneDrive for Business document library.

• Be an administrator for a site collection (except in scenarios where you have hired a partner to help
manage Office 365). You can designate an external user as a designer for your public website.

• See the company-wide newsfeed.

• Add storage to the overall tenant storage pool.

• Access the Search Center or execute searches. Other search features that may not be available include
advanced content processing, continuous crawls, and refiners.

• Access site mailboxes.

• Access Microsoft Power BI app for Windows features such as Power View, Power Pivot, Quick Explore,
or Timeline Slicer. These features require an additional license, which is not inherited by external
users.

• Use eDiscovery. This requires an Exchange Online license.

• Open downloaded documents protected with IRM.

Additional Reading: For more information, refer to Manage external sharing for your
SharePoint Online environment: http://aka.ms/adaoao.

Configuring external user sharing


You can enable or disable external user sharing at two levels within the SharePoint admin center:

• At the global level for your entire SharePoint Online tenant. If you enable external sharing, you
can also configure whether to allow sharing only with authenticated users, or to allow sharing with
both authenticated users and anonymous users through guest links.

• At the individual site collection level. This enables you to secure content on specific site
collections when you do not want all your content shared. You can also configure whether or not to
allow sharing with authenticated users, or sharing with both authenticated users and anonymous users
on a site collection.

Note: By default, external user sharing is enabled for the entire tenant and all the site
collections it already contains. It is common practice to disable it globally first and then start
planning how and where to use it.

Note: When you create a new private site collection, the default setting for this site is set to
Don't allow sharing outside your organization. You explicitly turn it on if you want to use
external user sharing in the new site.

The SharePoint Online administrator must enable sharing with external users. To configure external
sharing for a site collection:

1. In the Office 365 admin center click Admin centers, and then click SharePoint.

2. In the leftmost side, click Site collections.

3. Select the check box for the site collection for which you want to configure external sharing.

4. In the Manage section of the ribbon, click Sharing. (The tenant-level sharing settings are also
available directly at https://tenantname-admin.sharepoint.com/_layouts/15/online/TenantSettings.aspx,
where tenantname is the name of your tenant.)

5. Click one of the following:

o Don’t allow sharing outside your organization. This will prevent users from sharing sites or
content with any external users.

o Allow external users who accept sharing invitations and sign in as authenticated users. This
requires that any external user who has received an invitation to access shared content must
sign in with a Microsoft account (MSA) or with an organizational account (Org Account) before
they are allowed to access the content.

o Allow both external users who accept sharing invitations and anonymous guest links. This
allows external users who have received an invitation and signed in with a Microsoft account
(MSA) or with an organizational account (Org Account) to access shared content, but it also
allows users to share documents directly with external users through anonymous guest links.

6. Click Save.

Note: Be aware that anonymous guest links could potentially be shared with, or forwarded
to, other people; this means that content could be viewed by people other than your intended
target.

Additional Reading: For more information on configuring external user sharing for a
tenant or site collection, refer to Manage external sharing for your SharePoint Online
environment: http://aka.ms/adaoao.

Sharing documents and auditing shared access


You can view the current external user sharing
settings for multiple site collections by selecting
those site collections on the site collections page
and then clicking Sharing. This will display all the
current settings. Each site collection will display
one of the following three sharing settings:

• Not allowed

• Share invitations

• Share links and invitations

Sharing content with authenticated external users


After external user sharing is enabled for the tenant or a site collection, depending on the sharing setting,
you can then share either an entire site or individual documents.

To share an entire site with an external user, you need to send them an invitation to the site, which they
will use to sign in to your site and access the content. The invitation is sent to external users through an
email message with a link to the site and an optional message you may have provided in the invitation.
When the external user receives the email invitation, they click the link and sign in with either a Microsoft
account or an Office 365 ID to access the site and its content.

Note: You can redeem invitations to view content only once. After an external user accepts
an invitation, the invitation cannot be shared or used by others to gain access.

When you send the invitation, you have the option of deciding what kind of permission that external user
will receive when they access your site. The available permission options are:

• Full Control. To provide full control of the site, select the Sitename Owners [Full Control] option.

• Edit. To allow external users to edit the site’s contents, select the Sitename Members [Edit] option.

• Read. To allow only read-only access, select the Sitename Visitors [Read] option.

It is a best practice to create a site dedicated to sharing nonsensitive content with external users and
setting specific unique access permissions for that site only.

Note: When granting external users access to your site content, you should always apply
the principle of least privilege, so that those external users only receive the minimum permission
required to perform their tasks, and not more permissions. You should only grant Full Control in
extremely rare cases.

To share a site with an external user for read-only access:

1. Navigate to the site you want to share with an external user.

2. Click SHARE.
3. In the Share sitename dialog box, enter the email address of the external user you want to invite to
your site. (If you want to share with an internal user, enter their name instead.)

4. Enter a message to include in your invitation.



5. Click SHOW OPTIONS.

6. Under Select a group or permission level, in the drop-down list, click Sitename Visitors [Read].

7. Click Share.

8. When the external user receives the emailed invitation, they will see your message, click the Go To
sitename link, and then sign in with either a Microsoft account or an Office 365 ID.

Note: By default, invitations expire after 7 days, so if the external user has not accepted the
invitation within that time, you need to send a new invitation.

Sharing individual documents by using invitations or anonymous guest links


To share an individual document with an external user, you can either send an invitation in the same way
as you do for a site, but only for the individual document, or you can send an anonymous guest link to
the document, if this setting is enabled for your tenant and the site collection.

Anonymous guest links only enable external users to open the document in the relevant Office Web Apps,
such as Word Online, Excel Online, PowerPoint Online, or OneNote Online, and they cannot open it in the
full desktop version of the application.

To share a document that requires the external user to sign in:

1. Navigate to the site containing the document you want to share with an external user.

2. Click the ellipsis (...) next to the document to open its callout window and click SHARE.

3. In the leftmost pane, ensure that Invite people is selected.


4. Enter the email address of the person with whom you want to share the document.

5. In the drop-down list, click either Can edit or Can view.

6. Optionally, enter a message to include in your invitation.

7. Select the Require sign-in check box.

8. Click Share.

To share a document using an anonymous guest link:

1. Navigate to the site that contains the document you want to share with an external user.

2. Click the ellipsis (...) next to the document to open its callout window and then click SHARE.

3. In the leftmost pane, click Get a link.

4. Select one of the following:


o Under View Only, click CREATE LINK to grant read-only permission to the document.

o Under Edit, click CREATE LINK to grant edit permission to the document.

5. After the anonymous guest link URL is created, copy it to a location where it can be easily retrieved,
such as Notepad.

6. Close the dialog box.

7. You can then copy the anonymous guest link URL and paste into a location of your choice, such as an
email message, a chat window, or a social media page.

Note: If you later disable external user sharing at the tenant level, any anonymous guest
links will stop working; when you enable it again, those anonymous guest links will start working
again.

Note: You cannot share files in a library that has been IRM-protected with external users.

Auditing shared access to sites and documents


You can also quickly see users with whom a site or document has been shared, which is useful for auditing
and reporting purposes.

To see a list of users with whom a site has been shared:

1. On the site home page, in the upper right side of the page, click SHARE.

2. Note the list of users after the words Shared with.

To see a list of users with whom a specific document has been shared:
1. Select the document in the library.

2. On the Files tab, in the Manage section of the ribbon, click Shared With. The Shared With dialog
box lists all the users with whom this document has been shared.

3. Click Close.

Remove external user sharing


There are several ways of stopping external user
sharing, which include removing user permissions
from an external user by taking them out of a
group, revoking invitations, disabling anonymous
guest links, and disabling external user sharing for
the tenant or site collection.

Removing external user permissions


If an external user has already accepted an
invitation, you can still stop their access to a site
by removing their permissions. To remove an
external user’s permissions:

1. On the site’s home page, click the Settings icon (the wheel icon).
2. Click Site settings.

3. Under Users and Permissions, click People and groups.

4. In the leftmost side, under Groups, select the group from which you want to remove the users, for
example, Sitename Members.

5. Select the user or users you want to remove, click Actions, and then click Remove Users from
Group.
6. Click OK.

Revoking invitations
You can withdraw invitations you have sent to external users if you need to, but only if the external users
have not yet accepted the invitations. To revoke an invitation:

1. On the site’s home page, click the Settings icon (the wheel icon).

2. Click Site settings.

3. Under Users and Permissions, click Access requests and invitations.

4. Under EXTERNAL USER INVITATIONS, click the ellipsis button (…) for the person or persons whose
invitation you want to revoke.

5. Click WITHDRAW.

Disabling anonymous guest links


You can revoke access to a document you have shared individually by disabling the guest link on the
document. To disable an anonymous guest link:

1. Navigate to the library that contains the document for which you want to disable the anonymous
guest link.

2. Click the ellipsis button (…) for the document, and then click the guest link shown in the callout.

3. In the dialog box, click DISABLE.

4. In the dialog box, click Disable Link.


5. Close the dialog box.

Turning off external user sharing


The other option you have is to disable external user sharing at the tenant or site collection level.
Disabling sharing at the tenant level means you cannot share any content at all with any external users in
any site collections. Disabling sharing at the site collection level means that external user sharing is only
disabled for that specific site collection.
To disable external user sharing for a tenant:

1. In the Office 365 admin center, click Admin centers, and then click SharePoint.

2. In the leftmost side, click Settings.

3. Under External sharing, click Don’t allow sharing outside your organization.

4. Click OK.

To disable external user sharing for a site collection:


1. In the Office 365 admin center, click Admin centers, and then click SharePoint.

2. In the leftmost side, click Site collections.

3. Select the check box for the site collection for which you want to disable external user sharing.
4. In the Site Collections section of the ribbon, click Sharing.

5. Click Don’t allow sharing outside your organization.

6. Click Save.

After about a minute, sharing is turned off for the selected site.
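The admin center procedures above (Configuring external user sharing, the Sharing settings shown for each site collection, and Turning off external user sharing) correspond to the SharingCapability setting that the SharePoint Online Management Shell exposes on the tenant and on each site collection. The following script is an added example and is not part of the course material: it audits the current settings, flags every site collection that permits anonymous guest links, and tightens all of them except an explicit allow list. The tenant name adatum, the admin URL, and the allow-listed partners site URL are assumptions.

```powershell
# Added example (not course material): audit and enforce external sharing with the
# SharePoint Online Management Shell. Assumes the module is installed and that the
# signed-in account is a SharePoint Online administrator. The tenant name "adatum"
# and the allow-listed site URL are assumptions.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url 'https://adatum-admin.sharepoint.com' -Credential (Get-Credential)

# The labels shown in the admin center map to SharingCapability values like this:
#   Not allowed                  -> Disabled
#   Share invitations            -> ExternalUserSharingOnly
#   Share links and invitations  -> ExternalUserAndGuestSharing

# 1. Tenant ceiling: no site collection can be more permissive than this value.
$tenantLevel = (Get-SPOTenant).SharingCapability
"Tenant sharing capability: $tenantLevel"

# 2. Inventory every site collection and flag the ones that permit anonymous links.
$sites = Get-SPOSite -Limit All | Select-Object Url, SharingCapability
$sites | Sort-Object SharingCapability, Url | Format-Table -AutoSize

$anonymous = @($sites | Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' })
if ($anonymous.Count -gt 0) {
    Write-Warning ("{0} site collection(s) allow anonymous guest links:`n{1}" -f $anonymous.Count, ($anonymous.Url -join "`n"))
}

# 3. Policy: only an explicit list of site collections may hand out anonymous links;
#    every other site collection that currently allows them is reduced to sign-in
#    invitations. Sites that are already stricter are left alone. Set $apply = $true
#    to make the changes; otherwise the script only reports what it would do.
$allowAnonymousLinks = @('https://adatum.sharepoint.com/sites/partners')   # assumed allow list
$apply = $false
foreach ($site in $sites) {
    $permitsAnonymous = $site.SharingCapability -eq 'ExternalUserAndGuestSharing'
    if (-not $permitsAnonymous -or ($allowAnonymousLinks -contains $site.Url)) { continue }
    if ($apply) {
        Set-SPOSite -Identity $site.Url -SharingCapability ExternalUserSharingOnly
        "Changed $($site.Url): ExternalUserAndGuestSharing -> ExternalUserSharingOnly"
    } else {
        "Would change $($site.Url): ExternalUserAndGuestSharing -> ExternalUserSharingOnly"
    }
}

Disconnect-SPOService
```

Run it once with $apply left at $false to review the report, then again with $apply = $true. Because the script only ever lowers a site collection from anonymous links to invitations, it never opens up a site collection that an owner deliberately set to Not allowed.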

Common errors and best practices


When configuring external user sharing in SharePoint Online, there are some common errors that you
should avoid, and some best practices you should follow.

These common errors include:

• Sharing more content than is necessary by sharing an entire site rather than one or two documents.

• Granting more shared access than is required; for example, by giving an external user edit
permission when they only need to read the document.

• Granting access through anonymous guest links temporarily, but later forgetting that you granted it.

• Lack of awareness of what external users can and cannot do in SharePoint Online.

• Lack of documentation of SharePoint Online configuration in relation to external user sharing.

• Hijacking can happen. External users can forward the generated invitation email to another person.
The first person who opens the invitation link and signs in gets access to the shared content.
To ensure that you configure external user sharing successfully in SharePoint Online, we recommend you
follow these best practices:

• Plan what external users can see and access by segmenting your content by its data sensitivity.
• Consider creating a site purely for the purposes of sharing content with external users.

• Exercise security awareness by using the principle of least privilege.

• Set appropriate permissions on the site collection so users cannot share info they should not be
sharing.

• External users can forward anonymous guest links to other people, who will also be able to view
or edit the content without signing in. Avoid using anonymous guest links for sensitive content;
instead, share a document by using an invitation that requires sign-in.

• Ensure you know the identity of any external users before you start sharing content with them.
Remember that these users can sign in to your site and start browsing and accessing content just like
other site members. Depending on the access permission you give them, this may mean that they can
share content with other external users.

• If you share team site content, consider creating a subsite for the shared content, and then share that
subsite with external users so that you can assign unique permissions only to that subsite.

• External users may not receive the invitation email because of mail delivery failures or spam filters.
In such cases, send a new invitation and ask the user to check their mailbox, including the junk mail
folder, for the invitation email.

• Every invitation is valid only for a specific timeframe, which usually is 7 days. After that time, you
must send a new invitation.

• Split your site collections for internal and external users to ease the management.

Note: Try external sharing with a demo user and check the result. Check your external user
sharing constantly to avoid unwanted permissions for external users. Unfortunately, it is not
possible to share documents programmatically through a SharePoint API or through Windows
PowerShell.

Best practices
To decide which method will be appropriate, the following list delivers some key facts to consider for
using external sharing.

• To share a site and require sign in, provide someone outside your organization with ongoing access
to information and content on a site. They need the ability to perform just like a full user of your site,
and create, edit, and view content.

• To share a document and require sign in, provide one or several people outside your organization
with secure access to a specific document for review or collaboration. These people do not require
ongoing access to other content on your internal site.

• To share a document, but not require sign in, share a link to a nonsensitive or nonconfidential
document with people outside your organization so that they can either view it or update it with
feedback. These people do not require ongoing access to content on your internal site.

Managing external user sharing by using Windows PowerShell


You also can use SharePoint Online Management Shell commands to manage external sharing by using
Windows PowerShell.

Although SharePoint Online provides management for external sharing in the Web interface,
administrators find it helpful to get an overview and to manage existing shares programmatically via
Windows PowerShell.

Windows PowerShell Command Builder Tool

Windows PowerShell commands support administrators in automating tasks rapidly. If you are new to
cmdlets, you can use the Windows PowerShell Command Builder Tool. Here, you can choose between all
available cmdlets and their parameters, and the tool creates the corresponding Windows PowerShell
command for you. Additionally, there is help for the command, which is available with one click.

Additional Reading: For more information, refer to Windows PowerShell for SharePoint
Command Builder: http://aka.ms/n3apxc.
For more information, refer to Index of Windows PowerShell for SharePoint Online cmdlets:
http://aka.ms/bccasb.

After having installed the SharePoint Online Management Shell environment, the cmdlets are ready for
you to use.

Using the Windows PowerShell cmdlets to control external sharing


The SharePoint Online Management Shell environment provides access to the Office 365 tenant and the
SharePoint Online representational state transfer (REST) services. In addition to the functionality of
managing SharePoint Online sites, there are some cmdlets for working with external sharing.

To get a list of all external users in SharePoint Online for an Office 365 tenant:

1. Open Windows PowerShell and connect to SharePoint Online. You are now connected to the
SharePoint Online tenant.

2. To get a list of external users, run the following command, and then press Enter:

Get-SPOExternalUser -Position 0 -PageSize 30 | Select DisplayName,EMail | Format-Table

The cmdlet returns one page of external users (here the first 30, because -Position 0 and -PageSize 30
select the first page of 30 entries) with their display name and sign-in address, and displays them in
the Windows PowerShell window. A tenant with more external users than the page size needs additional
calls with a higher -Position value to list them all.

3. Close the Windows PowerShell window.

Note: Save this command in a showexternalusers.ps1 file for further use. This script
allows you to get all the external users in a SharePoint Online tenant by using the standard
Get-SPOExternalUser SharePoint online cmdlet and returns the users DisplayName and email
in the Windows PowerShell output window.

Note: To download an improved version of this script from the TechNet gallery, refer to
How to get all the external users in a SharePoint Online Tenant!: http://aka.ms/ajxjrb.

Removing a specific external user with Windows PowerShell


To remove an external user in SharePoint Online for an Office 365 tenant:

1. Open Windows PowerShell and connect to SharePoint Online. You are now connected to the
SharePoint Online tenant.

2. Retrieve the user by running the following command, and then press Enter:

Get-SPOExternalUser

3. Retrieve the user object for the external user you want to remove (replace the email address with
that user's address) by running the following command, and then pressing Enter:

$ExtUser = Get-SPOExternalUser -filter guest1@outlook.com

Now, you have the user object stored in $ExtUser.

4. Remove this user by running the following command, and then pressing Enter:

Remove-SPOExternalUser -UniqueIDs @($ExtUser.UniqueId)

5. The cmdlet asks for confirmation. Click Yes.

6. This command removes the user from the list of external users in SharePoint Online and displays a
message in the Windows PowerShell output that reads “Successfully removed the following
external users. 10038FFD909DBCA2” where 10038FFD909DBCA2 is the UniqueID of the removed
user object.

Note: You can filter more than just one specific user with the -filter string. If you want to
remove, for example, all users with the outlook.com domain, you can use this string as filter
criteria.

Note: Anonymous users are invited with a guest link, and so they are not external users.
These shared links do not show with the Get-SPOExternalUser Windows PowerShell cmdlet.

Note: Currently there are no Windows PowerShell cmdlets for creating an external share.
You must do this directly in the SharePoint Online. In addition, there is no SharePoint Online API
for programmatically accessing the external sharing features.
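The two procedures above (listing external users and removing a specific external user) each issue a single Get-SPOExternalUser call, which returns only one page of results. The following script is an added example and not part of the course material: it walks every page, reports invitations that were redeemed by an account other than the one invited (the hijacking case described under Common errors), and removes all external users whose sign-in address matches a domain. The tenant name adatum and the domain outlook.com are assumptions; the helper function Get-AllSPOExternalUser is defined here and is not a cmdlet of the module.

```powershell
# Added example (not course material): walk every page of Get-SPOExternalUser,
# flag invitations that were redeemed by a different account than the one invited,
# and remove all external users from an unwanted domain. Assumes the SharePoint
# Online Management Shell is installed; the tenant name "adatum" and the domain
# "outlook.com" are assumptions.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url 'https://adatum-admin.sharepoint.com' -Credential (Get-Credential)

# Get-SPOExternalUser returns one page per call (-PageSize is capped at 50), so a
# single "-Position 0 -PageSize 30" call shows only the first 30 users. This helper
# (not a module cmdlet) advances -Position until a short page comes back.
function Get-AllSPOExternalUser {
    param(
        [string]$Filter,
        [ValidateRange(1, 50)][int]$PageSize = 50
    )
    $position = 0
    do {
        $params = @{ Position = $position; PageSize = $PageSize }
        if ($Filter) { $params.Filter = $Filter }
        $page = @(Get-SPOExternalUser @params)
        $page                      # emit this page to the pipeline
        $position += $page.Count
    } while ($page.Count -eq $PageSize)
}

# 1. Full inventory, oldest invitations first.
$all = @(Get-AllSPOExternalUser)
$all | Sort-Object WhenCreated |
    Select-Object DisplayName, Email, AcceptedAs, WhenCreated, InvitedBy |
    Format-Table -AutoSize
"External users in tenant: $($all.Count)"

# 2. Hijack check: Email is the address that was invited, AcceptedAs is the account
#    that redeemed the invitation. A mismatch means someone other than the invitee
#    (for example, the recipient of a forwarded invitation) accepted it. Review by hand.
$mismatched = @($all | Where-Object { $_.AcceptedAs -and ($_.AcceptedAs -ne $_.Email) })
if ($mismatched.Count -gt 0) {
    Write-Warning "$($mismatched.Count) invitation(s) were redeemed by a different account:"
    $mismatched | Select-Object Email, AcceptedAs, InvitedBy | Format-Table -AutoSize
}

# 3. Bulk removal by domain. -Filter matches on the sign-in address, so a domain
#    such as outlook.com matches every address in it; review the list before
#    removing. -Confirm:$false suppresses the confirmation prompt.
$purge = @(Get-AllSPOExternalUser -Filter 'outlook.com')
$purge | Select-Object Email, UniqueId | Format-Table -AutoSize
if ($purge.Count -gt 0) {
    Remove-SPOExternalUser -UniqueIDs @($purge.UniqueId) -Confirm:$false
}

Disconnect-SPOService
```

Removing an external user only deletes the user object from the tenant's external user list; as the note above says, anonymous guest links are not external users and remain valid until the link is disabled or anonymous sharing is turned off.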


Check Your Knowledge


Question

What is the correct definition for external users?

Select the correct answer.

Users with a non-Microsoft account

Users with a Microsoft account

Users inside your organization’s Azure Active Directory

x Users outside your organization’s Azure Active Directory

Users in any Azure Active Directory



Verify the correctness of the statement by placing a mark in the column to the right.

Statement: From a user perspective, you can share content in SharePoint Online for internal users in
the same way as for external users.

Answer: T

Check Your Knowledge


Question

Where can administrators enable external sharing for the Office 365 tenant? (Select
all that apply.)

Select the correct answer.

In the Office 365 admin center, use the setup menu

x In the Office 365 admin center, use the external sharing menu

In the SharePoint admin center, use the site collections menu

In the SharePoint admin center, use the apps menu

x In the SharePoint admin center, use the settings menu



Lab: Configuring SharePoint Online


Scenario
Now that the pilot group is getting comfortable with Exchange Online and Skype for Business Online, the
next step is to start using SharePoint Online. You need to start the SharePoint Online deployment by
configuring the service settings, creating and configuring site collections, and configuring external user
sharing.

Objectives
After completing this lab, you will be able to:

• Configure SharePoint Online settings.

• Create and configure SharePoint Online site collections.


• Configure and verify external user sharing.

Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, and 20347A-LON-CL1

User names: Adatum\Administrator for LON-DC1 and LON-DS1 and Adatum\Holly for LON-CL1

Password: Pa$$w0rd
In all of the tasks where you see references to Adatumyyxxxxx.onmicrosoft.com, replace yyxxxxx with
your unique Office 365 name that displays on the online lab portal.

Where you see references to Adatumyyxxxxx.hostdomain.com, replace the Adatumyyxxxxx with your
unique hostdomain.com name that displays on the online lab portal.

This lab requires the following virtual machines (use only the virtual machines required for your lab):

• LON-DC1

o Sign in as Adatum\Administrator

• LON-DS1
o Sign in as Adatum\Administrator

• LON-CL1

o Sign in as Adatum\Holly with the password Pa$$w0rd

Exercise 1: Configuring SharePoint Online settings


Scenario
As a first step in the SharePoint Online deployment, you will configure the SharePoint Online service
settings, including selecting Yammer as the default enterprise social networking tool.

The main tasks for this exercise are as follows:

1. Configure settings.

2. Configure user profiles.

3. Configure apps.

Task 1: Configure settings


1. On LON-CL1, open Microsoft Edge, connect to https://portal.office.com, and then sign in as Holly
Dickson.

2. Access the SharePoint admin center.

3. In settings, configure the following options:

o Enable automatic site collection storage management.


o Select Yammer as the Enterprise Social Newsfeed.

o Enable external sharing for authenticated users and users gaining access through anonymous
guest links.

Task 2: Configure user profiles


1. In User profiles, select the user profile of Brad, and add Holly as his manager.

2. Under My Site Settings, configure Holly as the secondary site owner.

Task 3: Configure apps


1. Configure store settings in the app section.
2. Disable apps from starting when documents are opened in the browser.

Results: After completing this exercise, you should have configured SharePoint Online service settings.

Exercise 2: Creating and configuring SharePoint Online site collections


Scenario
As a first step in the SharePoint Online deployment, you will create two different site collections, one for
the Accounts Project group, and one for the Marketing group.

The main tasks for this exercise are as follows:

1. Create a site collection using the SharePoint admin center.

2. Create a site collection using Windows PowerShell.

3. Configure permissions on the site collections.

4. Verify access to the site collections.

Task 1: Create a site collection using the SharePoint admin center


1. Open Microsoft Edge and sign in to https://portal.office.com with the user name
holly@Adatumyyxxxxx.hostdomain.com, and the password of Pa$$w0rd.

2. Access the SharePoint admin center.

3. In the leftmost side, click Site collections, and create a new site named marketing. Use the
https://adatumyyxxxxx.sharepoint.com/sites/marketing URL, and add Holly as the site
administrator.

4. Wait for the site collection to be created.

Note: It can take a few minutes until the Sharing menu on the ribbon is active. You can
speed this up by refreshing the page by pressing the F5 key.

5. Change the Sharing settings to Allow sharing with all external users, and by using anonymous
access links.

Task 2: Create a site collection using Windows PowerShell


1. Download the SharePoint Online Management Shell tool from http://aka.ms/f04q5o and install it.

2. Open the SharePoint Online Management Shell as an administrator.

3. Connect to the SharePoint admin center by running the following command (the -Credential
parameter takes the user name and prompts for the password):

Connect-SPOService -Url https://adatumyyxxxxx-admin.sharepoint.com -Credential holly@adatumyyxxxxx.hostdomain.com

4. Enter your password.

5. Create a new SharePoint Online site by running the following command:

New-SPOSite -Url https://Adatumyyxxxxx.sharepoint.com/sites/AcctsProj -Owner holly@Adatumyyxxxxx.hostdomain.com -StorageQuota 500 -NoWait -Template PROJECTSITE#0 -Title "Accounts Project"

6. Close the Windows PowerShell window.

Task 3: Configure permissions on the site collections


1. In Microsoft Edge, open a new InPrivate window, connect to the SharePoint admin center, and then
select the /marketing site.

2. Edit the properties of the site, and add Brad Sutton as an additional site collection administrator.

3. Sign in as Brad@adatumyyxxxxx.hostdomain.com and verify that you are a site collection
administrator of the site.

Task 4: Verify access to the site collections


1. On LON-CL1, connect to https://adatumyyxxxxx.hostdomain.com/sites/marketing.

2. Sign in as maira@Adatumyyxxxxx.hostdomain.com, with the password of Pa$$w0rd.

3. Verify that you cannot access the site, and then request access.

4. Connect to https://Adatumyyxxxxx.sharepoint.com/sites/marketing.

5. Sign in as holly@Adatumyyxxxxx.hostdomain.com, with the password of Pa$$w0rd.

6. On the Site Permissions page, approve Maira Wenzel’s access request, and then add Perry Brill to
the site members group.

7. Access the site again as Maira and verify that she has access.

8. Access the site as Perry and verify that he has access.
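The following script is an added example, not part of the course lab, that performs the work of Tasks 2 to 4 from the SharePoint Online Management Shell instead of the browser: it creates the project site collection, waits for provisioning to finish (because -NoWait returns immediately), grants Brad the site collection administrator role, and then lists the site's administrators and groups so you can check who actually has access before users start requesting it. The tenant name adatumyyxxxxx and the user names are the lab's placeholders; replace them with your own values. Connect-SPOService, New-SPOSite, Get-SPOSite, Set-SPOUser, Get-SPOUser, Get-SPOSiteGroup and Disconnect-SPOService are cmdlets from the SharePoint Online Management Shell module.

```powershell
# Added example (not the course's own code): scripted equivalent of Exercise 2, Tasks 2 to 4.
# Replace the adatumyyxxxxx placeholder with your tenant name from the lab portal.

$tenant     = 'adatumyyxxxxx'                         # placeholder tenant name
$adminUrl   = "https://$tenant-admin.sharepoint.com"
$siteUrl    = "https://$tenant.sharepoint.com/sites/AcctsProj"
$owner      = "holly@$tenant.hostdomain.com"          # placeholder, as in the lab
$extraAdmin = "brad@$tenant.hostdomain.com"           # placeholder, as in the lab

# Prompt for the password interactively rather than storing it in the script.
Connect-SPOService -Url $adminUrl -Credential $owner

# Create the project site only if it does not already exist (the script is safe to re-run).
if (-not (Get-SPOSite -Identity $siteUrl -ErrorAction SilentlyContinue)) {
    New-SPOSite -Url $siteUrl -Owner $owner -StorageQuota 500 `
                -Template 'PROJECTSITE#0' -Title 'Accounts Project' -NoWait
}

# -NoWait returns before provisioning completes, so poll until the site is Active.
do {
    Start-Sleep -Seconds 30
    $site = Get-SPOSite -Identity $siteUrl -ErrorAction SilentlyContinue
} until ($site -and $site.Status -eq 'Active')

# Task 3 equivalent: add a second site collection administrator, then verify the result
# by reading the list back instead of trusting that the command succeeded.
Set-SPOUser -Site $siteUrl -LoginName $extraAdmin -IsSiteCollectionAdmin $true
Get-SPOUser -Site $siteUrl |
    Where-Object { $_.IsSiteAdmin } |
    Select-Object LoginName, IsSiteAdmin

# Task 4 equivalent: show the site's groups and their members. A user who does not appear
# here (Maira, in the lab) has to request access, which the owner approves in Site Permissions.
Get-SPOSiteGroup -Site $siteUrl | Select-Object Title, Users

Disconnect-SPOService
```

Run this from the SharePoint Online Management Shell as the tenant administrator. Reading the administrator and group lists back is the point of the last two commands: the lab verifies access by signing in as each user, and this listing gives you the same answer for every site collection without a browser session per user.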

Results: After completing this exercise, you should have created and configured SharePoint Online site
collections.

Exercise 3: Configuring and verifying external user sharing


Scenario
Now, you will create a new site collection and configure the SharePoint Online service settings. Then, you
will share the site and documents with external users.

The main tasks for this exercise are as follows:

1. Configure global settings for external user sharing.

2. Configure a site collection for external user sharing.


3. Verify external user sharing.

Task 1: Configure global settings for external user sharing


1. In Microsoft Edge, access the SharePoint admin center by signing in as Holly.

2. In settings, enable external sharing for authenticated users and users gaining access through
anonymous guest links.

Task 2: Configure a site collection for external user sharing


1. Select the /AcctsProj website and configure it for sharing with external and anonymous guest links.

2. Share the AcctProj site with the Microsoft account you used for setting up your Office 365 trial. Grant
the user member permissions.

3. On the Marketing site, create a new document in the Documents folder. Enter some text in the
document.

4. Share the document with the Microsoft account you used for setting up your Office 365 trial. Grant
the user edit permissions.

Task 3: Verify external user sharing


1. Sign in to Outlook.com using your Microsoft account, and then use the link provided in the email to
verify that the external user can access the AcctProj site.

2. Verify that the user can also access and edit the document in the Marketing document library.

3. Close all browser tabs and close the browser.

4. Leave the virtual machines running for the next lab.
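The external sharing settings from Tasks 1 and 2 can also be applied and, more usefully, audited from the SharePoint Online Management Shell. The following added example (not part of the course) sets the tenant-wide sharing level first, because a site collection can never be more open than the tenant, then opens the AcctsProj site to the same level, and finally lists every site collection that currently permits anonymous guest links so you can confirm that only the sites you intend to expose appear. The tenant name adatumyyxxxxx and Holly's account are the lab's placeholders. Set-SPOTenant, Set-SPOSite and Get-SPOSite are cmdlets from the SharePoint Online Management Shell; the SharingCapability values are Disabled, ExistingExternalUserSharingOnly, ExternalUserSharingOnly and ExternalUserAndGuestSharing.

```powershell
# Added example (not the course's own code): tenant- and site-level external sharing
# from Exercise 3, Tasks 1 and 2, followed by an audit of all site collections.
# Replace the adatumyyxxxxx placeholder with your tenant name from the lab portal.

$tenant   = 'adatumyyxxxxx'                           # placeholder tenant name
$adminUrl = "https://$tenant-admin.sharepoint.com"
$siteUrl  = "https://$tenant.sharepoint.com/sites/AcctsProj"

Connect-SPOService -Url $adminUrl -Credential "holly@$tenant.hostdomain.com"

# Task 1: the tenant setting is the ceiling for every site collection.
# ExternalUserAndGuestSharing = authenticated external users plus anonymous guest links.
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing

# Task 2: open the project site to the same level. Set the tenant first; a site cannot be
# more open than the tenant allows.
Set-SPOSite -Identity $siteUrl -SharingCapability ExternalUserAndGuestSharing

# Audit: which site collections allow anonymous guest links right now? In the lab this
# should be AcctsProj and Marketing only; anything else on the list needs a reason.
function Get-AnonymousSharingSites {
    Get-SPOSite -Limit All |
        Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
        Select-Object Url, Owner, SharingCapability
}

Get-AnonymousSharingSites | Format-Table -AutoSize

# Confirm the effective setting on the site you just changed.
Get-SPOSite -Identity $siteUrl | Select-Object Url, SharingCapability

Disconnect-SPOService
```

The audit function is the part worth keeping after the lab: anonymous guest links are the most permissive sharing mode, and running this listing on a schedule tells you when a site owner has widened sharing on a collection that was not meant to be exposed.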

Results: After completing this exercise, you should have configured a new site collection for external user
sharing, and you should have shared a site and a document with external users.

Module Review and Takeaways


Review Question
Question: Create a checklist for proper site collection planning.

Best Practices
SharePoint Online offers several configuration options; planning a collaboration solution and configuring
SharePoint Online are tasks that you must do upfront to have a good SharePoint Online environment
where your users can start working with.

The main points you should consider are:

• Do proper planning before you start with user onboarding.

• Create a sharing policy that is consistent throughout the service.

• Automate site collection generation as much as possible.



Module 10
Planning and configuring an Office 365 collaboration
solution
Contents:
Module Overview 10-1

Lesson 1: Planning and managing Yammer Enterprise 10-2

Lesson 2: Planning and configuring OneDrive for Business 10-16

Lesson 3: Configuring Office 365 groups 10-26

Lab: Planning and configuring an Office 365 collaboration solution 10-33

Module Review and Takeaways 10-39

Module Overview
SharePoint Online Services is a major part of Office 365 services. With Yammer Enterprise, Office 365
offers an enterprise social solution that helps you to build a collaborative environment within your
organization. You can use Yammer Enterprise as a stand-alone solution, or you can integrate it within
Office 365 and SharePoint Online.
OneDrive for Business is the personal space where users can store their documents, and share files and
folders to work together. Office 365 groups are relatively new in Office 365. They combine Microsoft
Exchange Online and SharePoint Online, and from a user experience perspective, they are present
everywhere throughout the Office 365 services.

This module describes how to plan and implement a SharePoint collaboration solution, and how to enable
Yammer Enterprise services within Office 365 and OneDrive for Business, and Office 365 groups.

Objectives
After completing this module, you will be able to:

• Enable and configure Yammer Enterprise.

• Configure OneDrive for Business.

• Configure Office 365 groups.



Lesson 1
Planning and managing Yammer Enterprise
Yammer is an organization’s private social network, and it provides collaboration options and teamwork
capabilities. It is part of the Microsoft enterprise social strategy. Yammer is available as a stand-alone
product or as part of Office 365 Enterprise. Yammer helps organizations connect employees, and lets
them share the information they need. It helps users find answers, experts, and information in an easy
way. Yammer helps you to improve project collaboration within your organization. Yammer can help your
organization reduce internal email and email trees. Yammer is useful for collaboration with external
business partners because it provides the ability to create external networks.

Lesson Objectives
After completing this lesson, you will be able to:

• Provide an overview of Yammer Enterprise.


• Describe how to enable Yammer Enterprise.

• Explain how to configure security settings.

• Describe how to configure user roles and administrators.


• Describe how to configure usage policies.

• Describe how to set up and configure external networks.

• Explain how to optimize the Yammer user experience.

Overview of Yammer Enterprise


Organizations can use Yammer as their private social network. With Yammer, an organization has
collaboration and teamwork capabilities. Yammer provides enterprise social capabilities.

From a user's perspective, Yammer provides the following benefits:

• Breaks down internal barriers.


• Connects people.

• Offers sharing capabilities.

• Helps you find information and experts.


• Improves project collaboration.

• Helps reduce email trees and internal emails.

• Provides capabilities for external collaboration.

• Helps strengthen communication skills within your organization.

• Helps reduce hierarchies in your organization.

• Is easy to adopt, and has low onboarding and training costs.



From an administrator's perspective, Yammer provides the following benefits:

• Provides Yammer users an internal helpdesk tool.

• Provides users a secure space to collaborate and share.

• Enables administration of users from the Office 365 admin center.

• Enables auditing of users from the Office 365 admin center.

• Enables control of Yammer network access and appearance.

• Enables control of creation and access to external Yammer networks.

Yammer Basic is available for free. Yammer Enterprise can be bought separately or is included in an
Office 365 subscription. You can buy Yammer either as a stand-alone product or as part of Office 365
Enterprise. A mobile app experience is also available for users who connect through their mobile
devices.

The Yammer application is available in two versions:

• Yammer Basic. This is the free version that is available to all users, and offers fundamental features for
co-workers to collaborate within an organization.
• Yammer Enterprise. This is the premium version, which is provided either as a stand-alone upgrade
from the basic version or as part of some SharePoint Online and Office 365 plans. This enterprise
version of Yammer provides several additional features and resources to enable an organization to
implement a professional enterprise social network.

You can upgrade from a Yammer Basic network to the Yammer Enterprise network anytime during your
subscription period.

Note: The enterprise version of Yammer is available with some SharePoint Online and
Office 365 plans. However, it is a completely separate service, and therefore has different user
rights, and privacy and security policies than Office 365. Yammer is included in the following
Office 365 subscriptions: E1, E3, E5, K1, K2, Midsize, and Education.

Yammer Basic includes:

• Basic social networking features: Users can create groups, polls, and use the chat feature to
collaborate within the organization.

• Collaboration features: Users can work together in groups, and share information, documents, videos
and notes.

• Yammer Mobile: The Yammer mobile app is available for Basic and for Enterprise Networks.

Yammer Enterprise includes:

• Administration tools. Only the Yammer Enterprise version enables you to configure Yammer, manage
users, and perform data analytics.

• Network-level apps and integrations. You can activate Office 365, manage apps for your network, and
secure your network.

• Integrated Office 365 experience. You can integrate Yammer with the overall Office 365 experience.

• Services and support. You can get technical support through Office 365 Enterprise support all day,
every day.

You can integrate your business applications via Open Graph with your Yammer network. By using
Yammer Embed, you can bring Yammer conversations into your business applications. For example, you
can extend your apps with Like and Follow buttons, and share updates within your Yammer network.
Yammer also provides a dedicated app directory.

Administering Yammer
After you enable Yammer Enterprise within Office 365, you will see the Yammer icon in the Office 365 app
launcher. You also can access Yammer as an Administrator in the Office 365 admin center.

The primary location for administering Yammer is within the Yammer admin center. A global Office 365
administrator is automatically a verified network administrator in Yammer. It is also possible to configure a
customized administrator for Yammer alone. Admin and User roles are described in more detail later in
this lesson. Single sign-on (SSO) is available through Office 365 sign-in. This means that all users who have
an Office 365 account can sign in to Yammer with the same credentials.

Network access
Only coworkers can join a Yammer network, which means that only users who are members of the same
domain can join the Yammer Enterprise network. A Yammer network is the place where users meet to
collaborate, conduct conversations, and interact. Within Office 365, you can merge more than one
domain into a single Yammer network. Yammer communications are secure and visible only to people
within your organization and those people who are members of your Yammer network or part of a
selected conversation.

The Yammer Portal user interface


The Yammer portal contains your information feed. This information feed shows all conversations. The
following feed options are available to you:

• Discovery. Contains all conversations that are most relevant to you. The feed contains information
based on your subscriptions and your interactions within your Yammer network.

• All. Shows the conversations to which you have access within your network.

• Following: Shows conversations that you actively subscribe to, and all conversations your followers
have participated in or liked. You see conversations about topics that you follow, and conversations
from groups that you have joined.

On the left of the Yammer portal page, you find navigation options for all the groups to which you
subscribe. The groups are sorted by relevance, with the group in which you participate the most
appearing at the top. If you need to search within Yammer, you have a search box on the left side of the
Yammer navigation pane.

Home, Inbox and Notifications icons


• Home. Directs you to your main feed page.

• Inbox. Takes you to the inbox, where you find information about conversations in which you are
tagged, or announcements in a group or network to which you belong.

• Notifications. Show all the likes for posts that you publish, or comments that you make.

On the right side of your Yammer portal, you see the recent activities of your coworkers. From here you
can view group descriptions, subscribe to groups by email, or move through apps.

Enabling Yammer Enterprise


Yammer is activated seamlessly for all Office 365 tenants with a subscription that includes Yammer. This
activation either creates a new Yammer network or connects to an existing Yammer network that has all
or a subset of domains managed on the Office 365 tenant that includes a valid Yammer subscription; the
existing Yammer network is upgraded to Yammer Enterprise if needed.

Merge domains into one Yammer Enterprise network
If your organization uses more than one custom domain and you want to have all domains included in
one Yammer network, you can migrate one or more Yammer networks with their own email domains
("subsidiary" networks) to a larger Yammer Enterprise network ("parent" network).

Note: A network migration migrates only the users with their user information. If you
merge networks, the content (groups, posts) of the merged network is no longer available. Only
the content of the primary network remains active. Network migrations cannot be reversed.

Requirements for a network merge


While merging Yammer networks, you should keep in mind the following requirements:

• Only Office 365 global administrators can perform a network merge.


• Network migrations are only available for Yammer Enterprise networks.

• You can start multiple network migrations back to back, without waiting for the previous ones to
complete.
• If a user exists in both networks, the user's account from the parent network will remain and be
promoted from a guest account to a regular account.

Note: If you need to preserve any content from the Yammer network that will merge,
export it before the migration takes place. Create a communication plan, and inform your users
about the change.

Merge Yammer networks


1. Sign in as a global administrator to https://portal.office.com.

2. Open Yammer from the Office 365 app launcher.

3. On the left pane, click the Settings icon at the bottom of the page.

4. Click Network Admin.

5. Click Admin, click Network, and then click Network Migration.

6. In the Network Migration Wizard, on the Step 1 of 3 - Check/Add Verified Domains page, note all
the verified domains that are available in your network, and then click next.

7. On the Step 2 of 3 - Choose a Yammer Network to Migrate page, note the first Domain that can
be merged.

8. If you want to add this domain to your Yammer network, select the domain, and then click next.

9. On the Step 3 of 3 - Export Data & Start Migration page, note the information about the network,
and then start the migration.

10. Click Start Migration, and then confirm the migration in the Confirm dialog box.

11. Perform steps 1 to 10 for all other domains.

Best practice
If your organization has more than one Yammer network, activate Yammer with the network that has the
largest number of active users in it.

Configuring security settings


Several security settings are available for Yammer Enterprise networks. Some organizations want to allow
only selected IP ranges to have access to Yammer, while others want to configure selected password
policies. To administer these Yammer Enterprise functionalities, follow these steps:

1. Sign in to http://portal.office.com as global administrator.

2. Open Yammer from the Office 365 app launcher.

3. In the left panel, click the Settings icon at the bottom of the page, and then click Network Admin.

4. Click Admin, click Content and Security, click Security settings, and then configure the following
security settings:

o IP Range. You can configure or restrict access to the network if you allow only specific IP ranges.

o Password policies. This is only necessary if you do not have any connection to Office 365. With
simplified sign-in for Office 365, you use the credentials from Azure Active Directory. Azure
Active Directory provides the identity management for Office 365 accounts.

o External Messaging. With this setting, you can enforce Exchange Online Transport Rules in
Yammer. Users can add external participants to their Yammer conversations with external
messaging. Exchange Online Transport Rules is a set of proactive controls to prevent organization
information from being shared. These are configured within Exchange Online to protect content
from Yammer networks. So if you apply this setting, and one of your users tries to add an
external participant and this violates your Exchange Online Transport Rule, the user receives an
error message. You should not see this method as an option to opt out of the external messaging
setting.

o Enforce Office 365 identity in Yammer. The best way to manage users in Yammer is through their
Office 365 identities. In that scenario, you are able to maintain a single identity for all Office 365
users. By enforcing Office 365 identity in Yammer and configuring federated identity for Office
365, administrators can achieve SSO capabilities for all services in Office 365, including Yammer.
The default setting is off.

Enforcing Office 365 identity for Yammer users


1. Sign in to http://portal.office.com as global administrator.

2. Open Yammer from the Office 365 app launcher.

3. On the left pane, click on the Settings icon at the bottom of the page, and then click Network
Admin.

4. Click Admin, click Content and Security, and then click Security settings.
5. Scroll down to the Enforce Office 365 identity in Yammer section, and then select Enforce Office
365 identity in Yammer.

6. Confirm that you are ready to activate this option.


7. Click Save.

User experience for accounts that sign in with or without enforced Office 365 identity
If you enforce Office 365 identity, you can manage all users out of Office 365. This makes user activation
and auditing simple. However, if you use Yammer as a stand-alone tool, you might need to have Yammer
identities in place and perform all the user management tasks within Yammer. Below are the scenarios:

• Office 365 identity enforced. The user is prompted to sign in with his/her Office 365 identity. If the
customer has implemented the federated identity model in Office 365, the user signs in with his/her
SSO credentials.

• Office 365 identity not enforced. If the user has a corresponding Office 365 email account, he signs in
with his Office 365 identity.

• Office 365 identity not enforced. If the user has no corresponding Office 365 email account, he signs
in with his Yammer identity.

Note: Before you start enforcing Office 365 identities in Yammer, make sure that all current
Yammer users have a corresponding Office 365 identity and inform the users about this change.

Configuring user roles and administrators


Within Yammer you have several different user and administrator roles. The permissions that you can
assign to each user and administrator role are:

Role: Guest User (a user with an external email address, invited by an administrator)
Permissions: Has the same rights as User.

Role: User
Permissions: Has the following rights:
• Create messages, upload files, share and like messages
• Create polls, praise other network members
• Use instant messaging
• Delete own items
• Create notes
• Invite other users

Role: Group Admin
Permissions: Has the same rights as User, and the following additional rights:
• Create groups
• Post announcements in own groups
• Configure group settings (name, picture, and description)
• Perform member management within groups
• Moderate content
• Mark notes and files as official within groups
• Control membership within groups

Role: Network Admin
Permissions: Has the same rights as Group Admin, and the following additional rights:
• Configure network settings and applications
• Configure network design
• Configure usage-policy behavior
• Configure user-profile fields
• Invite anyone (also external guests)
• See all groups (also unlisted)
• Delete any message
• Post announcements
• Grant and revoke Network Admin privileges
• Remove or block users

Role: Verified Admin (an Office 365 Global Admin, provisioned by default)
Permissions: Has the same rights as Network Admin, and the following additional rights:
• Manage user-account activity
• Bulk update users
• Perform integrations
• Monitor keywords
• Set data-retention policy
• Export data
• Configure settings
• Access all groups
• Export content

If you are using Office 365 sign-in credentials, user management uses Azure Active Directory and Office
365 identities. If you use Yammer as a stand-alone solution, you can manage Yammer users through the
Yammer admin portal by using the following procedure:

1. Sign in to http://portal.office.com as global administrator.

2. Open Yammer from the Office 365 app launcher.

3. On the left pane, click on the Settings icon at the bottom of the page.

4. Click Network Admin.

5. Click Admin, and then click Users.


In this Users section, you can invite external guest users, remove and block users, invite users, and bulk
update users. The Export users option gives you the ability to export all user data from Yammer
Enterprise.
Each user is able to fill out his/her individual profile information. Under the Admin section, in the Profile
fields area, you can select which fields are available for your users to fill out.

Note: The profile fields are not connected to your internal Active Directory fields or to your
SharePoint user profile fields. Some of this information is also visible in external networks in
which you are a member.

Configuring usage policy


To ensure that all activities on Yammer are positive, constructive, and in line with your organization's
policies and culture, you can create a usage policy and require your users to accept it. As soon as you
create or update your usage policy, it will appear as a link on users' home screens or display as a pop-up
message that users must accept before entering the Yammer network. You can also set a usage-policy
reminder to be visible in the right sidebar.

Creating or updating a usage policy


1. Sign in to http://portal.office.com as global administrator.

2. Open Yammer from the Office 365 app launcher.

3. In the left panel, click on the Settings icon at the bottom of the page.
4. Click Network Admin.

5. Click Admin, click Network, and then click Usage policy.

6. Select the appropriate check boxes if you want to enable a policy reminder in the sidebar, or if you
require your users to accept the policy during sign-up.

7. Type a policy title in the custom policy title text box.

8. Type the user policy text in the Enter your policy in the textbox below text box.

9. Click Save.

Note: You can use HTML tags such as <h1>, <b>, and <i> to format your policy, but
JavaScript is not allowed.

Tips for creating a usage policy


To create a good and motivating usage policy there are some basic guidelines:

• Keep it positive and explanatory, and not just a list of "don'ts."

• Encourage usage by providing positive examples and suggestions.

• Require that content be office appropriate.


• Be smart; in written communications, sarcasm never works. Try to set an example with good
communication skills, so that you are likely to motivate and engage people.

Sample acceptable usage policy


Welcome to Yammer! Our goal is to provide a collaborative environment to connect with colleagues, and
bridge various departments and geographic locations to share meaningful information.

Your activity in this network is governed by the following requirements:


• Everything in Yammer stays in Yammer! (No public posts or Twitter tweets, or other external
communications).

• Please do not post confidential information into the main feed.

• Be respectful to other members. It is acceptable to disagree, but please do so in a respectful manner.

• Add value with each post.

• You are responsible for the material you post to Yammer.

• It is important to substantiate ideas, but please keep messages brief and to the point.

Get started by following these best practices:

• When you first join, select the colleagues you want to follow. Posts from these colleagues will appear
in your Following feed. To see all the posts in your organization, select All.

• Fill out your profile information. Complete the Expertise and Education sections, and be sure to add
a profile picture.

• Customize your email preferences in the Notifications section.


• Before asking a question, use the search bar and explore the Topics feed to review existing content.
This will help limit repetitive messages.

• Browse the Group directory, and join groups that you find important. If a specific group does not
exist, start a new one and invite members of your team to contribute messages. For best results, use
groups as a replacement for existing email listservs.

• Add Topics, Links, pictures, and Events to posts when applicable.

• Use the Yammer FAQs, and How-to-Guide to help clarify common concerns.

• Take time to explore Yammer. You will get the hang of it!

• Post a question, or send a direct message to Network Admin with any specific questions.

Configuring external networks


External networks are independent Yammer networks with a network "parent" that is the Home network.
An external network can be created as an extension of any Yammer Internal or Home network.

External networks have administration capabilities and operate in a manner similar to internal networks.
This means that every external network can be administered the same way as your internal home
network. External networks are used to enable collaboration between members of the home network and
external parties outside of the organization, such as customers, suppliers, and partners. External Networks
operate independently of email domains.

You must invite external parties (with external email addresses), or they must request access to an external
network. On joining, they can only see content that is posted specifically to that external network, which
means that they will not have access to another organization’s home network.

Within the Yammer admin portal, you can decide who is allowed to create an external network, and if
approval is required to create an external network. You also can disable external networks completely.

Configuring external networks


1. Sign in to http://portal.office.com as global administrator.

2. Open Yammer from the Office 365 app launcher.

3. Click the Settings icon at the end of the page.

4. Click Network Admin.

5. Click Admin, click Network, and then click External networks.

6. Select the required options, if you want to restrict who is able to create an external network.

Options to restrict external networks:


• Any member or only network admins are able to create external networks.

• Require admin approval for your organization’s members to join other organizations' external
networks.

• Disable the Related External Networks directory.

• Disable the Our External Networks directory, and remove the External Networks link in the
networks menu.

Creating an external network


1. Sign in to http://portal.office.com as global administrator.

2. Open Yammer from the Office 365 app launcher.


3. Navigate to Networks in the left navigation bar, click Create a New Network, and then configure the following settings:

o Create a network name.

o Provide a description.

o Add a network image.

o Set permissions.

o Require admin approval for users to join other organizations' external networks.

4. Create the external network.

5. Click save.

Optimizing the user experience with Yammer


You can configure Yammer to be the enterprise social collaboration network of choice for SharePoint Online in Office 365. When you make the change, the app launcher in the Office 365 portal updates to display Yammer instead of the SharePoint Newsfeed.

Note: If you are using the SharePoint Newsfeed, keep in mind that switching to Yammer is a major change to your users’ working environment. Ensure that you inform them of the change before making it, and provide some training on how to use Yammer if required.

To replace the SharePoint Newsfeed icon on the Office 365 portal with the Yammer icon, perform the following steps:

1. In the Office 365 admin center, click Admin centers, and then click SharePoint.
2. In the SharePoint admin center, click Settings.

3. Under Enterprise Social Collaboration, select Use Yammer.com service.

4. Click OK.

After a little while, the Yammer icon will show up instead of the SharePoint Newsfeed Icon in your App
Launcher.

Configuring Yammer Embed


Within SharePoint Online, you can use Yammer Embed to integrate content from groups within your
SharePoint experience. Yammer Embed is the preferred method for embedding Yammer conversations in
a SharePoint site.

Add a Yammer group feed to SharePoint Online


1. In Yammer, go to the group that you want to embed. Locate the Access Options section on the right
panel, and select Embed this group in your site.

2. Copy the script from the pop-up window.

3. In your SharePoint site, click Edit.

4. On the ribbon, click Insert, and then click Web Part.

5. In the Categories list, click Media and Content, and then click Script Editor.

6. In Add part to, select where you want to add the Web Part, and then click Add.

7. Locate your new script editor web part, and then click Edit Snippet.

8. Paste the script you copied from Yammer into the script editor Web Part.

9. Click Insert.

10. Save and publish the SharePoint page. You should see the Yammer group conversation on the
SharePoint page.

Optimize user profile settings within Yammer


It is essential that you provide your users an optimal experience while they use Yammer. As a good
starting point, show the users how they can configure and optimize their user settings to meet their
individual needs.

Access the user profile settings and add profile information


1. Sign in to http://portal.office.com as global administrator.

2. Open Yammer from the Office 365 app launcher.

3. On the left panel, click the Settings icon at the bottom of the page.
4. Click Settings.

5. Type the desired information about yourself, and change your profile picture.

Note: A good user profile helps your coworkers find information about you and your skills.
Note that some of these fields are also visible when you are a member of an external network.

Set up notifications
Yammer offers numerous notifications. Users can receive notifications for likes, mentions, and a lot more. This can be somewhat overwhelming at the beginning of any Yammer experience. A good way to help your users is to advise them to configure their notification settings.
1. Sign in to http://portal.office.com as global administrator.

2. Open Yammer from the app launcher.

3. On the left navigation pane, click the Settings icon at the end of the page.
4. Click Settings.

5. Click Notifications.

6. Configure the settings so that they meet your requirements.

We recommend that users deselect as many options as possible. You should leave only those notification settings selected that you actually want in your email inbox. A best practice is to keep the notifications for when you are tagged in a post and, for security reasons, for when you sign in from somewhere else.

Note: If you are a member of a group, and you do not want to miss any conversation in the
group, subscribe to the group directly through the notification settings.

Configure preferences
In the preferences tab, users can change their time zone and preferred language.

Check Your Knowledge


Question

Select the three Office 365 subscriptions with which Yammer Enterprise is available.

Select the correct answer.

Basic Network with SharePoint Online

x Enterprise Network and Office 365

Basic Network and Office 365

x Enterprise Network

x Enterprise Network and SharePoint Online

Check Your Knowledge


Question

Which three features are available only in a Yammer Enterprise Network?

Select the correct answer.

Secure Enterprise Social Networking

x Enterprise Administrator

Group Administrator

x Verified Administrator

x Enterprise Integrations

Check Your Knowledge


Question

Which two things must be in place before you enable Yammer Enterprise within Office 365?

Select the correct answer.

x A verified custom domain

A paid Yammer Enterprise network

A Global Administrator in Office 365

x A Global Administrator in Office 365 with the verified Domain

A verified Administrator in Yammer



Lesson 2
Planning and configuring OneDrive for Business
Microsoft OneDrive for Business is a private library for storing, organizing, and sharing users’ work
documents. It is an integral component of a user’s Office 365 online environment, and it is available when
the organization purchases SharePoint Online licenses.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe OneDrive for Business.

• Describe the collaboration features in OneDrive for Business.


• Describe how to configure the OneDrive for Business client, and how to configure synchronization.

• Describe how to migrate files to OneDrive for Business.

• Explain how to manage OneDrive for Business.

• Describe how to plan a OneDrive for Business implementation.

Overview of OneDrive for Business


Microsoft OneDrive for Business is a cloud storage repository where you can store, sync, and share your work files. As part of Office 365, or SharePoint Server 2013 and SharePoint Server 2016, OneDrive for Business enables you to update and share your files from anywhere and work on Office documents with others at the same time. There are various options to access the OneDrive for Business folders: through the browser, through File Explorer, or on a mobile app that is available for mobile platforms.

OneDrive for Business allows you to store all your business-related files in a secure location, and sync files across devices and access them anywhere, even when offline. Depending on the Office 365 subscription you purchase, you will be allocated either up to 1 terabyte (TB) of space or unlimited space in the cloud for OneDrive for Business for each licensed user, without incurring additional costs. For government plans, this space is limited to 100 gigabytes (GB). This storage allocation is separate from the tenant allocation.

If your OneDrive for Business library is hosted on a server running SharePoint Server in your organization,
your organization’s administrators determine how much storage space is available. OneDrive for Business
includes libraries, a Recycle Bin, and personal newsfeed information.

All files that you store in OneDrive for Business are private, unless you decide to share them. You can
either share a file with everyone in the organization by simply locating it in the Shared with Everyone
folder, or you can share a file with specific co-workers by using the SHARE option. You can do this by
clicking the ellipsis (…) icon, and then typing the names of the users to send a sharing invitation. You
might even be able to share with partners outside of your organization, depending on what your
organization allows.

Note: Microsoft OneDrive for Business is not the same as OneDrive, which is a cloud-based
service intended for personal storage and is provided with Microsoft Accounts such as
user@outlook.com accounts. This can be confusing because, in the App Launcher and in the
Office 365 portal, the OneDrive for Business feature is actually displayed as “OneDrive” in the
navigation bar.

Note: When you send email from Outlook 2016 or from Outlook Web App, you can attach
a file stored in OneDrive for Business as a link, instead of sending an attachment. When you
attach a file as a link, you automatically give the recipients permission to edit the file. Also, this
practice saves space in everyone's mailbox, and it encourages people to edit the same copy that
is stored in OneDrive for Business.

The OneDrive for Business storage space in the cloud is available automatically for each user who has a
SharePoint Online license and is separate from the tenant allocation. While SharePoint sites usually store
organization-or team-related content, OneDrive for Business is ideal for personal use.

OneDrive for Business enables users to synchronize folders and files between their local computers and
the cloud. Another important benefit is that OneDrive for Business provides sharing functionality to
collaborate with other users, inside and outside of your own organization.

In summary, OneDrive for Business can make sense in many scenarios. For example, it can serve as a
central personal file storage (which was called “Home Directory” in local networks), as a way to use
documents offline and online with automatic synchronization, and to share documents with coworkers or
partners securely.

OneDrive for Business collaboration features


OneDrive for Business is your personal document library in Office 365. By default, the files that you store in OneDrive for Business are private, but you can share them as needed. You can store files in OneDrive for Business, and collaborate on files in your team site.

While a team site is ideal for storing files that have shared ownership, where several people or the whole team can collaborate on them, your OneDrive for Business storage is ideal for storing business files that you are working on by yourself. Additionally, it enables you to share personal content with other people.

It is a common practice to store business files in your OneDrive for Business storage that other team
members will not need to collaborate on or access regularly.

Sharing documents with OneDrive for Business


You can access the OneDrive for Business collaboration features in Microsoft Edge when you access your files stored in OneDrive for Business by using the URL https://yourtenant-my.sharepoint.com/personal/UPN/ (UPN is the Universal Principal Name: the sign-in name and the domain name, with each part separated by underscore characters). For example, the personal address of Holly’s OneDrive for Business account is https://yourtenant-my.sharepoint.com/personal/hleitner_adatum_com/.

You can use the following collaboration features:

• You can share a file with specific co-workers by using the SHARE option. You do this by clicking the
ellipsis (…) icon for a file, and then typing the names of the users to send a sharing invitation.

• In File Explorer, you can right-click a file, and then click More OneDrive sharing options. This opens Microsoft Edge. In the files list, select the file or folder, and then click Share on the menu bar. In the sharing dialog box, type the names of the people you want to share your files with, and then send a sharing invitation.

Note: In older Office 365 tenants, there was a folder named Shared with Everyone. All
files in that folder were visible automatically for all users within the organization. This folder no
longer exists in new Office 365 tenants.

Viewing documents that people have shared with you


To see which documents are shared with you, click the Shared With Me link in the OneDrive for Business
website Quick Action bar on the left pane.

To check if one specific document is shared with other users, select the document or the folder, and then
click Share. In the share dialog box, open Shared with to see a list of all users who have access to that
specific document.

Stop sharing a document


Click the document that you want to stop sharing, and then click Share. In the Share dialog box, click
Shared with. Click STOP SHARING to end sharing of the selected document.

Note: Currently, it is not possible to set a timeframe for sharing files or folders. Objects are
shared until the owner stops the sharing. This must be done manually.

OneDrive for Business client configuration and synchronization


The OneDrive for Business sync client lets you synchronize your cloud storage or other SharePoint site libraries to your local computer. This enables you to take files offline to work on and then synchronize them back to your OneDrive for Business library once you are back online. The synchronization process happens automatically in the background when your computer is connected to the Internet.

Currently, two versions of the OneDrive for Business client are available. This is important because the new OneDrive for Business sync client does not support the same features that the older version offers.

The old sync client (groove.exe)


To get the OneDrive for Business sync client, install the desktop versions of Office 2013 or Office 2016.

The following versions of Office 2013 include the OneDrive for Business sync client:

• Office Professional Plus 2013 or 2016

• Office 365 Enterprise E3, E5

• Office 365 Business Professional

• Office 365 Business

• Office 365 Business Premium

Additional Reading: For more information, refer to System requirements for Office:
http://aka.ms/ghq4zw.
The OneDrive for Business sync app is available in different languages for both the x86 and x64 platforms.

Additional Reading: Download OneDrive for Business sync app in different languages and
for the x86 and x64 platforms from: http://aka.ms/we3v3g.

Restrictions of the old sync client are as follows:

• You can sync files of up to 2 gigabytes (GB) in any SharePoint library.

• You can sync up to 5,000 items in a SharePoint library.

• You can sync up to a total of 20,000 items across all synchronized libraries.
• In SharePoint Server 2013, file names can have up to 128 characters while in SharePoint Online, file
names can have up to 256 characters.

• Folder name and file name combinations can have up to 250 characters.

• Restricted characters in file names in SharePoint Online are: \ / : * ? " < > | # %.

• A file or folder name that begins with a tilde (~) sign is not supported in SharePoint Online.

• The same file name restrictions that apply to SharePoint Online are also valid for SharePoint Server
2013, with some additional characters: \ / : * ? " < > | # { } % ~ &.

• A file name that begins with a period (.) or a tilde (~) sign is not supported in SharePoint Server 2013.

• There are some invalid file types that cannot be uploaded, such as *.tmp, *.ds_store, desktop.ini,
thumbs.db, or ehthumbs.db files. Additionally, in SharePoint Server, the IT administrators can block
individual file types to prevent them from being uploaded.

• Files that are opened in any application cannot be uploaded.

Note: For more information, refer to Restrictions and limitations that apply when you sync
SharePoint libraries through OneDrive for Business: http://aka.ms/ps7xle.
This URL also provides a download of a tool named MicrosoftEasyFix20150, which helps fix sync
issues with OneDrive for Business automatically.

Note: The old sync client is still used for synchronization of SharePoint Document Libraries
because this is not supported currently in the new OneDrive for Business sync client.

The new OneDrive for Business sync client (OneDrive.exe)


Microsoft released a new version of the OneDrive for Business Next Generation Sync Client in early 2016. This new client has some improvements over the old client, including:

• Support for selective sync. The user can control which folders will synchronize.

• Support for synchronizing large files up to 10 GB.


• Support for synchronizing more than 20,000 files.

• IT administrator deployment, with configurable options such as the ability to block sync for the
OneDrive consumer service and setting the default sync folder location.
• Updates to the new sync client independently of Office and Windows updates.

Supported operating systems


• Windows 7, Windows 8, and Windows 10
• Mac OS X 10.9 and newer

Current restrictions
• Windows 8.1 support will be added at a later stage.
• SharePoint Document Library sync will be added in future releases. As a workaround, OneDrive for
Business next generation sync client works side by side with the existing sync client (groove.exe) for
users who require sync for OneDrive for Business and SharePoint Online document libraries.

• If a user opens a locally synced Office document from File Explorer, the Office integration is limited,
because the Office application is not aware that the file is a document from the cloud. As a result, the
user cannot use document co-authoring, and the most recent document list shows the local path and
not the cloud path. In addition, sharing is not available, and the cloud (modern) attachments are not
available in Outlook 2016.

Additional Reading: For more information, refer to Deploying the OneDrive for Business
Next Generation Sync Client in an enterprise environment: http://aka.ms/Q8m3fx.

Additional Reading: For more information, refer to Deploying the OneDrive Next
Generation Sync Client on OS X and configuring work or school accounts: http://aka.ms/xdv82u.

Additional Reading: For more information, refer to Meet the OneDrive for Business Next
Generation Sync Client: http://aka.ms/tvnzw1.

Finding the OneDrive for Business sync client version installed on your system
If you are using the OneDrive for Business sync client, in the taskbar notification area, locate the white or blue OneDrive cloud icon, and then note the pop-up text.

• If the cloud icon is gray, you have the new OneDrive for Business Next Generation Sync Client but
have not set it up for your work or school account. Click the gray cloud icon, and sign in by using
your work or school sign-in credentials.

• If the cloud icon is white, and the pop-up text reads OneDrive or OneDrive – Personal, the
OneDrive consumer service sync client is installed, and it uses the same program as the new OneDrive
for Business Next Generation Sync Client.

• If the cloud icon is blue, and the pop-up text reads OneDrive for Business, the old OneDrive for
Business sync client is installed.

• If the cloud icon is blue, and the pop-up text reads OneDrive – your organization's name, the new OneDrive for Business Next Generation Sync Client is installed and configured.

Additional Reading: For more information, refer to Which OneDrive sync client am I
using?: http://aka.ms/p17elm.

Migrating files to OneDrive for Business


In many scenarios, you will have existing content on your local computer or a file share that you want to migrate to OneDrive for Business. As a first step, we recommend that you analyze your data to plan and prepare for the migration.

Analyzing data
While analyzing existing data, you should ask yourself the following questions:

• What is the total size of all files that you want to migrate? In previous topics, you saw that OneDrive for Business can store up to unlimited content. Keep in mind that SharePoint Online also has a limit on available capacity per site collection.

• How many files will be migrated? Depending on the sync client that you use (see previous topic),
there is a limit on maximum number of files that you can synchronize. Also, there is a 5,000-item limit
for viewing content in document libraries, and 20,000 for synchronizing personal sites. If you have
more than 5,000 files in one folder, try to split the content over multiple subfolders within SharePoint
Online site collections.

• What are the largest file sizes? This depends on the sync client that you use. The maximum file size with the old OneDrive for Business sync client is 2 GB, whereas with the OneDrive for Business Next Generation Sync Client, it is 10 GB. If some files exceed this size, you cannot migrate them into OneDrive for Business. As an alternative, use another storage system such as a local storage area network, network-attached storage (NAS), a DVD, or Microsoft Azure Blob storage.

• What does the folder structure look like, and what is the maximum path length? Use the
MicrosoftEasyFix20150 utility to ensure that filenames do not include special characters, and apply
the rules that you learned in the previous topic. The maximum path length that can be synchronized
is 260 characters. If your folder names are too long, try to use abbreviations, such as “HR” instead of
“Human resources.”

Additional Reading: Download the MicrosoftEasyFix20150 utility from: http://aka.ms/rq11p3.

• What file types exist? OneDrive for Business is ideal for storing Microsoft Office documents. However,
it is not a good idea to move other file types, such as pictures, multimedia files, development code,
and similar content, into SharePoint.

Additional Reading: For more information, refer to Types of files that cannot be added to a list or library: http://aka.ms/orzefl.

No file types are blocked in SharePoint Online and Office 365.

• Is there content that is no longer used? Check if content exists that is not being used anymore, to
reduce the number of files that you plan to migrate. Discuss with the customer if it is really necessary
to keep old data. Cleaning up content is generally a good practice to archive or delete old unused
files from any storage system before you migrate them to another system.

Additional Reading: For more information, refer to SharePoint Online and OneDrive for
Business: software boundaries and limits at: http://aka.ms/Ywqifr.
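The restrictions listed for the old sync client (restricted characters, leading tilde or period, name and path lengths, blocked file types, 2 GB files) and the questions in the analysis list above (total size, file count per folder, largest files, path length) can be turned into a pre-migration inventory check. The following script is an added example, not a tool from the course or from Microsoft, and it is not a substitute for the MicrosoftEasyFix20150 utility the course refers to. The function names, the "online"/"server2013" target labels, the "groove"/"nextgen" client labels, and the sample inventory are this example's own assumptions; the limits themselves are the ones quoted in the course text.

```python
"""Pre-migration inventory check against the course's OneDrive for Business sync limits."""
import os
from collections import Counter

# Limits quoted from the course text. "online" = SharePoint Online,
# "server2013" = SharePoint Server 2013 (a superset of the Online rules).
RESTRICTED_CHARS = {
    "online": set('\\/:*?"<>|#%'),
    "server2013": set('\\/:*?"<>|#{}%~&'),
}
MAX_NAME_LEN = {"online": 256, "server2013": 128}
MAX_PATH_LEN = 260               # longest path the sync client handles
MAX_ITEMS_PER_FOLDER = 5000      # document library view/sync limit per folder
# Per-file size limit by client: old client (groove.exe) vs next generation client.
MAX_FILE_BYTES = {"groove": 2 * 1024 ** 3, "nextgen": 10 * 1024 ** 3}
BLOCKED_NAMES = {".ds_store", "desktop.ini", "thumbs.db", "ehthumbs.db"}
BLOCKED_EXTENSIONS = {".tmp"}


def name_issues(name, target="online"):
    """Return the list of rule violations for a single file or folder name."""
    issues = []
    bad = sorted(set(name) & RESTRICTED_CHARS[target])
    if bad:
        issues.append("restricted characters " + " ".join(bad))
    if name.startswith("~"):
        issues.append("leading tilde")
    if target == "server2013" and name.startswith("."):
        issues.append("leading period")
    if len(name) > MAX_NAME_LEN[target]:
        issues.append("name longer than %d characters" % MAX_NAME_LEN[target])
    lower = name.lower()
    if lower in BLOCKED_NAMES or os.path.splitext(lower)[1] in BLOCKED_EXTENSIONS:
        issues.append("blocked file type")
    return issues


def analyze(entries, target="online", client="nextgen"):
    """Summarize an inventory of (relative_path, size_in_bytes) pairs.

    Paths use '/' as separator. Every path component is checked against the
    naming rules; sizes are checked against the chosen client's file limit.
    """
    report = {"file_count": 0, "total_bytes": 0, "largest": (None, 0),
              "oversized": [], "path_too_long": [], "name_issues": {},
              "crowded_folders": []}
    per_folder = Counter()
    for path, size in entries:
        report["file_count"] += 1
        report["total_bytes"] += size
        if size > report["largest"][1]:
            report["largest"] = (path, size)
        if size > MAX_FILE_BYTES[client]:
            report["oversized"].append(path)
        if len(path) > MAX_PATH_LEN:
            report["path_too_long"].append(path)
        parts = path.split("/")
        per_folder["/".join(parts[:-1])] += 1
        issues = []
        for part in parts:
            issues += name_issues(part, target)
        if issues:
            report["name_issues"][path] = issues
    report["crowded_folders"] = sorted(
        folder for folder, count in per_folder.items() if count > MAX_ITEMS_PER_FOLDER)
    return report


def walk_share(root):
    """Yield (relative_path, size) for a real folder tree, for use instead of SAMPLE_ENTRIES."""
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            full = os.path.join(dirpath, filename)
            yield os.path.relpath(full, root).replace(os.sep, "/"), os.path.getsize(full)


# Constructed sample inventory (not real data); sizes are in bytes.
SAMPLE_ENTRIES = [
    ("HR/Policies/leave-policy.docx", 120_000),
    ("HR/Policies/~$leave-policy.docx", 200),        # Office lock file: leading tilde
    ("Finance/Q1 report #final.xlsx", 3_500_000),    # '#' is a restricted character
    ("Finance/thumbs.db", 15_000),                   # blocked file type
    ("Media/town-hall-recording.mp4", 3 * 1024 ** 3),  # above the 2 GB old-client limit
    ("Dev/src/.gitignore", 50),                      # leading period: Server 2013 issue only
]

if __name__ == "__main__":
    result = analyze(SAMPLE_ENTRIES, target="online", client="groove")
    print("files: %d, total bytes: %d" % (result["file_count"], result["total_bytes"]))
    print("largest:", result["largest"])
    print("oversized for this client:", result["oversized"])
    for path, issues in result["name_issues"].items():
        print("%s: %s" % (path, "; ".join(issues)))
```

Run it against the sample inventory to see which entries the old client would refuse, then replace `SAMPLE_ENTRIES` with `walk_share(r"\\fileserver\share")` to inventory a real file share before you hand it to the sync client. Switching `client` to `"nextgen"` or `target` to `"server2013"` shows how the same inventory fares under the other limits from the text.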

Migrating data
After you clean up and prepare the local data, the best way to migrate the data into OneDrive for
Business storage is to use File Explorer. Both the next generation sync client and the old sync client
manage uploading all content to the personal cloud storage.

Note: When you synchronize files to OneDrive for Business, metadata associated with files
and folders are not migrated to the OneDrive for Business storage (to the SharePoint Online
document library). Metadata associated with files or folders is not preserved, and invalid
characters, file type restrictions, or path lengths are not detected.

Some third-party tools provide additional features and migration capabilities. In a future release, the import function within Office 365 will also be able to import data to OneDrive for Business; until then, a third-party migration tool is the alternative.

Additional Reading: For more information on a list of third-party tools that you can use
during migration, refer to Migrating File Shares to OneDrive for Business: http://aka.ms/oo1zjq.

Troubleshooting migration issues


You might encounter issues during migration. To identify the issue's cause, do the following:

• Check the version of your installed OneDrive for Business sync client to see the tool's restrictions. If
you are running the stand-alone version of OneDrive for Business, make sure that you download the
latest version of the sync client.

Additional Reading: To download the SkyDrive Pro client for Windows, go to:
http://aka.ms/elihab.

• Check your upload speed with an online speed test tool, to get an indication of the maximum upload
speed from your location, and try to schedule uploads outside of business hours. Usually, nights are a
good time to upload a high volume of content.

Additional Reading: To check your upload speed, you can use a speed test service such as
http://www.speedtest.net.

• If synchronization issues occur, try to repair the issues by identifying the underlying problems. You
can usually do this by fixing filename issues and path length on the local computer.

Managing OneDrive for Business


OneDrive for Business is a personal SharePoint document library that has all the features and limitations of a standard SharePoint document library. OneDrive for Business is simple to use for end users, and simple to manage for administrators. Your content is available from anywhere without the need to configure features. You can share content with internal and external users with a mouse click, and it does not require much effort to maintain these services.

However, users need to understand that they are responsible for their content. Following are some aspects that you should consider for managing the content effectively:

• Managing security is top priority. Because it is easy to share content, users need to know which
objects are shared, or if there is content that is inheriting unwanted permissions. It is easy to create
orphaned permissions on objects; for example, when sharing a folder. Users should be aware of the
fact that they need to control which content is shared with whom.

• Objects, once shared, can be shared again. An external user can transfer permissions on a document
to another user. The document owners can stop sharing, but they need to monitor their shares.
• Monitoring shares can be done by checking shares periodically. This must be done actively by the
owner of the OneDrive for Business document library.

Note: Folders and files can be managed best with File Explorer. Shares must be monitored
in the OneDrive for Business site in Microsoft Edge, and can only be controlled online.

Besides the security aspects, users should also check the synchronization of their content between their
local computers and the cloud. Both the OneDrive for Business clients notify any issues in the System Tray
area of the taskbar.

Planning a OneDrive for Business implementation


As an administrator who might be tasked with implementing OneDrive for Business for your organization, you need to understand the service functionality and the administration possibilities such as security, deploying the Sync Client, integration, and other factors.

When you plan for implementing OneDrive for Business within your organization, you should consider doing the following:
• Analyze the existing content, and decide what should be migrated.

• Inform your users about how OneDrive for Business works, and how they can migrate their content.
• Inform your users about the benefits of using OneDrive for Business, compared to local storage or
other services.

• Help users understand the difference between OneDrive for Business and the OneDrive consumer
version.

• Show users how the sync client works.

• Support users if errors occur during synchronization, and show them how to fix common errors.
• Encourage users to use the sharing functionality whenever needed instead of sending documents as
email attachments. Explain how sharing makes their life easier by sharing with internal users and
external users.
• Show users the advantages of sharing and using advanced features such as versioning and archiving,
the Recycle bin, Co-Authoring, document preview, and simplified search.

Note: You also can use OneDrive for Business in local environments. If you want to
implement OneDrive for Business in your organization's SharePoint Server 2013 on-premises
deployment, you must have configured the MySites and the User Profile Service application. To
display the user's My Site as a default Save or Open location in Office 2013, you must configure
SharePoint Server 2013 to use Exchange Autodiscover.

Additional Reading: For more information on the required prerequisites and configuration
settings, and how to plan for OneDrive for Business in SharePoint Server 2013, refer to Plan for
OneDrive for Business in SharePoint Server 2013 at: http://aka.ms/irhv85.

In hybrid deployment scenarios, you can also redirect your users to OneDrive for Business in Office 365.

Additional Reading: For more information, refer to How to redirect users to Office 365 for
OneDrive for Business at: http://aka.ms/j5ttiy.

Check Your Knowledge


Question

Select all the OneDrive for Business attributes.

Select the correct answer.

x Provides up to unlimited Storage

Provides free Online Storage for personal use

x Available from any device

x Included in Office 365 and SharePoint Online Plans

Allows uploading files up to 15 GB in size

Verify the correctness of the statement by placing a mark in the column to the right.

Statement | Answer
With the OneDrive for Business next-generation sync client, selective sync is possible. | T

Check Your Knowledge


Question

Select three characters that are not supported in filenames that you store in OneDrive for
Business and SharePoint Online.

Select the correct answer.

x #

&

x %

x ?

Lesson 3
Configuring Office 365 groups
Office 365 groups are groups that are available across all Office 365 services and are highly integrated with all Office 365 services. Office 365 groups help in collaboration and teamwork. Through the Outlook Groups mobile app, users are informed about new content or new communications in the group. Users also can use this app to work collaboratively with co-workers. Office 365 groups are available only in Office 365. They are part of Azure Active Directory. Each Office 365 group has a mailbox, a calendar, a OneNote notebook, and a OneDrive for Business site collection.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe Office 365 groups.

• Describe the components of Office 365 groups.


• Explain how to create and configure Office 365 groups.

• Describe how users experience Office 365 groups.

• Describe how to remove Office 365 groups.

Overview of Office 365 groups


Office 365 groups are a unique combination of Azure Active Directory groups with Exchange Online and SharePoint Online functionality. Office 365 groups are similar to distribution groups. An Office 365 group has its own mailbox, and its members receive email messages sent to the group. In addition, the Office 365 group provides a shared workspace for email, conversations, files, and calendar events. It serves as a designated place to collaborate on a project. All conversations are stored in the group; a dedicated calendar is available to the group; and dedicated OneDrive for Business storage is available for group documents.

Public and private Office 365 groups


With Office 365, Microsoft follows a user-centric approach. This means users can create their own groups
easily and administrators can manage some of the group capabilities.

There are two different group types, public and private. A public group is open to everyone. If you are
interested in that group, you can visit the group and check out the content and conversations. If it is
interesting to you, you can join the group and become a member. You can subscribe to the group to get
email notifications about group discussions. A private group is exclusive and is open only to its members.
Its content and conversations are not viewable by non-members. Choose a private group if you are
concerned about security and privacy. To join a private group, you must obtain approval from the group
administrator. Each group, private or public, can receive emails.

Note: At the time of writing this course, you cannot change a public group into a private
group, and vice versa.

There are some limitations that group members and owners should be aware of:

• A group can have a maximum of 10 owners.

• A user can create only up to 250 groups.

• Groups with more than 1,000 members are supported, but there might be performance limits.

Office 365 group components


Office 365 groups are user centric. This means that users in your organization can create, join, and leave
Office 365 groups themselves. Each user can create groups directly from Outlook or through Microsoft
Edge in Office 365.

When you create an Office 365 group, several things happen in the background:

• The Azure Active Directory group is created.

• A mailbox with calendar is created.

• A OneDrive for Business page is created.

• A OneNote Notebook is created.

Office 365 groups are similar to distribution groups in that members receive email messages sent to the
group. The Office 365 group components include a file store and a mailbox store.

Note: Because Office 365 groups have several components, it can take time to create the
groups.

Groups interact with all Office 365 services, such as Outlook, SharePoint, Yammer, Delve, and Planner.

Creating and configuring Office 365 groups


Because of groups' user-centric design, users or administrators can create the groups. As a global
administrator, you can create groups in the Office 365 admin center, and you do not need to be a
member of that Office 365 group.

Creating an Office 365 group in the Office 365 admin center:

1. Sign in to http://portal.office.com as global administrator.

2. Go to the Office 365 admin center by using the app launcher.

3. Select Groups in the left navigation pane, and then click Groups.

4. Click Add a group.

5. In the right pane, you have three options for group type: Office 365 group, Distribution list, or
Security group. Select Office 365 group.

6. Review the Office 365 group options. Type a name, an email address, and a description. Select whether
the group will be public or private, and then select the language.

7. Select the group owner. Group owners are the users who can manage the group.

8. Select whether group members are subscribed to the group.

9. Click Add.

Note: If group members are subscribed to a group, they receive all messages and calendar
items in their inbox.

Note: At the time of writing this course, you cannot add external members to an Office 365
group. If you need that functionality, you must create a Distribution list.

Editing and configuring an Office 365 group


1. Sign in to http://portal.office.com as global administrator.

2. Go to the Office 365 admin center by using the app launcher.


3. Select Groups in the left navigation pane, and then click Groups.

4. Click the group.

5. Select one of the options below:


o Edit Members and Owners. By using this option, you can add and remove members from a
group, select a new group owner, or change the status of the group admin.

o Delete Group. If you do not need the group anymore, delete it. The group, its email
conversations, calendar, and documents stored in OneDrive for Business storage will be deleted
along with the group. This action cannot be undone.

Note: At the time of writing this course, you cannot restore a deleted group.

o Edit Details. Sometimes it is necessary to change or update the name of a group. This name
appears in the address book and on the To: line in email as the name of the group. A group
description helps your users to decide if a group is relevant for them.

Managing groups through Windows PowerShell


If you need to perform bulk operations on Office 365 groups, you can use Windows PowerShell.

To manage Office 365 groups, you must first connect to Exchange Online by using Windows PowerShell.
You use Windows PowerShell on your local computer to create a remote PowerShell session to Exchange
Online:

$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -AllowClobber

Create a new group:

New-UnifiedGroup -DisplayName "MVAGroup" -Alias "MVAGroup"

Add a user as an owner of the group (the -LinkType values are plural: Owners, Members, Subscribers):

Add-UnifiedGroupLinks -Identity "MVAGroup" -LinkType Owners -Links user@contoso.onmicrosoft.com

Add a user as a member of the group:

Add-UnifiedGroupLinks -Identity "MVAGroup" -LinkType Members -Links user@contoso.onmicrosoft.com

Remove a user from the members of the group:

Remove-UnifiedGroupLinks -Identity "MVAGroup" -LinkType Members -Links user@contoso.onmicrosoft.com

Get all members of a group:

Get-UnifiedGroupLinks -Identity "MVAGroup" -LinkType Members
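As an added example that is not part of the course text, the following script applies the cmdlets above to a bulk operation: it creates groups from a list, sets owners and members, and then reports the privacy type, address-list visibility and owner count of every group in the tenant, which is the check an administrator wants before handing groups over to a user-centric model. It assumes the Exchange Online session shown above has already been imported. The group names, aliases and user principal names are constructed sample values, and the audit uses Get-UnifiedGroup, a cmdlet the course does not show.

```powershell
# Added example, not part of the course text. Assumes an Exchange Online remote
# PowerShell session has already been imported (see New-PSSession/Import-PSSession above).
# All group names and user principal names below are constructed sample values.

# Constructed input: one row per group. Owners/Members are ';'-separated UPNs.
$groupRows = @'
DisplayName,Alias,AccessType,Owners,Members
Marketing Team,MarketingTeam,Private,holly@contoso.onmicrosoft.com,roman@contoso.onmicrosoft.com;francisco@contoso.onmicrosoft.com
Planning Group,PlanningGroup,Public,holly@contoso.onmicrosoft.com,francisco@contoso.onmicrosoft.com
'@ | ConvertFrom-Csv

function New-GroupFromRow {
    param([Parameter(Mandatory)] $Row)

    $owners  = @($Row.Owners  -split ';' | Where-Object { $_ })
    $members = @($Row.Members -split ';' | Where-Object { $_ })

    # Public/Private is chosen at creation; the course notes it cannot be switched afterwards.
    $group = New-UnifiedGroup -DisplayName $Row.DisplayName -Alias $Row.Alias `
                              -AccessType $Row.AccessType -ErrorAction Stop

    # Owners are added as members first, so that every owner is also a member of the group.
    Add-UnifiedGroupLinks -Identity $group.Identity -LinkType Members `
                          -Links (@($members + $owners) | Select-Object -Unique)
    Add-UnifiedGroupLinks -Identity $group.Identity -LinkType Owners -Links $owners
    $group
}

foreach ($row in $groupRows) { New-GroupFromRow -Row $row | Out-Null }

# Audit every group in the tenant: privacy type, GAL visibility and owner count.
# A group with no owner cannot be managed by its members; a single owner is a
# continuity risk if that person leaves the organization.
function Get-GroupOwnershipReport {
    Get-UnifiedGroup -ResultSize Unlimited | ForEach-Object {
        $owners  = @(Get-UnifiedGroupLinks -Identity $_.Identity -LinkType Owners)
        $finding = if ($owners.Count -eq 0)     { 'No owner' }
                   elseif ($owners.Count -eq 1) { 'Single owner' }
                   else                         { 'OK' }
        [pscustomobject]@{
            Group         = $_.DisplayName
            AccessType    = $_.AccessType
            HiddenFromGAL = $_.HiddenFromAddressListsEnabled
            OwnerCount    = $owners.Count
            Finding       = $finding
        }
    }
}

Get-GroupOwnershipReport | Sort-Object OwnerCount, AccessType | Format-Table -AutoSize
```

Run the report on its own (without the creation loop) as a periodic check; sorting by owner count puts ownerless and single-owner groups at the top, and the AccessType column shows which of them are public.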

Group naming policies


Group naming policies allow you to control how group names and email aliases appear in your
organization's directory and to users. Naming policies are useful for adding specific prefixes or suffixes
to group names, for blocking specific words in group names, and when you need different naming
conventions in different regions. You assign a group naming policy through Windows PowerShell.

How users experience Office 365 groups


As long as Office 365 groups are not disabled in your tenant, users can access Office 365 groups across
all Office 365 services. Office 365 groups are visible to users within their Outlook Web App and in
OneDrive for Business. Groups are also part of Office 365 Planner, and you can see them in the Outlook
2016 client. Groups are open and discoverable by default. When a user finds a group, the user can first
explore the group by checking its membership, conversations, and files. If the group interests the user,
the user can join the group and start participating.

Conversations and email


One of the most important parts of a group is communication. As mentioned, each group has its own
mailbox, and each user can access group conversations either through Outlook or the Outlook Web App.
The group conversations are preserved. This ensures that new members can acquaint themselves with
group content quickly. The group conversations are sorted by date. You can also like a conversation in
Office 365 groups.

Additionally, you can send an email to a group by adding the group name to the To: line of your email
and send it.

Note: Currently, it is not possible to be a member of a group as an external user without an
Office 365 license or email address within the Office 365 tenant. But it is possible to send emails
to a group as an external user.

Group calendar
Each group has its own dedicated group calendar. Every member of the group automatically sees meeting
invites and other events. All group calendars are visible in Outlook and Outlook Web App, and can be
viewed side by side. Events that you create in the group calendar are added and synchronized
automatically with your personal calendar.

Files, sharing, and OneDrive for Business


Each group has its own OneDrive for Business folder. A group's OneDrive for Business page is the primary
place for group files. You can access the group's OneDrive for Business files from your own OneDrive for
Business site by using Microsoft Edge.

Note: You can add folders only if the custom scripts on personal sites feature is disabled.

Subscribing to a group
You can be a member of a group, and you can subscribe to it. When you subscribe to a group, you are
requesting that conversations or events from the group be sent to your inbox. You can directly answer to
group conversations from your inbox. Subscribing is not enabled by default. Each user can decide to
subscribe to a group or not subscribe. This helps you subscribe only to the most relevant groups.

Removing Office 365 groups


There might be several reasons why you need to disable Office 365 groups. The most important one is
that you do not use all the services in Office 365. If your organization uses only SharePoint Online within
Office 365 and has another email system on-premises, it is difficult to use groups because groups are so
deeply connected to all Office 365 services. You can disable Office 365 group creation at the tenant level;
it is also possible to disable group creation for a subset of users.

Note: At the time of writing this course, you can disable groups only through Windows PowerShell.

Disabling group creation for all users


1. Open Windows PowerShell.

2. Connect to Exchange Online Remote PowerShell, and then disable group creation in the default Outlook
Web App mailbox policy by using the following command:

Set-OwaMailboxPolicy -Identity test.com\OwaMailboxPolicy-Default -GroupCreationEnabled $false

Disabling group creation for a subset of users


1. Open Windows PowerShell.

2. Connect to Exchange Online Remote PowerShell.


3. Create a new mailbox policy by using the following command:

New-OwaMailboxPolicy -Name "<policy name>"

4. Set the GroupCreationEnabled value to false by using the following command:

Set-OwaMailboxPolicy -Identity "<policy name>" -GroupCreationEnabled $false

5. Assign the policy to the mailbox of each user who is not allowed to create groups by using the
following command:

Set-CASMailbox -Identity <user> -OwaMailboxPolicy "<policy name>"

Hiding a group from the global address list (GAL)


1. Open Windows PowerShell.

2. Connect to Exchange Online Remote PowerShell.

3. Hide a group from the GAL by using the following command:

Set-UnifiedGroup -Identity <groupname> -HiddenFromAddressListsEnabled $true
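The two procedures above (restricting group creation to a subset of users, and hiding a group from the GAL) are combined into one script below as an added example that is not part of the course text. It creates the restrictive policy only if it does not already exist, assigns it, and then reads back each user's effective policy with Get-CASMailbox and Get-OwaMailboxPolicy, so that the restriction is verified rather than assumed. It assumes an Exchange Online remote session is already imported; the policy name, user principal names and the group alias are constructed sample values.

```powershell
# Added example, not part of the course text. Assumes an Exchange Online remote
# PowerShell session is already imported. The policy name, user principal names
# and the group alias 'PlanningGroup' are constructed sample values.

$policyName      = 'NoGroupCreation'
$restrictedUsers = @('roman@contoso.onmicrosoft.com', 'francisco@contoso.onmicrosoft.com')
$groupToHide     = 'PlanningGroup'

# 1. Create the restrictive Outlook Web App mailbox policy once; reuse it on later runs.
$policy = Get-OwaMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-OwaMailboxPolicy -Name $policyName
}
Set-OwaMailboxPolicy -Identity $policyName -GroupCreationEnabled $false

# 2. Assign the policy to every user who must not create groups.
foreach ($upn in $restrictedUsers) {
    Set-CASMailbox -Identity $upn -OwaMailboxPolicy $policyName
}

# 3. Verify: resolve each user's effective OWA mailbox policy (the default policy
#    applies when none is set explicitly) and report whether it permits group creation.
function Get-GroupCreationStatus {
    param([Parameter(Mandatory)] [string[]] $Users)

    foreach ($upn in $Users) {
        $cas      = Get-CASMailbox -Identity $upn
        $assigned = if ($cas.OwaMailboxPolicy) { $cas.OwaMailboxPolicy.ToString() }
                    else                       { 'OwaMailboxPolicy-Default' }
        $pol      = Get-OwaMailboxPolicy -Identity $assigned
        [pscustomobject]@{
            User            = $upn
            Policy          = $assigned
            CanCreateGroups = $pol.GroupCreationEnabled
        }
    }
}

Get-GroupCreationStatus -Users $restrictedUsers | Format-Table -AutoSize

# 4. Hide a group from the global address list and read the setting back.
Set-UnifiedGroup -Identity $groupToHide -HiddenFromAddressListsEnabled $true
Get-UnifiedGroup -Identity $groupToHide | Select-Object DisplayName, HiddenFromAddressListsEnabled
```

The OWA mailbox policy governs group creation from Outlook and Outlook Web App, so the verification step reports the policy each mailbox actually has assigned rather than the one you intended to assign; a user who was missed in step 2 shows up with the default policy and CanCreateGroups set to True.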



Check Your Knowledge


Question

Select two services with which Office 365 groups are already integrated.

Select the correct answer.

x OneDrive for Business

Yammer

Delve

x OneNote

Skype for Business

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

Office 365 groups provide polls. F

Check Your Knowledge


Question

Which Windows PowerShell cmdlet do you use to disable groups?

Select the correct answer.

Set-OwaMailboxPolicy -Identity test.com\OwaMailuserPolicy-Default -GroupCreationEnabled $true

x Set-OwaMailboxPolicy -Identity test.com\OwaMailboxPolicy-Default -GroupCreationEnabled $false

Set-OwaMailuserPolicy -Identity test.com\OwaMailboxPolicy-Default -GroupCreationEnabled $false

Set-OwaMailuserPolicy -Identity test.com\OwaMailUserPolicy-Default -GroupCreationDisabled $true

Set-OwaMailuserPolicy -Identity test.com\OwaMailboxPolicy-Default -GroupCreationDisabled $true

Lab: Planning and configuring an Office 365 collaboration solution
Scenario
With all of the core Office 365 components configured and working well, the next step for A. Datum
administrators is to explore options for using Office 365 to enhance collaboration within the organization.
To do this, you will enable and configure Yammer Enterprise, OneDrive for Business, and Office 365
groups.

Objectives
After completing this lab, you will be able to:

• Enable and configure Yammer Enterprise.

• Configure OneDrive for Business.

• Configure Office 365 groups.

Lab Setup
Estimated Time: 60 minutes

Virtual Machines: 20347A-LON-DC1, 20347A-LON-DS1, 20347A-LON-CL1, 20347A-LON-CL3


User name: Adatum\Administrator on LON-DC1 and LON-DS1, Adatum\Holly on LON-CL1, and
Adatum\Roman on LON-CL3

Password: Pa$$w0rd

In all tasks where you see references to Adatumyyxxxxx.onmicrosoft.com, replace Adatumyyxxxxx
with your unique Office 365 name that is displayed in the online lab portal.

Where you see references to Adatumyyxxxxx.hostdomain.com, replace the Adatumyyxxxxx with your
unique hostdomain.com name displayed in the online lab portal.

This lab requires the following virtual machines:

• LON-DC1

o Sign in as Adatum\Administrator using the password Pa$$w0rd

• LON-DS1

o Sign in as Adatum\Administrator using the password Pa$$w0rd

• LON-CL1

o Sign in as Adatum\Holly using the password Pa$$w0rd

• LON-CL3
o Sign in as Adatum\Roman using the password Pa$$w0rd

Exercise 1: Configuring Yammer Enterprise


Scenario
As a first step in exploring the collaboration options, you will configure Yammer Enterprise for A. Datum.
Yammer Enterprise is enabled by default, so you need to configure the settings and explore the user
experience with Yammer.

The main tasks for this exercise are as follows:

1. Configure a Yammer organization setting.

2. Configure Yammer service settings, and enforce Office 365 identity.

3. Configure the Yammer user experience.

4. Use Yammer.

Task 1: Configure a Yammer organization setting


1. On LON-CL1, open Microsoft Edge, connect to https://portal.office.com, and sign in as Holly
Dickson.

2. Access the Yammer admin center.


3. Click Usage Policy.

4. Select the two options that users need to accept the usage policy and that a policy reminder is
displayed.
5. Name the Usage policy ADatum Acceptable Use Policy.

6. Enter the following as the use policy details:

Welcome to Yammer! Our goal is to provide a collaborative environment to connect with
colleagues and bridge various departments and geographic locations to share meaningful
information.

7. Click Save.

8. Accept the policy.

9. Configure the settings so that users receive a weekly digest of group messages.

10. Disable usage of third-party applications.

11. Configure the Soft Delete data retention policy.

12. Monitor the following keywords on Yammer: gambling, erotic, warez.

Task 2: Configure Yammer service settings, and enforce Office 365 identity
1. Go to Content and Security, and click Security settings.

2. Select the Enforce Office 365 identity in Yammer check box.

3. Confirm that you are ready and save.



Task 3: Configure the Yammer user experience


1. Access the Yammer SETTINGS.

2. Go to Notifications to configure the settings, and change the digest to weekly.

3. Select only the options:

o I receive a message in my inbox

o I log in from somewhere new

o I post a message via email (This will send a confirmation email)

4. Click Save.

Task 4: Use Yammer


1. Sign in to Yammer as Roman@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

2. Invite Christie to use Yammer.

3. Accept usage policy.

4. Share the post from Holly.


5. Post a message to the company timeline “free gambling here”.

6. Sign out and sign in as Holly@adatumyyxxxxx.hostdomain.com.

7. Open the mailbox of Holly.

8. Verify that you received a message from Yammer with a report about the monitored keyword that
appeared in Roman's post.

9. Close the browser.

Results: After completing this exercise, you should have enabled Yammer Enterprise for A. Datum.

Exercise 2: Configuring OneDrive for Business


Scenario
After you enable Yammer Enterprise, you are ready to configure OneDrive for Business for A. Datum. If
you have Office 2013 or Office 2016 installed, you have the sync client on your computer, and you can
start using OneDrive for Business.

The main tasks for this exercise are as follows:

1. Enable OneDrive for Business synchronization.

2. Create files to synchronize with OneDrive for Business.

3. Share files with other users.

Task 1: Enable OneDrive for Business synchronization


1. On LON-CL3, open Word 2016 and verify that Word is licensed to Roman Miler. If it is not, change
the account to Roman’s account.

2. Open Microsoft Edge, and connect to https://portal.office.com.



3. Sign in as Roman@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

4. In the Office 365 portal, click OneDrive.

5. Create a Word document on the OneDrive site.

6. Select the option to synchronize the OneDrive folder.

7. When prompted, select the option to Show my files.

8. File Explorer opens and displays the location where the synchronized files will be stored. Verify that
the Word document has been synchronized to the local computer.

Task 2: Create files to synchronize with OneDrive for Business


1. On LON-CL3, in the OneDrive for Business folder, create two new folders named Private and
Project A.

2. In Private folder, create a new Word document named Holidays.docx. Open the file, type some text,
save the document, and then close Microsoft Word.

3. In Project A folder, create a new Word document named project targets.docx. Open the file, type
some text, save the document, and then close Word.

4. Verify that both files are synchronized to Office 365.


5. To view the files online, switch to the Microsoft Edge window, and verify that the two folders with
the files are displayed in OneDrive for Business.

6. In Microsoft Edge, navigate to the folder Private, open the synchronized document Holidays.docx,
add some text in Word Online, and then return to the OneDrive for Business Files site.

7. Switch back to File Explorer, navigate to the folder Private, and then open Holidays.docx. You will
see that the changes made in Word Online are synchronized automatically.

Task 3: Share files with other users


1. In File Explorer, right-click the folder named Project A, and from the context menu, select the option
to open the folder in the browser.

2. Select the option to share the Project targets document.


3. Share the document with edit permissions with Holly Dickson.

4. Open an InPrivate Microsoft Edge window and connect to Office 365 as Holly. Access Holly’s mail.

5. Verify that you can open and edit the document shared by Roman.

6. In Roman’s online OneDrive for Business folder, stop sharing the document.

7. Close all Microsoft Edge windows.

Results: After completing this exercise, you should have configured OneDrive for A. Datum.

Exercise 3: Configuring Office 365 groups


Scenario
The final Office 365 collaboration solution that you need to explore is Office 365 groups. You need to
configure Office 365 groups, including membership, privacy, and subscription options, and explore the
user interaction with Office 365 groups.

The main tasks for this exercise are as follows:

1. Configure a private Office 365 group.

2. Configure a public Office 365 group with Windows PowerShell.

3. Explore the Office 365 group components.

Task 1: Configure a private Office 365 group


1. In the Office 365 admin center create a new Office 365 group named AdatumMarketing, and set it
to private.

2. Assign Holly Dickson as the group owner, and Roman Miler as a group member.

3. Set the group language as English (United Kingdom).

Task 2: Configure a public Office 365 group with Windows PowerShell


1. Connect to Exchange Online Remote PowerShell.

2. Create a new unified group named Planning Group by using the New-UnifiedGroup cmdlet.

3. After the group is created, add Holly@adatumyyxxxxx.hostdomain.com as a group owner.

4. Add Francisco@adatumyyxxxxx.hostdomain.com as a group member.

Task 3: Explore the Office 365 group components


1. On LON-CL1, connect to https://portal.office.com as Holly@Adatumyyxxxxx.hostdomain.com.

2. Browse Office 365 groups through the Outlook Web App.


3. View the Planning Group.

4. Create a new conversation in the group.

5. Switch to the group calendar, and then add an entry named Planning meeting for tomorrow.
6. Check if the calendar item synchronizes to Holly’s calendar.

7. In the group Files, add a new Word document.

8. On LON-CL3, open Microsoft Edge, and sign in to https://portal.office.com as
Roman@Adatumyyxxxxx.hostdomain.com, with the password Pa$$w0rd.

9. Click Outlook. Verify that the AdatumMarketing group appears in your Groups list.

10. Join the Planning Group and verify that you see the message and document that Holly created in the
group.

11. Keep the virtual machines running for the next lab.

Results: After completing this exercise, you should have configured Office 365 groups at A. Datum.

Question: If you enforce Office 365 identities in Yammer, what is the impact for Yammer
users with no Office 365 identities?

Question: Which Windows PowerShell cmdlets can you use to create an Office 365 group
and to add the group owner?

Module Review and Takeaways


Best Practices:
• Always enable Yammer Enterprise as the primary Enterprise Social Network within Office 365.

• Design a usage policy.

• Familiarize yourself with the administration options within Yammer Enterprise.

• Support users during their initial experience of using Yammer.

• Familiarize yourself with the different OneDrive for Business sync clients and their limitations and
features.

• Create a consistent sharing policy across Office 365.

• Decide if and when you should use Office 365 groups, because they are essential to some of the
Office 365 components.

• Decide if Office 365 groups will be user centric or centrally managed.

Common Issues and Troubleshooting Tips

Common Issue                                                              Troubleshooting Tip

Synchronization is not working in OneDrive for Business

Multiple Yammer Networks exist for different Office 365 domains

Office 365 groups are enabled and used without administrative awareness

Review Question
Question: Discuss the differences between Office 365 groups and Yammer and possible use
cases where you need one tool or the other.

Module 11
Planning and configuring Rights Management and compliance
Contents:
Module Overview 11-1 

Lesson 1: Overview of the compliance features in Office 365 11-2 

Lesson 2: Planning and configuring Azure Rights Management in Office 365 11-13 

Lesson 3: Managing the compliance features in Office 365 11-24 

Lab: Configuring Rights Management and compliance 11-41 

Module Review and Takeaways 11-48 

Module Overview
Many organizations are considering moving to the cloud—however, they still have security concerns
about making this transition. To use a trustworthy service provider, your organization needs to define
security and compliance regulations. By using a cloud service, your organization entrusts your service
provider to process your data. Security, compliance, and privacy in Microsoft Office 365 have two equally
important dimensions:

• Service provider capabilities that include technologies, operational procedures, and policies that are
enabled by default.

• Customer-managed controls that allow you to customize your Office 365 environment based on the
specific needs of your organization while still helping to maintain security and compliance.

Enhancing security and compliance is an ongoing process and not a steady state. In this module, you will
learn about the compliance features in Office 365 and how to manage them. You will plan and configure
Microsoft Azure Rights Management (Azure RMS), and you will be able to discuss the security features in
Office 365.

Objectives
After completing this module, the students will be able to:

• Describe the compliance features in Office 365.

• Configure Azure RMS in Office 365.

• Manage the compliance features in Office 365.



Lesson 1
Overview of the compliance features in Office 365
Office 365 complies with industry standard regulations, and its design helps you to meet the regulatory
requirements for your business. In this lesson, you will learn what compliance features are available within
Office 365 and how to use and manage them.

In modern Information Technology (IT) environments, information security is essential. Users require
access to their IT services at all times and on any device, and for each of those devices (desktops, tablets,
and smartphones) you need to help ensure that data is as secure as possible. Multiple-device access
benefits your users, especially with the mass consumerization of IT that is spreading to business and
government organizations. Employees bring the technologies and devices they use at home into the
workplace, and this type of access gives malicious hackers a larger attack surface.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the Office 365 compliance and security features.

• Describe Office 365 Protection Center.

• Configure permissions in the Protection Center.

• Describe advanced security and compliance features in Office 365 Enterprise E5 subscriptions.

Security considerations when planning an Office 365 implementation


When you consider using Office 365 for your organization, one important feature to consider is security.

Security is essential; therefore, you must have a service provider that you trust to process your
organization's data.

Office 365 has service-level capabilities that include technologies, operational procedures, and policies
that are enabled by default for customers who use this service.

Office 365 requires customer controls to include features that allow you to customize your Office 365
environment based on the specific needs of your organization.

The security considerations in planning an Office 365 implementation cover a large set of topics, which
include:

• Service-level security features. This level of security enhancement exists to help protect your service
and data through layers of security features, including physical, logical, and data layers. This level of
security enhancement provides many features, including:

o Port scanning and remediation.

o System security updates.

o Help with detecting network-level distributed denial of service (DDoS) attacks.

o Azure Multi-Factor Authentication for service access.

o The auditing of all operators and administrators.

o User rights only when needed.

• The ability to detect accounts that you no longer need.

• Security-related customer controls. Each service within Office 365 offers its own and individual
security features you can control. These features help you to meet your compliance requirements,
control spam and antimalware settings, encrypt data, and control access to content for your users.
You use encryption technologies at the Office 365 service level. The technologies you can configure
within your Office 365 tenant include:

o The Microsoft Rights Management service.

o Security-enhanced email traffic through Secure Multipurpose Internet Mail Extensions (S/MIME).

o Office 365 message encryption.

o Transport Layer Security (TLS) for Simple Mail Transfer Protocol (SMTP) messages to partners.

• Privacy by design. The key principles in the data security features within Office 365 are:

o No data mining for advertising.

o You own the data. If you cancel the service, you get your data back.

o Data access is limited, audited, and logged.

• Privacy-related customer controls. Customer controls allow you to use policies and features within
Office 365, including:

o Rights Management in Office 365. This capability restricts access to documents, workbooks, and
presentations. Azure RMS helps you to prevent sensitive information from being printed,
forwarded, or copied by unauthorized people.

o Privacy-related controls for sites, libraries, and folders. Microsoft SharePoint Online sites are set to
private by default. Microsoft OneDrive for Business does not share uploaded documents until the
user provides explicit permissions and identifies whom to share with.

o Privacy-related controls for communications. Communication controls allow you to communicate
in a security-enhanced way. In Microsoft Skype for Business Online, you can control the
federation level—for example, no federation, federation with other Skype for Business users, or
federation only with those domains you allow. If you decide to allow or prohibit communications
with a Skype consumer, you can also do that.

• Service compliance. Compliance obligations and non-Microsoft audits are required to help meet
compliance and security goals. In addition, governmental requirements exist, including industry
requirements, internal policies, and requirements derived from industry best practices. As a result,
Office 365 has obtained independent verifications, including:

o International Organization for Standardization (ISO) 27001.

o Statement on Standards for Attestation Engagements 16 (SSAE 16) Service Organization Control
1 (SOC 1) (Type II) audits.

o Data transfer for data outside of the European Union (EU) through the EU Model Clauses.

o A Health Insurance Portability and Accountability Act (HIPAA) business associate agreement with
all customers.

o The Federal Information Security Management Act (FISMA).


o The Cloud Security Alliance public registry.

o The Microsoft data processing agreement.

o Payment Card Industry Data Security Standard (PCI DSS) Level One.

• Customer compliance. Customer compliance helps users to control their security and compliance
needs within the enterprise. Examples include:

o Data loss prevention (DLP).


o eDiscovery.

o Auditing and reporting functionality.

o The Rights Management service for file-level access restrictions.

o Multi-Factor Authentication.

o S/MIME for security-enhanced, certificate-based email access.

When you plan an Office 365 implementation, it is important to review your internal security
requirements and then create a checklist with the following questions:

• What service level do you need?

• Are any privacy controls already in place?

• What security features do you have, and what is available with Office 365? What are the built-in
security features, and which customer controls does Office 365 offer?

• What are your onboarding and offboarding strategies?

• Are you currently aware of any security breaches?

• Are you transparent in the way you use and access data?

• Is data encryption currently in place?

• Does a data backup strategy already exist?

• Do specific storage requirements exist that are related to your region?

• Is your password policy security enhanced?

Compliance and security features in Office 365

Compliance standards for Office 365


Office 365 offers a variety of security and compliance features to help organizations comply with certain
federal regulations and help keep customer data secure. These features help to safeguard information
according to:

 HIPAA. HIPAA imposes strict privacy regulations for customers who process electronic protected health
information.

 Data processing agreements. A data processing agreement describes how the data processor handles
and safeguards customer data. For example, the data processor for Office 365 is Microsoft, and the
regulations are covered worldwide. You can sign data processing agreements either online within your
Office 365 subscription at https://portal.office.com/Commerce/supplements.aspx or through your
enterprise agreement. To use Office 365, many organizations defer to legal counsel to help ensure that
they are legally safe. Optional contractual supplements are available, including:

o The Office 365 security amendment, for customers outside of Europe.

o Office 365 and Microsoft Dynamics CRM Online data processing agreements (with EU standard
contractual clauses).

o Office 365 and Microsoft Dynamics CRM Online data processing agreements.

o The Office 365 and Microsoft Dynamics CRM Online HIPAA and Health Information Technology
for Economic and Clinical Health (HITECH) business associate agreement (with an
implementation guide).

 FISMA. United States federal agencies can procure information systems and services only from
organizations that meet the FISMA regulations.
 ISO/IEC 27001:2013. This standard from ISO and the International Electrotechnical Commission (IEC)
is widely used and the best-known standard for an information security management system. Office
365 meets this security benchmark with physical, logical, process, and management controls. Since
2015, even ISO 27018 privacy controls for the most recent Office 365 audit are included.

 EU Model Clauses. The EU Data Protection Directive is a key instrument for the EU privacy and human
rights law. The EU Model Clauses legitimize the transfer of personal data outside the EU, and they
comprise the preferred method for the data transfer of personal data outside the EU.

 The U.S.–EU Safe Harbor Framework. The U.S.–EU Safe Harbor Framework also addresses the transfer
of personal data outside the EU. Office 365 follows the principles and processes stipulated by this
framework.

Note: At the end of 2015, the European Court of Justice declared the U.S.-EU Safe Harbor
Framework invalid, and it is currently undergoing revisions.

 The Family Educational Rights and Privacy Act (FERPA). United States educational organizations are
required to follow FERPA regulations regarding the use or disclosure of student education records.
This also includes student information sent in email and email attachments.

 SSAE 16. Independent organizations can audit Office 365 and provide SSAE 16 SOC 1 Type I and Type
II and SOC 2 Type II reports on how the service implements controls.
 The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA
pertains to how private sector organizations collect, use, and disclose personal information in regards
to commercial business.
 The Gramm–Leach–Bliley Act (GLBA). This act protects customers’ nonpublic personal information,
and financial institutions are required to follow these regulations to protect their clients’ information.

Security and privacy within Office 365


To help protect customer data and privacy, Microsoft uses the following safeguards:
 Restricted access. Microsoft restricts physical datacenter access to authorized personnel and has
implemented multiple layers of physical security. Video camera surveillance and security breach alarms
control access at all times.

 Data encryption. Data is encrypted both at rest and in transit between datacenters and between
datacenters and users.
 Data mining. Your data is not accessed or mined for advertising purposes.

 Data ownership. The data stored within Office 365 is available to you at virtually any time.

 Data backup. Microsoft regularly backs up your data.

 Data deletion. If you decide to leave Office 365, Microsoft provides the support to return or offboard
your data.

 Data regions. You decide which region will host your data.

Additional Reading: For more information about data regions, refer to Where is my data?:
http://aka.ms/l4tjga.

 Password policy. Password policies enforce security-enhanced passwords.

 Custom controls for privacy features. You can turn features that impact privacy on or off to meet
your needs.

 Data processing. Microsoft contractually commits to the data processing agreement.

Additional Reading: For more information, refer to Office 365 Trust Center:
http://aka.ms/vjvvco.

Overview of the Protection Center for Office 365


The Office 365 Protection Center, formerly the Compliance Center, is available through
https://protection.office.com/. In the Office 365 Protection Center, you can manage your security and
compliance needs for helping to protect your data within Office 365. If you want to access the previous
Compliance Center, in the Office 365 admin center, select Admin centers and then click Compliance.

Navigation through the Protection Center

In the Protection Center, on the left side, the navigation pane has the following menu items:

 Home. This page provides top-level information about the Protection Center and what is available
here.

 Permissions. This page provides an overview of all the permissions granted to users in your
organization for compliance tasks, such as device management, DLP, eDiscovery, and retention.

 Security policies. On this page, you can manage devices and set up DLP policies.

 Data Management. This page has options for importing data from other systems. You can also set
data retention policies here.

 Search & Investigation. On this page, you can use eDiscovery to manage cases.

 Reports. Here, you find user activity reports.

 Service Assurance. Service Assurance provides information about how Microsoft helps to maintain
the security, privacy, and compliance of Office 365.

Microsoft Cloud Service Trust Portal


The Microsoft Cloud Service Trust Portal gives you access to information about how Microsoft helps to
maintain security, privacy, and compliance. The Trust Portal delivers access to audit reports across
Microsoft cloud services, including those for Azure, Microsoft Dynamics CRM, and Office 365. The
following sections are available in the Trust Portal:

 Home

 Compliance Reports

 Trust Documents
 Settings

 Contact Us

Additional Reading: For more information, refer to Office 365 Service Trust Portal:
http://aka.ms/vqu38w.

Office 365 Secure Score


The Office 365 Secure Score is designed to help you analyze data so that you can reduce your potential
security risks. With the help of the Office 365 Secure Score, organizations can better understand the
extent to which they have adopted robust security configurations, behaviors, and best practices. The
service is a three-step process that includes:

1. Collect data. Collect the data that will help you analyze your score.

2. Analyze the results. The results are presented in an interactive web experience.
3. Act. Suggested recommendations are made based on the results.

Additional Reading: Office 365 Secure Score is in preview at the time of this writing, so its
features and availability might change. For more information, refer to Office 365 Secure Score:
http://aka.ms/h7br1z.

Configuring permissions in the Protection Center


If you want to allow users in your organization to perform tasks in the Protection Center, you need to
grant them permissions. Then users will be able to perform compliance tasks such as device management,
eDiscovery, and retention or DLP. Permissions in the Protection Center are based on the role-based access
control (RBAC) permissions model. This model is also used in Microsoft Exchange Online. It grants
permissions to administrators and users based on management roles. Exchange role groups and
Protection Center role groups do not share membership or permissions.

Within Office 365, you will find administrator roles such as Global admin and Limited admin access. The
Limited admin access roles include Billing administrator, Password administrator, Service administrator,
User management administrator, Exchange administrator, SharePoint administrator, and Skype for
Business administrator.

Relationship between roles and role groups


Roles grant permissions for a set of tasks. Role groups allow users to perform their jobs across the
Protection Center. A role group includes a set of permission roles.

Existing role groups in the Protection Center


To manage access to the various compliance roles, the Protection Center makes certain role groups
available:

 ComplianceAdministrator. The ComplianceAdministrator manages settings for auditing, device
management, DLP, reports, and preservation. The assigned roles include:

o Case Management

o Compliance Search
o Hold

o Organization Configuration

o View-Only Audit Logs

o View-Only Recipients

 eDiscoveryManager. The eDiscovery Manager performs searches and places holds on mailboxes,
SharePoint Online sites, and OneDrive for Business locations. The eDiscovery Manager can also create
and manage eDiscovery cases, including adding and removing members from a case. The eDiscovery
Manager creates and edits compliance searches associated with a case. The assigned roles include:

o Case Management
o Compliance Search

o Export

o Hold
o Preview

o Review

 OrganizationManagement. The OrganizationManagement role group controls permissions for
accessing features in the Protection Center. The Organization Manager manages settings for auditing,
device management, DLP, reports, and preservation. Global administrators are automatically
members of this group. The assigned roles include:
o Audit Logs

o Case Management

o Compliance Search
o Hold

o Organization Configuration

o Role Management

o Search And Purge


o Service Assurance View

o View-Only Audit Logs

o View-Only Recipients

 Reviewer. The Reviewer uses a limited set of the analysis features in Equivio Analytics. Members of this
group can see only the documents that are assigned to them. They cannot create, open, or manage
an eDiscovery case. The assigned role includes:

o Review

 Service Assurance User. The Service Assurance User accesses the Service Assurance section within the
Protection Center. Members of this role group can use this section to review documents related to
security, privacy, and compliance in Office 365 to perform risk and assurance reviews for their own
organization. The assigned role includes:
o Service Assurance View

 Supervisory Review. The Supervisory Reviewer controls policies and permissions for reviewing
employee communications. The assigned role includes:
o Supervisory Review Administrator

 Retention policy and archiving. These permissions are set in the Exchange admin center. Members of
this group can configure compliance features such as Retention Policy Tags (RPTs), message
classifications, and transport rules. The assigned roles include:

o Audit Logs

o Journaling
o Message Tracking

o Retention Management

o Transport Rules
 Document deletion. These permissions are set in the Document Deletion Policy Center. You can find
the Document Deletion Policy Center at https://<tenantname>.sharepoint.com/sites/CompliancePolicyCenter/.
The Compliance Policy Center contains policies to protect the SharePoint
content you want, and you can set policies to delete content you do not want. Policies created here
are assigned to a site collection or template. Because of compliance, legal, or other business
requirements you might be required to retain documents for a certain time frame. Other documents
held longer than required can create an unnecessary legal risk. By creating a document deletion
policy, you can delete documents after a specific time frame. For instance, a document deletion policy
can delete all the documents in OneDrive for Business that are older than seven years.

Give users access to the Protection Center


Before users can manage security or compliance features, you need to assign them the appropriate
permissions. Each Office 365 global administrator or member of the OrganizationManagement role group
in the Protection Center can grant permissions to users. If you assign users only selected permissions, they
will be able to manage only the security or compliance features you give them access to.

You can grant users access in two ways: through the Office 365 Protection Center or through Windows
PowerShell.

To grant users access through the Office 365 Protection Center, complete the following steps:

1. Sign in to the Office 365 portal.

2. In the app launcher, select the Admin icon.


3. In the Office 365 admin center, open the Admin centers link, and then click Compliance.

4. In the Protection Center, go to Permissions.

5. Choose the role group that you want to add the user to, and then click Edit.

6. On the role group's properties page, under Members, click Add, and then add the user you want.

7. After you select all the users you want, click Add, and then click OK.

8. Click Save.

To grant user access through Windows PowerShell, complete the following steps:

1. Connect to the Office 365 Protection Center by using remote Windows PowerShell.
2. On your local computer, open Windows PowerShell, type the following command, and then press
Enter.

$UserCredential = Get-Credential

3. Type your Office 365 user name and password, and then click OK.
4. Connect to remote Windows PowerShell, type the following command, and then press Enter.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ `
    -Credential $UserCredential -Authentication Basic -AllowRedirection

5. Type the following command, and then press Enter.

Import-PSSession $Session

6. Type the Add-RoleGroupMember command to add a user to the OrganizationManagement role group,
and then press Enter.

Add-RoleGroupMember -Identity "OrganizationManagement" -Member Holly

7. After you finish adding users, type the following command, and then press Enter to close the
Windows PowerShell session.

Remove-PSSession $Session
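The same procedure as one script, added here as an example that is not part of the course text: the remote session is closed even if a command fails, the roles that the chosen group grants are shown before anyone is added, and membership is compared before and after the change. The member address and the role group name are placeholders; the endpoint is the one the steps above use.

```powershell
# Placeholders: pick a task-scoped role group rather than OrganizationManagement where it suffices,
# and use a user principal name from your own tenant.
$RoleGroup = 'eDiscoveryManager'
$NewMember = 'holly@contoso.com'

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ `
    -Credential $UserCredential -Authentication Basic -AllowRedirection
try {
    Import-PSSession $Session -DisableNameChecking | Out-Null

    # Show what the group actually grants before adding anyone to it.
    $group = Get-RoleGroup -Identity $RoleGroup
    Write-Host "Roles granted by $($group.Name): $($group.Roles -join ', ')"

    # Record membership before and after: exactly one added member is the expected outcome.
    $before = @(Get-RoleGroupMember -Identity $RoleGroup | Select-Object -ExpandProperty Name)
    Add-RoleGroupMember -Identity $RoleGroup -Member $NewMember
    $after  = @(Get-RoleGroupMember -Identity $RoleGroup | Select-Object -ExpandProperty Name)

    $added   = @($after  | Where-Object { $before -notcontains $_ })
    $removed = @($before | Where-Object { $after  -notcontains $_ })
    if ($added.Count -ne 1 -or $removed.Count -ne 0) {
        Write-Warning "Unexpected membership change in $RoleGroup; review before continuing."
    }
    Write-Host "Added to $RoleGroup`: $($added -join ', ')"
}
finally {
    # Always close the remote session, even when a command above failed.
    Remove-PSSession $Session
}
```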

Advanced security and compliance features in Office 365 Enterprise E5 subscriptions

Office 365 Enterprise E5 is a subscription that extends the compliance and security features of Office 365
with advanced compliance and security features. Office 365 Enterprise E5 offers extensions around
real-time communications and analytics. Through advanced security features, you can add Office 365
Equivio Analytics for eDiscovery, the Secure Attachments and Safe URLs features of Exchange Online
Advanced Threat Protection, and access control through Customer Lockbox to your Office 365 tenant.

Customer Lockbox
Office 365 operates with the principles of least privilege and just-in-time access. Therefore, Microsoft
personnel do not have permission to access customer content on an ongoing basis. If permission is
granted, it is for a limited time. A customer must provide explicit approval if Microsoft personnel need to
access the customer content to perform a service operation. The already-existing approval workflow for
this type of access is extended to customers. Customer Lockbox addresses customer concerns about
access to their data in the service by the service provider. Customer Lockbox technology controls access to
customer data on all Office 365 services. Customer Lockbox enforces multiple levels of approval within
Microsoft so that Microsoft engineers receive access to customer data only when it is necessary and for a
limited time. All access control activities in the service are logged and audited. With Customer Lockbox,
you as a customer are part of this approval process. Until you approve a request, the Microsoft engineer
will not be granted access.

The most common scenario where Microsoft engineers might need to access customer content is when
the customer makes a support request that requires access for troubleshooting.

People who are members of the customer's control group approve or reject Customer Lockbox requests.
Customer Lockbox is enabled in the initial release through remote Windows PowerShell commands.
Examples of customer content include:
 Email bodies and email attachments.

 Content in SharePoint sites.

 Information in the body of a SharePoint file.


 Information in the presentation file body within Skype for Business.

 Conversations via IM or voice.

 Binary large objects (BLOBs) or structured storage data (for example, Microsoft SQL Server containers)
created by a customer.

 Security information—for example, certificates, encryption keys, and passwords owned by a customer.

 Inferences, and all subsequent inferences, if customer content remains.

Office 365 Advanced eDiscovery


Office 365 Advanced eDiscovery uses the Equivio machine learning, predictive coding, and text analytics
capabilities. Equivio is a provider of machine learning technologies for eDiscovery and governance. This
helps to sort through large quantities of data for eDiscovery purposes, which might include millions of
items such as emails, messages, and documents, to find a small subset of relevant files. Office 365
Advanced eDiscovery eliminates duplicate files and helps to reconstruct email threads and identify key
themes and data relationships. Through Equivio machine learning mechanisms, you can train the system
to find content faster.

Exchange Online Advanced Threat Protection


Exchange Online Advanced Threat Protection is part of Exchange Online Protection. Exchange Online
Advanced Threat Protection consists of a collection of features, including Safe Attachments and Safe Links,
designed to combat zero-day attacks. Unknown attachments are opened in a special hypervisor
environment that helps to detect malicious activity. Safe Links is a feature that helps to prevent users from
going to malicious websites when they click them in email. The service helps to protect internal email
only.

Note: Because attachments need to be checked, they are first blocked for the recipient.
Safe Attachments launches a unique hypervisor to open an attachment, and this can result in a
delivery delay of up to 30 minutes. (The average delay is 7–10 minutes.)

Check Your Knowledge


Question

What are the customer compliance setting elements?

Select the correct answer.

x DLP

A data processing agreement


x The Rights Management service for file-level access restrictions

ISO 27018

x S/MIME for security-enhanced, certificate-based email access

Check Your Knowledge


Question

What are the role groups that exist in the Protection Center?

Select the correct answer.

x eDiscovery Manager

Legal Hold Manager

x Service Assurance User

ComplianceUser

ComplianceReviewer

Lesson 2
Planning and configuring Azure Rights Management in
Office 365
In this lesson, you will begin to understand the integrated security features within Office 365 and how to
use them. In addition, you will look at the Rights Management features and how to use them. With Azure
RMS, your organization can help to protect content in Office 365. Various Rights Management templates
are available to help protect content in Office 365.

You will also learn about the differences between Active Directory Rights Management and Azure Active
Directory (Azure AD) Rights Management.
With the integration of Azure RMS, you will learn how to help make Office 365 more secure on your
terms.

Lesson Objectives
After completing this lesson, you will be able to:

 Describe Microsoft Azure RMS in Office 365.


 Explain how Azure Rights Management works.

 Compare AD RMS and Azure RMS.

 Plan Azure RMS integration with Office 365.


 Configure Azure RMS integration.

Overview of Azure RMS in Office 365


Azure RMS is a cloud-based information protection solution for Office 365. Users share information daily
through email, file-sharing sites, and cloud services. Traditional security controls, such as New Technology
File System (NTFS) permissions, firewalls, and access control lists, are not effective enough to meet these
needs.

Azure RMS uses encryption, identity, and authorization policies to help protect information both within
your organization and outside your organization, and on virtually any device. The protection enhancement
remains with the data—for example, when people mail data to other users or store it in their personal
cloud drives, Azure RMS helps to protect it. Azure RMS provides persistent protection enhancement, which
helps to secure your organization’s data.
Authorized users and services (such as search and indexing) can continue to read and inspect the data
that Azure RMS helps to protect. This is called reasoning over data and is a crucial element in maintaining
control of your organization’s data.

Azure RMS is included in Office 365 Enterprise E3, Office 365 Enterprise E5, Enterprise Mobility Suite, and
Enterprise Cloud Suite and is available as a standalone plan through Azure RMS Premium.

To use Azure RMS you must have Azure AD. You use your organizational account to sign in to the Azure
classic portal, where you can configure and manage Rights Management templates.

Activate Azure AD
1. Sign in to the Office 365 portal with your global administrator account.

2. In the app launcher, click the Admin icon.

3. In the Office 365 admin center, open Admin centers, and then click Azure AD.

4. Sign up and type your organizational data.

Note: To activate Azure AD within your Office 365 account, you do not need a credit card.

Client devices that support Azure RMS


 Windows 10 devices (x86 and x64)

 Windows 8.1 devices (x86 and x64)


 Windows 8 devices (x86 and x64)

 Windows 7 devices (x86 and x64)

 Devices running Mac OS X 10.8 Mountain Lion or later


 Windows Phones running Windows Phone 8.1

 Android phones and tablets running Android 4.0.3 or later

 iPhones and iPads running iOS 7.0 or later


 Tablets running Windows RT 8.1 or Windows RT 8

Apps and Subscriptions that support Azure RMS


 Office 365 ProPlus
 Office 2016 for Mac

 Office 365 Enterprise E3

 Office 365 Enterprise E5


 Office Professional Plus 2016

 Office Professional Plus 2013

 Office Professional Plus 2010

Note: Currently, certain apps do not support Azure RMS, including:

 Office for Mac 2011

 OneDrive for Business in SharePoint Server 2013

 XML Paper Specification (XPS) Viewer


How Azure RMS Works


The Azure RMS service (and Microsoft) do not see or store your data as part of the information
protection process. To help protect information, data is never sent or stored in Azure unless you
intentionally store it there or use another cloud service that stores it in Azure.

Azure RMS encrypts your data at the application level and includes a policy that defines the authorized
use for that document. If a legitimate user or an authorized service accesses the data, the document is
decrypted, and the rights that are defined in the policy are enforced.

A content key helps to protect an Azure RMS protected document. This content key is unique for each
document and is placed in the file header, where your Azure RMS tenant root key helps to protect it.
Microsoft either generates or manages this tenant root key, or you can generate and manage your own
tenant key.

Cryptographic controls used by Azure RMS


The Azure RMS security-enhanced protection is industry standard—for encryption, Azure RMS uses the
following algorithms and key lengths:

 Document protection method. The algorithm is Advanced Encryption Standard (AES), and the
key lengths are 128 bits and 256 bits.

 Key protection method. The algorithm is Rivest-Shamir-Adleman (RSA), and the key length is 2,048
bits.

 Certificate signing. The algorithm is Secure Hash Algorithm (SHA)-256.


The protection process on the client works as follows:

1. The user prepares the user environment on the client in a one-time process by installing the RMS
client application.
2. The Azure RMS client connects to Azure RMS and authenticates the user with that user’s Azure AD
account (Office 365 organizational account).

Note: The authentication is automatic, and no user prompts appear when the tenant
domain and users’ accounts are federated with Azure AD.

 As soon as the user is authenticated, certificates are issued that allow the user to authenticate to
Azure RMS in order to consume protected content and to protect content offline. A copy of the user’s
certificate is stored in Azure RMS. This helps to ensure that if the user moves to another device, that
user will have access to his or her protected data.

 Now that the user is protecting data, the Azure RMS client creates a random content key and
encrypts the document with it.

 The Azure RMS client creates a certificate with an included policy. This policy is based on a template
or on specific document rights, and it includes:

o Rights for users and groups.

o Restrictions like read only or an expiration date.


 After that, the organization’s key is used to encrypt the policy and the symmetric content key.

 The Azure RMS client signs the policy with the user’s certificate.

 The policy is embedded into a file with the body of the document previously encrypted.

 The policy stays with the encrypted document as long as it stays encrypted.

 Now you can store the document virtually anywhere or share it by using essentially any method.

How content consumption works


When a user wants to consume a protected document, the Azure RMS client starts by using the following
process to request access to the Azure RMS service:

1. The authenticated user sends the document policy and the user’s certificates to Azure RMS.

2. Azure RMS decrypts and evaluates the policy.

3. The service builds a rights list for the user.


4. Azure RMS extracts the AES content key from the decrypted policy and then encrypts this key with
the user’s public RSA key that was obtained with the request.

5. An encrypted use license with the list of user rights is returned to the Azure RMS client.
6. The Azure RMS client decrypts this encrypted use license by using its own user private key.

7. The Azure RMS client also decrypts the rights list and passes it to the application.
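The protection steps and the consumption steps above, modelled end to end in PowerShell with the .NET AES and RSA classes. This is an added illustrative model, not Microsoft's implementation or the real RMS file format: the tenant key, the two user key pairs and the document are constructed here, the policy is a small JSON object, and a raw RSA signature stands in for the user's RMS certificate.

```powershell
using namespace System.Security.Cryptography
using namespace System.Text

# Constructed keys for the model. The tenant root key (RSA-2048) stays with the service; each user
# has an RSA-2048 key pair whose public half stands in for the user's RMS certificate.
$TenantKey = [RSA]::Create(2048)
$AliceKey  = [RSA]::Create(2048)   # publishing user
$BobKey    = [RSA]::Create(2048)   # consuming user

function Get-PublicOnly([RSA]$Key) {
    # Copy only the public parameters, so a "client" holding this object cannot decrypt.
    $pub = [RSA]::Create()
    $pub.ImportParameters($Key.ExportParameters($false))
    return $pub
}

# Publish (client side): random AES content key; policy and key sealed to the tenant key; signed.
function Protect-Document {
    param([string]$Text, [hashtable]$Policy, [RSA]$TenantPublic, [RSA]$Publisher)

    $aes = [Aes]::Create(); $aes.KeySize = 256          # per-document AES-256 content key
    $aes.GenerateKey(); $aes.GenerateIV()
    $plain = [Encoding]::UTF8.GetBytes($Text)
    $body  = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

    # The organization's key encrypts the policy and the content key; only the service can open them.
    # RSA-2048 with OAEP-SHA256 holds at most 190 bytes, so the policy is kept short in this model.
    $policyBytes  = [Encoding]::UTF8.GetBytes(($Policy | ConvertTo-Json -Compress))
    $sealedPolicy = $TenantPublic.Encrypt($policyBytes, [RSAEncryptionPadding]::OaepSHA256)
    $sealedKey    = $TenantPublic.Encrypt($aes.Key, [RSAEncryptionPadding]::OaepSHA256)
    # The publishing user signs the sealed policy so the service can reject a tampered one.
    $signature = $Publisher.SignData([byte[]]($sealedPolicy + $sealedKey),
                                     [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $iv = $aes.IV; $aes.Dispose()

    # The encrypted body and its policy travel together wherever the file is stored or sent.
    [pscustomobject]@{ Body = $body; IV = $iv; SealedPolicy = $sealedPolicy
                       SealedKey = $sealedKey; Signature = $signature }
}

# Service side (Azure RMS): verify the signature, decrypt and evaluate the policy, build the rights
# list, and return the content key wrapped for the requester's public RSA key (the use license).
function New-UseLicense {
    param($Protected, [RSA]$TenantPrivate, [RSA]$PublisherPublic, [string]$Requester, [RSA]$RequesterPublic)

    $signed = [byte[]]($Protected.SealedPolicy + $Protected.SealedKey)
    if (-not $PublisherPublic.VerifyData($signed, $Protected.Signature,
                                         [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)) {
        throw 'Policy signature does not verify; request rejected.'
    }
    $policyJson = [Encoding]::UTF8.GetString(
        $TenantPrivate.Decrypt($Protected.SealedPolicy, [RSAEncryptionPadding]::OaepSHA256))
    $policy  = $policyJson | ConvertFrom-Json
    $rights  = $policy.Rights.$Requester
    $expired = ([datetime]$policy.ExpiresUtc).ToUniversalTime() -lt [datetime]::UtcNow
    if (-not $rights -or $expired) {
        # No rights list means no use license: the content key is never released to this user.
        throw "No rights for $Requester on this document."
    }
    $contentKey = $TenantPrivate.Decrypt($Protected.SealedKey, [RSAEncryptionPadding]::OaepSHA256)
    [pscustomobject]@{
        Rights       = @($rights)
        EncryptedKey = $RequesterPublic.Encrypt($contentKey, [RSAEncryptionPadding]::OaepSHA256)
    }
}

# Consume (client side): unwrap the content key with the user's private key, then decrypt the body.
function Unprotect-Document {
    param($Protected, $License, [RSA]$RequesterPrivate)

    $key = $RequesterPrivate.Decrypt($License.EncryptedKey, [RSAEncryptionPadding]::OaepSHA256)
    $aes = [Aes]::Create(); $aes.Key = $key; $aes.IV = $Protected.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Protected.Body, 0, $Protected.Body.Length)
    $aes.Dispose()
    # The application enforces the returned rights list (for example, VIEW without EDIT).
    [pscustomobject]@{ Text = [Encoding]::UTF8.GetString($plain); Rights = $License.Rights }
}

# Walk-through with constructed data: Alice publishes, Bob (VIEW only) consumes, Mallory is refused.
$policy = @{
    Rights     = @{ 'alice@contoso.com' = @('VIEW', 'EDIT'); 'bob@contoso.com' = @('VIEW') }
    ExpiresUtc = '2030-01-01T00:00:00Z'
}
$doc = Protect-Document -Text 'Q3 forecast (constructed sample)' -Policy $policy `
                        -TenantPublic (Get-PublicOnly $TenantKey) -Publisher $AliceKey

$lic = New-UseLicense -Protected $doc -TenantPrivate $TenantKey -PublisherPublic (Get-PublicOnly $AliceKey) `
                      -Requester 'bob@contoso.com' -RequesterPublic (Get-PublicOnly $BobKey)
Unprotect-Document -Protected $doc -License $lic -RequesterPrivate $BobKey | Format-List

try {
    New-UseLicense -Protected $doc -TenantPrivate $TenantKey -PublisherPublic (Get-PublicOnly $AliceKey) `
                   -Requester 'mallory@fabrikam.com' -RequesterPublic (Get-PublicOnly $BobKey) | Out-Null
} catch { Write-Host "Denied: $($_.Exception.Message)" }
```

Note where the separation of duties falls in the model: the client never holds the tenant private key, and the service never sees the plaintext body, only the policy and the content key it re-wraps for an authorized requester.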

Comparing AD RMS and Azure RMS


You can compare Active Directory Rights Management Services (AD RMS) with Azure RMS in terms of
functionality and requirements. This topic describes in detail the comparison between the two offerings.

AD RMS
AD RMS supports on-premises Microsoft server products such as Exchange Server, SharePoint Server, and
file servers that run Windows Server and File Classification Infrastructure (FCI). When comparing AD RMS
to Azure RMS, several differences exist, such as the following:

 You must define a trust between two organizations in a direct, point-to-point relationship. To define
this relationship, you can use either trusted user domains or federated trusts that you create by using
Active Directory Federation Services (AD FS).

 No default policy templates are available. Instead, you need to create each policy.

 Users can define their own permission sets if the templates are not sufficient.
 The supported Office applications are:

o Office 2007 and later.

o Office for Mac 2011 and later.

 Rights Management sharing apps for mobile devices are supported.


 Sharing with people in another organization is not supported.

 The supported Windows clients are those running Windows Vista with Service Pack 2 and later.

 Mobile device support requires the AD RMS mobile device extension.

 Smart card authentication is supported if Microsoft Internet Information Services (IIS) is configured to
request certificates.
 Cryptographic Mode 1 is supported by default, and additional configuration is required to support
Cryptographic Mode 2 for stronger security enhancement.

 A Rights Management license is required to protect content and to consume content.


 AD RMS supports RSA-1024 and RSA-2048, and it supports SHA-1 or SHA-256 for signing operations.

 AD RMS supports bring your own key for Exchange Online.

Azure RMS
Azure RMS supports online and on-premises Microsoft server products such as Exchange Server,
SharePoint Server, and file servers that run Windows Server and FCI. Azure RMS does this by:

 Supporting the Information Rights Management (IRM) capabilities in Microsoft online services such as
Exchange Online, SharePoint Online, and Office 365.

 Supporting on-premises Microsoft server products such as Exchange Server, SharePoint Server, and
file servers that run Windows Server and FCI.

Note: On-premises systems require Azure AD Premium, which is not part of the Office 365
Enterprise services.

 Allowing protected content to be shared among users within the same organization or across
organizations when the users have Office 365 or Azure RMS or they sign up for Rights Management
for individuals without the need to build explicit trust relationships.

 Making two default rights policy templates available and allowing you to create custom templates.
You can create custom templates for only a subset of users.

 Allowing users to define their own permission sets if the templates are not sufficient.

 Supporting the following Office applications:

o Office 2010 and later.

o Office for Mac 2016 and later.

 Supporting Rights Management sharing apps for mobile devices.

 Supporting the Rights Management sharing app, which supports sharing of files with people in
another organization, document tracking, and email notifications.

 Supporting Windows clients running Windows 7 or later.

 Providing mobile device support.

 Supporting Multi-Factor Authentication for computers and mobile devices.


 Supporting Cryptographic Mode 2 without additional configuration, which provides stronger security
enhancement for key lengths and encryption algorithms.

 Supporting migration from AD RMS and, if required, to AD RMS.


 Requiring a Rights Management license to protect content. No such license is required to consume
content that has been protected by Azure RMS (which includes users from another organization).

 Always using RSA-2048 for public key cryptography and SHA-256 for signing operations.

Note: Azure Rights Management does not currently support bring your own key for
Exchange Online.

Planning Azure RMS integration with Office 365

Activate Azure RMS


Before you activate Azure RMS, the user accounts and groups that you will use with Rights Management
must already exist in Azure AD, either as cloud-only accounts or as accounts synchronized from
on-premises Active Directory. Groups must be mail-enabled, because Azure RMS identifies them by email
address.

By default, Azure RMS is disabled in Office 365. Therefore, before you can use Azure RMS, you need to
activate it within your Office 365 tenant. After you activate Azure RMS, all the users in your
organization can apply and consume information protection for their files, unless you restrict who can
protect content by using the onboarding controls described later in this topic.

Activate Rights Management from the Office 365 admin center


To activate Rights Management from the Office 365 admin center, complete the following steps:
1. Sign in to the Office 365 sign-in portal with your global administrator account.

2. In the app launcher, click the Admin icon.

3. In the Office 365 admin center, in the left side menu, select Settings and then click Apps.
4. Click Microsoft Azure Rights Management.

5. On the Microsoft Azure Rights Management page, click Manage Microsoft Azure Rights
Management settings.
6. On the Rights Management page, click activate.

7. When prompted with Do you want to activate Rights Management?, click activate.

Note: You can also enable Rights Management through Windows PowerShell with
Enable-Aadrm.

Configure the onboarding controls for a phased deployment


If you do not want all users to immediately protect files by using Azure RMS, you can configure the user
onboarding controls through Windows PowerShell.

Additional Reading: For more information, refer to Azure Rights Management Administration Tool:
http://aka.ms/u8tiut.

If you want to help ensure that only those users who are correctly licensed to use Azure RMS can protect
content, use the following command.

Set-AadrmOnboardingControlPolicy -UseRmsUserLicense $true
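The activation and onboarding-control steps above, carried out end to end in Windows PowerShell, as an added example that is not part of the course material. It assumes the AADRM module this course refers to (Connect-AadrmService, Get-Aadrm, Enable-Aadrm, Set-AadrmOnboardingControlPolicy, Get-AadrmOnboardingControlPolicy) together with the MSOnline module to look up the pilot group's object ID; the group name "RMS Pilot Users" is a placeholder. Microsoft later renamed the AADRM module to AIPService, so on a current tenant the same cmdlets appear as Connect-AipService, Enable-AipService and Set-AipServiceOnboardingControlPolicy.

```powershell
# Added example: activate Azure RMS and restrict protection to licensed members of a
# pilot group. Assumes the AADRM and MSOnline modules; "RMS Pilot Users" is a placeholder.
Import-Module AADRM
Import-Module MSOnline

$cred = Get-Credential -Message 'Global administrator for the tenant'
Connect-AadrmService -Credential $cred
Connect-MsolService  -Credential $cred

# Activation is a one-time tenant setting; only enable it if it is still disabled.
if ("$(Get-Aadrm)" -ne 'Enabled') {
    Enable-Aadrm
}
Get-Aadrm   # should now report Enabled

# Phased rollout: only users who hold an RMS license AND are members of the pilot
# group may protect content. Consumption of already-protected content is never
# blocked by onboarding controls.
$pilot = Get-MsolGroup -SearchString 'RMS Pilot Users' | Select-Object -First 1
if (-not $pilot) {
    throw 'Pilot group not found; create it before applying onboarding controls.'
}

$policy = @{
    UseRmsUserLicense     = $true
    SecurityGroupObjectId = $pilot.ObjectId
    Scope                 = 'All'        # All | WindowsApp | MobileApp
}
Set-AadrmOnboardingControlPolicy @policy

# Verify what is in force before telling pilot users to start protecting content.
Get-AadrmOnboardingControlPolicy
```

Onboarding controls limit who can protect content; they never stop anyone from opening content that is already protected. Running Set-AadrmOnboardingControlPolicy again replaces the previous policy, so at the end of the pilot run it with only -UseRmsUserLicense $true (the command shown above this example) to return to license-based control for every user.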

Configuring Azure RMS integration


After you enable Azure RMS, you can start to configure it. Additional configuration points include:

 Configure custom templates for Azure RMS.

 Log and analyze Azure RMS usage.

 Configure applications for Azure RMS.

 Configure a super user account for Azure RMS.

 Deploy the Azure RMS connector (only with Azure AD Premium).

Configure custom templates for Azure RMS


After Azure RMS activation, two templates are available:

 Read-only viewing for the protected content:


o Display name: <organization name> - Confidential View Only

o Specific permission: View Content

 Read or modify permissions for the protected content:


o Display name: <organization name> - Confidential

o Specific permissions: View Content, Save File, Edit Content, View Assigned Rights, Allow Macros,
Forward, Reply, Reply All

Users can set their own permissions through the Rights Management sharing application. In Microsoft
Outlook and Outlook Web App, users can also select the Do Not Forward option for email messages. In
addition, you can create custom templates for:

 Granting rights to a group of users.

 Allowing a subset of users to use departmental templates.

 Defining custom rights, such as View and Edit (but not Copy or Print), for a template.

Additional options in a template include a content expiration date and whether users can open the
protected content without an Internet connection and, if so, for how many days before they must
reauthenticate.

Create, configure, and publish a custom template


To create, configure and publish a custom template, complete the following steps:

1. Sign in to the Office 365 portal with your global administrator account.

2. In the app launcher, click the Admin icon.


3. In the Office 365 admin center, in the left side menu, select Admin centers.

4. Select Azure AD.



5. In the classic portal, click Active Directory.

6. Select Rights Management.

7. Select the directory you want to manage.

8. Select Create a new rights policy template.

9. Select the language, and then type a name and description for the template.

10. Click Manage your rights policy templates.

11. Your new template appears in the list of templates with a status of Archived. At this stage, the
template is created but not configured, and it is not visible to users.

12. Select the template.

13. Click Configure rights for users and groups. Get started and add the users and groups you want to
add to this template.
14. Select the following rights for the users or groups:

o Viewer

o Reviewer

o Co-Author

o Co-Owner

o Custom
15. If you want this template to be a departmental template, select scope.

16. Click GET STARTED NOW.

17. Select the users and/or groups whom you want to be able to see the template.
18. Click CONFIGURE, and then add the additional languages that users will employ together with the
name and description of the template in that language.

19. Optionally set the value for content expiration by specifying a date or a number of days starting from
the time that the protection is applied to the file. For offline access, you can specify that the content is
not available without an Internet connection or that the content is available only for a specified
number of days. When users reach this threshold, they must be reauthenticated, and their access is
logged.

20. Publish the template by selecting Publish and then saving.
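The same kind of custom template created by PowerShell instead of the classic portal, as an added example that is not from the course: a departmental template for a finance group that grants view and edit rights but withholds copy, print and export, expires content 30 days after protection, and allows 7 days of offline access before reauthentication. It assumes the AADRM module's Add-AadrmTemplate, New-AadrmRightsDefinition, Get-AadrmTemplate and Get-AadrmTemplateProperty cmdlets; the group address and template name are placeholders.

```powershell
# Added example: publish a scoped (departmental) template with restricted rights.
# Assumes the AADRM module; finance@contoso.com and the template name are placeholders.
Import-Module AADRM
Connect-AadrmService

$financeGroup = 'finance@contoso.com'     # must be a mail-enabled group in Azure AD

# Names and descriptions are hashtables keyed by LCID (1033 = English (United States)).
$names        = @{ 1033 = 'Finance - Edit, No Copy or Print' }
$descriptions = @{ 1033 = 'Finance staff can view and edit this content but cannot copy, print or export it.' }

# Rights are granted per recipient. VIEW, DOCEDIT and EDIT give read and edit access;
# leaving out EXTRACT (copy), PRINT and EXPORT is what enforces the restriction.
$financeRights = New-AadrmRightsDefinition -EmailAddress $financeGroup `
                   -Rights 'VIEW', 'DOCEDIT', 'EDIT', 'VIEWRIGHTSDATA'

$templateParams = @{
    Names                   = $names
    Descriptions            = $descriptions
    RightsDefinitions       = $financeRights
    ContentExpirationOption = 'AfterDays'   # Never | OnDate | AfterDays
    ContentValidityDuration = 30            # days after protection is applied
    LicenseValidityDuration = 7             # days of offline access before reauthentication
    ScopedIdentities        = $financeGroup # only this group sees the template in apps
    Status                  = 'Published'   # Archived templates exist but are hidden
}
Add-AadrmTemplate @templateParams

# Verify: find the new template and read back the properties that matter.
# Names is a collection of localized entries; stringifying it keeps the match simple.
$template = Get-AadrmTemplate |
    Where-Object { "$($_.Names)" -match 'Finance - Edit, No Copy or Print' } |
    Select-Object -First 1

Get-AadrmTemplateProperty -TemplateId $template.TemplateId `
    -Status -ScopedIdentities -RightsDefinitions `
    -ContentExpirationOption -ContentValidityDuration -LicenseValidityDuration
```

Check the RightsDefinitions output rather than trusting the script: the effective restriction is whatever the service stored, and a template that accidentally includes EXTRACT or PRINT would quietly undo the point of the department's policy.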

Log and analyze Azure RMS usage


The Azure RMS service can log every request that it handles for your organization, including:

 Requests from users, for example to protect or open content.

 Actions performed by Rights Management administrators in your organization.

 Actions performed by Microsoft operators to support your Azure RMS deployment.

These logs give you insight into how protection is actually used, let you monitor for abuse, and
support forensic analysis after an incident.

Note: To enable Azure RMS logging, you need an Azure subscription.
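Turning the usage logs into something a security team can act on, as an added example that is not from the course: download the logs, parse them, and report administrative and super-user activity alongside users who generate repeated failed license requests. It assumes the AADRM module's Get-AadrmUsageLog and the W3C extended log format the service writes (tab-separated rows, a "#Fields:" header naming the columns, and "-" for an empty value). The sample rows, the column subset they contain, the result strings, the IP addresses and the threshold are all constructed; real logs carry more columns, which the header-driven parser picks up without changes.

```powershell
# Added example: parse Azure RMS usage logs and surface two things worth reviewing.
# Assumes the AADRM module and W3C extended log format; sample data below is constructed.

function ConvertFrom-RmsUsageLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column names come from the header, so extra columns need no code change.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { throw 'Data row encountered before the #Fields header.' }
        $values = $line -split "`t"
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $v = if ($i -lt $values.Count) { $values[$i] } else { '' }
            if ($v -eq '-') { $v = '' }          # W3C convention for "no value"
            $row[$fields[$i]] = $v
        }
        [pscustomobject]$row
    }
}

function Get-RmsAdminActivity {
    # Any row recorded with an admin action, or where a super user acted for someone else.
    param([Parameter(Mandatory)][object[]]$Rows)
    $Rows | Where-Object { $_.'admin-action' -or $_.'acting-as-user' }
}

function Get-RmsLicenseFailures {
    # Users with repeated failed AcquireLicense requests: possible probing of content
    # they are not entitled to, or a misconfigured group membership worth a look.
    param([Parameter(Mandatory)][object[]]$Rows, [int]$Threshold = 3)
    $Rows |
        Where-Object { $_.'request-type' -eq 'AcquireLicense' -and $_.result -ne 'Success' } |
        Group-Object 'user-id' |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                User      = $_.Name
                Failures  = $_.Count
                SourceIPs = ($_.Group.'c-ip' | Sort-Object -Unique) -join ', '
            }
        }
}

# Real run (requires an Azure subscription for logging, as noted above):
#   Connect-AadrmService
#   Get-AadrmUsageLog -Path 'C:\RmsLogs' -FromTime (Get-Date).AddDays(-1)
#   $rows = Get-ChildItem 'C:\RmsLogs' -Filter *.log | Get-Content | ConvertFrom-RmsUsageLog

# Constructed sample standing in for downloaded log files.
$header = '#Fields: date time request-type user-id result c-ip admin-action acting-as-user'
$sampleRows = @(
    @('2017-03-01','09:00:01','AcquireLicense','alice@contoso.com',  'Success',      '203.0.113.5', '-','-'),
    @('2017-03-01','09:00:05','AcquireLicense','mallory@contoso.com','AccessDenied', '198.51.100.7','-','-'),
    @('2017-03-01','09:00:09','AcquireLicense','mallory@contoso.com','AccessDenied', '198.51.100.7','-','-'),
    @('2017-03-01','09:00:14','AcquireLicense','mallory@contoso.com','AccessDenied', '198.51.100.8','-','-'),
    @('2017-03-01','09:05:00','AcquireLicense','bob@contoso.com',    'AccessDenied', '203.0.113.6', '-','-'),
    @('2017-03-01','09:10:00','AcquireLicense','svc-dlp@contoso.com','Success',      '203.0.113.9', '-','alice@contoso.com')
) | ForEach-Object { $_ -join "`t" }

$rows = ConvertFrom-RmsUsageLog -Lines (@($header) + $sampleRows)

Get-RmsAdminActivity   -Rows $rows |
    Format-Table date, time, 'user-id', 'request-type', 'admin-action', 'acting-as-user' -AutoSize
Get-RmsLicenseFailures -Rows $rows | Format-Table -AutoSize
```

In the sample, mallory@contoso.com is reported for three failures from two addresses while bob@contoso.com, with a single failure, is not, and the svc-dlp@contoso.com row is listed because it acted on behalf of another user. The failure check deliberately tests for anything other than Success rather than a specific error string, so it does not depend on the exact wording the service uses.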



Configure applications for Azure RMS


Configuring applications for Azure RMS includes installing the Rights Management sharing application
and enabling support for the IRM features in SharePoint Online or Exchange Online. The following
applications require the configuration described:

 Office 365. Office 365 natively supports Azure RMS. Therefore, no client computer configuration is
required to support the IRM features for applications such as Microsoft Word, Microsoft Excel,
Microsoft PowerPoint, Outlook, and Outlook Web App.

 Exchange Online. To configure Exchange Online to support Azure RMS, you must configure the IRM
service for Exchange Online. To do this, open Windows PowerShell (there is no need to install a
separate module), connect to Exchange Online, and run the following commands in order.

Set-ExecutionPolicy RemoteSigned
$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
Set-IRMConfiguration -InternalLicensingEnabled $true
Test-IRMConfiguration -Sender <user email address>
Remove-PSSession $Session

Note: The key sharing location in the Set-IRMConfiguration command above is for North America.
Depending on the location of your tenant, replace it with one of the following:

 For Europe: https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc

 For Asia: https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc

 For South America: https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc

Test-IRMConfiguration is optional but worth running: it confirms that Exchange Online can reach your
RMS tenant, use the imported trusted publishing domain, and obtain licenses on behalf of the specified
sender before any user depends on IRM-protected mail.

Note: The -Authentication Basic session shown here reflects the period in which this course was
written. Microsoft has since retired Basic authentication for Exchange Online remote PowerShell in favor
of the Exchange Online PowerShell module (Connect-ExchangeOnline). The Set-IRMConfiguration,
Import-RMSTrustedPublishingDomain, and Test-IRMConfiguration commands are the same in either session
type.

 SharePoint Online and OneDrive for Business. These services also support Azure RMS. SharePoint
Online relies on Azure RMS to apply usage restrictions and to encrypt documents that users download from
protected lists and libraries. You need to set up Rights Management in SharePoint Online as well. To
protect SharePoint lists and libraries, you must first activate Azure RMS for your organization and then
turn on IRM in SharePoint Online by completing the following steps:

a. Sign in to the Office 365 portal with your global administrator account.

b. In the app launcher, click the Admin icon.

c. In the Office 365 admin center, select Admin centers.

d. Select SharePoint.
e. In the SharePoint admin center, select settings.

f. On the Settings page, in the IRM section, select Use the IRM service specified in your
configuration, and then select Refresh IRM Settings.

g. After you enable IRM in SharePoint Online, you can protect SharePoint lists and libraries.

Note: After IRM is enabled for a list or library, each downloaded file is encrypted so that
only authorized users can view it.

The supported file types in SharePoint Online IRM include:

 Portable Document Format (PDF)

 Office file types

 Office Open XML formats for the following Office programs: Word, Excel, and PowerPoint

 XPS

Client configuration
Several configuration options are available, depending on what clients you use:

 Clients running Office 2016 or Office 2013. These versions of Office natively support Azure RMS.
Therefore, no client computer configuration is required to support the IRM features for applications
such as Word, Excel, PowerPoint, Outlook, and Outlook Web App.

 Clients running Office 2010. Your users must have installed the Rights Management sharing
application for Windows.

 All computers and mobile devices that support Azure RMS. The Rights Management sharing
application is required for client computers to use Azure RMS with Office 2010, and it is
recommended for all computers and mobile devices that support Azure RMS. You can centrally roll
out the application, or each user can download it individually.

Additional Reading: For more information about downloading the mobile applications
and the application for the desktop client, refer to Microsoft Rights Management:
http://aka.ms/j19a1v.

Super user accounts and the Rights Management connector


The super user account and the Rights Management connector are advanced configuration options that
allow you to:

 Configure a super user account for Azure RMS. In certain instances, authorized users or services need
to access Azure RMS-protected files regardless of who protected them or which rights were granted. For
these cases, you can configure super users for your organization. Super users always have full owner
rights to content that your tenant has protected, so they can open it and remove or change the
protection that was previously applied. This ability, which is sometimes referred to as reasoning over
data, is a crucial element in maintaining control of your organization's data. The following scenarios
show why configuring super users might be necessary:

o An employee leaves the organization, and you need to read the files that he or she protected.

o You need to apply a new protection policy.

o Exchange Server needs to index mailboxes for search operations.

o You have existing IT services for DLP solutions, content encryption gateways, and antimalware
products that need to inspect files that are already protected.

o You need to decrypt files in bulk for auditing, legal, or other compliance reasons.

By default, the super user feature is not enabled, and no users are assigned this role.

If you need to manually enable the super user feature, use the Windows PowerShell cmdlet
Enable-AadrmSuperUserFeature, and then assign users (or service accounts) as needed by using the
Add-AadrmSuperUser cmdlet.

 Deploy the Azure RMS connector (only with Azure AD Premium). The Rights Management connector
allows you to quickly enable existing on-premises servers to use their IRM functionality with the
cloud-based Azure RMS service. This requires an Azure AD Premium license.
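Enabling the super user feature and keeping it under control, as an added example that is not from the course. Because a super user can decrypt every document the tenant has ever protected, the script treats the list of super users as a controlled configuration item: it assigns a dedicated service account and then reports any account that is configured but not on the approved list. It assumes the AADRM module cmdlets named above plus Get-AadrmSuperUser, Get-AadrmSuperUserFeature, Remove-AadrmSuperUser and Disable-AadrmSuperUserFeature; the account addresses are placeholders.

```powershell
# Added example: enable super users for a service account and audit for drift.
# Assumes the AADRM module; svc-rms-ediscovery@contoso.com is a placeholder.
Import-Module AADRM
Connect-AadrmService

# Use a dedicated, non-interactive service account rather than a person's account,
# and keep this list under change control: it is effectively a "decrypt anything" role.
$approvedSuperUsers = @('svc-rms-ediscovery@contoso.com')

# The feature is off by default and no one holds the role until you add them.
if ("$(Get-AadrmSuperUserFeature)" -ne 'Enabled') {
    Enable-AadrmSuperUserFeature
}

$current = @(Get-AadrmSuperUser)

foreach ($account in $approvedSuperUsers) {
    if ($current -notcontains $account) {
        Add-AadrmSuperUser -EmailAddress $account
    }
}

# Drift check: anything configured that is not approved is a finding to investigate.
$unexpected = @(Get-AadrmSuperUser | Where-Object { $approvedSuperUsers -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Unapproved super users present: " + ($unexpected -join ', '))
    # After confirming with the owner of each account:
    # $unexpected | ForEach-Object { Remove-AadrmSuperUser -EmailAddress $_ }
}

# Final state for the change record.
Get-AadrmSuperUserFeature
Get-AadrmSuperUser
```

If super user access is only needed for a one-off task such as a bulk decryption for legal review, run Disable-AadrmSuperUserFeature when the task is complete rather than leaving the capability switched on, and pair this audit with the usage-log review earlier in this topic, since super user activity is recorded there.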

Check Your Knowledge


Question

Which groups are available for custom Azure RMS templates?

Select the correct answer.

x Viewer

Author

Reader

Blocker

x Co-Author

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

To use Azure RMS between two organizations, a trust must be defined in a direct, point-to-point
relationship. F

Lesson 3
Managing the compliance features in Office 365
In this lesson, you will learn how to configure the advanced security features in Office 365. You will learn
about retention tags, archive mailboxes, and DLP.

Lesson Objectives
After completing this lesson, you will be able to:

 Configure archive mailboxes.

 Configure retention tags and policies.

 Configure document deletion policies in both SharePoint Online and OneDrive for Business.

 Configure preservation policies.

 Configure DLP policies for email.

 Describe DLP policies for SharePoint Online content.

 Configure Office 365 Advanced eDiscovery and compliance searching.

 Configure audit reports.

Configuring archive mailboxes


Exchange Online Archiving is an Office 365, cloud-based, enterprise-class archiving solution for
organizations that have deployed specific Office 365 plans. Exchange Online Archiving assists with
archiving, compliance, regulatory, and eDiscovery challenges while helping to simplify the on-premises
infrastructure, reduce costs, and ease IT burdens.

Online personal archiving is a service in Office 365 that provides an additional user mailbox for
storing old messages, such as calendar items from two or more years ago, or sent items that are no
longer important. The online archive mailbox looks just like an ordinary mailbox, and you can create
folders in it, search it, and carry out the same administrative tasks as with a regular mailbox.

Online archiving applies only to certain plan levels in Office 365. The following plans have the service
integrated:

 Office 365 Enterprise E3


 Office 365 Enterprise E5

 Office 365 Education E3

 Office 365 Education E5

 Office 365 Government G3

 Office 365 Government G5

 Exchange Online (Plan 2)



Online archiving is also available as an add-on with the following plans:

 Exchange Online (Plan 1)

 Exchange Online Kiosk

 Office 365 Midsize Business

 Office 365 Enterprise E1

 Office 365 Enterprise K1

 Office 365 Government G1

 Office 365 Government K1


 Office 365 Education E2

Note: Online archives can theoretically be of unlimited size but, in fact, have an initial fair
use quota of 160 gigabytes. You can raise this limit by calling support.

Enable an In-Place Archive


To enable an In-Place Archive for a user mailbox in the Protection Center, complete the following steps:
1. In the Protection Center, navigate to Data management and then click Archive.

2. Click a mailbox to select it.

3. In the details pane, on the Archive page, click Enable.


4. In the warning message box, click yes.

5. In the In-Place Archive section, click View details. Note that until the user signs in and opens his or
her In-Place Archive, this section provides a warning message. Click OK, and then click cancel to close
the Archive Mailbox dialog box.

You can also enable archives in bulk by selecting multiple mailboxes, and then in the details pane, clicking
Enable.
To enable an In-Place Archive by using Windows PowerShell, type the following command, and then press
Enter.

Enable-Mailbox "User Name" -Archive

To enable an archive for all users, type the following command, and then press Enter.

Get-Mailbox -Filter {ArchiveStatus -eq "None" -and RecipientTypeDetails -eq "UserMailbox"} -ResultSize Unlimited | Enable-Mailbox -Archive

Without -ResultSize Unlimited, Get-Mailbox returns at most 1,000 mailboxes, so in a larger tenant
some users would silently be left without an archive.

To check which mailboxes are enabled for archiving, type the following command, and then press Enter.

Get-Mailbox -Archive -ResultSize Unlimited

Disable an In-Place Archive


To disable an In-Place Archive, complete the following steps:

1. In the Protection Center, navigate to Data management and then click Archive.

2. Click a mailbox to select it.

3. In the details pane, on the Archive page, click Disable.



4. In the warning message box, click yes.

To disable an In-Place Archive by using Windows PowerShell, type the following command, and then
press Enter.

Disable-Mailbox -Identity "User Name" -Archive

This command disables only the archive; the user's primary mailbox remains enabled.

To reconnect a disabled archive to a mailbox user, you have to use Windows PowerShell and first
establish the GUID of the disconnected archive. To do so, type the following command, and then press
Enter.

Get-MailboxDatabase | Get-MailboxStatistics -Filter 'DisconnectDate -ne $null'

You then type the following command, replacing the GUID shown with the one returned by the previous
command.

Connect-Mailbox -Identity "8734c04e-981e-4ccf-a547-1c1ac7ebf3e2" -Archive -User "User Name"

Note: Get-MailboxDatabase and Connect-Mailbox are Exchange Server cmdlets; they are not available in
Exchange Online, where Microsoft manages the mailbox databases. In Exchange Online, a disabled archive
is retained for 30 days, during which it can be reconnected to the same user; after that it is
permanently deleted.

After you enable an In-Place Archive, the user has several ways of moving messages to it:

 Manually transferring messages by dragging them or using the Move command


 Setting up Inbox rules to transfer messages

 Configuring AutoArchive

 Applying personal retention policies

Configuring retention tags and policies


A retention tag is the main component of
messaging records management (MRM). MRM
helps organizations to manage email lifecycles
and to reduce the legal risks associated with email
and other communications.

The following three types of retention tags apply to different levels:

 Default Policy Tags (DPTs). Automatically apply to messages in an entire mailbox if no other policy
tag applies.

 Retention Policy Tags (RPTs). Automatically apply to the default folders, such as Inbox and
Calendar.

 Personal tags. Applied manually by users to messages and folders.

These retention tag types include some or all of the following elements:

 A unique name.

 A default folder (for RPTs).



 A retention action. The available retention actions are:

o Delete and allow recovery.

o Permanently delete (do not allow user recovery).

o Move to archive (for archiving tags and not for RPTs).

 A retention period, measured in days (with the option of Never for personal tags).

These retention tags are then linked in to a retention policy, and that policy is applied to mailboxes,
folders, and messages.

Office 365 includes the following predefined retention tags:

 Personal: 1 month delete

 Personal: 1 week delete

 Personal: 1 year delete


 Personal: 5 year delete

 Personal: 6 month delete

 Default: 2 year move to archive


 Personal: Never delete

 Personal: 1 year move to archive

 Personal: 5 years move to archive


 Personal: Never move to archive

If necessary, you can create additional retention tags to meet your organization's requirements and either
add those tags to the default retention policy or create a new retention policy to hold them. In their
own mailbox settings, users can select which of the personal retention tags in their assigned retention
policy to apply.

A retention policy is a collection of retention tags. It can contain up to two DPTs (each with a
different retention action, for example one that deletes and one that moves to the archive), at most
one RPT for each default folder, and a virtually unlimited number of personal tags. The organization
applies the retention policy to user mailboxes, and users can then select which of its personal tags to
apply to folders and messages in their mailboxes.

Note: Users cannot see the retention policy names. They see only the retention tags within the policy
applied to them. A mailbox can have only one retention policy applied at a time.

The default MRM policy contains the following retention tags:

 Default 2 year move to archive

 Never Delete

 5 Year Delete
 1 Year Delete

 6 Month Delete

 1 Month Delete

 1 Week Delete

 Recoverable Items 14 days move to archive

 Personal 1 year move to archive

 Personal 5 year move to archive

 Personal never move to archive

If these retention tags meet your organization’s requirements for retaining and deleting messages, you do
not have to define any more retention tags or policies. Alternatively, you can create additional retention
tags and add them to the default MRM policy.

If your organization’s requirements do not align with what the default MRM policy provides, you need to
define the retention tags and create a new retention policy that includes those tags together with any of
the existing retention tags.

Alternatively, you might have a situation where, for legal or regulatory reasons, individual employees or
entire departments have different retention needs. You can then create a new retention policy for those
employees, link the appropriate retention tags, and then apply the policy to those mailboxes.

To globally manage retention tags and policies across an organization, use Windows PowerShell to
connect to Exchange Online.

You configure a retention tag through the Protection Center or by using Windows PowerShell commands
while connected to Exchange Online.

To create a retention tag through the Protection Center, complete the following steps:

1. In the Protection Center, expand Data management, click Retention, and then click Manage
Retention tags for mailboxes.

2. In the Retention tags window, click new, which is the plus sign (+), and then select one of the
following:
o Applied automatically to an entire mailbox (default)

o Applied automatically to a default folder

o Applied by users to items or folders


3. The settings displayed vary according to the option you selected.

4. Set a name, configure the retention action and retention period, and then click Save to add the
retention tag to the list of default tags.
To create a retention tag by using Windows PowerShell, open a Windows PowerShell session connected to
Exchange Online with administrative credentials by using the New-PSSession and Import-PSSession
commands shown earlier in this module. (Connect-MsolService connects to Azure AD, not to Exchange
Online, and does not expose the Exchange cmdlets.) Then type the following command, and press Enter.

New-RetentionPolicyTag "Tag name" -Type <tagtype> -AgeLimitForRetention <days> -RetentionAction <retention action>

Valid values for -Type include All (a DPT), Personal (a personal tag), and the name of a default folder
such as Inbox or DeletedItems (an RPT). Valid values for -RetentionAction are DeleteAndAllowRecovery,
PermanentlyDelete, and MoveToArchive.

The new retention tag is visible in the Exchange admin center and can be added to retention policies.

Configure retention policies


Configuring retention policies is simply a matter of creating a new policy and then adding the tags you
want to that policy. You can complete this process by using the Protection Center or Windows PowerShell.

To configure retention policies by using the Protection Center, complete the following steps:

1. In the Protection Center, expand Data management, click Retention, and then click Manage
Retention policies for mailboxes.

2. On the Retention policies page, click new, which is the plus sign (+).

3. Type a name for the new policy.

4. Click new, which is the plus sign (+), and then select policy tags from those listed.

5. Click Save.

The equivalent Windows PowerShell cmdlet is New-RetentionPolicy, which uses the following syntax.

New-RetentionPolicy <name> -RetentionPolicyTagLinks <list of retention tags>

Assign retention policies to mailboxes


To apply a retention policy to a single mailbox or to multiple mailboxes, you can use the Protection
Center or Windows PowerShell. In the Protection Center, complete the following steps:

1. In the Protection Center, expand Data management, click Retention, and then click Assign
retention policies for mailboxes.

2. In the list view, select the mailbox to which you want to apply the retention policy, and then click the
edit icon.

3. On the User Name page, click Mailbox features.

4. Under Retention policy, select the policy you want to apply to the mailbox, and then click Save.
For multiple recipients, use the following process:

1. In the list view, select multiple mailboxes.

2. In the details pane, click More options.

3. Under Retention Policy, click Update.

4. On the Bulk assign retention policy page, select the retention policy you want to apply to the
mailboxes, and then click Save.

To use Windows PowerShell to change the policy for one mailbox, type the following command, and then
press Enter.

Set-Mailbox "Mailbox Name" -RetentionPolicy "RetentionPolicyName"

To change policy for all mailboxes, type the following command, and then press Enter.

Get-Mailbox -ResultSize unlimited | Set-Mailbox -RetentionPolicy "RetentionPolicyName"



To move all mailboxes from an old retention policy to a new one, type the following commands, and then
press Enter.

$OldPolicy = (Get-RetentionPolicy "Old-Retention-Policy").DistinguishedName
Get-Mailbox -Filter {RetentionPolicy -eq $OldPolicy} -ResultSize Unlimited | Set-Mailbox -RetentionPolicy "New-Retention-Policy"

To test whether a mailbox policy has been applied, type the following command, and then press Enter.

Get-Mailbox "Mailbox Name" | Select RetentionPolicy
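The tag, policy and assignment procedures above carried through as one worked configuration, as an added example that is not from the course: a retention policy for a Finance department that combines two DPTs with different actions, one RPT, and one personal tag, is applied to every Finance mailbox, and is then verified. It assumes an open Exchange Online remote PowerShell session (see the session commands earlier in this module); the tag names, retention periods and the Department value are placeholders.

```powershell
# Added example: complete MRM configuration for one department, with verification.
# Assumes an Exchange Online remote PowerShell session; names and periods are placeholders.

# DPT: applies to any item no other tag covers. 2555 days is roughly seven years.
New-RetentionPolicyTag -Name 'Finance-7Yr-Delete' -Type All `
    -AgeLimitForRetention 2555 -RetentionAction DeleteAndAllowRecovery `
    -Comment 'Finance default: delete after seven years, recoverable'

# A second DPT is allowed because its action differs (MoveToArchive, not delete).
# MoveToArchive only does anything for mailboxes that have an In-Place Archive enabled.
New-RetentionPolicyTag -Name 'Finance-2Yr-Archive' -Type All `
    -AgeLimitForRetention 730 -RetentionAction MoveToArchive

# RPT for a default folder. RPTs cannot use MoveToArchive.
New-RetentionPolicyTag -Name 'Finance-DeletedItems-30Day' -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction PermanentlyDelete

# Personal tag that users apply themselves to hold regulatory correspondence.
# "Never" is expressed by disabling retention on the tag.
New-RetentionPolicyTag -Name 'Finance-Regulatory-Never-Delete' -Type Personal `
    -RetentionEnabled $false -RetentionAction DeleteAndAllowRecovery

# Link the tags into one policy.
New-RetentionPolicy -Name 'Finance MRM Policy' -RetentionPolicyTagLinks `
    'Finance-7Yr-Delete', 'Finance-2Yr-Archive', 'Finance-DeletedItems-30Day', 'Finance-Regulatory-Never-Delete'

# Assign the policy to every Finance mailbox. Department is a filterable recipient property.
$finance = Get-Mailbox -ResultSize Unlimited -Filter { Department -eq 'Finance' }
$finance | Set-Mailbox -RetentionPolicy 'Finance MRM Policy'

# Verify 1: the policy carries exactly the tags intended.
(Get-RetentionPolicy 'Finance MRM Policy').RetentionPolicyTagLinks

# Verify 2: no Finance mailbox is still on another policy.
Get-Mailbox -ResultSize Unlimited -Filter { Department -eq 'Finance' } |
    Where-Object { "$($_.RetentionPolicy)" -ne 'Finance MRM Policy' } |
    Select-Object Name, RetentionPolicy

# Optional: process the mailboxes now rather than waiting for the Managed Folder
# Assistant's next scheduled pass.
$finance | ForEach-Object { Start-ManagedFolderAssistant -Identity $_.Identity }
```

The second verification matters in practice: a mailbox that is created after the assignment run, or whose Department attribute is set later, keeps the Default MRM Policy, so the filter-and-assign step needs to be rerun or automated rather than treated as a one-time task.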

Configuring document deletion policies in SharePoint Online and OneDrive for Business

Because of compliance, legal, or other business requirements, you might be required to retain
documents for a certain time frame. However, keeping documents longer than required can create
unnecessary legal risks. With a document deletion policy, you can proactively reduce the risks by
deleting documents from a site after a specific time frame has passed. With document deletion policies,
you can:

 Create and manage policies your site owners can choose from or opt out from altogether.

 Enforce a single mandatory policy on all the sites in a site collection.

 Provide a default policy with a default rule that automatically applies without any action required by
site owners.

 Create a policy that includes several deletion rules that a site owner can choose from.

Create a document deletion policy


To create a document deletion policy, complete the following steps:
1. In the Protection Center, in the navigation pane, select Data management, and then click Retention.
On the Retention page, in the Delete section, click Manage document deletion policies for
SharePoint Online and OneDrive for Business. The Document Deletion Policy Center opens in a
new browser tab.

2. The first time you navigate from the Protection Center to the Document Deletion Policy Center, the
policy center is automatically created for you. Alternatively, you can manually create the policy center
by creating the site collection and selecting Compliance Policy Center on the Enterprise tab.

3. Select Deletion Policies.

4. Select a new item.

5. Type a policy name and description.



6. Select New, type a name, and then complete the following steps to create a rule:

a. Select either permanently delete or delete to the Recycle Bin. The Recycle Bin helps to provide
a second-stage safety net before an item is permanently deleted from a site.

b. Choose whether the deletion date is calculated from the date when a document was created or
when it was last modified.

c. Type a number of days, months, or years as the time frame after which a document will be
deleted.

d. Choose whether the rule is a default rule. The first rule that you create is automatically set as the
default rule. A default rule is automatically applied to all libraries in the sites that use the policy.

7. Click Save.

Assign a document deletion policy to a site collection template


To assign a document deletion policy to a site collection template, complete the following steps:

1. In the Protection Center, in the navigation pane, expand Data management, and then click
Retention. On the Retention page, in the Delete section, click Manage document deletion
policies for sites. The Document Deletion Policy Center opens in a new browser tab.

2. Click Policy Assignments for Templates.

3. Select New Item.


4. Decide whether to assign the policy to a site collection template or to OneDrive for Business.

5. Click Save.

6. Select Manage Assigned Policies, and then select the policy you want to assign.

7. Click Save.

Note: If you want to enforce the policy with no option for site owners to opt out, select the
Mark Policy as Mandatory check box.

Assign a document deletion policy to a site collection


You can also assign a policy to a specific site collection by completing the following steps:

1. In the Protection Center, in the navigation pane, expand Data management, click Retention, and
then under Delete, click Manage document deletion policies for sites. The Document Deletion
Policy Center opens in a new browser tab.

2. Select Policy Assignments for Site collections.

3. Select New Item.

4. Select Choose a site collection. You can search for the site collection by name or by URL. After you
find it, select the appropriate site collection, and then click Save.

Delete a document deletion policy from a site collection


If you want to remove a document deletion policy, complete the following steps:

1. In the Protection Center, in the navigation pane, expand Data management, click Retention, and
then under Delete, click Manage document deletion policies for sites. The Document Deletion
Policy Center opens in a new browser tab.

2. Select either Policy Assignments for Site collections or Policy Assignments for Templates.

3. Select the assignment item you want to delete.

4. Select Delete.
5. Click OK.

Configuring preservation policies


Preservation policies help to keep the content you
need by preserving email and documents if they
are changed or deleted. Because of industry
regulations or internal policies, you might want to
preserve content for a certain time frame for your
organization.
You can preserve content in sites and mailboxes
indefinitely or for a specific duration with a
preservation policy in Office 365. To optimize the
results, you can filter the content by supplying
keywords or a date range to narrow the results.

Create a preservation policy


To create a preservation policy, complete the following steps:

1. In the Protection Center, in the navigation pane, expand Data management, and then click
Retention.
2. On the Retention page, in the Preserve section, click New, which is the plus sign (+).

3. Type a name and description, and then click Next.

4. Select what you want to preserve: Mailbox, SharePoint Online, OneDrive for Business.

5. Click Next.

6. Select the mailboxes you want to preserve.

7. Click Next.

Note: An optional step is to type the keywords you want to search for in the What do you
want to look for? (optional) box.

8. Select a start and an end date.

9. Select the time frame for preservation.

10. See the overview, and choose whether you want the preservation policy on or off.

11. Click Finish.



Edit, disable, or delete a preservation policy


To edit, disable, or delete a preservation policy, complete the following steps:

1. In the Protection Center, in the navigation pane, expand Data management, and then click
Retention.

2. In the Preserve section, click the preservation policy that you want to manage.

3. To edit, click Edit.

4. To delete, click the Recycle Bin.

5. To enable or disable the policy, click Status info.

Configuring DLP policies for email


You use DLP policies to help protect and manage your organization's information across various
locations. For example, you can set up policies to block access to content, automatically encrypt
documents, or notify users if content is saved to the wrong location.

To help protect sensitive information and prevent its inadvertent disclosure, you use DLP within
Office 365. Examples of sensitive information include:
 Financial data

 Credit card information

 Personally identifiable information

 Social security numbers

 Health records

Sensitive information detection is a sophisticated process. Sensitive information is identified by the following:

• Keywords

• Internal functions for checksum or composition validation

• Regular expressions to find patterns

• Other content examination

DLP policies help you to identify, monitor, and automatically protect sensitive information across Office
365. A DLP policy contains the location of the content to be protected, and these locations might include
Mailboxes, SharePoint Online, or OneDrive for Business. The DLP policy also contains the DLP rules, which
are built through conditions and actions.
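The detection methods just listed (keywords, checksum validation, regular expressions) and the rule conditions, actions and policy modes that the procedures in this topic configure, worked through in Python as an added illustration; this is not course material or Office 365 code. The sample messages, the keyword list, the confidence levels and the decision fields are all constructed for the example, and the credit card and IP address checks are simplified stand-ins for the service's own sensitive information types.

```python
"""DLP-style sensitive information detection and rule evaluation (constructed example)."""
import re

# Constructed sample messages, not taken from the course. The first one mirrors the
# lab's "Server IP address" test message; the third carries a 16-digit number that
# looks like a card number but fails the checksum, so it must not be flagged.
SAMPLE_MESSAGES = [
    {"subject": "Server IP address", "body": "The new server is at 10.10.10.10, please update DNS."},
    {"subject": "Expense report", "body": "Charged to card 4111 1111 1111 1111, exp 03/27."},
    {"subject": "Order number", "body": "Reference 4111 1111 1111 1112 is just an order id."},
    {"subject": "Lunch", "body": "Meet at noon in the Seattle office."},
]

# Regular expressions find candidate patterns; the checksum and keywords below decide
# whether a candidate really is sensitive information.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13 to 16 digits, optional separators
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CARD_KEYWORDS = ("card", "visa", "mastercard", "credit", "exp")  # assumed corroborating keywords
MODES = ("Enforce", "Test with policy tips", "Test without policy tips")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the kind of internal validation function that keeps a random
    16-digit number from being classified as a credit card number."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive_info(text: str) -> list:
    """Return the sensitive information types found in text, with a confidence level."""
    hits = []
    lowered = text.lower()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue  # pattern matched but checksum failed: not a card number
        has_keyword = any(k in lowered for k in CARD_KEYWORDS)
        hits.append({"type": "Credit Card Number", "match": m.group(),
                     "confidence": "high" if has_keyword else "medium"})
    for m in IPV4_RE.finditer(text):
        if all(int(octet) <= 255 for octet in m.group().split(".")):
            hits.append({"type": "IP Address", "match": m.group(), "confidence": "high"})
    return hits


def evaluate_rule(message: dict, sensitive_type: str, mode: str,
                  sender_override: bool = False) -> dict:
    """Apply one DLP rule to a message.

    Condition: content contains sensitive information of sensitive_type.
    Actions: block the message unless the sender overrides, send an incident
    report, and show a policy tip. The policy mode decides which actions take
    effect; the decision fields are this example's own, not the service's names."""
    if mode not in MODES:
        raise ValueError("unknown policy mode: %s" % mode)
    text = message["subject"] + "\n" + message["body"]
    matched = [h for h in find_sensitive_info(text) if h["type"] == sensitive_type]
    decision = {"matched": bool(matched), "incident_report": False, "policy_tip": False,
                "blocked": False, "rights_protected": False, "delivered": True}
    if not matched:
        return decision
    decision["incident_report"] = True           # the report is sent in every mode
    if mode == "Test without policy tips":
        return decision                          # audit only: the sender sees nothing
    decision["policy_tip"] = True                # sender is warned in the two remaining modes
    if mode == "Enforce":
        if sender_override:
            decision["rights_protected"] = True  # override allowed, message is rights-protected
        else:
            decision["blocked"] = True
            decision["delivered"] = False
    return decision


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", find_sensitive_info(msg["subject"] + "\n" + msg["body"]))
    for mode in MODES:
        print(mode, "->", evaluate_rule(SAMPLE_MESSAGES[0], "IP Address", mode))
    print("Enforce with override ->",
          evaluate_rule(SAMPLE_MESSAGES[0], "IP Address", "Enforce", sender_override=True))
```

Rolling a rule out in one of the two test modes first, as the note later in this lesson advises, lets you read the incident reports and tune the conditions before anything is blocked.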

Create a DLP policy for emails


To create a DLP policy for emails, complete the following steps:

1. In the Protection Center, in the navigation pane, expand Security policies, and then click Data loss
prevention.

2. On the Data loss prevention page, click go to the Exchange admin center.

3. A window with the DLP policies opens.

4. Select New, which is the plus sign (+).

5. Select among the following three options:

o New DLP policy from template

o Import DLP policy

o New custom DLP policy

6. Click New DLP policy from template.

7. Type a name and description for the policy.


8. Select one of the available DLP policies.

9. Click Save.

Create a custom DLP policy


To create a custom DLP policy, complete the following steps:

1. In the Protection Center, in the navigation pane, expand Security policies, and then click Data loss
prevention.
2. On the Data loss prevention page, click go to the Exchange admin center.

3. A pop-up with the DLP policies opens.

4. Select New, which is the plus sign (+).

5. Click Custom DLP policy from template.

6. Type a name and description for the policy.

7. Select the state of the policy (enabled or disabled).


8. Choose a mode for the policy (Enforce, Test with policy tips, or Test without policy tips).

9. Click Save, and then wait for the policy to be created.

10. Click Edit, and then click Rules.

11. Click New, which is the plus sign (+).

12. Choose between a new rule and one of the predefined rules.

13. Click the settings you want.


14. Click Save.

View DLP policy detection reports


To view DLP policy detection reports, complete the following steps:

1. In the Protection Center, in the navigation pane, select Security policies, and then click Data loss
prevention.

2. On the Data loss prevention page, click go to the Exchange admin center.

3. A pop-up with the DLP policies opens.

4. Select Reports.

5. Open the report you want.



Creating DLP policies for SharePoint Online and OneDrive for Business

You use DLP policies to help protect and manage your organization’s information across various locations. For example, you can set up policies to block access to content, automatically encrypt documents, or notify users if content is saved to the wrong location.

To help protect sensitive information and prevent its inadvertent disclosure, you use DLP within Office 365. In this topic, you will create DLP policies for SharePoint Online and OneDrive for Business.

Create a DLP policy for SharePoint Online and OneDrive for Business
To create a DLP policy for SharePoint Online and OneDrive for Business, complete the following steps:

1. In the Protection Center, in the navigation pane, expand Security policies, and then click Data loss
prevention.

2. Select New, which is the plus sign (+).

3. Choose among the following DLP policies:

o New custom policy. This option allows you to create a new custom DLP policy without any
predefined settings.

o Financial. This option helps to detect the presence of information commonly considered to be
financial data.

o Medical. This option helps to detect the presence of information commonly considered to be
related to health records.
o Privacy. This option helps to detect the presence of information commonly considered to be
personally identifiable information.

4. Click Next.

5. Select whether the policy applies to SharePoint Online, OneDrive for Business, or both. You can also
select specific site collections.

6. Click Next.
7. Click New, which is the plus sign (+).

8. Add conditions and actions for your policy.

9. Click Options to add the settings for an incident report. Add the severity level, with the available
range from Low to High, and whether to email the incident report to someone.

10. Click OK.

Note: Before you enforce DLP policies, you should consider rolling them out gradually to
assess their impact.

Edit or turn off a DLP policy


To edit or turn off a DLP policy, complete the following steps:

1. In the Protection Center, in the navigation pane, expand Security policies, and then click Data loss
prevention.

2. Click Edit to edit the policy, or click Delete to delete the policy.

Compliance search and Office 365 Advanced eDiscovery

Many organizations need to search content when they perform compliance audits. As part of a DLP strategy, you need a way to identify user data that might violate the organization’s compliance policy.

So you do not get overwhelmed with results, you can search for content that contains certain keywords and then select conditions to further scope the search query. For example, you can search for keywords that exist in sent email messages after a specific date, such as Sun AND Seattle AND 2015. You can then export and download the results for further analysis.

You can find all content and user activity by using Office 365 Advanced eDiscovery—whether that content
and activity exists in Exchange Online, SharePoint Online, or OneDrive for Business—helping to provide
you with unified protection for your Office 365 organization.

Create a content search


1. In the Protection Center, in the navigation pane, select Search & investigation and then click
Content search.

2. Click New, which is the plus sign (+).

3. In the New search box, type a name for the search.

4. Select the mailboxes you want to search, or select all mailboxes.

5. Select the sites you want to search.

6. Click Next.

7. Type the keywords you want to search for, or leave it empty to search for all content.

8. Click Search.

After a search successfully runs, you can prepare the search results for further analysis with Office 365
Advanced eDiscovery. This allows you to analyze large, unstructured data sets and reduce the amount of
data that is relevant to a legal case. The Office 365 Advanced eDiscovery features include:

• Near-duplicate detection

• Email threading

• Predictive coding

• Themes

• Exporting data for review applications



Note: To analyze user data with Office 365 Advanced eDiscovery, the user must have an
Office 365 Enterprise E5 license assigned or the appropriate standalone license. Administrators
and compliance officers who are assigned to cases and use Office 365 Advanced eDiscovery to
analyze data do not need an Office 365 Enterprise E5 license.

Prepare search results for an Office 365 Advanced eDiscovery search


You can prepare the results of a compliance search listed on the Search page in the Protection Center for
a search that is associated with an Office 365 Advanced eDiscovery case. To prepare search results for an
Office 365 Advanced eDiscovery search, complete the following steps:

1. In the Protection Center, in the navigation pane, select Search & investigation.

2. Select Content search.

3. In the details pane, under Analyze, click Analyze with Equivio Analytics.

4. On the Prepare the search results page, choose if you want only indexed items or all document
versions and if you want a notification message sent to a user when the preparation is ready.
5. Click Start export with Equivio.

View the preparation status


1. In the Protection Center, in the navigation pane, select Search & investigation, and then select
Search.

2. In the details pane, under Analyze, click View analysis.

Add the search results to a case


After the preparation is finished, go to Office 365 Advanced eDiscovery, and then add the data from the
search to an Office 365 Advanced eDiscovery case:

1. In the Compliance Center, click eDiscovery, and then click Go to Equivio Analytics.
2. Navigate to the Cases page in Office 365 Advanced eDiscovery.

3. Select the case that you want to add the data to, and then click Go to case.

4. Navigate to the Process page, and then under Container, click the item that corresponds to the
results from your previous search. Note that the titles in the list match the names of searches from the
Protection Center.

5. Click Process to add the selected search results to the case database.

Configuring audit reports

You can use the auditing functionality to track changes in Office 365. Microsoft or your organization’s administrators make changes, and so do users who make changes to documents and other items in the site collections of your SharePoint Online organization. Mailbox audit logging tracks changes made by administrators, delegated users, and mailbox owners.

You can view audit reports and export the audit logs. The following audit options are available:

• Auditing in Exchange Online

• Auditing in SharePoint Online

• Azure AD sign-in and audit reports

The Protection Center makes a unified audit log search available. The advantage of the audit log search is that you can search the following activities in one place:

• User activity in SharePoint Online and OneDrive for Business:

o File and folder activities

o Sharing activities

o Invitation and access request activities

o Synchronization activities

o Site administration activities

• User activity in Exchange Online:

o Exchange mailbox audit logging

o Exchange mailbox activities

• Admin activity in SharePoint Online

• Admin activity in Azure AD, the directory service for Office 365:

o User administration activities

o Group administration activities

o Application administration activities

o Role administration activities

o Directory administration activities

• Admin activity in Exchange Online

Additional Reading: For more information, refer to Search the audit log in the Office 365
Protection Center: http://aka.ms/V27n6z.

Audit log requirements


You must enable audit logging before you can start searching the Office 365 audit log. To enable audit
logging, click Start recording user and admin activity on the Audit log search page in the Protection
Center. This is a one-time process and might take a few hours to finish.

The Office 365 audit log records activities performed within the last 90 days. Note that after an event
occurs in Exchange Online, Azure AD, SharePoint Online, or OneDrive for Business, there might be some
delay for the corresponding audit log entry to be displayed. The Azure AD audit log contains user, group,
application, domain, and directory activities performed in the Office 365 admin center or in the Microsoft
Azure Management Portal. To run an audit log search, complete the following steps:

1. In the Protection Center, in the navigation pane, select Search & investigation.

2. Select Audit log search.

3. Select the activities you want to search.

4. Select the date range to search.

5. Optionally configure the users, files, folders, or sites you want to search.

View the search results


Your audit log search results are visible under Results on the Audit log search page. A maximum of 1,000
events, the most recent ones, is displayed.

Filter the search results


1. In the Protection Center, in the navigation pane, select Search & investigation and then click Audit
log search.

2. Run an audit log search.

3. When the results display, click Filter results.

4. Adjust the filter to meet your needs.

5. To clear the filter, click Hide Filtering.

Export the search results to a file


To export the search results to a .csv file, complete the following steps:

1. In the Protection Center, in the navigation pane, select Search & investigation and then click Audit
log search.

2. Run an audit log search.

3. Click Export results.

4. Select either Save loaded results or Download all results.



Check Your Knowledge


Question

Select the types of possible retention tags actions.

Select the correct answer.

x A unique name

x A delete action

x An allow recovery action

A do not allow recovery action

A create action

Verify the correctness of the statement by placing a mark in the column to the right.

Statement: Preservation policies help to keep the content you need by preserving email and documents.

Answer: T

Lab: Configuring Rights Management and compliance


Scenario
The compliance and security groups at A. Datum Corporation have concerns with the implications of
moving internal services and content to a cloud-based solution, such as Office 365. To receive project
approval, you need to show how you can use the Rights Management and compliance features to address
these concerns.

Objectives
After completing this lab, you will be able to:

• Configure Rights Management in Office 365.

• Configure compliance features in Office 365.

Lab Setup
Estimated Time: 75 Minutes

Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, and 20347A-LON-CL1

User name: Adatum\Administrator

Password: Pa$$w0rd

In all the tasks, where you see references to Adatumyyxxxxx.onmicrosoft.com, replace Adatumyyxxxxx with your unique Office 365 name that is displayed in the online lab portal.

Where you see references to Adatumyyxxxxx.hostdomain.com, replace Adatumyyxxxxx with your unique hostdomain.com name displayed in the online lab portal.

This lab requires the following virtual machines (use only the virtual machines required for your lab):

• LON-DC1:

o Sign in as Adatum\administrator with the password Pa$$w0rd.

• LON-DS1:

o Sign in as Adatum\administrator with the password Pa$$w0rd.

• LON-CL1:

o Sign in as Adatum\Holly by using the password Pa$$w0rd.

Exercise 1: Configuring Rights Management in Office 365


Scenario
You need to configure Rights Management in Exchange Online and SharePoint Online to help ensure that
confidential information is not shared with unauthorized users.

The main tasks for this exercise are as follows:

1. Activate Rights Management in Office 365.

2. Configure Rights Management for Exchange Online.

3. Configure Rights Management for SharePoint Online.

4. Validate the Azure Rights Management functionality.



Task 1: Activate Rights Management in Office 365

1. On LON-CL1, open Microsoft Edge, and then connect to the Office 365 portal.

2. Sign in as holly@Adatumyyxxxxx.onmicrosoft.com with the password Pa$$w0rd.

3. In the Office 365 admin center, under the Settings menu, click Services and add-ins, find Microsoft Azure Rights Management on the right side of the page, and then activate Rights Management.

Task 2: Configure Rights Management for Exchange Online

1. Open Windows PowerShell.

2. Use the following commands to connect to Exchange Online with remote PowerShell. Use Holly’s credentials to connect.

$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session

3. Use the following command to set the IRM key sharing location to the region you are in.

Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc

Note: Depending on the location of your tenant, replace the link in the preceding
command with one of the following:

• For Europe: https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc

• For Asia: https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc

• For South America: https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc

4. Use the following command to configure Azure RMS as a trusted publishing domain.

Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"

5. Use the following command to set the IRM configuration for licensed users only.

Set-IRMConfiguration -InternalLicensingEnabled $true

6. Use the following command to test the configuration.

Test-IRMConfiguration -Sender holly@adatumyyxxxxx.hostdomain.com

7. Remove the remote Windows PowerShell session, and then close Windows PowerShell.

Task 3: Configure Rights Management for SharePoint Online

1. From the Office 365 admin center, connect to the SharePoint admin center.

2. Go to the settings page.

3. Enable IRM, and then refresh the IRM settings.



Task 4: Validate the Azure Rights Management functionality


1. On LON-CL1, open Word 2016, and add holly@adatumyyxxxxx.hostdomain.com as the Office
account.

2. Close Word 2016.

3. Open Outlook 2016. Create a new message for Brad Sutton. On the Options tab, click Permission,
and then connect to the Rights Management server to get templates.

4. Click Permission again, apply the Do not Forward policy, and then send the message.

5. In Microsoft Edge, connect to https://adatumyyxxxxx.sharepoint.com/sites/marketing.

6. Click Documents, and then access the library settings.

7. Enable Information Rights Management (IRM), and then configure a policy with the following
settings:

o Restrict permissions on this library on download

o Title: Marketing Policy.

o Description: Marketing policy for downloads

o Allow viewers to write on a copy of the downloaded document.


8. Close Microsoft Edge.

9. Open Microsoft Edge, and then connect to https://portal.office.com. Sign in as Brad@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

10. Check Brad’s email, and then verify that you received an email from Holly that is IRM protected. Click
the message.

11. Verify that you do not have the option to forward or print the message.

12. In Microsoft Edge, connect to https://adatumyyxxxxx.sharepoint.com/sites/marketing.

13. Open the document in the Documents library, and then verify that you get a message that the
document is read-only.

14. Close Microsoft Edge.

To test in SharePoint, save a document to the team site, and then click File, click Info, and protect the document.

Results: After completing this exercise, you will have configured Rights Management for Exchange Online
and SharePoint Online.

Exercise 2: Configuring compliance features


Scenario
You need to implement the compliance features required to address the security requirements.

The main tasks for this exercise are as follows:

1. Configure Protection Center permissions and audit logging.


2. Configure archive mailboxes.

3. Configure retention tags and policies.

4. Configure content deletion and preservation policies.


5. Configure data loss protection policies in SharePoint Online.

6. Configure data loss protection policies for email.

7. Create compliance check content.

8. Validate the configuration.

Task 1: Configure Protection Center permissions and audit logging


1. On LON-CL1, open Microsoft Edge, and then sign in to https://portal.office.com as
holly@Adatumyyxxxxx.hostdomain.com.

2. In the Office 365 admin center, click Compliance, and then open the Protection Center.

3. In the Protection Center, configure Brad Sutton as a Compliance Administrator and Christie Thomas
as an eDiscovery Manager.

4. Click Reports, and then click View reports.

5. Click Office 365 audit log report.


6. On the Audit log search page, click Start recording user and admin activities, and then click Turn
on and click OK.

7. Close Microsoft Edge.

Task 2: Configure archive mailboxes


1. On LON-CL1, open Microsoft Edge, and then connect to https://protection.office.com as
Brad@Adatumyyxxxxx.hostdomain.com. Brad is a member of the Compliance Administrator role
group, so he can connect to the protection website.
2. In the navigation pane, click Data management, and then click Archive.

3. Configure Christie Thomas and Jessica Jennings with archive mailboxes.

Task 3: Configure retention tags and policies


1. In the retention area of the Protection Center, create the following retention tags for your
organization:

• Default Policy Tag (DPT):

o Name: Research User 1 year move to archive

o Retention Action: Move to Archive

o Retention Period: 365 days

• DPT:

o Name: Default 2 years move to Deleted Items

o Retention Action: Delete and Allow Recovery

o Retention Period: 730 days

• Retention Policy Tag (RPT) on the Deleted Items folder:

o Name: Purge Deleted Items 30 days

o Retention Action: Permanently Delete

o Retention Period: 30 days

• Personal tag:

o Name: 2 Year Delete

o Retention Action: Delete and Allow Recovery

o Retention Period: 730 days

• Personal tag:

o Name: Never archive

o Retention Action: Move to Archive

o Retention Period: Never

2. Create the following retention policies for your organization:

o Retention policy for Research users:

▪ Name: Research MRM Policy

▪ Retention tags included:

▪ 6 Month Delete

▪ 1 Year Delete

▪ 2 Year Delete

▪ Never Delete

▪ Research user 1 year move to archive

▪ Default 2 year move to Deleted Items

▪ Purge Deleted Items 30 days

▪ Personal 1 year move to archive

▪ Never archive

3. Apply the retention policy for Research users to Christie Thomas’s mailbox.

Task 4: Configure content deletion and preservation policies


1. On the Retention page, click Manage document deletion policies for SharePoint Online and
OneDrive for Business.

2. Verify that Brad does not have permission to configure SharePoint Online deletion settings. Close
Microsoft Edge.

3. Open Microsoft Edge, and then connect to https://protection.office.com as holly@Adatumyyxxxxx.hostdomain.com.

4. Access the Retention page, and then select the option to manage document deletion policies for
SharePoint Online and OneDrive for Business.

5. On the Compliance Policy Center page, edit Sample Document Policy by using the following
settings:

a. Set the name as Marketing Document Policy.

b. Create a new rule named Delete Messages at 7 years that will permanently delete messages
seven years after they were created.

c. Set the new rule as the default rule.

6. On the Compliance Policy Center page, click Policy Assignments for Site Collections.

7. Apply Marketing Document Policy to the Marketing site collection, and then mark the policy as
mandatory.

8. On the Retention page, under Preserve, create a new preservation policy as follows:

a. Type Retain contract details as the policy name, and then click Next.

b. Make sure that the search locations include Francisco Chaves’s mailbox and the
https://adatumyyxxxxx.sharepoint.com/sites/AcctsProj/ site collection

c. Configure the policy to search for the word Contract.

d. Configure the policy to retain content for seven years.

Task 5: Configure data loss protection policies in SharePoint Online


1. Open Microsoft Edge, and then connect to https://protection.office.com as
Brad@Adatumyyxxxxx.hostdomain.com.

2. In the navigation pane, click Security Policies, and then click Data loss prevention.

3. Create a new DLP policy from a template with the following settings:

o Information to protect: Custom

o DLP rule condition: Content contains sensitive information


o Sensitive information type: IP address

o Action: Send an incident report to Christie Thomas

o Rule name: IP address check


o DLP policy name: Test DLP policy

o Configure the policy to send notifications and provide policy tips for users.

Task 6: Configure data loss protection policies for email


1. Open Microsoft Edge, connect to https://protection.office.com, and then sign in as
holly@Adatumyyxxxxx.hostdomain.com.

2. In the Protection center, click Security Policies, and then click Data Loss Prevention.

3. On the Data loss prevention page, click go to the Exchange admin center.

4. Create a new custom DLP policy as follows:

a. Set the policy name as Test DLP policy for email.

b. Set the policy as enforced.

c. Create a new rule that will Block messages with sensitive information unless the sender
overrides.

d. Configure the sensitive information as IP addresses.

e. Send a notification to Christie Thomas.

f. If the user overrides the block, configure the email to use rights protection.

Task 7: Create compliance check content


1. Open Microsoft Edge, and then connect to https://portal.office.com as
Brad@Adatumyyxxxxx.hostdomain.com.

2. Send a new email to your Microsoft account with a subject of Server IP address and a message body
of 10.10.10.10.

3. Override the message block, and then send the message.

Task 8: Validate the configuration


1. Connect to your Microsoft account mailbox, and then verify that you received the message from Brad
but that the message attachment is encrypted and inaccessible.

2. Sign in to Office 365 as Christie@Adatumyyxxxxx.hostdomain.com.

3. Access Christie’s mailbox, and then verify that she has an In-Place Archive.

4. Verify that she received a notification about the message that Brad sent to your Microsoft account.

Results: After completing this exercise, you will have implemented the Office 365 compliance features.

Question: What is the best approach to protect organizational financial data?

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

Retention policies are helpful for reducing space in your mailbox.



Module Review and Takeaways


Security, compliance, and governance are key elements of Office 365. With these Office 365 features, it is
possible to work within Office 365 in a security-enhanced and protection-enhanced way.

Best Practice: Security enhancement is a continuous process. Good planning and tenant
preparation helps to secure the environment for users.

Common Issues and Troubleshooting Tips


Common Issue Troubleshooting Tip

Encrypted content is not accessible.



Module 12
Monitoring and troubleshooting Microsoft Office 365
Contents:
Module Overview 12-1

Lesson 1: Troubleshooting Office 365 12-2

Lesson 2: Monitoring Office 365 service health 12-12

Lab: Monitoring and troubleshooting Office 365 12-22

Module Review and Takeaways 12-25

Module Overview
As an administrator, you regularly need to monitor Microsoft Office 365 services and troubleshoot any
issues that result in service interruptions. In this module, you will learn about the different troubleshooting
and monitoring options that are available for Office 365.

Objectives
After completing this module, you will be able to:

• Troubleshoot Office 365 connectivity and service issues.

• Monitor Office 365 service health.

Lesson 1
Troubleshooting Office 365
You can use several tools to troubleshoot a cloud service. In this lesson, you will learn about some
common tools that you can use to troubleshoot Office 365. Additionally, you will learn about some
self-service tools that you can use to analyze Office 365 issues.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the Office 365 troubleshooting tools.

• Describe the Microsoft Remote Connectivity Analyzer.

• Describe the Microsoft Office 365 Support and Recovery Assistant tool.

• Explain how to use message tracking tools.

• Describe the hybrid environment free/busy troubleshooter.

• Describe the do-it-yourself troubleshooter.

Overview of Office 365 troubleshooting

You can use a range of tools and resources to identify and isolate service interruptions. Additionally, you can use these tools to help troubleshoot issues in Office 365 and in related services such as Microsoft Exchange Online, Skype for Business Online, and Microsoft SharePoint Online. These tools include connectivity analysis tools and message tracking tools. You can check network performance between your location and Office 365 data centers by using the connectivity analysis tools, and you can check the flow of emails within Exchange Online by using the message tracking tools.

Common issues with Office 365 relate to connectivity and network settings. Often you might see that even though a service is working, your users cannot connect to it, which might be because of changes to the firewall settings in the on-premises environment. For such issues, Microsoft provides troubleshooting tools.

In the Office 365 admin center, in the navigation pane, you can find the following menu items that relate
to Office 365 troubleshooting and monitoring:

• Health:

o Service Health

o Message Center

o Directory Sync Status

• Support:

o Overview

o Service Requests

• Reports

• Admin centers

When you sign in to the Office 365 admin center, you get an overview of the tenant’s service health. The
Service Health dashboard is divided by service. This allows you to see details about affected services.
Details include an overview of each service and the logs from the past 30 days. If your organization uses
an internal monitoring solution that can consume health status notifications via an RSS feed, then you also
can subscribe to the service health status via RSS.

Additional Reading: For information on which tools you should use for specific Office 365
problems, refer to Tools and Diagnostics: http://aka.ms/ude7mv.

Note: To administer Office 365 with a mobile device, Microsoft provides the Office 365
Admin app for Windows Phone 8 and later, which you can download: http://aka.ms/kiapdx.

Microsoft Remote Connectivity Analyzer

Microsoft provides several tools that you can use to analyze connectivity issues in Office 365 deployments. You can use the Microsoft Remote Connectivity Analyzer, which is an online tool, to run tests directly from the http://testconnectivity.microsoft.com website. You can also use the Microsoft Office 365 Support and Recovery Assistant tool to run similar tests as the Microsoft Remote Connectivity Analyzer, but these tests run locally from a client computer.

The Microsoft Remote Connectivity Analyzer website provides a set of tools for identifying common connectivity issues with Microsoft Exchange Server, Skype for Business, Microsoft Lync, and Office 365. Not all tests in the Microsoft Remote Connectivity Analyzer are for Office 365 only; several tests are also for on-premises systems. You can access several tests from the tabs in the Microsoft Remote Connectivity Analyzer website.

Note: Not all occurrences of Lync in the Microsoft websites and tools have been replaced
by Skype for Business at the time of writing this module.

Tab Tests

Exchange Server
 Microsoft Exchange ActiveSync Connectivity Tests:
o Exchange ActiveSync
o Exchange ActiveSync Autodiscover
 Microsoft Exchange Web Services Connectivity Tests:
o Synchronization, Notification, Availability, and Automatic Replies
o Service Account Access (Developers)
 Microsoft Office Outlook Connectivity Tests:
o Outlook Connectivity
o Outlook Autodiscover
 Internet Email Tests:
o Inbound SMTP Email
o Outbound SMTP Email
o POP Email
o IMAP Email

Skype for Business/Lync
 Microsoft Skype for Business Tests:
o Skype for Business Server Remote Connectivity Test
o Skype for Business Autodiscover Web Service
 Microsoft Lync Tests:
o Lync Server Remote Connectivity Test
o Lync Autodiscover Web Service Remote Connectivity Test
 Microsoft Office Communications Server Tests:
o Office Communications Server Remote Connectivity Test

Office 365
This points to the Microsoft Office 365 Support and Recovery Assistant tool, which is a new tool that users can run to fix common Office 365 problems. At the time of writing this module, the tool focused on problems with Outlook. This includes all the tests from the Exchange Server tab, in addition to the tests mentioned below:
 Office 365 General Tests:
o Office 365 Exchange Domain Name Server (DNS) Connectivity Test
o Office 365 Lync Domain Name Server (DNS) Connectivity Test
o Office 365 Single Sign-On Test
 Free/Busy Test:
o Free/Busy

Client
This points to the Microsoft Office 365 Support and Recovery Assistant tool, which is a new tool that users can run to fix common Office 365 problems. At the time of writing this module, the tool focused on problems with Outlook. This tool checks for network connectivity from a client to Office 365 services to identify issues that affect network performance between client PCs and Office 365:
 Microsoft Office 365 Support and Recovery Assistant
 Microsoft Office 365 Client Performance Analyzer
 Microsoft Lync Connectivity Analyzer Tool

Message Analyzer
The Microsoft Message Analyzer strips down message headers and displays the included values in a readable form. You can strip down an email’s message header by pasting the message header in the text box and clicking Analyze headers.

After a test completes, the Microsoft Remote Connectivity Analyzer provides a detailed log on the test
steps that passed successfully and the steps that failed, followed by a suggested resolution. You can save
this log information to the Clipboard or to an XML or HTML file. For most tests, a Tell me more about
this issue and how to resolve it link is available that provides additional information, which might help
you fix the issue.

The Microsoft Office 365 Support and Recovery Assistant tool

The Microsoft Office 365 Support and Recovery Assistant tool is a downloadable client app that you can use to identify connectivity issues between email clients and Exchange Server, and between email clients and Office 365. Email users can use the Microsoft Office 365 Support and Recovery Assistant tool to identify common problems, whereas administrators can use it to troubleshoot Exchange Server and Office 365 deployments.

The Microsoft Office 365 Support and Recovery Assistant tool provides a wizard that presents a series of
questions that guide you into identifying the issue that you are experiencing, and then provides potential
solutions to your issue. At the time of writing this module, the tool helped troubleshoot issues related to:

 Office setup

 Outlook

 Outlook for Mac

 Mobile devices

 Outlook on the web

You can install the Microsoft Office 365 Support and Recovery Assistant tool from the Microsoft Remote
Connectivity Analyzer website at http://testconnectivity.microsoft.com. The prerequisites for the Microsoft
Office 365 Support and Recovery Assistant tool include:

 One of the following operating systems:

o Windows 10

o Windows 8

o Windows 7

o Windows Vista

o Windows Server 2012 R2

o Windows Server 2012

o Windows Server 2008 R2

o Windows Server 2008

 Microsoft .NET Framework 4.5

 Lync (Skype for Business) diagnostics require the Unified Communications Managed API (UCMA) 4.0
runtime, which only runs on 64-bit operating systems.

 One of the following browsers:

o Microsoft Edge

o Internet Explorer

o Google Chrome with ClickOnce for Google Chrome

o Firefox with .NET Framework Assistant for Firefox

The Microsoft Office 365 Support and Recovery Assistant tool is similar to the Microsoft Remote
Connectivity Analyzer in that it provides a log with the test steps that passed successfully and the steps
that failed, and it then provides a Tell me more about this issue and how to resolve it link that makes
suggestions to help fix any reported issues. You can save the log as MCATestResults.html.

Message tracking tools

You can use several message tracking tools in the Office 365 environment to diagnose email delivery issues.

Message Analyzer
Email messages transmit between mail servers by using Simple Mail Transfer Protocol (SMTP). SMTP message headers contain information that records the origins of a message and its path through one or more SMTP servers to its destination. The Message Analyzer feature can display the contents of these headers and help diagnose any email transfer issues. All Message Analyzer processing occurs in the browser, and no additional software is necessary. You can use the Message Analyzer on any SMTP header, whether Exchange, Office 365, or any other SMTP server or agent generates it.

After you receive a delivery failure message:

1. Note the reason for the failure, such as “NonExistentDomain” or “550 Requested action not taken:
mailbox unavailable”.

2. Copy the message headers from the message.

3. Go to http://testconnectivity.microsoft.com, and then select the Message Analyzer tab.

4. Paste the message in the text box, and then click Analyze headers.

5. Diagnostic information and the time taken for the message to be rejected will display in the Message
Analyzer.

Delivery reports
Delivery reports provide an alternative method for tracking email delivery. You can run them at the
Exchange Server or Office 365 level or within Outlook on the web to track personal messages.

Two kinds of delivery reports are available: the reports that generate when you perform message tracing
with the Exchange Online message trace tool and personal delivery reports.

The Exchange Online message trace tool in the Exchange admin center
To run the Exchange Online message trace tool from the Exchange admin center, perform the following
steps:

1. Select mail flow, and then click message trace.

2. In message trace, next to Sender, click add sender, and then select the users to trace.

3. Under Date range, select one of the time periods:

o Last 24 hours

o Last 48 hours

o Last 7 days

o Custom (select start and end date and time)

4. Under Delivery status, select one of following statuses or search for all:

o Delivered

o Failed

o Pending

o Expanded

o Unknown

5. Optionally, provide a Message ID to narrow the search based on a specific Internet message ID,
which is also known as the client ID. The sending mail system generates this ID, and it is in the header
of the message with the "Message-ID:" token. Specify the full message ID of the message, which
might include angle brackets (< >).
6. Click search.

7. Double-click any returned message to view the sender, recipient, message size, message ID, IP
address information, and delivery status. The Exchange Online message trace tool then displays a
series of events that are associated with the message; for example, RECEIVE, SUBMIT, and SEND for a
successful message, or RECEIVE, SUBMIT, and FAIL for a message that could not be delivered.

Personal delivery reports in Outlook on the web

To run personal delivery reports in Outlook on the web, perform the following steps:

1. On the Settings menu, click Options.

2. On the Options page, click organize email, and then click delivery reports.

3. Provide the search criteria, and then click search.

4. Double-click a message to view the delivery report.

Note: At the time of writing this module, the Options menu for Outlook on the web was
changing. You might have to access the earlier version of the Options menu to view delivery
reports. To do this, on the Settings menu, under My app settings, click Mail. On the Options
page, click Other, and then click Go to earlier version.

Note: Personal delivery reports provide limited options when compared to Office 365
message trace delivery reports. For example, individual users cannot search all mailboxes, they
can only search for messages in their own mailbox.

Hybrid environment free/busy troubleshooter

The hybrid environment free/busy troubleshooter is a guided walk-through tool. It helps you troubleshoot free/busy issues in a hybrid deployment of Exchange Online in Office 365 and on-premises Exchange Server.

The troubleshooter also provides links to other tools that you can use to troubleshoot free/busy issues, including the Microsoft Remote Connectivity Analyzer.

Figure: The troubleshooting website for a hybrid Exchange environment.

Additional Reading: To access the hybrid environment free/busy troubleshooter, go to: http://aka.ms/wbpavu.

Using the hybrid environment free/busy troubleshooter


The hybrid environment free/busy troubleshooter provides the following options as a starting point to
troubleshoot issues:

 My Cloud user cannot see Free/busy for an on-premises user

 My On-premises user cannot see Free/busy for a cloud user

 I want to see some common tools for troubleshooting Free/busy issues

 I want to better understand how Hybrid Free/Busy is supposed to work

After selecting the appropriate option, the troubleshooter displays a series of items to check or test, along
with suggested solutions and relevant links if an item matches the tester's situation.

Do-it-yourself troubleshooter
If something is not working correctly in an Office 365 environment, a good starting point is to use the Office 365 troubleshooter, also known as the do-it-yourself troubleshooter, for initial diagnosis.

Note: To access the Office 365 do-it-yourself troubleshooter directly, go to: http://aka.ms/w60k8n.

To troubleshoot issues in Office 365 by using the do-it-yourself troubleshooter, perform the following steps:

1. Select the service with which you are having issues, such as Exchange Online.

2. Select a service area, such as Mailboxes.

3. Select an issue, such as Add or remove a license.


4. The troubleshooter then provides a list of relevant support resources in the results list, such as:

o Assign or unassign licenses for Office 365 for business

o You receive a "One or more users need an assigned license in order to retain an Exchange
Online mailbox or archive" message on the Users page of the Office 365 portal

Note: Microsoft updates the troubleshooter periodically. Microsoft regularly adds new self-
service troubleshooting steps for services such as Office 365 Groups, Skype for Business, Microsoft
Office Delve, Microsoft Office Sway, and all other Office 365 services.

Check Your Knowledge


Question

Which of the following are options or tools that you can use for monitoring and troubleshooting
Office 365?

Select the correct answer.

x Service Health

Protection Center

x Service Requests

Notification Center

Alert Center

Verify the correctness of the statement by placing a mark in the column to the right.

Statement: The Microsoft Office 365 Support and Recovery Assistant is a new tool that users can run to fix common Outlook problems.
Answer: T

Lesson 2
Monitoring Office 365 service health
In Office 365, you can monitor service health by using tools such as the RSS feed and the Service Health
dashboard. These tools provide information about planned maintenance, service updates, and historical
data. In this lesson, you will learn how to use these tools to monitor service health.

Lesson Objectives
After completing this lesson, you will be able to:

 Describe the importance of service health information in the Office 365 dashboard.

 Explain the purpose of Office 365 auditing reports.


 Explain the purpose of Office 365 mail and protection reports.

 Explain how to manage Exchange Online reports by using Windows PowerShell.

 Describe how to open Office 365 service requests.

 Explain how to monitor Office 365 with Microsoft System Center Operations Manager (Operations
Manager).

Service health information in the Office 365 dashboard

The Health page of the Office 365 admin center provides information on the health of your online services, and it provides access to information about any impending maintenance tasks that Microsoft plans.

The Health page

On the main Office 365 Home page, in the Service health section, you can see an overview of the current health of your online services. For detailed information, access the Service health page from the navigation pane or by clicking View the service health on the Home dashboard.

One of the following statuses indicates an online service’s health:

 Normal service. This indicates that the service is available and suffered no incidents during the
reporting period. The icon for this status does not link to any additional information.

 Extended recovery. This indicates that steps have completed to resolve the service incident. However,
it will take an extended period for service operations to return to normal. During this time, some
service behaviors might take longer than normal to complete.

 Investigating. This indicates that a potential service incident is under investigation.

 Service restored. This indicates that an incident was active earlier today, but the service was restored.

 Service interruption. This indicates that the service is not functioning, and users cannot access the
service.

 Additional information. This indicates that an incident was active during a previous day. The incident
might be resolved or it might still be active.

 Service degradation. This indicates that the service is slow or is occasionally unresponsive for brief
periods.

 PIR published. This indicates that a report of the service incident has published.

 Restoring service. This indicates that the service incident is in the process of resolving.

Note: In the unlikely event that the Office 365 admin center is not available, there is a
separate link to the Service Health dashboard: http://aka.ms/vlkz7v. If the issue relates to Azure
AD, for example sign-in issues, refer to: http://aka.ms/kfxpxv.

The table that you access from the Support page displays status information for the current day and the
previous six days. This table shows the status of each of the online service components, and you can click
the status icons for more information.

You can also click View history to see further historical service health data. On the history page, you can
see specific incidents that have occurred within the last 30 days and the categories they come under,
including Office 365 Portal, Identity Service, Skype for Business Online, and Exchange Online.

To see specific incident details, find the incident in the calendar, and then click it, which gives you
chronological data about the outage or issue and any resolution to the problem. If a post-incident report
has published, you can also download or view the report for more details.

Note: The Service health page only includes information about the health of your online
services; it does not cover other items, such as network infrastructure issues.

Planned maintenance
You can view information about any upcoming Office 365 maintenance tasks in the Support page. This
page displays the date and time of any planned maintenance, and you can click the link for each
maintenance task for more information.

RSS feeds
Office 365 also provides a link to an RSS feed for Office 365 service health. You can add the feed to your
Common RSS Feed List. You can view this in programs that use the Common RSS Feed List, such as
Microsoft Edge and Outlook. The feed updates each time a new incident event is added or an existing
incident event is updated.

Office 365 auditing reports

Several auditing reports are available on the Reports page of the Office 365 admin center. The following table lists the auditing reports that you can generate from the Office 365 admin center.

Report Description

Mailbox access by non-owners
This report returns a list of mailboxes that anyone other than the owners of the mailboxes accessed. This report generates from an audit log that logs information such as the person who accesses the mailbox, when they accessed it, what actions they performed, and whether their actions were successful or not.

Role group changes
This report returns a list of all the changes made to Office 365 role groups by administrators in your organization. This report generates from an audit log that logs information about who made the change, when they did it, and what the change was.

Mailbox content search and hold
This report returns a list of all the mailboxes that were put on hold or were removed from In-Place Hold or In-Place eDiscovery. It contains additional information about who put the mailbox on hold and when they did it.

Mailbox litigation holds
This report returns a list of all changes made to per-mailbox litigation holds. This report generates from an audit log that logs information about who enabled or disabled litigation hold on a mailbox and when they did it.

Enable mailbox audit logging


You have to enable mailbox audit logging for each mailbox on which you want to run a non-owner
mailbox access report. If mailbox audit logging is not enabled for a mailbox, you will not receive any
results when you run a report for it or when you export the mailbox audit log.
To enable mailbox audit logging for a single user’s mailbox, perform the following steps:

1. Open the Windows PowerShell command-line interface, and then connect to Exchange Online.

2. At the command prompt, type the following command, and then press Enter:

Set-Mailbox user@domainname.com -AuditEnabled $true

To enable mailbox audit logging for all users’ mailboxes, perform the following steps:

1. Open Windows PowerShell, and then connect to Exchange Online.

2. At the command prompt, type the following command, and then press Enter:

$UserMailboxes = Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')}

3. At the command prompt, type the following command, and then press Enter:

$UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

Note: For more information on how to connect to Exchange Online by using remote
Windows PowerShell and how to enable mailbox auditing in Office 365, refer to Enable mailbox
auditing in Office 365: http://aka.ms/kna8cb.
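The two procedures above combined into one script, as an added example that is not part of the course material: it enables mailbox audit logging on the user mailboxes that still lack it, then searches the mailbox audit log (the data behind the non-owner mailbox access report) for delegate and admin access in the last seven days. It assumes an already-connected remote PowerShell session to Exchange Online, and the audit action sets and the 90-day log age limit are illustrative choices, not values from the course.

```powershell
# Added example (not course code). Assumes an existing remote PowerShell session
# to Exchange Online, opened as described in the note above.

# 1. Find user mailboxes where mailbox audit logging is still disabled.
$allUserMailboxes = Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'"
$unaudited = $allUserMailboxes | Where-Object { -not $_.AuditEnabled }

Write-Host ("User mailboxes: {0}, without audit logging: {1}" -f $allUserMailboxes.Count, $unaudited.Count)

# 2. Enable auditing on those mailboxes. The action sets and the log age limit
#    below are illustrative choices (assumption), picked so that non-owner
#    reads, deletions and SendAs/SendOnBehalf are all recorded.
foreach ($mbx in $unaudited) {
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true `
        -AuditLogAgeLimit 90.00:00:00 `
        -AuditDelegate Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf `
        -AuditAdmin Update, Copy, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf
    Write-Host ("Enabled mailbox audit logging for {0}" -f $mbx.PrimarySmtpAddress)
}

# 3. Search the mailbox audit log for non-owner access (Admin and Delegate logons)
#    during the last seven days. Searching mailbox by mailbox keeps -ShowDetails
#    available, which returns one row per audited operation.
$end   = Get-Date
$start = $end.AddDays(-7)

$events = foreach ($mbx in $allUserMailboxes) {
    Search-MailboxAuditLog -Identity $mbx.Identity -LogonTypes Admin, Delegate `
        -StartDate $start -EndDate $end -ShowDetails -ResultSize 5000
}

# 4. Summarize who accessed whose mailbox, what they did, and from where.
$events |
    Select-Object MailboxOwnerUPN, LogonUserDisplayName, LogonType, Operation,
                  OperationResult, LastAccessed, ClientIPAddress |
    Sort-Object LastAccessed -Descending |
    Format-Table -AutoSize
```

Mailboxes enabled in step 2 produce no audit rows until after auditing was switched on, so the first run of step 3 only reflects mailboxes that were already audited.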

Office 365 mail and protection reports

The Reports page of the Office 365 admin center provides access to several mail and protection reports.

Mail reports
Several mail-related reports are available under the Mail section on the Reports page in the Office 365 admin center. The following table lists some of these reports.

Report Description

Active and inactive mailboxes
This report shows the number of active and inactive mailboxes over a period. A mailbox is considered inactive if a user has not accessed it for more than 30 days.

New and deleted mailboxes
This report shows the number of active, new, and deleted mailboxes.

New and deleted groups
This report shows the number of created and deleted groups.

Mailbox usage
This report shows the total number of mailboxes, inactive mailboxes, mailboxes that have exceeded their storage quota, and mailboxes that are currently using less than a quarter of their storage quota.

Types of mailbox connections
This report shows the number of mailbox connections made over time, grouped by connection type, such as Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), and Outlook on the web.

All of these reports display as charts, and they provide links to view each chart as a table instead. Some of
the reports have clickable links that display the information on a daily, weekly, monthly, or yearly basis.

Protection reports
Several protection-related reports are available under the Protection section on the Reports page in the Office 365 admin center. The following table lists some of these reports.

Report Description

Top senders and recipients
This report shows a list of top email users. You can view which users are:
 Top mail senders.
 Top mail recipients.
 Top spam recipients.
 Top malware recipients.

Top malware for mail
This report shows the number of malware detections in received mail before the malware action was applied. It also displays a list of top malware recipients, showing each recipient’s email address and a count of received malware.

Malware detections
This report shows the number of malware detections in sent mail before the malware action was applied.

Spam detections
This report shows the number of detected spam messages grouped by spam filtering type, such as SMTP blocked, IP blocked, and Content filtered. It also displays a list of top spam recipients, showing each recipient’s email address and a count of received spam emails.

Sent and received mail
This report shows received mail grouped by the type of traffic, such as Good mail, Malware detections, Spam detections, and Rule messages. Rule messages are received and sent messages that match at least one transport rule or data loss prevention (DLP) policy.

All of these reports display as charts, and they provide links to view each chart as a table instead.
Additionally, they all have clickable links to enable the chart to display the information over seven-day,
14-day, 30-day, or custom date periods. All dates and times are in Coordinated Universal Time (UTC).

Downloading mail protection reports

On the Reports page of the Office 365 admin center, under Download your reports, there is a Mail protection reports (Excel) link that enables you to download mail protection reports for Office 365. The link opens a webpage in the Microsoft Download Center, from where you can download the Microsoft Office 365 Excel Plugin for Exchange Online Reporting. The download is packaged as an .msi file, and you can download 32-bit and 64-bit versions.

The download installs a Microsoft Excel 2013 reporting workbook that provides a comprehensive view of
the email protection information that is also available on the Reports page of the Office 365 admin
center.

To use the mail protection reports workbook for Office 365, perform the following steps:

1. On the desktop, double-click the Mail Protection Reports for Office 365 shortcut.

2. On the Microsoft Office Customization Installer page, click Install.

3. Select one of the worksheet tabs in the workbook, and then click the Query button in the worksheet.

4. Enter your Office 365 credentials, and then click Login.


5. In the Query dialog box, select a time interval, and then click OK.

6. On the Progress page, when it completes, click OK.

The workbook contains summary graphs for various types of email message filtering and includes
information about messages that were identified as good mail, spam, or malware. It also displays graphs
for messages that were identified by a transport rule or a DLP policy.

You also can use data slicers in Excel 2013 to perform deeper data analysis. If you notice specific trends or
unusual activities in the data, you can get more detailed information from the report by running queries
on the other tabs in the workbook and viewing more detailed information about the messages
themselves.

Note: The Mail Protection Reports for Office 365 Excel Plugin currently only works with
Excel 2013 and not with Excel 2016.

Managing Exchange Online reports by using Windows PowerShell

You can use several Windows PowerShell cmdlets for reporting purposes in Exchange Online.

Auditing cmdlets

You can use the following Windows PowerShell cmdlets to configure audit logging and to view audit logs.

Cmdlet Purpose

Search-AdminAuditLog
Search the contents of the administrator audit log.

Write-AdminAuditLog
Add comments to the administrator audit log.

Get-AdminAuditLogConfig
View how administrator audit logging is currently configured.

New-AdminAuditLogSearch
Search the contents of the administrator audit log and send the results to the recipients that you specify.

Get-MailboxAuditBypassAssociation
View the accounts that bypass mailbox audit logging.

Set-MailboxAuditBypassAssociation
Specify accounts that bypass mailbox audit logging. For example, you can specify service accounts that frequently access mailboxes to reduce the noise in mailbox audit logs.

Search-MailboxAuditLog
Search the contents of the mailbox audit log.

New-MailboxAuditLogSearch
Search the contents of the mailbox audit log and send the results to the recipients that you specify.

Message tracking cmdlets

You can use the following Windows PowerShell cmdlets to track delivery information about messages that any specific mailbox in your organization sends or receives.

Cmdlet Purpose

Get-MessageTrackingReport
Return the data for a specific message tracking report. This cmdlet requires you to specify the ID for the message tracking report that you want to view. Therefore, you first need to use the Search-MessageTrackingReport cmdlet to find the message tracking report ID for a specific message. You then pass the message tracking report ID from the output of the Search-MessageTrackingReport cmdlet to the Get-MessageTrackingReport cmdlet.

Search-MessageTrackingReport
Find the unique message tracking report based on provided search criteria. You can then pass this message tracking report ID to the Get-MessageTrackingReport cmdlet to get the full message tracking information.
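The Search-MessageTrackingReport to Get-MessageTrackingReport hand-off described above, as an added example script that is not part of the course material. The sender mailbox, recipient and subject are placeholders; the output property names it relies on (MessageTrackingReportId on the search result, and RecipientTrackingEvents with Date, RecipientAddress, EventType, Status and Server on the report) are assumed from the cmdlets' documented output, and an already-connected remote PowerShell session to Exchange Online is assumed.

```powershell
# Added example (not course code). Assumes an existing remote PowerShell session
# to Exchange Online. All three values below are placeholders.
$SenderMailbox = 'sender@contoso.example'      # placeholder mailbox to search
$Recipient     = 'recipient@fabrikam.example'  # placeholder recipient filter
$Subject       = 'Quarterly report'            # placeholder subject filter

# Step 1: find the message tracking report ID(s) that match the criteria.
# -ByPassDelegateChecking lets an administrator search a mailbox they do not own.
$matches = Search-MessageTrackingReport -Identity $SenderMailbox `
    -Recipients $Recipient -Subject $Subject -ByPassDelegateChecking

if (-not $matches) {
    Write-Warning "No message tracking report matched the search criteria."
    return
}

# Step 2: pass each report ID to Get-MessageTrackingReport and flatten the
# per-recipient events (the RECEIVE/SUBMIT/SEND or FAIL sequence the course
# describes for the message trace tool) into one table per message.
foreach ($m in $matches) {
    $report = Get-MessageTrackingReport -Identity $m.MessageTrackingReportId `
        -ByPassDelegateChecking -ReportTemplate RecipientPath -DetailLevel Verbose

    Write-Host ("Subject: {0}  Submitted: {1}" -f $m.Subject, $m.SubmittedDateTime)

    # Property names on the report object are an assumption (see lead-in).
    $report.RecipientTrackingEvents |
        Select-Object Date, RecipientAddress, EventType, Status, Server |
        Sort-Object Date |
        Format-Table -AutoSize
}
```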

General reporting cmdlets

You can use the following Windows PowerShell cmdlets for general reporting in Exchange Online.

Cmdlet Purpose

Get-FailedContentIndexDocuments
View the list of documents in a mailbox that Exchange Search could not index.

Get-LogonStatistics
View information about open logon sessions to a specified mailbox, such as username, logon time, and last access time. A user must sign out to close a logon session; therefore, multiple sessions might appear for users who just close their browser.

Get-MailboxFolderStatistics
View information about the folders in a specified mailbox, including the number and size of items in the folder, the folder name and ID, and other information.

Get-MailboxStatistics
View information about a specified mailbox, such as the size of the mailbox, the number of messages it contains, and the last time that a user accessed it.

Get-RecipientStatisticsReport
View information about the total number of recipients in your organization, including the number of mailboxes, active mailboxes, contacts, and distribution groups.

Additional Reading: To view a list of all Exchange Online Protection cmdlets, refer to:
http://aka.ms/i09sv9.

Office 365 service requests

Office 365 administrators can request technical assistance from the Office 365 support team by submitting a service request online or by phone. Office 365 offers support service all of the time.

Note: To open a new service request, you must sign in to Office 365 as an administrator.

To open a new service request, perform the following steps:

1. In the Office 365 admin center, in the navigation pane, click Support, and then click Service Requests.

2. Here, you can see your current service requests and you can click the plus sign (+) above the list to
create new service request. When you click to create new service request, the Support Overview
page appears.

3. On the Support Overview page, select the topic for the service request. Find the common topics in
the Create a service request column. You can expand the list by clicking More at the end of the list.

4. Click the desired topic, for example, Mail.

Note: If you create a new service request about an issue that Microsoft is investigating
currently, you will see a corresponding note such as “We're investigating a problem that may
be related to your issue. Go to Service health to see if this is the same problem your users are
having. If so, you may not need to create a service request,” followed by the topic, for example,
“Exchange - In extended recovery - EX41924.” You then can decide if you still want to create a
new service request.

5. On the New service request page, under identify the issue, select the feature (for example, Mail
Flow), and the symptom (for example, I received a non-delivery report (NDR) for an email I sent).
Depending on the selections, the issue form expands and shows more text boxes. Fill out the text
boxes, and then click Next.

6. Click the Review suggestions links to view possible solutions for the specified problem. You should
read these before proceeding with the service request because the issue might be a common issue
that you can resolve without requesting additional support.

Note: If a service is unavailable, you should check the Service Health dashboard before
opening a new service request. If a service appears to be unavailable but there are no reports in
the Service Health dashboard, you should call the Office 365 support phone number for your
country or region.

7. On the Add details page, you then add further information to the service request, including a
summary, issue details, service availability, and the number of affected users. You can also attach
additional files to that service request. Include screenshots of any errors or other relevant documents
with the service request. Note that these files must be smaller than 5 megabytes (MB) each. Click
Next.

8. On the Confirm and submit page, check the email address and the phone number that the
Microsoft support team can use to contact you. Your data will already be filled out from your user
sign-in information. Correct the data if necessary. Click Submit request to submit the service request.

A reference number for the request is provided, and the new request will be listed in the service requests
list. Service requests pass directly to a support representative, who will respond with an email message.
The target initial response time for a new service request depends on both the severity level of the issue
and the Office 365 subscription type, as highlighted in the table below.

Microsoft assigns a severity level to a service request when it opens, based on the type of Office 365
subscription, an assessment of the issue type, and the customer impact. The three types of severity are:

 Severity A (Critical). This is assigned when one or more services are not accessible or are unusable.

 Severity B (High). This is assigned when the service is usable but in an impaired state.

 Severity C (Non-critical). This is assigned when the issue is important but does not currently have a
significant impact on the service or productivity.

The following table shows the availability and response times for the three severity types, depending on
the Office 365 plans.

Severity level | Office 365 for Enterprises and Government plans | Office 365 Business and Education plans
Severity A (Critical) | Available: 24 hours a day, seven days a week*. Response time: one hour | Available: 24 hours a day, seven days a week*. Response time: one hour
Severity B (High) | Available: 24 hours a day, seven days a week*. Response time: next day | Available: business hours. Response time: no commitment
Severity C (Non-critical) | Available: 24 hours a day, seven days a week*. Response time: no commitment | Available: business hours. Response time: no commitment

* Office 365 support teams take calls and service requests 24 hours a day, seven days a week. This service
depends on the region and is available in most countries.

Elevated support provides additional support options and service level agreements (SLAs) over the
standard Office 365 support. Elevated support can include service update management, end-to-end
support for clients and services, reactive and advisory services from advanced engineers, incident
management, and on-site workshops that Microsoft Premier Support Services or Microsoft partners
provide.

Additional Reading: For more information, refer to Additional support options:
http://aka.ms/pfvct8.

After you submit a service request, any further actions that the support representatives require, such as
requests for additional information, display as “Action required” in the list of open requests on the Service
requests page. It is important to close the request when an issue is resolved or assistance is no longer
necessary.

Monitoring Office 365 with Operations Manager


You can use Operations Manager for basic monitoring of Office 365 services, including checking Internet
connectivity and service availability. The Operations Manager management pack for Office 365 provides
monitoring functionality for all versions of Operations Manager starting with System Center 2012
Operations Manager.

You must import the Office 365 management pack for Operations Manager into System Center. After you
add an Office 365 subscription, the management pack offers monitoring for services such as:

 Subscription health

 Service status

 Active and resolved incidents


 Message Center

 Alerts

Additional Reading: For more information on how to obtain and set up this management
pack, refer to System Center Management Pack for Office 365: http://aka.ms/it7q1b.

Check Your Knowledge


Question

A service in the Service Health dashboard can have which of following statuses?

Select the correct answer.

x Normal service

Service anomaly

x Extended recovery

x Investigating

Operations aborted

Check Your Knowledge


Question

How can you open a service request in Office 365?

Select the correct answer.

Via Skype for Business

Via email

x Via phone

x Via the Office 365 admin center

Via the Office 365 App launcher



Lab: Monitoring and troubleshooting Office 365


Scenario
A. Datum Corporation’s Office 365 deployment is almost complete. As the team enters the final phase of
this project, you need to set up a suitable monitoring environment to track the status of Office 365 and to
ensure that the help desk and IT management can respond to any reported issues. Additionally, you need
to learn how to monitor and troubleshoot Office 365 issues so that you can train the support staff in these
areas.

Objectives
After completing this lab, you will be able to:

 Analyze mail flow.

 View Office 365 reports.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, 20347A-LON-CL1

User names: Adatum\Administrator on LON-DC1 and LON-DS1 and Adatum\Holly on LON-CL1

Password: Pa$$w0rd
In all of the tasks, where you see references to “Adatumyyxxxxx.onmicrosoft.com”, replace
“Adatumyyxxxxx” with your unique Office 365 name that displays in the online lab portal.

Where you see references to “Adatumyyxxxxx.hostdomain.com”, replace “Adatumyyxxxxx” with your
unique hostdomain.com name that displays in the online lab portal.

This lab requires the following virtual machines:

 LON-DC1:

o Sign in as Adatum\Administrator with the password Pa$$w0rd.

 LON-DS1:

o Sign in as Adatum\Administrator with the password Pa$$w0rd.


 LON-CL1:

o Sign in as Adatum\Holly by using the password Pa$$w0rd.

Exercise 1: Monitoring Office 365


Scenario
Some A. Datum users report that they cannot access their mailboxes through Outlook. You need to check
whether the issue is with client connectivity or with mail flow.

The main tasks for this exercise are as follows:

1. Send an email to a nonexistent domain.

2. Track mail delivery.

3. Send an email to a nonexistent user.



4. Track mail delivery.

5. Analyze mail flow.

 Task 1: Send an email to a nonexistent domain


1. Sign in to the Office 365 admin portal as holly@Adatumyyxxxxxx.hostdomain.com by using the
password Pa$$w0rd.

2. Go to Outlook on the web, and then create an email to user@alt.none with any subject and body
text.

3. Send the email.

 Task 2: Track mail delivery


1. Review the failed delivery report with the reason “The domain name in the email address is incorrect”.

2. Copy the message header of the message.

3. Browse to testconnectivity.microsoft.com.

4. Click the Message Analyzer tab, paste the content, and then click Analyze headers.
5. Note the diagnostic information and the time taken for the message to be rejected.

 Task 3: Send an email to a nonexistent user


 Send an email from Holly to difflop4890@outlook.com.

 Task 4: Track mail delivery


1. Review the delivery failure with the “550 Requested action not taken: mailbox unavailable” reason.
2. In the Microsoft Remote Connectivity Analyzer, on the Message Analyzer tab, analyze the message
header, and then examine the results.

 Task 5: Analyze mail flow


1. Go to the new Office 365 admin center, access the Exchange admin center, click mail flow, and then
click message trace.

2. Add Holly as a sender.

3. Under Date range, select Past 24 hours.

4. Under Delivery status, select Failed, and then click Search. Note the two messages.

5. Note the differences between the message processing events: Receive, Submit, Spam Diagnostics, and
Fail for the nonexistent domain, and Submit, Receive, Spam Diagnostics, and Fail for the nonexistent
user.

6. Close the Message Trace window.

Results: After completing this exercise, you should have used the Message Header Analyzer to identify
why email failed to deliver.
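The Task 5 message trace can also be run from Exchange Online PowerShell, which is useful when you want to compare the processing events of many failed messages at once. This is an added example and not part of the course lab; it assumes the ExchangeOnlineManagement module is installed and that you have already run Connect-ExchangeOnline as a tenant administrator, and the sender address is a placeholder for your lab tenant.

```powershell
# Placeholder sender: replace Adatumyyxxxxx with your lab tenant name
$sender = 'holly@Adatumyyxxxxx.hostdomain.com'

# Same filter as the lab: sender Holly, past 24 hours, delivery status Failed
$failed = Get-MessageTrace -SenderAddress $sender `
    -StartDate (Get-Date).AddHours(-24) `
    -EndDate (Get-Date) `
    -Status Failed

# Overview of the failed messages (expect the nonexistent-domain and nonexistent-user messages)
$failed | Select-Object Received, RecipientAddress, Subject, Status | Format-Table -AutoSize

# For each failed message, pull the per-hop processing events so the two failure
# patterns (nonexistent domain vs. nonexistent user) can be compared in order
foreach ($msg in $failed) {
    $events = Get-MessageTraceDetail -MessageTraceId $msg.MessageTraceId `
        -RecipientAddress $msg.RecipientAddress |
        Sort-Object Date

    "`n--- $($msg.RecipientAddress) ---"
    # Event sequence, for example Receive -> Submit -> Spam Diagnostics -> Fail
    ($events.Event -join ' -> ')
    # The Fail event's Detail field carries the NDR reason text
    $events | Where-Object Event -eq 'Fail' | Select-Object -ExpandProperty Detail
}
```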

Exercise 2: Monitoring service health and analyzing reports


Scenario
You identified the reports that you need to provide to A. Datum’s management. Management is
particularly interested in the number of malware and spam items that are reaching the organization. You
need to familiarize yourself with the Office 365 reporting tools. Your next task is to produce reports on
the numbers of messages that Exchange Online Protection is intercepting.

The main tasks for this exercise are as follows:

1. View Office 365 service health.

2. View reports in the Office 365 admin center.

 Task 1: View Office 365 service health


1. Connect to the new Office 365 admin center.
2. On the menu, access Service Health, and then view the history of the past 30 days for the Exchange
Online service.

3. Click any yellow entry in the calendar to see further details.

 Task 2: View reports in the Office 365 admin center


1. Switch back to the previous Office 365 admin center.

2. In the Office 365 admin center, click the REPORTS link.

3. Review the following reports:

o Mailbox usage

o Sent and received mail

o Malware detections

o Spam detections

4. Keep the virtual machines running for the next lab.

Results: After completing this exercise, you should have monitored the health of Office 365 services and
viewed reports in the Office 365 admin center.

Question: How would you view all the failed messages for a group of users?

Question: What is the first tool you will use to search for service incidents and failures?

Module Review and Takeaways


Best Practice
Many tools are available to help troubleshoot issues in Office 365. As a starting point, you can use the
Office 365 do-it-yourself troubleshooter for an initial diagnosis.

Common Issues and Troubleshooting Tips


Common Issue | Troubleshooting Tip
Outlook client connectivity issues | Look for Autodiscover issues in the Microsoft Remote Connectivity Analyzer
Unable to connect to the Skype for Business client | Use the Microsoft Office 365 Support and Recovery Assistant tool

Module 13
Planning and configuring identity federation
Contents:
Module Overview 13-1

Lesson 1: Understanding identity federation 13-2

Lesson 2: Planning an AD FS deployment 13-11

Lesson 3: Deploying AD FS for identity federation with Office 365 13-26

Lesson 4: Planning and implementing hybrid solutions (Optional) 13-43 

Lab: Planning and configuring identity federation 13-48

Module Review and Takeaways 13-57

Module Overview
In this module, you will learn how to plan and configure identity federation. While there are multiple
identity models for Office 365, Active Directory Federation Services (AD FS) provides identity federation
between on-premises Active Directory Domain Services (AD DS) and Microsoft Azure Active Directory
(Azure AD). This module enables multiple features with the cloud provider, including single sign-on (SSO)
with Office 365.

Objectives
After completing this module, you should be able to:
 Describe how identity federation works, and how you can use AD FS to implement identity federation.

 Plan an AD FS deployment to support identity federation with Office 365.

 Deploy AD FS to enable SSO for Office 365.

 Describe hybrid solutions for Microsoft Exchange Server, Microsoft Skype for Business Server, and
Microsoft SharePoint Server.

Lesson 1
Understanding identity federation
Before you begin designing your AD FS deployment, you must understand how identity federation works,
and the advantages this identity model provides you. You will learn the core components, the various
topologies, and how you can use AD FS to implement authentication, using federated identities, in
Office 365.

Lesson Objectives
After completing this lesson, you should be able to:

 Describe the concepts of claims-based authentication and federated trusts.

 Describe the underlying technologies – Security Assertion Markup Language (SAML) tokens, and
security token service.

 Describe AD FS, and how you can use it to implement identity federation.

 Describe how SSO works with Office 365 – web clients, Microsoft Outlook, and Skype for Business.

 Compare identity federation, directory synchronization, and password synchronization and explain
why an organization would choose one option over another.

Claims-based authentication
When you consider identities such as Integrated Windows authentication, Kerberos authentication, or
NT LAN Manager (NTLM), you most likely think about Microsoft Windows user accounts and groups. When
you consider identities in Active Server Pages (ASP), such as the ASP.NET membership and roles provider,
you probably think about user names, passwords, and roles. When you consider what the different
authentication mechanisms have in common, you can abstract the individual elements of identity and
access control into two parts: a single, general notion of claims, and the concept of an issuer or an
authority.
A claim is a statement that one subject makes about itself or another subject. For example, the statement
can be about a name, identity, key, group, privilege, or capability. Claims are issued by a provider, are
given one or more values, and then packaged in security tokens that are issued by an issuer, commonly
known as a security token service (STS). You can think of a security token as an envelope that contains
claims about a user.

Additional Reading: For a full list of definitions of terms associated with claims-based
identity, see Claims-based identity term definitions at http://aka.ms/wnc2ys.

Thinking in terms of claims and issuers is a powerful abstraction that supports new ways of securing your
applications. Because claims involve an explicit trust relationship with an issuer, your application believes a
claim about the current user only if it trusts the entity that issued the claim. Trust is explicit in the claims-
based approach—not implicit as in other authentication and authorization approaches with which you
might be familiar. The following table shows the relationships between security tokens, claims, and issuers.

Security token | Claims | Issuer
Windows token (for example, a security identifier, or SID) | Username and groups | AD DS
Username token | Username | Application
Certificate | A certificate thumbprint, a subject, or a distinguished name | Certification authorities (for example, the root authority, and all authorities in the chain to the root)

The claims-based approach to identity makes it easier for users to sign in using Kerberos authentication
where it makes sense. However, it is just as easy for them to use one or more (perhaps more Internet-
friendly) authentication techniques, without you having to recode, recompile, or even reconfigure your
applications. You can support almost any authentication technique. Some of the more popular
authentication techniques are Kerberos authentication, forms authentication, X.509 certificates, smart
cards, and other information-type cards.

Here are a few situations in which claims-based identity might be the right choice for you. You might
have web-facing applications that are used by people who do not have accounts in your Active Directory
domain. Another reason might be that your company has merged with another company and you are
having trouble authenticating across two AD DS forests that do not have a trust relationship. Perhaps you
want to share identities with another company that has non–.NET Framework applications or you need to
share identities between applications running on different platforms. Another situation might be an
application that needs to send email to the authenticating user or an email to their manager.

Claims-based identity allows you to factor out the authentication logic from individual applications.
Instead of the application determining who the user is, it receives claims that identify the user.

Federated trusts
At this point, you have learned about claims-based identity where the issuer directly authenticates the
users to a claims-based application. However, you can take this one step further. You can expand your
issuer’s capabilities to accept a security token from another issuer, instead of requiring the user to
authenticate directly. Your issuer would issue security tokens and accept security tokens from other
issuers that it trusts. This enables you to federate identity with other realms, which are separate security
domains.

Benefits of federated trusts


Maintaining an identity database for users can require a lot of support. Even something as simple as a
database containing usernames and passwords can be difficult to manage. Users might forget their
passwords on a regular basis, and your company’s security policies might not allow you to email forgotten
passwords to them. If maintaining an identity database for users inside your enterprise is difficult, imagine
the complexity of doing this for hundreds or even thousands of remote users.

Managing a role database for remote users is just as difficult. Imagine Alice, who works for a partner
company and uses your purchasing application. On the day that your information technology (IT) staff
provisioned her account, she worked in the purchasing department, so the IT staff assigned her the role of
Purchaser, which granted her permission to use the application. However, because she works for a
different company, how will your company be able to find out if she transfers to the Sales department? In
addition, what will happen if she quits employment with the partner company? In both cases, you would
want to know about her change of status, but it is unlikely that anyone in the human resources
department at her company will notify you. Any data that you store about a remote user will eventually
become outdated. Therefore, how can you safely expose an application for a partner business to use?

Another feature of claims-based identity is that you can decentralize it. Instead of having your issuer
authenticate remote users directly, you can set up a trust relationship with an issuer from a separate
company. This means that your issuer will trust their issuer to authenticate users in their realm. Therefore,
their employees would not require additional credentials to use your application. Instead, they would
continue using the same SSO mechanism they have always used in their company. In addition, your
application still works because it continues to receive the same security token it needs. Moreover, the
claims that you receive in your security token for these remote users might include their role with the
company. This is because they are not employees of your company, but your issuer is responsible for
determining the proper assignments based on their role.

Finally, your application does not need to change when a new organization becomes a partner. The ratio
of issuers to applications is a benefit of using claims—you reconfigure one issuer and many downstream
applications become accessible to many new users. Another benefit is that claims allow you to store data
about users logically. Data can be kept in the store that is authoritative rather than in a store that is more
convenient to use or easily accessible. This allows you to grant access to users from other organizations
without creating a user account in your environment. Once your company decides which realms should
be allowed access to your claims-based application, your IT staff can set up the proper trust relationships.

How federated identity works


Federating identity across realms is similar to the previous authentication techniques, with the addition of
an initial handshake in the partner’s realm. For example, the following process describes what happens
when a user from A. Datum accesses an application in the Contoso organization.

1. The user starts by authenticating to the A. Datum federation server.

2. The A. Datum federation server issues the user a security token.

3. The security token is then presented to the Contoso federation server. Since a federated trust is
configured between the two organizations, the Contoso federation server accepts the token in lieu of
authenticating the user directly.

4. The Contoso federation server then issues a security token to the user.

5. Finally, the user sends the security token to the Contoso application.

Note: Users are not actively aware of this process in most scenarios – the Internet browser
or smart client does this in the background on their behalf.

Because of the federated trust, your application only accepts security tokens that are signed by the issuer
that it trusts. Remote users cannot receive access if they try to send a token from their local issuer directly
to your application.

Service providers
According to the Organization for the Advancement of Structured Information Standards (OASIS) (the
organization that created SAML), a service provider is defined as a role donned by a system entity where
the system entity provides services to principals or other system entities. In essence, a service provider is
an entity that provides web services. Examples of service providers include application service providers
(ASPs), storage service providers, and Internet service providers (ISPs).

Identity providers
According to the OASIS, an Identity Provider (IdP) is defined as a kind of provider that creates, maintains,
and manages identity information for principals and provides principal authentication to other service
providers within a federation, such as with web browser profiles. An IdP is sometimes called an identity
service provider or identity assertion provider. In essence, an IdP is an online service or website that
authenticates users on the Internet by means of security tokens, one of which is SAML 2.0.

Service provider vs. IdP


There is an overlap when it comes to defining service providers and IdPs. A service provider relies on a
trusted IdP for authentication and authorization. In SAML, the XML standard for exchanging authentication
and authorization data, the two security domains between which information is passed are a service
provider and an IdP. SAML’s service provider depends on receiving assertions from a SAML authority or
asserting party, known as a SAML IdP.
In the Web services federation (WS-Federation) model, an IdP is an STS, and a federation is an association
comprising any number of service providers and IdP’s. Service providers depend on an IdP, or an STS, to
do the user authentication. Open Authorization (OAuth) is an important protocol for IdP services as most
major web services also are identity providers, mainly through the use of OAuth. These web services
include Google, Facebook, Yahoo, AOL, Microsoft, PayPal, MySpace, and Flickr, among many more.
Furthermore, all major email providers offer OAuth IdP services.
In simple terms, as it relates to Identity Management, an IdP can be described as a service provider for
storing identity profiles and offering incentives to other service providers with the aim of federating user
identities.

Note: IdPs also can provide services beyond those related to the storage of identity
profiles.

What is AD FS?
Active Directory Federation Services (AD FS) provides the infrastructure that enables a user to
authenticate in one network and use a secure service or application in another. With Office 365, AD FS
enables users to authenticate through their on-premises AD DS, and then use an account in Office 365
without requiring any further authentication prompts. AD FS also provides SSO for users accessing
Office 365 or another service, with the same account that they sign in to their workstation. This
requirement for matching on-premises identities with remote service accounts is why an Office 365 SSO
solution requires both AD FS and directory synchronization. When you implement AD FS, all password
management and password policies are maintained by your on-premises AD DS.

How AD FS works
In the WS-Federation model, a service provider (also known as a relying party) is a partner in a federation
that creates security tokens for users. The term arose because the application relies on an issuer to provide
information about identity. Further, an IdP (also known as a claims provider) is a partner in a federation
that consumes security tokens to provide access to applications. Upon deployment of AD FS, an implicit
claims provider trust is enabled for the Active Directory domain in which the AD FS server resides.

When a user initiates an authentication request through AD FS by using an AD FS client (for example,
Microsoft Edge), AD FS initially verifies the user credentials in AD DS. After successful authentication by
AD DS, the STS component of AD FS issues a security token that authorizes the user to the application or
service, such as Office 365. In this scenario, Office 365 implicitly trusts the token issuer, or the Active
Directory domain.

The security token contains claims about the user, such as user name, group membership, user principal
name (UPN), email address, manager details, and phone number. It is up to the consuming application,
such as Office 365, to decide how to use these claims, and to make appropriate authorization decisions;
the application does not make authentication decisions, as these are made by AD DS.
The trust between the parties is managed through certificates. While the certificates used for security
token signing and encryption can be self-signed by the AD FS server, typically HTTPS communications
between the issuer and the consuming application or service requires a public key infrastructure (PKI). A
primary example of this is AD FS as the issuer, and Office 365 as the consuming application or service.

Authentication
The primary AD FS authentication methods are:
 Forms authentication. This authentication method is for resources published to the outside of the
corporate network and accessible from clients over the Internet. While forms authentication is
enabled by default you also can enable certificate authentication—smart card authentication or user
client certificate authentication—that integrates with AD DS.

 Integrated Windows authentication. This authentication method is for resources that are published to
the inside of the corporate network and are accessible from intranet resources. While Integrated
Windows authentication is enabled by default, you also can enable forms authentication and/or
certificate authentication.

Note: Integrated Windows authentication is not supported on all browsers. During
authentication, AD FS detects the user agent on the user’s browser and determines if it supports
Integrated Windows authentication.
You can use the following Windows PowerShell command to specify alternate user agent strings
for browsers that support Integrated Windows authentication:

Set-AdfsProperties -WIASupportedUserAgents

If the client’s user agent does not support Windows authentication, AD FS uses the default
authentication method of forms authentication.
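The parameter replaces the whole list rather than appending to it, so the usual way to add a browser is to read the current list first. The following is an added example, not course text; it assumes it is run in an elevated PowerShell session on a federation server by an AD FS administrator, and that the AD FS Windows service is named adfssrv.

```powershell
# Show the user-agent substrings AD FS currently treats as WIA-capable
$current = @((Get-AdfsProperties).WIASupportedUserAgents)
$current

# Substring to add. Matching is by substring, so keep additions as specific as your
# browser estate allows; the broad 'Mozilla/5.0' matches most modern browsers.
$toAdd = 'Mozilla/5.0'

if ($current -notcontains $toAdd) {
    # Append to the existing list. Passing only the new value would replace the
    # whole list and silently turn WIA off for the default (IE/Edge) user agents.
    Set-AdfsProperties -WIASupportedUserAgents ($current + $toAdd)

    # Restart the federation service (assumed name adfssrv) so the change is picked up
    Restart-Service adfssrv
}

# Verify the resulting list; browsers whose user agent contains none of these values
# fall back to forms authentication
(Get-AdfsProperties).WIASupportedUserAgents
```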

You also can enable device authentication to provide multi-factor authentication (MFA). Device
authentication requires that a registered device is used before a user can access a resource. MFA requires
that you enable at least one additional authentication method.

Additional Reading: For more information about using devices for MFA and SSO, see
Overview: Join to Workplace from Any Device for SSO and Seamless Second Factor
Authentication Across Company Applications, at: http://aka.ms/cnmkt7.

Note: Office 365 has a separate MFA process for administrator accounts that is now
extended to user accounts. This authentication process requires users to acknowledge a phone
call, text message, or app notification after correctly entering their password. The MFA feature in
Office 365 is not the same as the MFA feature in AD FS.

Attribute stores
The AD FS attribute stores are the directories or databases used to store user accounts and associated
attribute values. AD FS supports the following directories or databases as attribute stores:

 AD DS in Windows Server 2003, or newer.

 Microsoft SQL Server 2005, or newer.

 Custom attribute stores, to enable AD FS to integrate with non-Microsoft platforms.

User experience
When a user authenticates through AD FS on the corporate intranet, the user will not be prompted for
their credentials on subsequent attempts, providing:

 Internal DNS can resolve the AD FS service name to the backend AD FS servers, or to the load-
balanced IP for the AD FS service.

 Any web proxy is configured to bypass the proxy for client requests to the URL for AD FS. You can use
a Group Policy Object (GPO) to add the URL for AD FS to the local intranet zone in Microsoft Internet
Explorer, or Microsoft Edge.

 Internet Explorer or Microsoft Edge is enabled for Integrated Windows authentication.

 A service principal name (SPN) is registered under the AD FS service account for the AD FS service.
This will enable Kerberos authentication.

 The default authentication method for the AD FS service is Integrated Windows authentication.

Note: Users can avoid a credentials prompt when they access a cloud service using the same
account that they use to sign in to the workstation.
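Most silent-SSO failures on the intranet come down to one of the prerequisites listed above not holding. The following is an added check script, not course code; it assumes it runs on a federation server (for the ADFS cmdlets) that is domain joined, the service name and service account are placeholders, and the final check reads the registry key that the "Site to Zone Assignment List" Group Policy setting writes on a managed client, if that policy is present on the machine.

```powershell
$fsName  = 'sts.adatum.com'     # placeholder federation service name
$svcAcct = 'ADATUM\svc_adfs'    # placeholder AD FS service account

# 1. Internal DNS must resolve the service name (to the farm members or the load-balanced IP)
$dns = Resolve-DnsName -Name $fsName -Type A -ErrorAction SilentlyContinue
"DNS resolves ${fsName}: $([bool]$dns)"

# 2. A HOST SPN for the service name must be registered on the AD FS service account;
#    without it Kerberos cannot be used and clients fall back to NTLM or a prompt
$spnList = setspn -L $svcAcct 2>$null
$hasSpn  = [bool]($spnList -match ('HOST/' + [regex]::Escape($fsName)))
"SPN HOST/$fsName registered: $hasSpn"

# 3. Integrated Windows authentication must be an intranet primary authentication method
$policy = Get-AdfsGlobalAuthenticationPolicy
$wia = $policy.PrimaryIntranetAuthenticationProvider -contains 'WindowsAuthentication'
"Intranet WIA enabled: $wia"

# 4. On a managed client, the Site to Zone Assignment List GPO places the AD FS URL in
#    the local intranet zone (zone 1). Read that policy entry if it exists on this machine.
$zoneKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$zone = (Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue)."https://$fsName"
"AD FS URL in local intranet zone via GPO: $($zone -eq '1')"
```

Any line reporting False points at the prerequisite to fix before looking further at browser settings.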

When a user authenticates through AD FS over the Internet, you might prefer to secure the access to the
AD FS server. If so, you can deploy a proxy server in the perimeter network to intercept the authentication
request. The proxy server also uses forms authentication, which displays a webpage form for users to type
their credentials. This deployment option has a smaller security footprint since it only requires opening
the SSL port (443) to the Internet. By contrast, Integrated Windows authentication requires a range of
ports and services and should not be exposed to the Internet. As opposed to the user experience for users
on the corporate intranet, the user could be prompted each time they authenticate through AD FS over
the Internet.

Note: For more information about customizing the AD FS sign-in pages, refer to:
http://aka.ms/bis6uu.

AD FS versions
Versions of AD FS since the initial release include:

 AD FS 1.0. AD FS 1.0 was originally released as a Windows component with Windows Server 2003 R2.

 AD FS 1.1. AD FS 1.1 was released with Windows Server 2008 and Windows Server 2008 R2, as an
installable server role.

 AD FS 2.0. AD FS 2.0 was released as an installable download for Windows Server 2008 service pack 2
(SP2) or above.

 AD FS 2.1. AD FS 2.1 was released with Windows Server 2012 as an installable server role.
 AD FS 3.0. AD FS 3.0 is an installable server role on Windows Server 2012 R2. AD FS 3.0 does not
require a separate installation of Microsoft Internet Information Services (IIS), and it includes a new
AD FS proxy role called the Web Application Proxy.
 AD FS 3.1. AD FS 3.1 is an installable server role on Windows Server 2016. Similar to AD FS 3.0, there is
no requirement for a separate IIS install. AD FS includes the Web Application Proxy.

AD FS 1.x was limited in its standards support, including WS-Federation passive requestor profile
(browser), and SAML 1.0 tokens.

AD FS 2.0 extended standards support for WS-Federation. In addition, AD FS supports:

 WS-Federation Password Replication Policy (PRP).

 WS-Federation active requestor profile.

 SAML 1.1 and SAML 2.0 tokens.

 SAML 2.0 operational modes.


 IdP Lite/service provider lite/eGov 1.5.

AD FS 3.0 now:

 Supports any LDAP v3 directory.

 Provides support for an untrusted AD DS forest.

 Provides an upgrade path from AD FS 2.1.

 Provides access control policies, and expands support for OAuth.

 Includes support for OpenID Connect.

Note: The labs in this course use AD FS 3.0 on Windows Server 2012 R2.

Some of the new features in AD FS 3.0 on Windows Server 2012 R2 include:

 IIS dependency removed.

 Deployment option for a stand-alone federation server is now removed. While you still can deploy
one federation server, the only deployment option is for a federation server farm.

 Separate AD FS proxy role removed. The AD FS proxy server is replaced by the Web Application
Proxy, which is used to publish the AD FS federation server to the Internet. Web Application Proxy can
publish many other applications than just AD FS.

 AD FS extranet lockout. AD DS account lockout protection is available on the AD FS proxy.

 Access control based on network location to control user authentication to AD FS.

How AD FS provides SSO for Office 365

The Azure AD service acts as a trusted token signer for user claims to Office 365 services and requires
an STS infrastructure to provide SSO. Azure AD currently supports the following STS infrastructures:

 Active Directory Federation Services (AD FS)

 Shibboleth IdP

 SAML 2.0 IdP

 IdPs from other companies

Note: This course only covers using AD FS as the STS.

How AD FS works with directory synchronization


AD FS provides SSO for Office 365 services, but only for users that have an account in both on-premises
AD DS and Office 365. The justification to require the account to exist in both directories is that the user is
always authenticating as an Office 365 account, even if SSO is not enabled.

As described earlier in the module, with SSO, authentication uses a security token from AD FS to access
Office 365 services rather than a user authenticating directly to Office 365. In the most common
environments, you create user accounts in your on-premises AD DS, and deploy directory synchronization
to synchronize the user accounts to Office 365. While policy settings are synchronized only from AD DS,
new features in the Microsoft Azure AD Connect directory synchronization tool synchronize user accounts
to both destinations. This allows you to create the user account in Office 365, and Azure AD Connect then
synchronizes it to your on-premises AD DS.

Note: It is important to understand that SSO with Office 365 is, in effect, a hybrid
environment. While most of the object attributes are the same, users have two separate accounts,
including an on-premises Active Directory account and an Azure AD account. Although you
assign Office 365 services to the Azure AD account, users do not authenticate to Office 365 with
their on-premises Active Directory account. Rather, the user’s on-premises Active Directory
account credentials provide them access, or authorize them, to the Azure AD Account in Office
365 through the claims within the security token.

Password synchronization in directory synchronization vs. AD FS


As discussed earlier in the module, directory synchronization supports password synchronization to Office
365. This ensures that a user's on-premises Active Directory account and Azure AD account have the same
password at all times; password resets are synchronized in near real time, unlike other attribute changes
that are subject to the default three-hour synchronization schedule. For this reason, some organizations
could decide not to deploy AD FS, but instead choose to deploy only directory synchronization. While this
scenario is supported, it only provides users with a Same Sign-On experience, rather than an SSO
experience.

One disadvantage to only deploying password synchronization in directory synchronization is that your
environment includes two separate password policies—on-premises and in the cloud—and password
updates require successful synchronization. However, one advantage to deploying password
synchronization within directory synchronization is that a major failure in your on-premises infrastructure
can potentially have only a minimal impact to your Office 365 services. More information on deploying
AD FS with High Availability is provided later in this module.

Note: Password write-back, or password synchronization from Office 365 to your on-premises
AD DS, is now available in Azure AD Connect. However, Azure AD Premium licensing is required.

Discussion: Comparing federated identities and synchronized identities

Directory Services and SSO are key parts of integrating your on-premises environment and
online services. You are planning for the deployment of your company’s Office 365 tenant.
To ensure your users are able to use their credentials from your on-premises AD DS, you
need to evaluate which identity solution to deploy based on your business requirements.

The business requirements include:

 Passwords updated by users in on-premises AD DS should be available for use in accessing Office 365
services within five minutes.

 Password complexity should comply with policies in on-premises AD DS.

 Password expiration should comply with policies in on-premises AD DS.

Question: After discussing these requirements with your engineering staff, which option for
authentication should your team consider for deployment?

 Password synchronization in Azure AD Connect

 Federated (SSO) authentication with AD FS

 Federated (SSO) with AD FS, and password synchronization in Azure AD Connect



Lesson 2
Planning an AD FS deployment
In this lesson, you will learn how to plan an AD FS deployment to support identity federation with
Office 365. AD FS is important in order for users to access Office 365 services. You will also learn how
to plan a highly available environment based on the size of your environment.

Lesson Objectives
After completing this lesson, you should be able to:

 Describe the AD FS server roles, including AD FS proxy or Web Application Proxy.

 Describe the planning considerations for deploying AD FS for Office 365.

 Plan for highly available deployment of AD FS that addresses all single points of failure.

 Describe the capacity planning of AD FS.

 Describe the requirements for deploying AD FS, including Domain Name System (DNS) records and
certificates.

 Describe the optional scenario of deploying SSO with Azure virtual machines.

AD FS server roles
Depending on the environment in your
organization, you must deploy certain AD FS
server roles to meet your business and security
requirements. You can use one or more server
roles to provide an AD FS federated identity
management solution in support of these
requirements.

Federation service
Beginning with Windows Server 2012, AD FS includes the federation service role service. The federation
service issues, manages, and validates requests for security tokens, and provides identity management.
It can act as an identity provider by authenticating users and issuing security tokens to applications that
trust AD FS. It also can act as a federation provider by consuming tokens from other identity providers
and then issuing security tokens to applications that trust AD FS.

Federation server farm


A federation server farm consists of two or more federation servers that run the federation service role
service, and that share the same AD FS configuration database and token-signing certificates. Although
the federation service role service is installed on each federation server in the farm, the servers work
together to act as one federation service instance. You should consider deploying a federation server farm
when you have a larger AD FS environment and you want to provide fault tolerance, load-balancing, or
scalability to your organization's federation service.

Note: While not a requirement, federation servers in a federation server farm should be
located on the same network. You typically can use Network Load Balancing (NLB) or some other
form of clustering to allocate a single IP address for the multiple federation servers.

Federation proxy
When providing extranet access to applications and services that are secured by AD FS, you might choose
to deploy a federation proxy. A federation proxy is a computer that has been configured to act as an
intermediary proxy service between the clients on the Internet and your federation service that is located
behind your firewall on the corporate network. In order to allow remote access to the cloud service, such
as from a smartphone, home computer, or Internet kiosk, you should strongly consider deploying a
federation server proxy.

Note: Federation proxies cannot produce security tokens themselves; instead, they are used
to route or redirect tokens to clients, and if necessary, route or redirect the tokens back to the
federation server. For this reason, federation proxy servers are not required for providing remote
access to cloud services. However, they are strongly recommended.

The predecessor to Web Application Proxy was limited to brokering connections between external users
and the federation service. Now, Web Application Proxy provides reverse proxy functionality for web
applications inside a corporate network to external users. In addition, it pre-authenticates access to web
applications for the federation service, and functions as an AD FS proxy.

Database
AD FS uses a database to store configuration data—and in some cases transactional data—related to the
federation service. During deployment, you can choose to use either the built-in Windows Internal
Database (WID) or SQL Server. While most of the functions of the two database types are relatively
equivalent, one of the major differences is how they function in a federation server farm. When you
deploy a federation server farm using WID, the federation server farm replicates data between a primary
federation server and secondary federation servers.

Note: There are no feature differences between using WID or SQL Server that are required
for integration with Office 365. More information about determining which type of AD FS
configuration database to use is discussed later in this module.

Creating the first federation server in a farm also creates a new Federation Service. When you use WID for
the AD FS configuration database, the first federation server that you create in the farm is referred to as
the primary federation server. This means that this computer is configured with a read/write copy of the
AD FS configuration database. All other federation servers that you configure for this farm are referred to
as secondary federation servers because they must replicate any changes that are made on the primary
federation server to the read-only copies of the AD FS configuration database stored locally. Secondary
federation servers connect to and synchronize the data with the primary federation server in the farm by
polling it at regular intervals to verify if data has changed.

Note: The poll interval of the secondary federation servers is five minutes by default, but an
immediate synchronization can be forced at any time by using Windows PowerShell cmdlets.

The secondary federation servers exist to provide fault tolerance for the primary federation server and to
load-balance access requests across network sites. If the primary federation server is offline, all secondary
federation servers continue to process requests as normal. However, no new changes can be made to the
AD FS database until the primary federation server is brought back online, or a secondary server is
promoted to the primary federation server role. You can manage assignment of the primary and
secondary federation server in the federation server farm when you use the Set-AdfsSyncProperties
Windows PowerShell cmdlet.
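The WID replication described above can be checked and, if the primary is lost, repaired with the AD FS sync cmdlets. The following script is an added example and is not part of the course; it reads the live sync properties, warns when a secondary has missed its polls, and lists the promotion commands. The warning threshold (two missed polls) and the server name ADFS02.adatum.com are assumptions.

```powershell
# Added example, not part of the course: report WID replication state on this federation
# server and warn when a secondary has missed its polls. The 2x-poll threshold and the
# server name ADFS02.adatum.com are assumptions. Run in an elevated session on the server.
Import-Module ADFS

function Get-AdfsFarmSyncReport {
    param([int]$MissedPollsBeforeWarning = 2)   # assumed threshold

    $sync = Get-AdfsSyncProperties
    $report = [pscustomobject]@{
        Role                = $sync.Role                 # PrimaryComputer or SecondaryComputer
        PrimaryComputerName = $sync.PrimaryComputerName
        PrimaryComputerPort = $sync.PrimaryComputerPort  # WID replication uses port 80 by default
        PollDurationSeconds = $sync.PollDuration         # 300 = the five-minute default
        LastSyncFromPrimary = $sync.LastSyncFromPrimary
        LastSyncStatus      = $sync.LastSyncStatus       # 0 means the last poll succeeded
        Healthy             = $true
        Message             = ''
    }

    # Only secondaries poll; on the primary these fields are not meaningful.
    if ($sync.Role -eq 'SecondaryComputer') {
        $age = (Get-Date) - $sync.LastSyncFromPrimary
        if ($sync.LastSyncStatus -ne 0) {
            $report.Healthy = $false
            $report.Message = "Last poll of $($sync.PrimaryComputerName) failed (status $($sync.LastSyncStatus))"
        }
        elseif ($age.TotalSeconds -gt $MissedPollsBeforeWarning * $sync.PollDuration) {
            $report.Healthy = $false
            $report.Message = ('No sync from {0} for {1:N0} minutes' -f $sync.PrimaryComputerName, $age.TotalMinutes)
        }
    }
    return $report
}

$r = Get-AdfsFarmSyncReport
$r | Format-List
if (-not $r.Healthy) { Write-Warning $r.Message }

# Shorten the poll interval during a change window so secondaries pick up changes sooner
# (the default is 300 seconds):
#   Set-AdfsSyncProperties -PollDuration 60

# If the primary is permanently lost, promote a secondary (run on the server that becomes primary):
#   Set-AdfsSyncProperties -Role PrimaryComputer
# and then repoint every remaining secondary at the new primary:
#   Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName 'ADFS02.adatum.com' -PrimaryComputerPort 80
```

A stale LastSyncFromPrimary on a secondary is the earliest sign that changes made on the primary (new relying parties, certificate rollover) are not reaching the rest of the farm, so this check belongs in routine monitoring rather than only in an outage.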

Note: When you deploy a federation server farm using WID, some features of AD FS might
not be available. To have access to the full feature set when you configure your server farm,
consider using SQL Server to store the AD FS configuration database instead.

When you deploy a federation server farm using SQL Server, the term primary federation server does not
apply because all of the federation servers can equally read and write to the AD FS configuration database
that uses the same clustered SQL Server instance. More information about how to deploy a federation
server farm when you use SQL Server is discussed later in this module.

Simplified deployment experience

Deploying AD FS in Windows Server 2012 R2 is simplified by the following enhancements:

 AD FS is no longer dependent on IIS. This offers enhanced performance and reduces the footprint of
services, especially when AD FS is installed on Active Directory domain controllers.

 Remote installation and configuration through Server Manager.

 UI support for installing AD FS with SQL Server.

 Group managed service account support. This enables AD FS to run with service accounts without
managing expiring service account passwords.

 SQL Server merge replication support when deploying AD FS across globally dispersed data centers.

Planning an AD FS deployment for Office 365

Federation services are a full-featured, potentially complex set of technologies. To deploy AD FS
successfully, your planning should consider the following:

 Planning for the kind of end-user devices and browsers that are supported

 Selection of appropriate internal topologies and NLB for federation server farms and federation
proxies

 Remediation of AD DS for non-supported characters and invalid data

 Preparation of DNS host name records

 Purchase or issuing of certificates

 Configuration of firewalls for AD FS–related ports

 Planning for placement of AD FS servers and proxies

 Selection of appropriate AD FS database technology

 Planning for AD FS high availability

 Capacity planning to determine required servers and server specifications

 Preparation for MFA

 Planning for access filtering using claims rules

These planning considerations are examined in detail throughout the remainder of this module.

When you start planning your AD FS environment for integration with Office 365, there are a number of
design decisions you need to consider before starting the deployment process. These design decisions
include:

 Remediation of AD DS

 Choice of the configuration database

 Use of federation proxies

 Configuration of Extended Protection for Authentication

 Virtualization of your AD FS infrastructure

 Server placement

Remediation of AD DS
Several user attributes must be examined in AD DS before implementing AD FS. For example, the UPN
must be set for every user, and must be known by each user if used as his or her sign-in name. UPNs used
for SSO can contain only letters, numbers, periods, dashes, and underscores. If there are invalid characters
in UPNs, these must be remediated before AD FS is enabled.

The UPN domain suffix must be either the domain to be configured for SSO, or a subdomain. If the Active
Directory domain name is not a public Internet domain (for example, it ends with a “.local” suffix), the
UPN must be changed to include either a publicly registered domain, or a subdomain of an Internet
domain name.

If the domain suffix needs to be changed and directory synchronization has already been deployed, the
UPNs for users in Office 365 might not match the UPNs for the corresponding users in your on-premises
AD DS. To remediate these UPNs, you can reset them with the Set-MsolUserPrincipalName cmdlet, which
is available in the Windows Azure AD Module for Windows PowerShell:

Set-MsolUserPrincipalName -UserPrincipalName user@Adatum.local -NewUserPrincipalName user@Adatum.com
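The UPN checks above (characters, missing UPN, non-routable suffix) can be automated before directory synchronization or AD FS is enabled. The following script is an added example, not code from the course: it audits every enabled user in on-premises AD DS against the rules in this section and then applies the Set-MsolUserPrincipalName correction to the cloud copies of users whose suffix is being changed. The verified domain adatum.com and the ".local" suffix being replaced are assumptions.

```powershell
# Added example, not part of the course: audit on-premises UPNs against the SSO rules and
# remediate mismatched cloud UPNs. Assumes the ActiveDirectory and MSOnline modules are
# installed, that adatum.com is the verified Office 365 domain, and that the legacy
# suffix being replaced is Adatum.local.
Import-Module ActiveDirectory

$PublicDomain      = 'adatum.com'                         # assumed verified domain
$LegacySuffix      = 'adatum.local'                       # assumed non-routable suffix
$AllowedUpnPattern = '^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$'   # letters, numbers, periods, dashes, underscores

function Get-UpnAuditReport {
    # Returns one row per enabled user with the list of problems found (empty when clean).
    $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName
    foreach ($u in $users) {
        $upn    = $u.UserPrincipalName
        $issues = @()
        if ([string]::IsNullOrEmpty($upn)) {
            $issues += 'UPN not set'
        }
        else {
            if ($upn -notmatch $AllowedUpnPattern) { $issues += 'Invalid characters in UPN' }
            $suffix = ($upn -split '@')[-1].ToLower()
            # The suffix must be the SSO domain itself or a subdomain of it.
            if ($suffix -ne $PublicDomain -and $suffix -notlike "*.$PublicDomain") {
                $issues += "Suffix is not $PublicDomain or a subdomain: $suffix"
            }
        }
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            UserPrincipalName = $upn
            Issues            = ($issues -join '; ')
            NeedsRemediation  = ($issues.Count -gt 0)
        }
    }
}

$report = Get-UpnAuditReport
$report | Where-Object NeedsRemediation | Format-Table -AutoSize

# Cloud-side fix for users already synchronized with the legacy suffix: rewrite only the
# suffix so the Office 365 UPN matches the corrected on-premises UPN.
Connect-MsolService   # prompts for Office 365 admin credentials
$toFix = $report | Where-Object { $_.UserPrincipalName -and $_.UserPrincipalName.ToLower().EndsWith("@$LegacySuffix") }
foreach ($row in $toFix) {
    $prefix = ($row.UserPrincipalName -split '@')[0]
    Set-MsolUserPrincipalName -UserPrincipalName $row.UserPrincipalName `
                              -NewUserPrincipalName "$prefix@$PublicDomain"
}
```

Run the audit alone first and review the report; the on-premises UPN change itself (Set-ADUser -UserPrincipalName) is deliberately left to the change process, because it affects how users sign in.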

Configuration database
As discussed earlier in this module, when planning for federation services, you can choose to use either
the WID or SQL Server for hosting the Configuration database. For most AD FS deployments, we
recommend deploying a federation server farm with the WID deployment topology as the default choice,
as it is easier to deploy. In addition, it supports up to five federation servers in a farm, and up to 30
federation servers in a farm with few relying parties in federated trusts. WID also provides load balancing
and fault tolerance.

While SQL Server is not subject to the same limitations of WID, it does require more setup and
management. If you choose to deploy the federation server farm with SQL Server deployment topology,
all federation servers in the farm read and write to the same SQL Server database instance. This
deployment topology is typically reserved for more advanced AD FS deployments that require one or
more of the following criteria:

 Support for more than 100 claims providers or more than 100 relying parties in a federated trust.

 Support for more federation servers in a farm than what is supported by WID. A federation server
farm with WID has a limit of 30 federation servers if you have 100 or fewer relying parties in
federated trusts. If you have more than 100 relying parties, you are limited to five federation servers.

 Geographic load balancing to distribute the higher traffic across multiple data centers based on
location.

 High availability of the Configuration database.

 Additional performance enhancements, including the ability to scale out using more than five
federation servers in the same federation server farm.

 The need to use SAML/WS-Federation token replay detection to protect the integrity of
authentication requests by making sure that the same token is never used more than once. This helps
mitigate man-in-the-middle attacks.

 The need to use SAML artifact resolution to direct browser clients with an artifact to a SAML artifact
endpoint URL for resolution. This provides an alternate mechanism for passing tokens to client
applications.

Note: If you deploy a federation server farm with SQL Server, you must install AD FS using
Windows PowerShell. However, you can migrate an AD FS configuration database from WID to
an instance of SQL Server.
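The choice between WID and SQL Server shows up in a single parameter when the first federation server is created with Windows PowerShell. The following script is an added example and not code from the course; it builds the Install-AdfsFarm parameter set for both topologies side by side, using a group managed service account. The federation service name sts.adatum.com, the gMSA, the SQL Server name and the certificate thumbprint are assumed placeholders.

```powershell
# Added example, not part of the course: creating the first federation server of a farm with
# WID, and the same step with a SQL Server configuration database. The service name, the
# group managed service account, the SQL instance and the thumbprint are assumed placeholders.
# Run in an elevated session on the server that will become the first federation server.
Import-Module ADFS

function Get-AdfsFarmInstallParameters {
    # Builds the parameter set for Install-AdfsFarm; the only difference between the two
    # topologies is the presence of -SQLConnectionString.
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,
        [Parameter(Mandatory)][string]$CertificateThumbprint,   # SSL cert already in LocalMachine\My
        [Parameter(Mandatory)][string]$GroupServiceAccount,     # gMSA: no password to rotate
        [string]$SqlServer                                      # leave empty for WID
    )
    $p = @{
        FederationServiceName         = $FederationServiceName
        CertificateThumbprint         = $CertificateThumbprint
        GroupServiceAccountIdentifier = $GroupServiceAccount
    }
    if ($SqlServer) {
        # SQL topology: every farm member reads and writes the same database instance.
        $p['SQLConnectionString'] = "Data Source=$SqlServer;Integrated Security=True"
    }
    return $p
}

$common = @{
    FederationServiceName = 'sts.adatum.com'                # assumed
    CertificateThumbprint = 'PLACEHOLDER_SSL_THUMBPRINT'    # replace with the real thumbprint
    GroupServiceAccount   = 'ADATUM\gmsa-adfs$'             # assumed gMSA
}

# Option A: WID farm (default choice; up to 5 servers with more than 100 relying parties,
# 30 servers with 100 or fewer).
$widParams = Get-AdfsFarmInstallParameters @common
Install-AdfsFarm @widParams

# Option B: SQL Server farm (needed beyond the WID limits, or for token replay detection,
# artifact resolution, or geographic load balancing). Use instead of Option A:
#   $sqlParams = Get-AdfsFarmInstallParameters @common -SqlServer 'SQLADFS.adatum.com'
#   Install-AdfsFarm @sqlParams

# Adding further nodes later: WID secondaries replicate from the primary over port 80,
# SQL members simply point at the same database.
#   Add-AdfsFarmNode -CertificateThumbprint $common.CertificateThumbprint `
#       -GroupServiceAccountIdentifier $common.GroupServiceAccount -PrimaryComputerName 'ADFS01.adatum.com'
#   Add-AdfsFarmNode -CertificateThumbprint $common.CertificateThumbprint `
#       -GroupServiceAccountIdentifier $common.GroupServiceAccount -SQLConnectionString $sqlParams.SQLConnectionString
```

Keeping the common parameters in one hashtable makes the topology decision explicit and reviewable: a farm that later outgrows WID is migrated rather than reinstalled, so the SQL connection string is the only value that changes.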

Federation proxies
The role of federation server proxies is to redirect client authentication requests coming from outside your
corporate network to your federation server farm. You should plan on deploying federation proxies to
your AD FS environment if any of the following scenarios apply:

 Roaming work computers. These are users who are signed in to domain-joined computers with their
corporate credentials but who are not connected to the corporate network. For example, a roaming
work computer could be a work computer at a user’s home or at a hotel, which can access the cloud
service.

 Home or public computer. When a user’s computer is not joined to the corporate domain, the user
must sign in with their corporate credentials to access the cloud service.

 Smartphone. On a smartphone, the user must sign in with their corporate credentials to access a
cloud service such as Microsoft Exchange Online, by using Microsoft Exchange ActiveSync.

 Microsoft Outlook or other email clients. The user must sign in with their corporate credentials to
access their Office 365 email if they are using Outlook or an email client that is not part of the
Microsoft Office suite, such as an Internet Message Access Protocol (IMAP) or POP email client.

Extended Protection for Authentication

Certain browsers, such as Mozilla Firefox, Google Chrome, and Apple Safari, do not support the Extended
Protection for Authentication capabilities that are used across the Windows platform to protect against
man-in-the-middle attacks. To prevent this type of attack against your federation service, AD FS by
default requires that all federation traffic carry a channel binding token.

However, if your company supports browsers that do not support Extended Protection for Authentication,
you should consider disabling it in AD FS, so that the channel binding token is no longer required for all
federation communication. Doing so could leave client credentials vulnerable to man-in-the-middle
attacks.

Virtualization
You might decide to host your federation service from a virtualized infrastructure. All of the AD FS server
roles, including the federation server and the federation proxy, are supported in virtual machines on
Microsoft Hyper-V. If you plan to use this technology to host more than one federation server or proxy,
you should consider hosting the virtual machines on separate host computers.

Server placement
The most critical component of an AD FS deployment is the federation server or server farm. Therefore,
planning your server placement strategy properly is important. The federation servers must be domain-
joined and should be deployed behind a firewall on the corporate network to prevent exposure to the
Internet. However, the federation proxy should not be domain-joined and should be deployed in the
perimeter network.

Planning a highly available AD FS deployment


The availability of your AD FS environment is
critical when services in Office 365 are enabled for
federated authentication. For example, if your
federation server is unavailable, all user
authentication requests will fail and users will not
be able to access Office 365 services. Similarly, if
your federation proxy is unavailable, external user
authentication requests will not be passed to your
federation server, and these users will not be able
to access Office 365 services. Therefore, it is
essential that preparation for AD FS deployment
include planning for high availability of your
AD FS federation servers and the AD FS federation proxy servers.

Note: AD FS availability only affects user authentication and does not affect Office 365
services. For example, if users are not able to access their email in Office 365, their mailbox in
Exchange Online will continue to receive email.

Federation server farm


With Windows Server 2012 and earlier, you can deploy the AD FS federation server as a stand-alone
server or in a federation server farm. However, we recommend that you always deploy more than one
server in a federation server farm. Even if the farm consists only of one federation server initially, this
deployment method provides you with the option of adding more federation servers later for load
balancing or fault tolerance. However, if the AD FS federation server is deployed as a stand-alone server,
then you will not be able to add additional servers later.

With Windows Server 2012 R2 and later, you can only deploy the AD FS federation server in a federation
server farm. While this deployment method provides you with the option of adding more federation
servers later, we recommend that you deploy more than one federation server in a farm for your
production environments.

NLB

You should use NLB or other forms of clustering to allocate a single IP address for multiple AD FS
federation servers. With this deployment option, failure of a single federation server should not affect the
federation services for users. Similarly, you also should use NLB to provide an AD FS proxy array in the
perimeter network to ensure that external clients are not impacted by failure of any AD FS proxy
computer.

Note: While not covered in this course, you also can deploy a hardware load balancer
instead of NLB to provide high availability to your federation servers and federation proxy
servers.

Configuration database
If you chose WID as your AD FS data storage, there is a copy of the Configuration database on each
server. However, if you chose SQL Server as your AD FS data storage, you need to plan for a high
availability SQL Server deployment. As opposed to WID, deploying an AD FS federation server farm with
SQL Server does not enable high availability of the configuration database, by default. For example, if the
SQL Server is unavailable, the AD FS federation server is unable to connect to the Configuration database,
and the AD FS service will not start. For this reason, you should consider deploying AD FS with a SQL
Server cluster or a SQL Server failover partner. While you can enable the SQL Server cluster at any time,
the SQL Server cluster failover partner can only be enabled during AD FS deployment or afterwards. This is
because you use AD FS to configure the failover partner.

Additional Reading: For more information on the high availability solutions of SQL Server
refer to: http://aka.ms/lsr6m4.

Capacity planning
Capacity planning for federation servers helps you
assess the hardware requirements for each
federation server and the number of federation
servers to deploy. Capacity planning also helps
you estimate and prepare for growth in the size of
the AD FS configuration database.

Capacity planning sizing spreadsheet

The AD FS Capacity Planning Sizing spreadsheet includes calculator-like functionality that takes expected
usage data about users in your organization, and returns a recommended optimal number of federation
servers for an AD FS production environment.

The AD FS Capacity Planning Sizing spreadsheet requires the following inputs:

 A value (40, 60, or 80 percent) that best represents the percentage of total users expected to send
authentication requests to AD FS during peak usage periods.

 A value (one minute, 15 minutes, or one hour) that best represents the length of time the peak usage
period is expected to last.

 The total number of users that will require SSO access to the target claims-aware application, based
on whether the users are:

o Signing in to AD DS from a computer on the corporate network.

o Signing in to AD DS remotely from a computer.

o From another organization or from a SAML 2.0 identity provider.

Additional Reading: For more information about the AD FS Capacity Planning Sizing
spreadsheet, or to download it, refer to: http://aka.ms/n0uyfb.

Estimation table
AD FS can scale to support tens of thousands of users, and allows you to add more federation servers to a
server farm as your company scales up. You can use the following table to help you estimate the
minimum number of AD FS federation servers and web application proxies or federation server proxies
that you will need to deploy. These estimations are based on the number of users who will require SSO
access—including remote access—to the cloud service.

Note: Unless otherwise noted, all of the federation servers should be deployed in a
federation server farm with a WID store for the Configuration database. While fewer federation
servers might be possible in some of the scenarios below, an additional federation server is
included to provide redundancy.

Number of users accessing Office 365 services | Minimum number of AD FS servers to deploy | Recommendation and steps
Fewer than 1,000 users | 2 federation servers, 2 proxies | With fewer users, consider deploying the federation servers on two existing domain controllers and then implement load balancing using NLB. For the proxies, consider using two existing web servers or proxy servers, and then configure them both for the federation server proxy role or the Web Application Proxy role.
1,000 – 15,000 users | 2 federation servers, 2 proxies | With medium-to-large organizations, consider deploying the federation servers on two dedicated computers with NLB. Consider deploying the proxies on two dedicated computers with NLB.
15,000 – 60,000 users | 3-5 federation servers, 2 proxies | For every increment of 15,000 users over 15,000, you should deploy an additional federation server to the load-balanced farm, up to the maximum of five servers that WID supports—or more with a SQL Server database. For the proxies, consider deploying additional nodes to improve performance.
More than 60,000 users | 5+ federation servers, 3+ proxies | With enterprises with over 60,000 users, you should implement five or more federation servers using SQL Server for the configuration database. You also should deploy three or more proxies using hardware load balancing instead of NLB.

AD FS requirements
Prior to deploying AD FS, multiple requirements must be in place. The following are the various
requirements that you must plan for when deploying AD FS:

 Certificate

 Hardware

 Software

 AD DS

 Configuration database

 Browser

 Extranet

 Network

 Attribute store

 Application

 Authentication

 Workplace join

 Permissions

Certificate requirements
Certificates play the most critical role in securing communications between federation servers, Web
Application Proxy, claims-aware applications, and web clients. The requirements for certificates vary,
depending on whether you are deploying a federation server or a federation proxy computer. Within any
AD FS deployment, you are required to have the following four certificates:

Certificate type: SSL certificate. Standard SSL certificate used for securing communications between
federation servers and clients.
Requirements:

 The certificate must be a publicly trusted X509 v3 certificate.

 All clients that access AD FS must trust the certificate.

 While we recommend that you use the same SSL certificate for the Web Application Proxy, it is required
to be the same when supporting Windows Integrated Authentication endpoints, through the Web
Application Proxy, with Extended Protection for Authentication enabled.

 The subject name, or subject alternative name (SAN), on the certificate should represent the federation
service name.

 Wildcard certificates are supported.

Certificate type: Service communication certificate. Enables Windows Communication Foundation (WCF)
message security for securing communications between federation servers.
Requirements:

 While the SSL certificate is used as the service communication certificate by default, you can enable
another certificate.

 If using the SSL certificate, you will need to enable the renewed SSL certificate as the service
communication certificate upon expiration, as this is not automatic.

 This certificate must be trusted by clients of AD FS that use WCF message security, so you might
consider using a publicly trusted certificate.

 The certificate cannot use Cryptography Next Generation (CNG) keys.

 You can manage this certificate in the AD FS Management console or through Windows PowerShell.

Certificate type: Token-signing certificate. A standard X509 certificate that is used for securely signing
all tokens that the federation server issues.
Requirements:

 By default, AD FS creates this self-signed certificate and renews it automatically before it expires.

 Although not required, you can use publicly trusted certificates. However, AD FS does not renew them
automatically.

 The certificate cannot use CNG keys.

 You can manage this certificate in the AD FS Management console or via Windows PowerShell.

Certificate type: Token-decryption and encryption certificate. A standard X509 certificate that is used to
either decrypt or encrypt any incoming tokens. It also is published in federation metadata.
Requirements:

 By default, AD FS creates this self-signed certificate and renews it automatically before expiration.

 Although not required, you can use publicly trusted certificates. However, AD FS does not renew them
automatically.

 The certificate cannot use CNG keys.

 You can manage this certificate in the AD FS Management console, or via Windows PowerShell.

Note: Certificates that are used for token signing and token decrypting and encrypting are
critical to the stability of the federation service. If you deploy your own token-signing & token-
decrypting and encrypting certificates, you should ensure that they are backed up and are
available independently during a recovery event.
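The table above distinguishes the certificates that AD FS renews on its own (the self-signed token-signing and token-decrypting certificates, when automatic rollover is on) from those an administrator must track (the service communication certificate, and any publicly trusted token certificates). The following is an added example, not from the course text, that turns that distinction into a check you can run on a federation server with the ADFS Windows PowerShell module; the 30-day warning threshold is an arbitrary assumption.

```powershell
# Added example (not from the course text): inventory the AD FS certificates and flag the
# ones whose renewal is not automatic and which are close to expiring. Run on a federation
# server that has the ADFS module installed.
Import-Module ADFS

function Get-AdfsCertificateStatus {
    param([int]$WarnDays = 30)   # assumed threshold; adjust to your renewal lead time

    # AutoCertificateRollover is the farm-wide switch for renewing the self-signed token certificates.
    $rollover = (Get-AdfsProperties).AutoCertificateRollover

    foreach ($c in Get-AdfsCertificate) {
        $daysLeft = [int]($c.Certificate.NotAfter - (Get-Date)).TotalDays

        # Rollover applies only to the self-signed token-signing and token-decrypting certificates.
        # The service communication certificate, and any publicly trusted token certificate,
        # is never renewed automatically by AD FS.
        $selfSigned  = ($c.Certificate.Issuer -eq $c.Certificate.Subject)
        $autoRenewed = $rollover -and $selfSigned -and
                       ($c.CertificateType -in 'Token-Signing', 'Token-Decrypting')

        [pscustomobject]@{
            CertificateType = $c.CertificateType
            IsPrimary       = $c.IsPrimary
            Thumbprint      = $c.Thumbprint
            Subject         = $c.Certificate.Subject
            NotAfter        = $c.Certificate.NotAfter
            DaysLeft        = $daysLeft
            AutoRenewed     = $autoRenewed
            NeedsAttention  = (-not $autoRenewed) -and ($daysLeft -le $WarnDays)
        }
    }
}

# Usage: anything with NeedsAttention = True must be renewed and enabled by hand (see the table above).
Get-AdfsCertificateStatus | Sort-Object DaysLeft | Format-Table -AutoSize
```

Because the object output is plain PowerShell objects, the same function can feed a scheduled task that alerts on `NeedsAttention`, which is the practical way to avoid the service communication certificate expiring silently.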

Hardware requirements
The following minimum and recommended hardware requirements apply to the AD FS federation servers
that are deployed on Windows Server 2012 R2:

Hardware requirement                 Minimum requirements                   Recommended requirements
Central processing unit (CPU) speed  1.4 gigahertz (GHz) 64-bit processor   Quad-core, 2 GHz
Random access memory (RAM)           512 megabytes (MBs)                    4 GB
Disk space                           32 gigabytes (GBs)                     100 GB

Software requirements
The following software requirements apply to AD FS federation servers that are deployed on Windows
Server 2012 R2:

• For extranet access, you must deploy the Web Application Proxy role service, which is part of the
Windows Server 2012 R2 Remote Access server role. Previous versions of a federation server proxy are
not supported with AD FS on Windows Server 2012 R2.

• A federation server and the Web Application Proxy role service cannot be installed on the same
computer.

Active Directory requirements


Another critical component for AD FS is Active Directory requirements. Your planning should include
preparing your environment based on the Active Directory requirements. For AD FS to be supported, the
domain controllers in all of your user domains and in the domain that AD FS servers are joined to must be
running Windows Server 2008 or later and be at the domain functional level of Windows Server 2008 or
higher.

You can deploy AD FS with any standard service account. Alternatively, you might use a group managed
service account, but you are required to deploy at least one domain controller with Windows Server 2012
or higher. The AD FS service account must be trusted in every user domain that contains users who could
authenticate to the federation service. For Kerberos authentication to function properly between your
domain-joined clients and AD FS, the HOST/adfs_service_name must be registered as a SPN on the service
account. By default, AD FS will configure this automatically when deploying a new federation server farm
if it has sufficient permissions to perform this operation.

In single forest scenarios, all of the AD FS federation servers must be joined to an Active Directory
domain, and all of the AD FS federation servers within a federation server farm must be joined to the
same Active Directory domain. In addition, the domain that the AD FS servers are joined to must trust
every user account domain that contains users who could authenticate to the federation service.

In multi-forest scenarios, the domain that the AD FS servers are joined to must trust every user account
domain or forest that contains users who could authenticate to the federation service. In addition, the
AD FS service account must be trusted in every user domain that contains users who could authenticate to
the federation service.
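The Active Directory requirements above (domain functional level, domain controller operating system, a Windows Server 2012 domain controller for a gMSA, and the HOST/adfs_service_name SPN on the service account) can all be verified before deployment. The following is an added example, not from the course text, written against the ActiveDirectory Windows PowerShell module; the service account name `svc_adfs` and the federation service name `sts.contoso.com` are placeholders.

```powershell
# Added example (not from the course text): verify the AD DS prerequisites for AD FS.
# Requires the ActiveDirectory module (RSAT). Account and service names are placeholders.
Import-Module ActiveDirectory

function Test-AdfsDirectoryPrerequisites {
    param(
        [string]$ServiceAccountSam     = 'svc_adfs',         # sAMAccountName; for a gMSA use 'name$'
        [string]$FederationServiceName = 'sts.contoso.com'   # placeholder federation service name
    )
    $domain = Get-ADDomain
    $dcs    = Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem

    # Domain functional level must be Windows Server 2008 or higher.
    $legacyLevels = 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain'
    $levelOk = $domain.DomainMode.ToString() -notin $legacyLevels

    # Every domain controller in the domain must run Windows Server 2008 or later.
    $legacyDcs = @($dcs | Where-Object { $_.OperatingSystem -match 'Server (2000|2003)' })

    # A group managed service account needs at least one Windows Server 2012 (or later) DC.
    $gmsaCapable = [bool]($dcs | Where-Object { $_.OperatingSystem -match 'Server (201[2-9]|20[2-9][0-9])' })

    # HOST/<federation service name> must be registered as an SPN on the service account.
    # Get-ADObject covers both a standard user account and a gMSA.
    $acct  = Get-ADObject -LDAPFilter "(sAMAccountName=$ServiceAccountSam)" -Properties servicePrincipalName
    $spnOk = [bool]($acct -and ("HOST/$FederationServiceName" -in $acct.servicePrincipalName))

    [pscustomobject]@{
        Domain                  = $domain.DNSRoot
        DomainFunctionalLevel   = $domain.DomainMode.ToString()
        FunctionalLevelOk       = $levelOk
        LegacyDomainControllers = $legacyDcs.HostName     # empty when all DCs are 2008 or later
        GmsaSupported           = $gmsaCapable
        ServiceAccountFound     = [bool]$acct
        HostSpnRegistered       = $spnOk
    }
}

Test-AdfsDirectoryPrerequisites -ServiceAccountSam 'svc_adfs' -FederationServiceName 'sts.contoso.com' |
    Format-List
```

Run it once per user domain that will authenticate to the federation service, because the text makes the functional-level and domain controller requirements apply to all user domains, not only to the domain the federation servers join.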

Configuration database requirements


AD FS requires a configuration database to store configuration data. This database can either be a
Microsoft SQL Server 2005 or newer database, or the WID included with Windows Server 2008, Windows
Server 2008 R2, and Windows Server 2012. For AD FS on Windows Server 2012 R2, you can use Microsoft
SQL Server 2008 or newer, including Microsoft SQL Server 2012 and Microsoft SQL Server 2014.

Browser requirements
If you perform authentication to AD FS from a browser or browser control, your browser must meet the
following requirements:

• JavaScript must be enabled.

• Cookies must be turned on.

• Server Name Indication (SNI) must be supported.

• For user certificate and device certificate authentication, for example workplace join functionality, the
browser must support SSL client certificate authentication.

Several key browsers and platforms have undergone validation for rendering and for functionality. These
include Internet Explorer 10 or later, Firefox 21 or later, Safari 7.0 or later, and Chrome 27 or later.
Browsers and devices not referenced could still be supported if they meet the requirements listed above.

AD FS creates session-based and persistent cookies that must be stored on client computers to provide
sign-in, sign-out, SSO, and other functionality. For this reason, one of the browser requirements is that the
client browser must be configured to accept cookies. Cookies that are used for authentication are HTTPS
session-based cookies that are written for the originating server. If the client browser is not configured to
allow these cookies, AD FS might not function properly. Persistent cookies are used to preserve user
selection of the claims provider. You can disable them with a change in the configuration file for the
AD FS sign-in pages. Support for Transport Layer Security (TLS) over SSL (TLS/SSL) is required for security
reasons.

Extranet requirements
To provide extranet access to the AD FS service, you must deploy the Web Application Proxy role service
as the extranet-facing role that proxies authentication requests in a secure manner to the AD FS service.
This provides isolation of the AD FS service endpoints in addition to isolation of all security keys (such as
token-signing certificates) from requests that originate from the internet. In addition, features such as Soft
Extranet Account Lockout require the use of the Web Application Proxy.

Network requirements
Configuring the network properly is critical for the successful deployment of AD FS in your environment.
The firewall located between the Web Application Proxy and the federation server farm, and the firewall
between the clients and the Web Application Proxy must allow TCP port 443 for inbound traffic. In
addition, if client user certificate authentication is required, AD FS in Windows Server 2012 R2 requires
that TCP port 49443 be enabled inbound on the firewall between the clients and the Web Application
Proxy. However, this is not required on the firewall between the Web Application Proxy and the federation
servers.

All clients accessing the federation service within the corporate network must be able to resolve the AD FS
service name to the load-balanced IP of the federation server farm. All clients accessing the federation
service from the Internet must be able to resolve the AD FS service name to the load-balanced IP of the
Web Application Proxy servers. For extranet access to function properly, each Web Application Proxy
server in the perimeter network must be able to resolve the AD FS service name to the load-balanced IP
of the federation server farm. This requirement might need a DNS server in the perimeter network or a
HOSTS file on the Web Application Proxy servers. For Windows Integrated authentication to work either
inside or outside the network, for a subset of endpoints exposed through the Web Application Proxy, you
must use a host (A) resource record (not a canonical name (CNAME) record) to point to the load
balancers.
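The network requirements above come down to two checks per hop: the federation service name must resolve to a host (A) record for the right load balancer, and TCP 443 (plus TCP 49443 for client certificate authentication between clients and the Web Application Proxy) must be reachable. The following is an added example, not from the course text, that performs both checks from whichever machine it is run on (a client, or a Web Application Proxy server in the perimeter network); `sts.contoso.com` is a placeholder.

```powershell
# Added example (not from the course text): confirm that the federation service name resolves
# through an A record rather than a CNAME, and that the required TCP ports are reachable from
# this machine. Uses Resolve-DnsName and Test-NetConnection (Windows Server 2012 R2 / 8.1+).
function Test-AdfsNetworkPath {
    param(
        [string]$FederationServiceName = 'sts.contoso.com',   # placeholder
        [switch]$ClientCertificateAuth                        # also check TCP 49443 (client -> proxy hop)
    )

    # Resolve-DnsName returns one object per record in the answer. If the name is an alias,
    # a 'CNAME' record appears before the final 'A' record, which the text says to avoid.
    $records   = Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction Stop
    $usesCname = [bool]($records | Where-Object Type -eq 'CNAME')
    $addresses = $records | Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress

    # TCP 443 is required on every hop; TCP 49443 only between clients and the Web Application
    # Proxy when user certificate authentication is used.
    $ports = @(443)
    if ($ClientCertificateAuth) { $ports += 49443 }
    $portResults = foreach ($p in $ports) {
        $t = Test-NetConnection -ComputerName $FederationServiceName -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p; Open = $t.TcpTestSucceeded; RemoteAddress = $t.RemoteAddress }
    }

    [pscustomobject]@{
        Name      = $FederationServiceName
        Addresses = $addresses      # should be the load-balanced IP for this network (farm or proxies)
        UsesCname = $usesCname      # should be $false for Windows Integrated authentication to work
        Ports     = $portResults
    }
}

# Usage from a client on the Internet or in the perimeter network:
Test-AdfsNetworkPath -FederationServiceName 'sts.contoso.com' -ClientCertificateAuth | Format-List
```

On a Web Application Proxy server, a HOSTS file entry for the federation service name is picked up by Resolve-DnsName as well, so the same call confirms that the proxy resolves the name to the farm rather than to itself.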

Attribute store requirements


AD FS requires at least one attribute store for use with authenticating users and extracting security claims
for those users. During deployment, AD FS creates an Active Directory attribute store automatically, by
default. Attribute store requirements depend on whether your organization is acting as the account
partner (hosting the federated users) or the resource partner (hosting the federated application).

Additional Reading: For more information on the complete list of attribute stores
supported by AD FS, go to: http://aka.ms/vgazki.

Application requirements
AD FS supports claims-aware applications that use the following protocols:

• WS-Federation

• WS-Trust

• SAML 2.0 protocol using IdP Lite, SP Lite, and eGov 1.5 profiles

• OAuth 2.0 Authorization Code Grant profile

AD FS also supports authentication and authorization for any non-claims-aware applications that are
supported by the Web Application Proxy.

Authentication requirements
In most AD FS deployments, the primary authentication method for the relying party in a federated trust
is AD DS authentication. For intranet access, the following standard authentication mechanisms for AD DS
are supported:

• Windows Integrated Authentication using the Negotiate option, which includes Kerberos and NTLM

• Forms Authentication using usernames and passwords

• Certificate authentication using certificates mapped to user accounts in AD DS

For extranet access, the following authentication mechanisms are supported:

• Forms authentication using usernames and passwords

• Certificate authentication using certificates that are mapped to user accounts in AD DS

• Windows Integrated Authentication using Negotiate (NTLM only) for WS-Trust endpoints that accept
Windows Integrated Authentication

You should consider the following if you enable certificate authentication:

• The most common scenario for certificate authentication is smart card authentication with PIN
protected certificates.

• The GUI for the user to enter their PIN is not provided by AD FS and is required to be part of the
client operating system that is displayed when using client TLS.

• The reader and cryptographic service provider (CSP) for the smart card must work on the computer
on which the browser is located.

• The smart card certificate must be trusted by a root certificate on all of the AD FS servers and Web
Application Proxy servers.

• The certificate must map to the user account in AD DS by either of the following methods:

o The certificate subject name corresponds to the LDAP distinguished name of a user account in
AD DS.

o The certificate SAN extension has the UPN of a user account in AD DS.
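The last bullet above describes the two ways a certificate maps to an AD DS account. The following is an added example, not from the course text, that reads a user certificate and reports which of the two mappings (SAN UPN, or subject name equal to the account's distinguished name) would apply, and whether the match is unique; it assumes the ActiveDirectory Windows PowerShell module and the path `C:\temp\user.cer` is a placeholder for an exported public certificate.

```powershell
# Added example (not from the course text): determine how a user certificate maps to an AD DS
# account, by SAN UPN or by subject DN, and whether the mapping is unambiguous.
Import-Module ActiveDirectory

function Get-CertificateUpn {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.17 is the Subject Alternative Name extension. Its formatted text lists the
    # UPN as "Principal Name=user@domain".
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -and $san.Format($true) -match 'Principal Name=([^\s,]+)') { return $Matches[1] }
    return $null
}

function Test-CertificateUserMapping {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # Mapping 1: SAN UPN equals the account's userPrincipalName.
    $upn   = Get-CertificateUpn $Certificate
    $byUpn = @()
    if ($upn) { $byUpn = @(Get-ADUser -Filter "UserPrincipalName -eq '$upn'") }

    # Mapping 2: certificate subject equals the account's LDAP distinguished name.
    # X509 subjects are rendered as "CN=..., OU=..."; AD DS stores DNs without the spaces.
    $subjectDn = $Certificate.Subject -replace ',\s+', ','
    $byDn = @(Get-ADUser -Filter "DistinguishedName -eq '$subjectDn'")

    [pscustomobject]@{
        Thumbprint  = $Certificate.Thumbprint
        Issuer      = $Certificate.Issuer     # must chain to a root trusted on all AD FS and proxy servers
        SanUpn      = $upn
        SubjectDn   = $subjectDn
        MappedByUpn = ($byUpn.Count -eq 1)
        MappedByDn  = ($byDn.Count -eq 1)
        Ambiguous   = ($byUpn.Count -gt 1 -or $byDn.Count -gt 1)
        Account     = ($byUpn + $byDn | Select-Object -First 1).SamAccountName
    }
}

# Usage: the .cer path is a placeholder; only the public certificate is needed for this check.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\user.cer'
Test-CertificateUserMapping $cert | Format-List
```

A result with both `MappedByUpn` and `MappedByDn` false means AD FS has no account to issue claims for, and `Ambiguous` true means the directory contains duplicate UPNs, which should be cleaned up before certificate authentication is enabled.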

For seamless Windows Integrated Authentication using Kerberos authentication on the intranet:

• The service name must be part of the Trusted Sites or the Local intranet sites.

• The HOST/adfs_service_name SPN must be set on the service account that the AD FS farm runs on.

AD FS also supports authentication using a provider model whereby you can build your own MFA adapter
that an administrator can register and use during sign in. Every MFA adapter must be built on top of
Microsoft .NET Framework 4.5. In addition, AD FS supports device authentication using certificates
provisioned by the Device Registration Service during the act of an end user workplace joining their
device.

Permissions requirements
For deployment and the initial configuration of AD FS, you must have domain administrator permissions
in the Active Directory domain, for example, the domain to which the federation server is joined.

Additional Reading: For more information about the AD FS requirements, refer to:
http://aka.ms/m2kpbf.

Configuring SSO with Windows Azure virtual machines


Deploying a federation service imposes significant resource and management overhead on an
organization. This is particularly true for small to medium-sized enterprises, where the move to
Office 365 is driven by a desire to move mission-critical IT to the cloud. As a result, the requirement
to maintain on-premises AD FS infrastructure in order to provide access to cloud resources can seem
retrograde. For this reason, the option to migrate the federation service to the cloud as well should be
considered.

Virtual machines on Azure


Deploying all the Office 365 federation components on virtual machines on Azure provides some
advantages over an on-premises deployment. These advantages include rapid implementation,
predictable costs, and no requirement for additional on-premises servers. Alternatively, you can host a
subset of the federation components in Azure while deploying some components on-premises.

Although additional options are possible, these are the three optimal deployment scenarios:

• All Office 365 SSO integration components deployed on-premises. This is the traditional approach. In
this scenario, you deploy directory synchronization and AD FS using on-premises servers.

• All Office 365 SSO integration components deployed in Azure. This is the new, cloud-only approach.
In this scenario, you deploy directory synchronization and AD FS in Azure. This eliminates the need to
deploy on-premises servers.

• Some Office 365 SSO integration components deployed in Azure for disaster recovery. This is the mix
of on-premises and cloud-deployed components. In this scenario, you deploy directory
synchronization and AD FS primarily on-premises, and add redundant components in Azure for
disaster recovery.

When planning to deploy these services to Windows Azure, you should consider:

• Active Directory domain controllers in Windows Azure. Since AD FS requires access to AD DS, you
need to deploy AD DS to Windows Azure when you install an Active Directory domain controller on a
Windows Azure virtual machine.

• AD FS in Windows Azure. In the third scenario described above, you would deploy AD FS on-premises
and on a virtual machine on Azure for redundancy. In case of a disaster, the failover between the
on-premises infrastructure and the hosted infrastructure is a manual operation. The failover procedures
require changing DNS records for AD FS. Until the change is effective and DNS records are
propagated, clients are unable to access Office 365 services. As such, end users would still experience
downtime during the failover.

• Directory synchronization services in Windows Azure. In the third scenario described above, you
would deploy directory synchronization on-premises and on a Windows Azure virtual machine for
redundancy. In case of a disaster, the failover between the on-premises infrastructure and the hosted
infrastructure is a manual operation. The failover procedures require the re-installation of the Azure
Active Directory Connect tool on a standby Azure virtual machine. Because directory synchronization
is required only for directory object changes, existing users can continue to access Office 365 services
with little to no disruption until the service is restored.

• VPN connection to Windows Azure. A VPN connection is required between your corporate network
and Windows Azure to support directory synchronization traffic.

Lesson 3
Deploying AD FS for identity federation with Office 365
In this lesson, you will learn how to deploy AD FS for SSO with Office 365. Based on your planning, your
deployment may include multiple servers, with different server roles, in various logical networks. Your
deployment methodology might vary if you are implementing directory synchronization, if you are
adding a new domain to Office 365, or if you are converting an existing domain in Office 365.

Lesson Objectives
After completing this lesson, you should be able to:

• Install the AD FS server role.

• Install and configure Web Application Proxy.

• Upgrade to AD FS on Windows Server 2012 R2.

• Configure the AD FS server role for federation with Office 365.

• Describe how to use the Azure AD Connect tool to configure AD FS and Web Application Proxy.

• Convert the Office 365 tenant to federated authentication, including the implications.

• Manage the AD FS server, including the certificates, migration to another server, and troubleshooting.

• Verify a successful implementation of SSO.

Installing and configuring AD FS


Before deploying your federation service, you will need to prepare the environment for the installation
of AD FS. This might include preparing the configuration database, any required service accounts and
certificates, and preparing the DNS host records for access from inside and outside the corporate
network.

SQL Server
If you plan to host the configuration database for the AD FS federation server farm in Microsoft SQL
Server, you should deploy the SQL Server instance prior to installing the first federation server. In
Windows Server 2012 R2, AD FS supports two options for high availability of your federation server farm
using SQL Server. You should consider one of these options when preparing for the configuration
database:

• SQL Server AlwaysOn Availability Groups

• SQL Server merge replication, in support of geographically distributed high availability

Additional Reading: For more information, refer to Federation Server Farm Using SQL
Server at: http://aka.ms/mok3lw.

Service account
If possible, you should consider using a Group Managed Service Account (gMSA) for AD FS. During
deployment, the AD FS Installation Wizard creates and configures a gMSA automatically if you have
appropriate permissions to AD DS. Otherwise, you should create a gMSA in advance of the AD FS
federation server deployment.

If you are not able to use a gMSA, you should create a standard service account in AD DS and configure
for the password to never expire, prior to deploying the AD FS federation server. This service account
requires the following access rights on the AD FS federation server:

• Log on as a service

• Log on as a batch job

Certificate
While you can import the certificate during AD FS installation, you will need to request the appropriate
SSL certificate required for AD FS from a publicly trusted certification authority (CA) prior to deployment.
Upon receiving the certificate from the CA, install it in the Personal certificate store on the AD FS
federation server. If you are deploying a federation server farm, the Subject name (or common name
(CN)) on the SSL certificate must match the federation service name, or the certificate must be a wildcard
SSL certificate. This certificate should be installed in the Personal certificate store on each of the
federation servers in the farm.

DNS
In addition to AD DS, one of the primary network services that are critical to the operation of AD FS is
DNS. With DNS record sets users and other service providers can locate your federation service over the
internet and on your corporate network.

When configuring DNS to support AD FS, you should consider the following:

• If you are deploying a federation server farm, you will need to create a DNS host record on your
internal DNS servers of the cluster DNS name for your NLB federation server farm.

• If you are deploying a standalone federation server, you will need to create a DNS host record on
your internal DNS servers of the DNS name for your federation server.

• If you are deploying a federation proxy array, you will need to create a DNS host record on your
perimeter DNS servers of the load-balanced DNS name for your AD FS proxy server or your Web
Application Proxy server array.

• If you are deploying a standalone federation proxy server, you will need to create a DNS host record
on your perimeter DNS servers of the DNS name for your AD FS proxy server or your Web Application
Proxy server.

• If you are not deploying a federation proxy, you will need to create a DNS host record on your
perimeter DNS servers of the cluster DNS name for your NLB federation server farm, or your
federation server.

Note: You should not use CNAME records for the federation service name.

Install AD FS
In Windows Server 2012 R2, AD FS 3.0 is installed from Server Manager as a role. The Server Manager
Configuration Wizard performs validation checks and automatically installs all the services required by
AD FS. The AD FS server role includes Windows PowerShell cmdlets that you can use to perform Windows
PowerShell–based deployment of AD FS servers and proxies.

To install the AD FS server role, use the Server Manager Add Roles and Features Wizard, and select the
AD FS server role. The Add Roles and Features Wizard automatically selects the .NET Framework, and
AD FS Management Tools features. No other features are required.

Configure AD FS
When the AD FS role is installed, the Add Roles and Features Wizard provides you the option to start the
AD FS Configuration Wizard to configure the AD FS server. The steps for the AD FS Configuration Wizard
vary depending on whether you are creating the first federation server in a federation server farm or
adding a federation server to a federation server farm. You also can start the AD FS Configuration Wizard
from Server Manager, Tools menu, or from the Start screen.

Create the first federation server in a federation server farm


To create the first federation server in a federation server farm:

1. In the AD FS Configuration Wizard, select the option to Create the first federation server in a
federation server farm.

2. On the Connect to AD DS page, select the account that has domain administrator permissions to
AD DS. If the account that you use to install AD FS has the appropriate permissions, then leave the
default option and proceed. Otherwise, change it to the appropriate account. The account that you
select should not be the credentials of your service account.

3. On the Specify Service Properties page, select the corresponding certificate from the SSL certificate
list (or import the SSL certificate if you did not install it prior to installation), and then specify the
Federation Service Name of the federation server farm.

4. On the Specify Service Account page, specify the credentials of the appropriate service account for
AD FS.

5. On the Specify Configuration Database page, select the option either to create a database using
WID, or to specify the location, host name, and instance of an existing SQL Server database.

6. On the Review Options page, the wizard displays your selections, including your service account
actions.
o If you chose to use a WID database, the wizard notes that this is the primary server in the farm
and that the WID database is installed.

o If you chose to use an existing SQL Server database, the wizard will note that this will be the first
server in the server farm, and will provide the connection string details for connecting to SQL
Server to retrieve the configuration.

7. On the Pre-requisite Checks page, the wizard displays the results of the prerequisite check before
proceeding to the installation of AD FS.

Note: Alternatively, you can use the Windows PowerShell cmdlet Install-AdfsFarm to
deploy the first federation server in a federation server farm.

Add a federation server to a federation server farm


To add additional servers to an AD FS server farm:

1. In the AD FS Configuration Wizard, select the Add a federation server to federation service farm
option.

2. On the Connect to AD DS page, select the account that has domain administrator permissions to
AD DS. If the account that you use to install AD FS has the appropriate permissions, then leave the
default option and proceed. Otherwise, change it to the appropriate account. The account that you
select should not be the credentials of your service account.

3. On the Specify Farm page, specify the name of the primary federation server in a farm using WID, or
specify the database host name and the instance name of an existing federation server farm using
SQL Server.

4. On the Specify SSL Certificate page, select the corresponding certificate from the SSL certificate list,
or import the SSL certificate if you did not install it prior to installation. As opposed to the other
installation option, you are not required to specify the federation service name of the federation
server farm. This is because the wizard is already aware of the federation service name based on
database information that you provided earlier.

5. On the Specify Service Account page, specify the credentials of the appropriate service account for
AD FS. The account you specify must be the same account as the one used on the primary federation
server in the farm.

6. On the Review Options page, the wizard displays your selections.


o If you chose to use a WID database, the wizard notes that this is the secondary server in the farm
and that the WID database is installed and replicated from the primary server in the farm.

o If you chose to use an existing SQL Server database, the wizard notes the connection string
details for connecting to SQL Server to retrieve the configuration.

7. On the Pre-requisite Checks page, the wizard displays the results of the prerequisite check before
proceeding to the installation of AD FS.

Note: Alternatively, you can use the Windows PowerShell cmdlet Add-AdfsFarmNode to
add a federation server to a federation server farm.
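The two notes above name Install-AdfsFarm and Add-AdfsFarmNode as the Windows PowerShell equivalents of the wizard procedures, and the "Service account" topic earlier says a gMSA may be created in advance. The following is an added example, not from the course text, that strings those steps together for a two-server WID farm: gMSA creation, the first federation server, and a second node. Every name in it is a placeholder (`sts.contoso.com`, the gMSA `adfsgmsa`, the domain `CONTOSO`, and the servers ADFS01 and ADFS02), and the helper that picks the SSL certificate by subject name is an assumption about how your certificates are named.

```powershell
# Added example (not from the course text): deploy a two-node AD FS farm on Windows Server 2012 R2
# from Windows PowerShell, using a gMSA created in advance. All names are placeholders.
$FederationServiceName = 'sts.contoso.com'
$DisplayName           = 'Contoso Corporation'
$GmsaName              = 'adfsgmsa'
$GmsaIdentifier        = "CONTOSO\$GmsaName`$"     # gMSA identifiers end with a dollar sign

function Get-FarmSslThumbprint {
    # Assumed naming: pick the longest-lived certificate with a private key whose subject is the
    # federation service name or a wildcard for its DNS suffix, from the computer's Personal store.
    $suffix = $FederationServiceName.Substring($FederationServiceName.IndexOf('.'))
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.Subject -like "CN=$FederationServiceName*" -or $_.Subject -like "CN=*$suffix*") } |
        Sort-Object NotAfter -Descending | Select-Object -First 1 -ExpandProperty Thumbprint
}

# --- Step 0, once per domain, as a domain administrator: create the gMSA in advance ---
Import-Module ActiveDirectory
if (-not (Get-KdsRootKey)) {
    # A KDS root key must exist before any gMSA can be created. In production, use
    # Add-KdsRootKey -EffectiveImmediately and allow up to 10 hours for replication; the
    # back-dated EffectiveTime below is a single-DC lab shortcut only.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}
New-ADServiceAccount -Name $GmsaName -DNSHostName $FederationServiceName `
    -ServicePrincipalNames "HOST/$FederationServiceName" `
    -PrincipalsAllowedToRetrieveManagedPassword 'ADFS01$', 'ADFS02$'   # placeholder computer accounts

# --- Step 1, on ADFS01: install the role and create the farm (WID is the default configuration database) ---
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Install-AdfsFarm -CertificateThumbprint (Get-FarmSslThumbprint) `
    -FederationServiceName $FederationServiceName `
    -FederationServiceDisplayName $DisplayName `
    -GroupServiceAccountIdentifier $GmsaIdentifier
# For a SQL Server farm, add -SQLConnectionString to this cmdlet and to Add-AdfsFarmNode below.

# --- Step 2, on ADFS02, with the same SSL certificate already imported: join the farm ---
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Add-AdfsFarmNode -CertificateThumbprint (Get-FarmSslThumbprint) `
    -PrimaryComputerName 'ADFS01.contoso.com' `
    -GroupServiceAccountIdentifier $GmsaIdentifier
```

Steps 1 and 2 run on different servers, so in practice the variable block and the helper are copied to each. Registering the SPN at gMSA creation time matters when the account running the deployment lacks the permission the text mentions for AD FS to set it automatically.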

Update AD FS
To ensure your AD FS environment is reliable and stable, you should install the recommended updates for
AD FS. After installing and configuring your AD FS federation servers, you can use Microsoft Update to
check for available updates.

Additional Reading: For more information on all the available updates for AD FS, refer to:
http://aka.ms/r8x4zf.

Installing and configuring AD FS proxy


After deploying the AD FS federation server farm, you can begin implementing the AD FS proxy server. In
preparation for deploying your AD FS proxy server, you will need to configure a few items before
installing the AD FS proxy server.

Note: You can only deploy the AD FS Proxy on Windows Server 2012 or earlier Windows Server
operating systems. Alternatively, you need to deploy the Web Application Proxy to proxy the AD FS
federation service on Windows Server 2012 R2, or later.

Certificates
The certificates that you use in the deployment should be obtained and installed into the Personal
certificate store on the AD FS Proxy computer. The CN on each certificate must match the AD FS service
name. When exporting certificates ready for use on the AD FS Proxy, it is important to ensure that the
private key is included in the export. Once imported to a local computer personal store, the certificate is
ready for binding in IIS as soon as IIS and the AD FS Proxy role are installed.

Load balancing
When you deploy two or more AD FS Proxy servers in an array, you will also need to configure them for
network load balancing. You can accomplish this with hardware, which is recommended for large
deployments, or with software, which is recommended for small to medium deployments. For software
load balancers, you can enable NLB for the AD FS Proxy array.

DNS
DNS host records should also be configured on the DNS servers in the perimeter prior to installing
AD FS servers. Since the AD FS Proxy is typically placed in the perimeter network, it is recommended that
you:

• Configure the proxy to use external DNS servers for external name resolution.

• Add internal hostnames that the proxy needs to resolve, such as the internal AD FS farm, to the Hosts
file on the proxy.

Note: You should not use CNAME records for the AD FS proxy server name.

Install AD FS Proxy
In Windows Server 2012, AD FS proxies are installed from the Server Manager as a role, using the same
Server Manager Configuration wizard pages that were used to install AD FS servers. The configuration
wizard performs validation checks and automatically installs all the services required by the AD FS Proxy.
In a production environment, the AD FS proxy server should be placed in the perimeter network (also
known as screened subnet), not in the internal corporate LAN.

To install the AD FS proxy role, use the Server Manager Add Roles and Features Wizard, and select the
Active Directory Federation Services server role. The Add Roles and Features Wizard automatically
selects the .NET Framework, IIS, and Windows Process Activation Service features. On the Select role
services page, clear the Federation Service check box, and select the Federation Service Proxy check
box.
IIS runs once the role is installed successfully. The next task is to assign the public certificate to the default
website on the AD FS server, in order to secure the traffic between the AD FS Proxy and client computers,
and between the AD FS Proxy and AD FS itself. In IIS Manager, edit site bindings, and in the SSL certificate
list, select the previously imported certificate for use.

Configure AD FS Proxy
When the AD FS Proxy role is installed, the AD FS Federation Services Proxy Configuration Wizard runs to
configure the AD FS Proxy server. You can run the AD FS Federation Services Proxy Configuration Wizard
from the Tools menu in Server Manager, or by running FspConfigWizard.exe, which is located at
C:\Windows\ADFS\.

In the AD FS Federation Services Proxy Configuration Wizard, on the Specify Federation Service Name
page, verify that the correct federation service name is displayed. Click Test Connection to verify a
connection to the Federation Service, and enter credentials for the AD FS service account. These
credentials are necessary to establish a trust between this federation server proxy and the Federation
Service. By default, only the service account used by the Federation Service or a member of the local
BUILTIN\Administrators group can authorize a federation server proxy.

Update AD FS Proxy
To ensure your AD FS environment is reliable and stable, you should install the recommended updates for
AD FS Proxy server. After you install and configure your Web Application Proxy servers, you can use
Microsoft Update to check for available updates.

Note: For more information on all the available updates for AD FS, refer to:
http://aka.ms/pkvgbq.

Specifying a custom proxy forms sign-in page


The default sign-in page displays the federation service name, text boxes in which to enter the user name
and password, and text to describe user name format. This page can be customized. For example, you can
include a logo, change example and instruction text, change the page title, remove or change the
federation service name display, and add an "Authorized Use" disclaimer or other text at the bottom of
the page.

Additional Reading: For more information on customizing the proxy forms sign-in page,
see Customizing the AD FS forms based login page at: http://aka.ms/jyk1xa.

Non-Microsoft proxy
You might prefer to use another company’s proxy to publish the AD FS federation servers rather than
employ AD FS server proxies. If you plan to deploy a non-Microsoft proxy, it must be configured to do the
following:

• Send an HTTP header named x-ms-proxy. The value of this header should be the DNS name of the
proxy host.

• Send an HTTP header named x-ms-endpoint-absolute-path. The value of this header should be set to
the name of the proxy endpoint that receives the request.

If these headers are not configured, an AD FS 2.0 federation server proxy must be deployed behind the
non-Microsoft proxy.

Note: For more information about using a non-Microsoft proxy as a replacement for an
AD FS 2.0 federation server proxy, refer to: http://aka.ms/htsrqu.

Installing and configuring Web Application Proxy for AD FS

In preparation for deploying your federation service, you might need to prepare a few items before you
install Web Application Proxy. However, you should not begin implementing the Web Application Proxy until
you have deployed the AD FS federation server farm.

Note: You can deploy the Web Application Proxy only on Windows Server 2012 R2 or later. To proxy the
federation service on earlier versions of Windows Server, you need to deploy the AD FS proxy instead.

Certificate

Because you cannot import the certificate during installation of Web Application Proxy, you need to
request the appropriate SSL certificate for Web Application Proxy from a publicly trusted CA prior to
deployment. Upon receiving the certificate from the CA, you must install it in the Personal certificate
store on the Web Application Proxy server.

While we recommend that you use the same SSL certificate as the AD FS federation server farm for the
Web Application Proxy, it must be the same when you support Windows Integrated Authentication
endpoints through the Web Application Proxy with Extended Protection Authentication enabled. If this
scenario applies to your AD FS environment, you should export the SSL certificate from one of the
federation servers in the farm, and then import it in the Personal certificate store on the Web Application
Proxy server.

In either scenario, if you deploy more than one Web Application Proxy server in support of your AD FS
environment, you need to import the appropriate SSL certificate to each of the additional Web
Application Proxy servers prior to installing Web Application Proxy. This applies to wildcard certificates as
well.

Load balancing
When you deploy two or more Web Application Proxy servers in an array, you will need to configure them
for NLB. You can accomplish this with hardware, which is recommended for large deployments, or with
software, which is recommended for small-to-medium deployments. For software load balancers, you can
enable NLB for the Web Application Proxy array.

DNS
You should configure a DNS host record on the perimeter DNS servers prior to installing the Web
Application Proxy server. Because the Web Application Proxy server is typically placed in the perimeter
network, we recommend that you:

 Configure the Web Application Proxy server to use external DNS servers for external name resolution.

 Add an internal hostname that the Web Application Proxy server needs to resolve, such as the
internal AD FS farm, to the Hosts file on the Web Application Proxy server.

Note: You should not use CNAME records for the Web Application Proxy server name.

Install Web Application Proxy

In Windows Server 2012 R2, Web Application Proxy is installed from Server Manager as a role. The Server
Manager Configuration Wizard performs validation checks and automatically installs the service required
by Web Application Proxy. The Web Application Proxy server role service includes Windows PowerShell
cmdlets that you can use to perform Windows PowerShell–based deployment.

To install the Web Application Proxy server role service, use the Server Manager Add Roles and Features
Wizard, and select the Remote Access server role. On the Role services page, select the Web Application
Proxy role service. The Add Roles and Features Wizard automatically installs the required features,
including the Remote Access Management Console.

Note: Alternatively, you can use the Windows PowerShell cmdlet Install-WindowsFeature
Web-Application-Proxy to install the Web Application Proxy server role service.

Configure Web Application Proxy

After the Web Application Proxy server role service is installed, you need to launch the Remote Access
Management Console to configure Web Application Proxy for publishing AD FS. You can initiate the
Remote Access Management Console from the Tools menu in Server Manager, or from the Start screen.
The steps for configuring each Web Application Proxy server in your environment for AD FS are the same:

1. In the Remote Access Management console, select the option to run the Web Application Proxy
Configuration Wizard.

2. On the Federation Server page, specify the name of the federation service farm and use credentials
of an account with local administrator permissions on the AD FS federation servers.

3. On the AD FS Proxy Certificate page, select the appropriate SSL certificate to complete the
configuration.

Note: Alternatively, you can use the Windows PowerShell cmdlet Install-WebApplicationProxy to
configure Web Application Proxy for publishing AD FS.
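The same deployment performed from Windows PowerShell instead of the wizard, as an added example that is not part of the courseware. It also covers the Hosts file entry and the certificate prerequisites described earlier in this topic. The federation service name adfs.adatum.com, the internal farm address 10.0.0.20, and the assumption that the certificate subject matches the federation service name are placeholders for this example:

```powershell
# Added example (not from the courseware): deploy Web Application Proxy for AD FS from
# Windows PowerShell. Run on the WAP server (not domain-joined) as a local administrator.
# Assumptions: federation service name adfs.adatum.com; the internal AD FS farm (or its
# load balancer) is reachable at 10.0.0.20; the SSL certificate has already been imported
# into Cert:\LocalMachine\My with its private key and its subject matches the service name.
$FederationServiceName = 'adfs.adatum.com'   # assumption
$InternalFarmAddress   = '10.0.0.20'         # assumption

# 1. WAP resolves names through external DNS, so pin the federation service name to the
#    internal farm in the Hosts file (the equivalent of an A record, never a CNAME).
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hostsPath -Pattern "\s$([regex]::Escape($FederationServiceName))\s*$" -Quiet)) {
    Add-Content -Path $hostsPath -Value "$InternalFarmAddress`t$FederationServiceName"
}

# 2. Install the role service together with the Remote Access Management Console.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# 3. Pick the certificate. The configuration wizard cannot import one, so fail early if it is
#    missing or lacks a private key, and warn if it is close to expiry.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$FederationServiceName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No certificate with subject CN=$FederationServiceName and a private key in LocalMachine\My."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter)."
}

# 4. Credentials of an account that is a local administrator on the AD FS federation servers.
#    They are used once to establish the proxy trust and are not stored on the WAP server.
$trustCred = Get-Credential -Message 'Local administrator on the AD FS federation servers'

# 5. Establish the trust between this proxy and the Federation Service.
Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
                            -CertificateThumbprint $cert.Thumbprint `
                            -FederationServiceTrustCredential $trustCred

# 6. Confirm the proxy picked up the farm configuration and reports healthy.
Get-WebApplicationProxyConfiguration | Format-List ADFSUrl
Get-WebApplicationProxyHealth
```

The subject match in step 3 assumes a certificate issued to the federation service name; with a wildcard certificate, select it by thumbprint instead. Repeat the script on every additional Web Application Proxy server, since each one needs its own copy of the certificate and its own proxy trust.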

Update Web Application Proxy

To ensure that your AD FS environment is reliable and stable, you should install the recommended
updates for Web Application Proxy. After installing and configuring your Web Application Proxy servers,
you can use Microsoft Update to check for available updates.

Note: For more information on all the available updates for AD FS, refer to:
http://aka.ms/n0uyfb.

Configuring AD FS by using Azure AD Connect

SSO allows your users to access Microsoft cloud services with their on-premises AD DS credentials. When
preparing your environment to support SSO, you must deploy both an STS infrastructure and Active
Directory synchronization. In most environments, these required tools are AD FS and Azure AD Connect,
respectively.

Prior to Azure AD Connect, directory synchronization tools required that you deploy these tools
separately. Although the recommended order of deployment is well documented—for example, that AD FS
should be deployed prior to directory synchronization—organizations still ran into deployment issues
because of poor planning. Many of these issues and their corresponding resolutions are well documented
as well. However, with proper planning you can avoid many of the same mistakes when deploying SSO.

To mitigate some of the issues during deployment, Azure AD Connect employs strategic questions to
provide an easier deployment experience for synchronization and for sign-in. While you can choose to
deploy the tools separately, you also can use an optional part of Azure AD Connect to set up a hybrid
environment using an on-premises AD FS infrastructure. You then can use this part to address complex
deployments that include such things as domain-joined SSO, enforcement of Active Directory sign in
policy, and smart card or non-Microsoft MFA.

Configuring AD FS
The following list is of requirements that must be met before you can use Azure AD Connect to deploy
AD FS:

 A Windows Server 2012 R2 server for the federation server with remote management enabled.

 A Windows Server 2012 R2 server for the Web Application Proxy server with remote management
enabled.

 An SSL certificate for the federation service name that you intend to use (for example,
adfs.adatum.com).

You can use Azure AD Connect to deploy AD FS in the following scenarios:

 Create a new AD FS farm or use an existing AD FS farm. During deployment, you can specify an
existing AD FS farm or you can choose to create a new AD FS farm. If you choose to create a new
AD FS farm, you are required to provide the SSL certificate. If the SSL certificate is protected by a
password, you are prompted to provide the password.

 Deploy one or more AD FS federation servers. You can deploy one or more AD FS federation servers
by identifying the specific servers on which you want to install AD FS. The servers must be joined to
an Active Directory domain prior to performing this configuration. You can deploy additional AD FS
federation servers when you rerun Azure AD Connect, based on your capacity planning needs.

 Deploy one or more Web Application Proxy servers. You can deploy one or more Web Application
Proxy servers when you identify the specific servers on which you want to install the Web Application
Proxy. Since the Web Application Proxy is deployed in your perimeter network, the server running
Azure AD Connect requires remote access to the server. You can deploy additional Web Application
Proxy servers when you rerun Azure AD Connect, based on your capacity planning needs. If you
choose to deploy Web Application Proxy servers, you are required to provide the credentials of a
local admin on the AD FS federation server for the Web Application Proxy to request a certificate
from the AD FS federation server.

 Configure the AD FS service account. You can configure the domain service account that is required
by the AD FS federation service to authenticate users and look up user information in AD DS. You can
use this feature to configure the two types of service accounts supported by AD FS:

o gMSA. This type of service account allows AD FS to use a single service account without needing
to update the account password periodically. The gMSA requires a Windows Server 2012 domain
controller in the Active Directory domain to which the AD FS servers are joined. If you are logged
in as a domain administrator, Azure AD Connect will automatically create the gMSA.

o Domain User Account. Based on your company’s security policies, this type of service account
might require you to periodically update the password. With this option you can only select an
existing domain user account; Azure AD Connect does not create the domain user account if it
does not exist in AD DS.

 Configure the federated Azure AD domain. This configuration is used to set up the federation
relationship between your AD FS environment and Azure AD. It configures AD FS to issue security
tokens to Azure AD, and configures Azure AD to trust the tokens from AD FS federation service. While
this option limits you to configuring a single domain the first time you install Azure AD Connect, you
can configure additional domains at any time when you rerun the Azure AD Connect installation
wizard.

Configuring AD FS for federation with Office 365

After deploying the AD FS federation servers and the AD FS proxy servers or Web Application Proxy
servers, you must complete the following additional tasks to complete the AD FS federation
configuration:

 Set up DNS records for the AD FS federation service name (for example, adfs.adatum.com) on both the
intranet and the extranet. For the intranet DNS record, ensure that you use host (A) resource records and
not CNAME records. This is required for Windows Integrated Authentication to work properly from your
domain-joined computers.

 If you are deploying more than one AD FS server or Web Application Proxy server, ensure that you
have configured your load balancer and that the DNS records for the AD FS federation service name
point to the load balancer.

 For Windows Integrated Authentication to work properly for clients using Internet Explorer on your
intranet, ensure that the AD FS federation service name is added to the intranet zone in Internet
Explorer for each client. You can manage this through Group Policy deployed to all your domain-joined
computers.

Configure authentication mechanisms

When enabling the global authentication policy for AD FS, you can define the following options:

 Enable device authentication with Device Registration Service.

 Mandate the use of more secure authentication methods.

 Set MFA requirements.

MFA
You can specify an authentication policy at a global scope that is applicable to all applications and
services that are secured by AD FS. You also can set authentication policies for specific applications and
services (relying party trusts) that are secured by AD FS. If either the global authentication policy or the
relying party trust authentication policy requires MFA, MFA is triggered when the user tries to
authenticate to the relying party trust.
To configure MFA in AD FS you must:

 Specify the settings or conditions under which MFA is required:

o You can require MFA for specific users and groups in the Active Directory domain to which your
federation server is joined.

o You can require MFA for either registered (workplace joined) or unregistered (not workplace
joined) devices.

o You can require MFA when the access request for the protected resources comes from either the
extranet or the intranet.

 Select an additional authentication method:

o For extranet resources, Forms Authentication is selected by default. In addition, you also can
enable certificate authentication.

o For intranet resources, Windows Integrated Authentication is selected by default. In addition,
you also can enable forms authentication, or certificate authentication, or both.
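The conditions listed above, expressed as an additional authentication rule scoped to the Office 365 relying party trust, as an added example that is not part of the courseware. It assumes the relying party trust name Microsoft Office 365 Identity Platform (the name Azure AD Connect uses when it configures the federated domain) and a placeholder group SID that you must replace:

```powershell
# Added example (not from the courseware): require MFA for Office 365 when the request comes
# from the extranet or from a member of a designated group. Run on the primary AD FS server.
# Assumptions: relying party trust name 'Microsoft Office 365 Identity Platform';
# $AlwaysMfaGroupSid is a placeholder for the SID of the group that must always use MFA.
$RelyingParty      = 'Microsoft Office 365 Identity Platform'   # assumption
$AlwaysMfaGroupSid = 'S-1-5-21-<domain>-<rid>'                  # placeholder

# Fail closed: a rule built from an unfilled placeholder would silently match nobody.
if ($AlwaysMfaGroupSid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') {
    throw "Replace the placeholder in `$AlwaysMfaGroupSid with a real group SID."
}

# AD FS claim rule language. Each rule issues the multipleauthn authentication-method claim,
# which is what triggers the additional authentication (MFA) step for the request.
$mfaRules = @"
@RuleName = "Require MFA for requests from outside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");

@RuleName = "Require MFA for members of the designated group regardless of location"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$AlwaysMfaGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# Scope the rule to the relying party trust (per-application policy) rather than globally.
Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -AdditionalAuthenticationRules $mfaRules

# Review the result and the authentication methods currently enabled for each zone.
(Get-AdfsRelyingPartyTrust -Name $RelyingParty).AdditionalAuthenticationRules
Get-AdfsGlobalAuthenticationPolicy | Format-List PrimaryIntranetAuthenticationProvider,
    PrimaryExtranetAuthenticationProvider, AdditionalAuthenticationProvider
```

The rule only has an effect if at least one additional authentication provider (for example, certificate authentication or an MFA adapter) is enabled in the global authentication policy; otherwise AD FS has nothing to satisfy the multipleauthn requirement with and the sign-in fails.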

Enable Device Registration Service for Workplace Join

You can enable the Device Registration Service on your AD FS federation servers after installing and
configuring them. As discussed earlier in the module, part of the Device Registration Service enables
Workplace Join, which provides users’ supported devices with an onboarding mechanism for SSO and
conditional access to on-premises company resources.

To support Workplace Join, you must enable the Device Registration Service with the following Windows
PowerShell cmdlets:

# Run the following from one of the AD FS servers:
Enable-AdfsDeviceRegistration -PrepareActiveDirectory
# When prompted, use the gMSA credentials in the format domain\gMSA$
# Run the following on each node in the AD FS farm:
Enable-AdfsDeviceRegistration
# You should receive a message that device registration was successfully enabled

Configure conditional access control

Before enabling your users for SSO, you might need to assess whether all users should have access to
Office 365 in every scenario. Access control in AD FS is implemented with issuance authorization claim
rules, which issue permit or deny claims that determine whether a user or a group of users is allowed to
access Office 365 services. Authorization rules can only be set on relying party trusts, and the default
template options include:

 Permit All Users. When you use the Permit All Users rule template, all users will have access to the
relying party. However, you can use additional authorization rules to further restrict access.

 Permit access to users with this incoming claim. When you use the Permit or Deny Users Based on an
Incoming Claim rule template to create a rule and set the condition to permit, you can permit specific
users access to the relying party based on the type and value of an incoming claim. For example, you
can use this rule template to create a rule that will permit only users that have a group claim with a
value of Domain Users.

 Deny access to users with this incoming claim. When you use the Permit or Deny Users Based on an
Incoming Claim rule template to create a rule and set the condition to deny, you can deny users
access to the relying party based on the type and value of an incoming claim. For example, you can
use this rule template to create a rule that will deny all users that have a group claim with a value of
Domain Admins.

Note: If one rule permits a user to access the relying party, and another rule denies the user
access to the relying party, the deny overrides the permit and the user is denied access to the
relying party.

Just a few of the scenarios where you might configure conditional access control include:

 Block all extranet client access to Office 365.

 Block all extranet client access to Office 365, except for devices accessing Exchange Online for
Exchange ActiveSync.

 Block all extranet client access to Office 365, except for members of specific Active Directory groups.

 Permit access to Office 365, but only if the access request is coming from a workplace-joined device
that is registered to the user.

 Permit access to Office 365, but only if the user’s identity was validated with MFA.

 Permit access to Office 365, but only if the access request is coming from a workplace-joined device
that is registered to a user whose identity has been validated with MFA.

Note: For more information about limiting access to Office 365 services based on the
location of the client, refer to: http://aka.ms/gs1054.
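The third scenario above (block all extranet access to Office 365 except for members of a specific Active Directory group), written as issuance authorization rules for the Office 365 relying party trust, as an added example that is not part of the courseware. It assumes the relying party trust name Microsoft Office 365 Identity Platform and a placeholder group SID that you must replace:

```powershell
# Added example (not from the courseware): issuance authorization rules for the Office 365
# relying party trust that block extranet access except for members of one Active Directory
# group. Run on the primary AD FS server.
# Assumptions: relying party trust name 'Microsoft Office 365 Identity Platform';
# $ExtranetAllowedGroupSid is a placeholder for the SID of the permitted group.
$RelyingParty            = 'Microsoft Office 365 Identity Platform'   # assumption
$ExtranetAllowedGroupSid = 'S-1-5-21-<domain>-<rid>'                  # placeholder

# Fail closed: an unfilled placeholder would produce a deny rule that blocks every extranet user.
if ($ExtranetAllowedGroupSid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') {
    throw "Replace the placeholder in `$ExtranetAllowedGroupSid with a real group SID."
}

# Keep a copy of the current rules so the change can be rolled back.
$current = Get-AdfsRelyingPartyTrust -Name $RelyingParty
$backup  = Join-Path $env:TEMP ("O365-IssuanceAuthorizationRules-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
Set-Content -Path $backup -Value $current.IssuanceAuthorizationRules
Write-Host "Previous rules saved to $backup"

# Claim rule language: the insidecorporatenetwork claim is false for requests that arrived through
# the proxy; the groupsid claim carries the user's group membership.
$authRules = @"
@RuleName = "Deny extranet requests unless the user is in the permitted group"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$ExtranetAllowedGroupSid"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

@RuleName = "Permit all other users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# A deny claim always overrides a permit claim, so the order of the two rules does not matter.
Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -IssuanceAuthorizationRules $authRules

# Show what is now in effect.
(Get-AdfsRelyingPartyTrust -Name $RelyingParty).IssuanceAuthorizationRules
```

To roll back, pass the saved file with Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -IssuanceAuthorizationRulesFile $backup. Test the result with a pilot user inside and outside the corporate network before relying on it, because a mistake in the deny rule locks every external user out of Office 365.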

Best practices
Consider the following best practices when installing and managing AD FS proxies:

 AD FS Proxy should not be domain joined, as this would negate one of the key benefits of the AD FS
Proxy in providing a security separation between your on-premises AD DS and external clients.

 AD FS Proxy should be placed in the perimeter network and not in an internal LAN, to help ensure
the integrity of the security separation between internal AD DS and external clients.

 Use the AD FS Capacity Planning Sizing spreadsheet to ensure that your AD FS Proxies are able to
support the number of external clients that require authentication against the corporate AD DS.

 Design a high availability AD FS infrastructure that includes highly available proxies, to ensure that
external clients are always able to authenticate against the corporate AD DS.

 Verify that required ports are open on the firewall.

 Do not mix AD FS Proxy and other roles on the same server, to help ensure the availability and
security of AD FS.

 Develop test cases for all browsers, and for internal and external clients, to ensure that all users can
use SSO from all supported devices.

 Ensure that all hotfixes and the .NET Framework version are up to date.

 Ensure that certificates are configured correctly, and are exported and backed up to include the
private key.

Comparing federated identities and synchronized identities

To enable SSO with Office 365, you need to download and install the Microsoft Azure Active Directory
Module for Windows PowerShell. Once installed, you will use Windows PowerShell to configure your
Office 365 domain for federated authentication.

Install Azure AD Module for Windows PowerShell

The Azure AD Module for Windows PowerShell is a download that helps you manage your organization’s
data in Azure AD. This module installs a set of cmdlets to Windows PowerShell; you run those cmdlets to
set up SSO access to Azure AD, and in turn to all of the cloud services to which you are subscribed.

Additional Reading: For more information on how to download and install the cmdlets for
Azure AD Module for Windows PowerShell, refer to: http://aka.ms/lq99g4.

Deploy a trust between Azure AD and AD FS

Each domain that you want to federate must either be added as a federated domain, or converted from a
domain with standard authentication to federated authentication (also known as SSO domain). Adding or
converting a federated domain creates a trust between your federation service and your Office 365
tenant.

Note: Setting up the trust is a one-time operation, per domain. If your environment
includes a subdomain (for example, corp.adatum.com) in addition to a top-level domain (for
example, adatum.com), then you should add the top-level domain in your cloud service before
you add any subdomains. When the top-level domain is enabled for SSO, all subdomains are
automatically enabled as well.

When you convert an existing domain to a federated domain, every licensed user in Office 365 becomes a
federated user. This means your users will specify their existing on-premises AD DS credentials to access
their cloud services in Office 365. You should use one of the following procedures to configure your
federated trust with Office 365, depending on whether you need to add a new SSO domain or convert an
existing domain with standard authentication to federated authentication.
When adding a new domain as a federated domain, you should use the Windows PowerShell cmdlet
New-MsolFederatedDomain to enable support for SSO. You should issue all of the following cmdlets in
the Microsoft Azure Active Directory Module for Windows PowerShell as follows:

$cred = Get-Credential # Use your cloud service administrator account credentials.
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer <ADFSprimaryServer> # Not needed if run from the primary AD FS server
New-MsolFederatedDomain -DomainName <domainToAdd>
# Use the information provided by the results of the New-MsolFederatedDomain cmdlet
# to create the required DNS record. This verifies that you own the domain.
# Note that this may take up to 15 minutes to propagate, depending on your registrar.
# It can take up to 72 hours for changes to propagate through the system.
New-MsolFederatedDomain -DomainName <domainToAdd> # The same cmdlet finalizes the process

When converting an existing domain from a domain with standard authentication to federated
authentication, you use the Windows PowerShell cmdlet Convert-MsolDomainToFederated to enable
support for SSO. You should issue all of the following cmdlets in the Microsoft Azure Active Directory
Module for Windows PowerShell as follows:

$cred = Get-Credential # Use your cloud service administrator account credentials.
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer <ADFSprimaryServer> # Not needed if run from the primary AD FS server
Convert-MsolDomainToFederated -DomainName <domainToConvert>
# To verify that the conversion was successful, use the following
# to compare the settings on the AD FS server and in Azure AD:
Get-MsolFederationProperty -DomainName <domainToConvert>
# If the settings do not match, use the following to sync the settings:
Update-MsolFederatedDomain -DomainName <domainToConvert>

Note: If you need to support multiple top-level domains, you must use the
SupportMultipleDomain switch with the federated domain cmdlets. This includes
the New-MsolFederatedDomain cmdlet when adding an SSO domain, in addition to the
Convert-MsolDomainToFederated and Update-MsolFederatedDomain cmdlets when
converting to an SSO domain.

Managing an AD FS deployment

Although AD FS is deployed to support SSO without much administrative overhead, after you deploy
AD FS there are many management tasks that you might need to perform periodically. While there are
other tasks, here are a few of the most common.

Manage the certificate life cycle

To prevent issues from certificate expiration, the self-signed certificates that AD FS generates support
automatic rollover, which renews AD FS certificates once a year without manual intervention. This AD FS
process, called automatic certificate rollover, generates two new token-signing certificates every year. If
Office 365 is not updated with the new token-signing certificate, no user can sign in to and use Office 365,
because these certificates sign all assertions from the federation server. If an internal PKI is used to issue
the token-signing certificate, AD FS does not provide automatic certificate rollover, and therefore you
must manually renew certificates and update them in your Office 365 tenant.

You can use the AD FS Management console to view certificate expiration dates for the service
communications, token-decrypting, and token-signing certificates. In the console tree, expand Service,
and then click Certificates. You also can use Azure AD Module for Windows PowerShell to view certificate
details, when you use the Windows PowerShell cmdlet Get-ADFSCertificate.
If you prefer to use automatic certificate rollover for managing the life cycles of your certificates, you will
need to enable the feature in AD FS and install the Microsoft Office 365 Federation Metadata Update
Automation Installation Tool. This feature is enabled in AD FS with the Set-ADFSProperties Windows
PowerShell cmdlet. After installing the tool, you can use the Update-MsolFederatedDomain Windows
PowerShell cmdlet to automatically update the Office 365 service when the AD FS token-signing
certificate renews on an annual basis. This tool should be run as a daily scheduled task on the AD FS
server; otherwise, token-signing certificate renewal on the AD FS server must be monitored manually. The
update tool script scheduled task should only be run on one AD FS server in a federation server farm.

Additional Reading: To learn more about and download the Microsoft Office 365
Federation Metadata Update Automation Installation Tool, go to: http://aka.ms/i1hw8d.
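A monitoring script for the life-cycle tasks described above, as an added example that is not part of the courseware or of the Federation Metadata Update Automation Installation Tool. It reports the token-signing certificates and the rollover setting with Get-ADFSCertificate and Get-AdfsProperties, then compares the certificate Azure AD trusts with the one AD FS presents, using Get-MsolFederationProperty. The federated domain adatum.com is an assumption:

```powershell
# Added example (not from the courseware): report the AD FS token-signing certificates and
# check that the certificate Azure AD trusts still matches the one AD FS uses. Run on an AD FS
# server with the Azure AD (MSOnline) module installed. Assumptions: federated domain
# adatum.com; you have already run Connect-MsolService and Set-MsolADFSContext.
$Domain = 'adatum.com'   # assumption

function Get-AdfsTokenSigningStatus {
    # Rollover state comes from the farm properties, expiry from each token-signing certificate.
    $props = Get-AdfsProperties
    Get-AdfsCertificate -CertificateType Token-Signing | ForEach-Object {
        [pscustomobject]@{
            IsPrimary           = $_.IsPrimary
            Thumbprint          = $_.Thumbprint
            NotAfter            = $_.Certificate.NotAfter
            DaysRemaining       = [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays
            AutoRolloverEnabled = $props.AutoCertificateRollover
        }
    }
}

function Test-FederationCertificateInSync {
    param([Parameter(Mandatory)][string]$DomainName)
    # Get-MsolFederationProperty returns one object for the AD FS server and one for Azure AD.
    # If they disagree on the token-signing certificate, sign-in fails once the old one is retired.
    $props  = Get-MsolFederationProperty -DomainName $DomainName
    $thumbs = $props | ForEach-Object { $_.TokenSigningCertificate.Thumbprint } | Select-Object -Unique
    if (@($thumbs).Count -gt 1) {
        Write-Warning "Token-signing certificate differs between AD FS and Azure AD for $DomainName."
        Write-Warning "Run: Update-MsolFederatedDomain -DomainName $DomainName"
        return $false
    }
    return $true
}

$status = Get-AdfsTokenSigningStatus
$status | Format-Table -AutoSize
if (-not $status[0].AutoRolloverEnabled) {
    Write-Warning 'AutoCertificateRollover is disabled: renew token-signing certificates manually.'
}
$status | Where-Object { $_.DaysRemaining -lt 30 } | ForEach-Object {
    Write-Warning "Token-signing certificate $($_.Thumbprint) expires in $($_.DaysRemaining) days."
}
Test-FederationCertificateInSync -DomainName $Domain
```

Run it from a daily scheduled task on one federation server in the farm, the same placement the courseware recommends for the update tool, so that a newly generated certificate is noticed before AD FS promotes it to primary.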

Change the primary/secondary AD FS federation server

If you use WID as the AD FS data store, you can change the primary and secondary federation servers if
you use Azure AD Module for Windows PowerShell. This method allows you to change the database role
setting for the AD FS server, and then change the role.

For example, if you wanted to change the primary federation server AdfsServer1 to the secondary
federation server AdfsServer2 you would use the following procedure:

1. Identify the secondary federation server (AdfsServer2) that will become the primary federation server.

2. From the secondary federation server (AdfsServer2), at the Azure AD Module for Windows PowerShell
prompt, type the following command, and then press Enter:

Set-AdfsSyncProperties -Role PrimaryComputer

3. From the primary federation server (AdfsServer1), at the Azure AD Module for Windows PowerShell
prompt, type the following command, and then press Enter:

Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName AdfsServer2

The primary federation server becomes a secondary federation server with a read-only WID database, and
the secondary federation server becomes the primary federation server with a read/write WID database
from which other secondary federation servers retrieve their database copies.

Note: Switching AD FS federation server roles does not apply if SQL Server is used as the
AD FS configuration database store. This is because all AD FS federation servers have read/write
access to the SQL Server database.

Verifying SSO
After deploying SSO, you should verify that it is
working properly. Because SSO uses multiple
layers of services, systems and applications to
provide users with an SSO experience, you might
need to leverage various tools and methods to
validate the SSO functionality, and then diagnose
issues with more tools and methods, if required.

Deploy to pilot users first

Before you deploy SSO in your production environment, you should consider using a pilot group to
validate SSO. While performing a staged rollout of SSO is not possible because all users are enabled for
federation simultaneously, you can deploy SSO to a pilot group of production users from your production
Active Directory domain.

Pilot users should test various sign-in scenarios thoroughly to validate that SSO and the AD FS
deployment are properly deployed and ready for the remaining users in your production environment.
Some of these validations include pilot users accessing cloud services from browsers in addition to rich
client applications—for example, Microsoft Office 2016—in the following environments:

 From a domain-joined computer.

 From a non-domain-joined computer inside the corporate network.

 From a roaming domain-joined computer outside the corporate network.

 From the different operating systems that you use in your company.

 From a home computer.

 From an Internet kiosk (browser only).

 From a smartphone, for example a smartphone that uses Exchange ActiveSync.

Additional Reading: More information on how to pilot SSO in a production environment is
available at: http://aka.ms/exjg1q.

Verify with Microsoft Remote Connectivity Analyzer

The Microsoft Remote Connectivity Analyzer is a cloud-based, web service tool that enables you to run
connectivity diagnostics from servers in the cloud for testing common issues with Exchange, Lync and
Office 365.

Additional Reading: For more information about accessing the Microsoft RCA tool,
refer to: http://aka.ms/bz5gll.

Upon accessing the website, select the Office 365 tab, select Microsoft Single Sign-On, and then click
Next. Follow the screen prompts to perform the test. The analyzer validates your ability to sign in to the
cloud service with your on-premises AD DS credentials, and validates some basic AD FS configuration.

Verify with Microsoft Connectivity Analyzer tool

The Microsoft Connectivity Analyzer tool is a companion to the Microsoft Remote Connectivity Analyzer
website. This tool provides you with the ability to run connectivity diagnostics from your local computer
for five common connectivity symptoms. This allows you to run some of the same connectivity diagnostics
from within your corporate network. After you run the tool and save the results, the HTML report will look
familiar because it resembles the results from the RCA website.

You can access the Microsoft Connectivity Analyzer tool from the Microsoft Remote Connectivity Analyzer
website. Upon accessing the website, select the Client tab. The tool is available under the More Tools
section. One of the test scenarios of the tool is I can’t log on with Office Outlook. This test is equivalent
to the Microsoft Remote Connectivity Analyzer test for “Outlook Anywhere (RPC over HTTP),” and
includes an option to run the SSO test that is available on the Parameters page.

Verify federation service

Because SSO has a core dependency on AD FS, you might need to verify the Federation Service on the
AD FS server if you are experiencing issues with SSO in your environment. To verify that the federation
server is operational, use Event Viewer, and check for events with ID 100 in Applications and Services
Logs\AD FS\Admin. This event indicates that the federation server was able to communicate successfully
with the Federation Service.

In addition, you might need to verify access to the Federation Service on the AD FS server from another
computer. Using an Internet browser from a separate computer, try to navigate to the federation
metadata website. For example, if your federation service name is fs.adatum.com, try to navigate to
https://fs.adatum.com/federationmetadata/2007-06/federationmetadata.xml.

Note: If you have not imported the root CA certificate to this computer’s trusted root
certificates store you could receive a certificate error. If you click Continue to this web site (not
recommended), you should see the AD FS metadata.

Using an Internet browser from a separate computer, try to navigate to the IdP-initiated sign-in
page. For example, if your federation service name is fs.adatum.com, try to navigate to
http://fs.adatum.com/adfs/ls/idpinitiatedsignon.htm. This should display the AD FS sign-in page.

Note: If you have not imported the root CA certificate to this computer’s trusted root
certificates store, you could get a certificate error. If you click Continue to this web site (not
recommended), you should be able to sign in with domain\administrator credentials with no
errors.
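The checks in this topic scripted in Windows PowerShell, as an added example that is not part of the courseware. The first function runs on the AD FS server and looks for event ID 100 in the AD FS/Admin log; the second runs from a separate computer, fetches the federation metadata over HTTPS, extracts the advertised token-signing certificates, and requests the IdP-initiated sign-in page. It does not suppress certificate errors, because a certificate error at this point is exactly what users would see. The federation service name fs.adatum.com follows the examples above:

```powershell
# Added example (not from the courseware): verify the Federation Service from the AD FS server
# (event ID 100 in AD FS/Admin) and from a separate computer (federation metadata and the
# IdP-initiated sign-in page). Assumption: federation service name fs.adatum.com.

function Test-AdfsServiceEvent {
    # Event ID 100 means the federation server communicated successfully with the Federation Service.
    $ev = Get-WinEvent -LogName 'AD FS/Admin' -FilterXPath '*[System[EventID=100]]' `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($ev) { "OK: last event ID 100 at $($ev.TimeCreated)" }
    else     { 'WARNING: no event ID 100 found in AD FS/Admin' }
}

function Test-AdfsEndpoints {
    param([string]$FederationServiceName = 'fs.adatum.com')   # assumption

    # Certificate validation is deliberately left on: a certificate error is itself a finding,
    # since clients would hit the same error.
    $metadataUri = "https://$FederationServiceName/federationmetadata/2007-06/federationmetadata.xml"
    $signOnUri   = "https://$FederationServiceName/adfs/ls/idpinitiatedsignon.htm"

    $metadata = [xml](Invoke-WebRequest -Uri $metadataUri -UseBasicParsing).Content

    # Token-signing certificates advertised in the metadata. Compare these with what Office 365
    # trusts (Get-MsolFederationProperty) when diagnosing sign-in failures after a rollover.
    $signingThumbprints = $metadata.SelectNodes(
        "//*[local-name()='KeyDescriptor'][@use='signing']//*[local-name()='X509Certificate']") |
        ForEach-Object {
            $bytes = [Convert]::FromBase64String($_.InnerText)
            (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,$bytes)).Thumbprint
        } | Select-Object -Unique

    $signOn = Invoke-WebRequest -Uri $signOnUri -UseBasicParsing

    [pscustomobject]@{
        EntityId           = $metadata.EntityDescriptor.entityID
        SigningThumbprints = $signingThumbprints
        SignOnPageStatus   = $signOn.StatusCode   # 200 when the sign-in page is served
    }
}

Test-AdfsServiceEvent
Test-AdfsEndpoints -FederationServiceName 'fs.adatum.com'
```

Run Test-AdfsEndpoints from a client on the intranet and from one on the extranet: the two paths go through different servers (the federation farm directly and the proxy respectively), so a failure on only one side points at the load balancer, DNS records or proxy trust rather than at AD FS itself.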

Lab: Planning and configuring identity federation

Scenario
Directory synchronization is working well, and it has resolved the issue of managing user accounts in two
locations. However, the security group at A. Datum is concerned that users will be able to log on directly
to Office 365, which reduces their options for monitoring user logons. To ensure that all users will
authenticate using the on-premises AD DS domain, you have decided to implement AD FS.

Objectives
After completing this lab, you should be able to:

• Install and configure AD FS and Web Application Proxy.

• Configure SSO with Office 365.

• Verify that SSO is working.

Lab Setup
Estimated Time: 75 minutes

Virtual machines: 20347A-LON-DC1, 20347A-LON-DS1, 20347A-LON-WAP1, and 20347A-LON-CL1

User name: Adatum\Administrator, Adatum\Holly

Password: Pa$$w0rd

In all tasks, where you see references to Adatumyyxxxxx.onmicrosoft.com, replace Adatumyyxxxxx
with your unique Office 365 domain name provided to you by your instructor.
Where you see references to Adatumyyxxxxx.hostdomain.com, replace the Adatumyyxxxxx and
hostdomain with your unique UPN name provided to you by your instructor.

This lab requires the following virtual machines:

• LON-DC1

o Sign in as Adatum\Administrator using the password Pa$$w0rd

• LON-DS1

o Sign in as Adatum\Administrator using the password Pa$$w0rd

• LON-WAP1

o Sign in as LON-WAP1\Administrator using the password Pa$$w0rd

• LON-CL1

o Sign in as Adatum\Holly using the password Pa$$w0rd



Exercise 1: Deploying Active Directory Federation Services (AD FS) and Web Application Proxy

Scenario
A. Datum Corporation has decided to deploy AD FS and Web Application Proxy to provide SSO for Office
365. You will start the implementation by installing and configuring the AD FS and Web Application Proxy
roles.

The main tasks for this exercise are as follows:

1. Add DNS records required for AD FS.

2. Install and configure the AD FS server role.

3. Install the Web Application Proxy server role service.

4. Configure the Web Application Proxy server.

5. Verify that the AD FS server is working.

Task 1: Add DNS records required for AD FS

1. On LON-DS1, open Windows PowerShell, and run ipconfig. Record the server IP address.

2. On LON-DC1, open the DNS Manager.

3. In the Adatumyyxxxxx.hostdomain.com zone, create a host record with a blank name using the
external IP address provided to you by the hosting partner.

4. Create another host record with a blank name using the IP address for LON-DS1 that you recorded in
Step 1.

Task 2: Install and configure the AD FS server role

1. Sign in to the LON-DS1 virtual machine as ADATUM\Administrator with a password of Pa$$w0rd.

2. Run the following command to create the Key Distribution Service (KDS) root key, which generates
group Managed Service Account passwords for the account that will be used later in this lab.

# Lab shortcut: backdating EffectiveTime makes the key usable immediately instead of
# after the default 10-hour wait that allows the key to replicate to all domain controllers.
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

3. Use Server Manager to access the Add Roles and Features Wizard for installing the Active Directory
Federation Services server role.

4. After installing, in the Active Directory Federation Services Configuration Wizard, configure the
following settings:

o For the SSL Certificate, use the wildcard certificate provided by the hosting provider.

o For the Federation Service Name, type adatumyyxxxxx.hostdomain.com, replacing
adatumyyxxxxx with your unique Adatum domain name.

o For the Federation Service Display Name, type Adatum Corporation.

o Create a group managed service account named svc-ADFS.

o Use the Windows Internal Database as the configuration database.

5. Finish the configuration.


Task 3: Install the Web Application Proxy server role service


1. Sign in to the LON-WAP1 virtual machine as LON-WAP1\Administrator with a password of
Pa$$w0rd.

2. Use Server Manager to access the Add Roles and Features Wizard for installing the Web
Application Proxy role service from the Remote Access server role.

Task 4: Configure the Web Application Proxy server

1. On LON-WAP1, use Remote Access Management to open the Web Application Proxy Configuration
Wizard.

2. In the Web Application Proxy Configuration Wizard, on the Welcome page, click Next.

3. On the Federation Server page, use the following settings:

o Federation service name: adatumyyxxxxx.hostdomain.com, replacing adatumyyxxxxx with your
unique Adatum domain name.

o User name: Adatum\Administrator

o Password: Pa$$w0rd

4. Use the wildcard certificate provided by the hosting partner.

Task 5: Verify that the AD FS server is working

1. Switch to the LON-DS1 virtual machine.

2. Verify that Event ID 100 displays in Event Viewer.

3. Switch to the LON-DC1 virtual machine.

4. In Internet Explorer, open the following URL, replacing adatumyyxxxxx with your unique Adatum
domain name, to verify that the federation service is available:

https://Adatumyyxxxxx.hostdomain.com/adfs/fs/federationserverservice.asmx

Note: The expected output is a display of XML with the service description document. If
this page displays, then IIS on the federation server is operational and serving pages successfully.

Results: After completing this exercise, you should have deployed the AD FS server in a federation server
farm, and deployed the Web Application Proxy server to support AD FS.

Exercise 2: Configuring federation with Microsoft Office 365


Scenario
You need to complete the implementation of SSO by configuring federation between your on-premises
Active Directory domain and Office 365.

The main task for this exercise is as follows:

• Switch the Office 365 tenant to federated mode.

Task 1: Switch the Office 365 tenant to federated mode


1. On LON-DS1, connect to https://portal.office.com and sign in as
holly@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd. Connect to the new Office
365 admin center if necessary.

2. Change Holly’s user name to use Adatumyyxxxxx.onmicrosoft.com rather than
Adatumyyxxxxx.hostdomain.com. Holly cannot change the Adatumyyxxxxx.hostdomain.com to a
federated domain if she is logged in using an account from this domain.

3. Execute the following cmdlets in Windows PowerShell.

Set-ExecutionPolicy Unrestricted -Force
Import-Module MSOnline
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred
# Confirm the domain is listed and that its Authentication is still Managed
Get-MsolDomain
Convert-MsolDomainToFederated -DomainName Adatumyyxxxxx.hostdomain.com
# Display the AD FS issuer and sign-in URIs now registered with Office 365
Get-MsolFederationProperty -DomainName Adatumyyxxxxx.hostdomain.com

Results: After completing this exercise, you should have enabled a federation trust between your on-
premises Active Directory domain and Office 365 through your AD FS federation server, and you should
have converted your domain for federated authentication in Office 365.
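An added example, not part of the lab steps, that wraps the cmdlets from Task 1 with the checks the step text implies (the signed-in admin must not belong to the domain being converted, and the domain must be verified and still Managed) and confirms the result afterwards. It assumes the MSOnline module is installed on LON-DS1, keeps the lab’s Adatumyyxxxxx.hostdomain.com placeholder, and the function name Convert-LabDomainToFederated is mine.

```powershell
# Added example (not from the lab): Task 1 conversion with pre- and post-checks.
# Run on the AD FS server (LON-DS1), as the lab does, so the cmdlet can read the
# local AD FS configuration.
Import-Module MSOnline

function Convert-LabDomainToFederated {
    param(
        [Parameter(Mandatory)] [string]       $DomainName,       # e.g. Adatumyyxxxxx.hostdomain.com
        [Parameter(Mandatory)] [pscredential] $AdminCredential   # Holly@...onmicrosoft.com, per step 2
    )

    # Step 2 of the task: the account performing the conversion must not use a UPN
    # from the domain being converted, otherwise the conversion is refused.
    if ($AdminCredential.UserName -like "*@$DomainName") {
        throw "Sign in with an account outside $DomainName (for example the .onmicrosoft.com UPN)."
    }

    Connect-MsolService -Credential $AdminCredential

    # Only a verified domain that is still Managed can be converted.
    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Status -ne 'Verified') {
        throw "Domain $DomainName is not verified (status: $($domain.Status))."
    }
    if ($domain.Authentication -eq 'Federated') {
        Write-Warning "$DomainName is already federated; showing current federation settings."
        return Get-MsolFederationProperty -DomainName $DomainName
    }

    Convert-MsolDomainToFederated -DomainName $DomainName

    # Confirm the tenant now reports Federated, then show the AD FS issuer and
    # sign-in URIs it registered (the same output as the lab's last cmdlet).
    $after = Get-MsolDomain -DomainName $DomainName
    if ($after.Authentication -ne 'Federated') {
        throw "Conversion did not take effect for $DomainName (still $($after.Authentication))."
    }
    Get-MsolFederationProperty -DomainName $DomainName
}

# Usage: replace the placeholder with your lab domain and supply Holly's
# .onmicrosoft.com credential at the prompt.
Convert-LabDomainToFederated -DomainName 'Adatumyyxxxxx.hostdomain.com' -AdminCredential (Get-Credential)
```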

Exercise 3: Verifying single sign-on (SSO)


Scenario
You need to verify that identity federation is properly configured by verifying that SSO authentication is
successful for internal and external users.

The main tasks for this exercise are as follows:

1. Verify SSO for internal users.

2. Verify SSO for external users.

Task 1: Verify SSO for internal users


1. On LON-CL1, open Microsoft Edge and connect to https://portal.office.com.

2. Type brad@adyyxxxxx.hostdomain.com, and verify that you are redirected to the Adatum sign-in
page.

3. Sign in as Brad and verify that you can connect to Office 365.

4. Close Microsoft Edge.


Task 2: Verify SSO for external users


1. Open a Web browser on your local computer and navigate to https://login.microsoftonline.com.

2. Sign in with the following credentials:

o User name: Francisco@Adatumyyxxxxx.hostdomain.com

o Password: Pa$$w0rd

3. Verify that you are redirected to the Adatum Corporation sign-in page.

4. Review the Office 365 page for Francisco Chaves, and then close the Web browser window.

Results: After completing this exercise, you should have verified SSO authentication to Office 365 for a
user on your corporate network and for a user on your host computer that is connected to the Internet.

Lesson 4
Planning and implementing hybrid solutions (Optional)
After deploying your federation service to support Office 365 services, you can begin configuring your on-
premises services to integrate with Office 365. Many on-premises server products can be configured for a
hybrid deployment, including Exchange Server, Skype for Business Server, and SharePoint Server.

Lesson Objectives
After completing this lesson, you should be able to:

• Describe the hybrid solution for Exchange Server, and explain how to configure it.

• Describe the hybrid solution for Skype for Business Server, and explain how to configure it.

• Describe the hybrid solution for SharePoint Server, and explain how to configure it.

Overview of Exchange Server hybrid deployment


To provide the smoothest migration to the Office 365 environment, or to keep a mix of on-premises mail
users and Office 365 mail users for an extended period of time, you can configure an Exchange Server
hybrid deployment. A hybrid deployment provides a unified email experience for the organization,
enabling users with mailboxes in the on-premises Exchange Server environment and users with Exchange
Online mailboxes to find each other in the global address list, and to send, receive, and reply to email
regardless of which system is hosting their mailbox.

A hybrid deployment provides you with the ability to extend the administrative control that you have
currently with your existing on-premises Microsoft Exchange organization to the cloud. A hybrid
deployment provides the same look and feel of a single Exchange Server organization, but between an
on-premises Exchange Server 2013 organization and Exchange Online in Microsoft Office 365. In addition,
a hybrid deployment can serve as an intermediate step to moving completely to an Exchange Online
organization.

A hybrid deployment provides the following advantages:

Although not a requirement for hybrid deployments, we strongly recommend that you plan for SSO in
your on-premises organization to make the account authentication experience familiar for users in a
hybrid deployment. In addition to sparing users from signing in multiple times and remembering
additional passwords when accessing the Office 365 organization, SSO offers the following benefits:

• Exchange Online Archiving. When you deploy SSO in Exchange 2013 organizations, on-premises
Outlook users are prompted for their credentials when accessing archived content in the Exchange
Online organization for the first time. However, users can temporarily avoid future credential
prompting when they choose Save Password, in which case they are prompted for credentials again
only when their on-premises account password changes. If SSO is not deployed in Exchange 2013
organizations and Exchange Online Archiving is enabled, the on-premises UPN must match their
Exchange Online account, and users will always be prompted for their on-premises credentials when
accessing their archive.

• Policy control. You can control account policies through AD DS, which gives you the ability to
manage password policies, workstation restrictions, lockout controls, and more, without having to
perform additional tasks in the Office 365 organization.

• Access control. You can restrict access to Office 365 so that the services can be accessed through the
corporate environment, through online servers, or both.

• Reduced support calls. Forgotten passwords are a common source of support calls in all companies. If
users have fewer passwords to remember, they are less likely to forget them.

• Security. User identities and information are protected because all the servers and services used in
SSO are administered and controlled within the on-premises organization.

• Support for strong authentication. You can use strong authentication (also called two-factor
authentication) with Office 365. However, if you do use strong authentication, your users also must use
SSO. There are also some restrictions on the use of strong authentication.

Configuring Exchange Server hybrid deployment


A key tool to assist you when planning for an Exchange Server hybrid deployment is the Microsoft
Exchange Server Deployment Assistant. This web-based tool asks you questions about your current
environment and then generates a customized step-by-step list with any requirements. The Exchange
Server Deployment Assistant also guides you through the process of on-premises upgrades and new
installations, along with cloud-only deployments of Exchange Online and Office 365. The tool provides
support for four scenarios: Exchange Server 2016, Exchange Server 2013, Exchange Server 2010, and
cloud-only.

Exchange Server 2016 scenarios


The following deployment scenarios will be available for Exchange Server 2016:

• On-premises deployments include:

o New installation of Exchange Server 2016

o Upgrade from Exchange Server 2010 to Exchange Server 2016

o Upgrade from Exchange Server 2013 to Exchange Server 2016

o Upgrade from mixed Exchange Server 2010 and Exchange Server 2013 to Exchange Server 2016

Exchange Server 2013 scenarios

The following deployment scenarios are available for Exchange Server 2013:

• On-premises deployments include:

o New installation of Exchange Server 2013

o Upgrade from Exchange Server 2010 to Exchange Server 2013

o Upgrade from Exchange Server 2007 to Exchange Server 2013

o Upgrade from mixed Exchange Server 2007 and Exchange Server 2010 to Exchange Server 2013

• Hybrid deployments (on-premises plus Office 365) include:

o Exchange Server 2013 on-premises with Exchange Online

o Exchange Server 2010 on-premises with Exchange Online

o Exchange Server 2007 on-premises with Exchange Online

Exchange Server 2010 scenarios


The following deployment scenarios are available for Exchange Server 2010:

• On-premises deployments include:

o New installation of Exchange Server 2010

o Upgrade from Exchange Server 2007 to Exchange Server 2010

o Upgrade from Exchange Server 2003 to Exchange Server 2010

o Upgrade from mixed Exchange Server 2003 and Exchange Server 2007 to Exchange Server 2010

• Hybrid deployments (on-premises plus Office 365) include:

o Exchange Server 2010 on-premises with Exchange Online

o Exchange Server 2007 on-premises with Exchange Online

o Exchange Server 2003 on-premises with Exchange Online


Cloud-only scenarios

The following scenarios are available for migrating email to Exchange Online and Office 365:

• Exchange migrations:

o Cutover

o Staged

o IMAP

• Non-Microsoft migrations:

o IMAP

Exchange Server in a hybrid configuration has differing levels of compatibility with the various Office 365
tenant versions. This difference leads to specific requirements for the gateway server that provides the
connection to Exchange Online. The following table summarizes these requirements for the Exchange
Server hybrid version 15 (formerly Wave 15) tenant.

On-premises                      Exchange Server 2010 hybrid tenant   Exchange Server 2013 hybrid tenant

Exchange Server 2013 (CU1)       Not applicable                       Supported

Exchange Server 2010 SP3         Supported                            Supported***

Exchange Server 2010 SP2         Not Supported*                       Not supported

Exchange Server 2010 SP1         Not Supported*                       Not supported

Exchange Server 2007 SP3 RU10    Supported**                          Supported***

Exchange Server 2007 SP3         Not Supported                        Not supported

Exchange Server 2003 SP2         Supported**                          Not supported

* Tenant upgrade notification provided in the Exchange Management Console

** Requires at least one on-premises Exchange Server 2010 service pack 3 (SP3) server

*** Requires at least one on-premises Exchange Server 2013 cumulative update 1 (CU1) or later

Overview of Skype for Business hybrid


With Skype for Business hybrid deployments, some of your Skype for Business users can be registered
on-premises and other users in Skype for Business Online, with both sharing the same domain. This can
make it easier to provide Skype for Business services to users of your organization in different geographic
locations, or to users that are remote. You can use Skype for Business hybrid configurations as a
migration path to Office 365. You can configure Skype for Business Server deployments with both
Exchange Server 2010 and Exchange Server 2013, as well as SharePoint Server on-premises and online.

Integration with Exchange Server


The following table lists the features supported in a hybrid deployment when integrated with Exchange
Server.

Skype for Business on-premises with Exchange Server on-premises:

• Instant message (IM) and presence in Outlook
• Schedule and join online meetings through Outlook
• IM/presence in Outlook Web App
• Schedule and join online meetings through Outlook Web App
• IM/presence in mobile clients
• Join online meetings in mobile clients
• Publish status based on Outlook calendar free/busy information
• Contact list (via unified contacts store)
• High-resolution contact photos in Skype for Business 2015 client and Skype for Business Web App
• Meeting delegation
• Missed Conversations history and call logs are written to user’s Exchange mailbox
• Archiving content (IM and Meeting) in Exchange Server
• Search archived content
• Voicemail

Skype for Business on-premises with Exchange Online:

• IM/presence in Outlook
• Schedule and join online meetings through Outlook
• IM/presence in Outlook Web App
• Schedule and join online meetings from Outlook Web App
• IM/presence in mobile clients
• Join online meetings in mobile clients
• Publish status based on Outlook calendar free/busy information
• Contact list (via unified contacts store)
• High-resolution contact photos in Skype for Business 2015 client and Skype for Business Web App
• Meeting delegation
• Missed Conversations history and call logs are written to user’s Exchange mailbox
• Archiving content (IM and Meeting) in Exchange
• Search archived content
• Voicemail

Skype for Business Online with Exchange Server on-premises:

• IM/presence in Outlook
• Schedule and join online meetings through Outlook
• IM/presence in mobile clients
• Missed Conversations history and call logs are written to user’s Exchange mailbox
• High-resolution contact photo in Lync 2013 client
• Join online meetings in mobile clients
• Publish status based on Outlook calendar free/busy information
• Meeting delegation

Skype for Business Online with Exchange Online:

• IM/presence in Outlook
• Schedule and join online meetings through Outlook
• IM/presence in Outlook Web App
• Schedule and join online meetings from Outlook Web App
• IM/presence in mobile clients
• Join online meetings in mobile clients
• Publish status based on Outlook calendar free/busy information
• Missed Conversations history and call logs are written to user’s Exchange mailbox
• Contact list (via unified contacts store)
• High-resolution contact photos in Lync 2013, Skype for Business client, and Lync Web App
• Meeting delegation
• Archiving content (IM and Meeting) in Exchange
• Search archived content
• Voicemail

Integration with SharePoint Server


The following table lists the features supported in a hybrid deployment when integrated with SharePoint
Server.

Skype for Business Server with SharePoint on-premises:

• Skills search
• Presence in SharePoint Server on-premises

Skype for Business Server with SharePoint Online:

• Presence in SharePoint Online

Skype for Business Online with SharePoint on-premises:

• Presence in SharePoint Server

Skype for Business Online with SharePoint Online:

• Presence in SharePoint Online

Configuring Skype for Business hybrid deployment


To implement a hybrid Skype for Business deployment, you must complete the following prerequisite
steps:

1. Create a tenant account for Office 365 and enable Skype for Business Online. The first step in
enabling a hybrid Skype for Business deployment is to create a tenant account in Office 365. Ensure
that your subscription provides the Skype for Business features that you require.

2. Add your on-premises domain to the Office 365 tenant and verify ownership. When you set up Office
365, the default Skype for Business Online Session Initiation Protocol (SIP) address and Azure AD UPN
suffix will be in this format: mydomain.onmicrosoft.com. You can use this domain name when you
enable users for Skype for Business. However, this might be confusing for users and external contacts
because this is not the normal domain name that is used by internal users. To avoid this, you can add
your on-premises domain to the Office 365 subscription so that you can use the same domain name
when you enable online users and on-premises users.

3. Configure DNS resource records. All Skype for Business clients must connect to the on-premises
Skype for Business Server environment to determine whether a user is located in an on-premises pool
or in the cloud. This means that you must configure the following DNS resource records to reference
your on-premises deployment:

o Lyncdiscover.adatum.com

o _sip._tls.adatum.com

o _sipfederationtls._tcp.adatum.com

4. Deploy an Edge Server and enable federation. You must implement external access to your on-
premises Skype for Business deployment, and configure federation with external Skype for Business
organizations. You also must enable federation with external Skype for Business organizations on
your Skype for Business Online tenant.

5. Verify that the blocked and allowed domains for federation are identical in both the on-premises
environment and the online environment.

When you configure a Skype for Business hybrid deployment, you enable coexistence between your on-
premises deployment of Skype for Business Server and Skype for Business Online. The coexistence
includes the following features that you should consider:

• Directory synchronization. For the two Skype for Business environments to share the same SIP
domains, both environments need to be aware of all users and the home Front End pool for all users.
To enable this, you must configure directory synchronization so that user information synchronizes
from on-premises AD DS to Azure AD.

• User authentication. Depending on where users are located, they need to authenticate to the on-
premises Skype for Business Server environment or to the Skype for Business Online environment. To
simplify the user experience, you can configure SSO so that users’ domain credentials are used when
connecting to the Skype for Business Online environment as well. Deploying SSO requires you to
deploy some type of federation server in the on-premises environment.

• Skype for Business Edge Server deployment. You must configure a Skype for Business Edge Server
deployment before you enable hybrid mode. All communication that relates to Skype for Business
traverses an Edge Server deployment.

• Federation. A hybrid deployment uses federation to enable communication between the two Skype
for Business environments. You must enable an on-premises Skype for Business environment to allow
federation.

• Client connectivity. In a hybrid deployment, client computers and mobile devices will always connect
first to the on-premises Skype for Business environment, and then they will redirect to Skype for
Business Online, if the users are located on Skype for Business Online. To enable client connectivity, all
DNS resource records that clients use must point to the on-premises deployment.

Overview of SharePoint Server hybrid deployment


With a SharePoint Server hybrid deployment, productivity services in SharePoint Online are integrated
with on-premises SharePoint Server to provide unified functionality and access to data. For enterprises
that want to gradually move their existing on-premises SharePoint Server services to the cloud,
SharePoint Server 2013 hybrid provides a staged migration path by extending SharePoint Server
workloads to SharePoint Online.

A SharePoint Server hybrid environment enables trusted communications between SharePoint Online
and SharePoint Server 2013. When you have established this trust framework, you can configure
integrated functionality between services and features such as Search, Microsoft Business Connectivity
Services (BCS), and Duet Enterprise Online.

Cloud services such as SharePoint Online in Office 365 can be an attractive alternative to on-premises
SharePoint business solutions. However, for a variety of reasons, you might want or need to deploy
specific solutions in the cloud while maintaining your on-premises SharePoint Server 2013 farm. For
example, many enterprises must keep certain data and information systems on-premises or within their
geopolitical boundaries to satisfy compliance regulations or legal policies. Some enterprises might plan to
move their existing SharePoint Server 2013 content and services to the cloud gradually, using a staged
migration in which SharePoint Server 2013 workloads are moved to SharePoint Online one at a time.

SharePoint hybrid topologies


Microsoft supports three hybrid topologies for hybrid SharePoint solutions. The term hybrid topology
refers to the direction in which trusted connections can be established in a hybrid environment. Each
hybrid solution depends on a secure communications channel and a specific trust relationship between
SharePoint Server 2013 and SharePoint Online. For each solution, the hybrid infrastructure must be
configured with the components and supporting technologies that support the requirements of the
connection.

• One-way inbound. This option enables SharePoint Online to request data from a SharePoint Server
2013 web application. In order for inbound data connections to occur, a web application in
SharePoint Server 2013 must be published to the Internet with an Internet-routable URL.

• One-way outbound. This option supports only trusted connections from SharePoint Server 2013 to a
SharePoint Online web application. Because web applications in SharePoint Online are configured
already with an Internet-routable URL, SharePoint Server 2013 can connect directly through an
existing corporate firewall or forward proxy like any other request to an Internet server.

• Two-way. This option enables SharePoint Online to make authenticated connections to the on-
premises SharePoint Server 2013 farm and lets the on-premises SharePoint Server 2013 farm make
authenticated connections to SharePoint Online.

Configuring SharePoint Server deployment


At the architectural level, a SharePoint Server hybrid environment is created by configuring a mutual
trust relationship and common identity management provider between a SharePoint Online tenant and
a SharePoint Server 2013 farm. This architecture supports trusted service connections between the
on-premises and cloud SharePoint farms, which can exchange data and content when requested by an
authorized user. Depending on the topology and services that are configured, content in one
environment can be exposed and manipulated in the other environment through SharePoint apps, lists
and libraries, web parts, and Search applications.

SharePoint hybrid security


The security architecture of a SharePoint Server hybrid environment is built on multiple layers of trust and
service integration. The following list describes the trust relationships that you will configure during
deployment, and the solutions and functionality supported by SharePoint hybrid environments.

• Identity Management. Identity management in a hybrid environment is provided by Azure AD
Connect and either SSO or password synchronization through directory synchronization.

• Server-to-server authentication. When you set up server-to-server authentication for hybrid
environments, you create a trust relationship between your on-premises SharePoint Server farm and
your SharePoint Online tenant. This trust relationship, which enables trusted communications and data
exchange between SharePoint Server 2013 and SharePoint Online, is built on the Open Authorization
2.0 (OAuth 2.0) web authorization protocol, shared STS certificates, and Azure AD.

• Service Integration. Productivity service integration between SharePoint Server 2013 and SharePoint
Online services such as Search, Business Connectivity Services (BCS), and Duet Enterprise Online is
dependent on new features and integration support included in SharePoint Server 2013.

Service integration options


Hybrid functionality in SharePoint Server and SharePoint Online in Office 365 provides several different
options to extend your on-premises investment to the cloud by integrating services such as:

• Search.

o With outbound hybrid search, users will be able to see search results from Office 365 for
enterprises when they perform a search in SharePoint Server.

o With inbound hybrid search, users will be able to see search results from SharePoint Server 2013
when they perform a search in Office 365 for enterprises.

• Sites. With hybrid sites features, you can integrate parts of your site navigation between SharePoint
Server and Office 365 for enterprises.

• OneDrive for Business. With hybrid OneDrive for Business, users will be redirected to OneDrive for
Business in Office 365 when they click the OneDrive link in SharePoint Server.

• Business Connectivity Services (BCS). With hybrid BCS, you can leverage your existing BCS solutions to
allow connections to your SharePoint Server data sources from SharePoint Online.

• Duet Enterprise Online. With Duet Enterprise Online, users can view and change information that is
stored in third-party workflow applications from within SharePoint sites.

Module Review and Takeaways


Common Issues and Troubleshooting Tips
Common Issue                                                  Troubleshooting Tip

If the gMSA option is disabled during configuration of        Create the KDS root key with Add-KdsRootKey
AD FS, you might see an error message, such as “Group         before configuring AD FS (see Exercise 1,
Managed Service Accounts are not available because the        Task 2 of the lab).
KDS Root Key has not been set.”

Users are unable to authenticate with SSO after
subsequent directory synchronizations.

SPN for the service account is not created.

Users experience issues connecting to Microsoft Dynamics
CRM data internally after enabling SSO.

Review Question
Question: As you might have experienced, when a user authenticates to AD FS for accessing
online services, they are required to authenticate the first time. On subsequent attempts to
the same online services, they are not required to authenticate because the client will present
the same token again – up to the lifetime of the token.

While all clients (internal/external) will eventually have to request a new token, your
organization’s security policies require that external users request a new token at least once
every 5 minutes and internal users request a new token at least once every 10 minutes.

What settings or policies should you use to enforce this?

Real-world Issues and Scenarios


You might need to clear saved credentials during troubleshooting. From the client computer, use
Credential Manager, available from the Control Panel, to locate and remove the saved credentials.

Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.

Please work with your training provider to access the course evaluation form.

Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.

Module 1: Planning and provisioning Office 365


Lab: Provisioning Office 365
Exercise 1: Configuring an Office 365 tenant
 Task 1: Create the tenant account
1. On LON-CL1, logged on as Adatum\Holly, on the taskbar, click Microsoft Edge.

2. In the Address bar, type https://products.office.com/en-us/business/office-365-enterprise-e3-business-software and press Enter.

3. Click Free trial.

4. For Step 1, in the Welcome, let’s get to know you page, complete the following fields. Regardless of
your location, use the following information:

o Country: United Kingdom

o First name: Holly


o Last name: Dickson

o Business email address: (use your new Microsoft account that you created for this course)

o Business phone number: Your mobile phone number, including international code for your current
country

o Company name: A. Datum

o Organization size: 51-150 people


5. Click Next.

6. For Step 2, on the Create your user ID page, you have to create a unique domain for the Company
name to use in the course. Use the Adatumyyxxxxx name provided in the lab interface. For the rest of
the fields, use the following information:

o User name: Holly

o Company name: Adatumyyxxxxx (where yyxxxxx is your unique Adatum number)

o Password: Pa$$w0rd

o Confirm password: Pa$$w0rd

7. Click Next.
8. For Step 3, you have to confirm your identity using your mobile phone. Under Text me from the drop-
down box, select the code for the country that you are now in.

9. In the Phone number box, enter your correct mobile phone number.

10. Ensure that the Text me option is selected, and then click Text me.

11. When you receive the confirmation text on your mobile phone, enter the code provided in the Enter
your verification code box.

12. Click Create my account.

13. Wait until the Office 365 tenant is provisioned, and then click You’re ready to go….

14. Click the Admin tile to go to the Office 365 admin center. If a confirm your current password page
appears, click re-enter my password, and type Pa$$w0rd.

15. On the don’t lose access to your account! page, beside Authentication Phone is set to, verify that
your phone number is listed, and then click Verify.

16. Select your country, verify that your phone number is listed, and then click text me.

17. After receiving the text, enter the verification string, and click verify. If verify is not available, press
Enter.

18. On the don’t lose access to your account! page, beside Authentication Email is not configured,
click Set it up now.

19. Enter the Microsoft account email address that you configured for this course, and click email me.
20. Access your Microsoft account email to retrieve the verification code.

21. Enter the verification code, and then click verify. If verify is not available, press Enter, and then click
finish.
22. If a Manage Office 365 on the go page appears, close the page.

Note: If you are connected to the previous Office 365 admin center when you connect to
Office 365, click the banner at the top of the page to connect to the new admin center.

 Task 2: Verify Office 365 service health


1. Click Health on the left-hand menu, then click Service health to display the Service health dashboard.

2. In the left pane, view the status of the Office 365 services. If any service is showing a status other
than healthy, click the service.

3. Review any service interruption records or additional information in the status page.

Note: During Microsoft testing, on rare occasions Office 365 did not create the trial tenant
properly; as a result, the tenant did not have all the services available to it. If this happens to you,
you should create a new trial tenant using a different business email (Microsoft account).

4. Close Microsoft Edge.

5. If prompted, click Close all tabs.

Results: After completing this exercise, you should have successfully provisioned the Office 365 tenant
account for A. Datum Corporation.

Exercise 2: Configuring a custom domain


 Task 1: Add the custom domain
1. In LON-CL1, start Microsoft Edge and then browse to login.microsoftonline.com.

2. Sign in as Holly@Adatumyyxxxxx.onmicrosoft.com with the password Pa$$w0rd.

3. Click Admin.

4. In the left-hand menu, point to Settings and then click Domains.

5. Click Add domain.



6. In the New Domain window, in the text box, enter your domain name in the form of
Adatumyyxxxxx.hostdomain.com.

7. Click Next.

8. On the Verify domain page, click TXT record.

9. Write down the TXT record shown in the TXT value column. This entry will be similar to
MS=msXXXXXXXX. Record this value below:

MS=_______________________

10. Switch to LON-DC1.

11. On the toolbar, click Server Manager.

12. Click Tools, and then click DNS.

13. Expand LON-DC1, and click Forward Lookup Zones.


14. Right-click Forward Lookup Zones and click New Zone.

15. On the New Zone Wizard page, click Next.

16. On the Zone Type page, verify that Primary zone is selected. Clear the Store the zone in Active
Directory check box, and click Next.

17. On the Zone Name page, type Adatumyyxxxxx.hostdomain.com, and then click Next.

18. On the Zone File page, click Next.


19. On the Dynamic Update page, click Next, and then click Finish.

20. Expand Forward Lookup Zones, right-click Adatumyyxxxxx.hostdomain.com, and then click Other
New Records.
21. Under Select a resource record type, scroll down to Text (TXT), and then click Create Record.

22. In the New Resource Record box, leave the Record name field blank.

23. In the Text field, enter MS=msXXXXXXXX that you recorded in step 9.

24. Click OK to create the record.

25. In the Resource Record type dialog box, click Done.

26. Switch back to LON-CL1 and in the Office 365 Admin center, click Verify.
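The following script is an added example, not part of the lab, that performs steps 10 to 26 above from PowerShell on LON-DC1 using the DnsServer module (installed with the DNS Server role) and then checks that the record is actually served before you click Verify. It refuses a value that does not have the shape of an Office 365 verification token, so a value pasted from the wrong field is not published in DNS. The zone name and token are placeholders; substitute the values shown on your Domains page.

```powershell
# Added example (not from the lab). Run on LON-DC1 in an elevated PowerShell session.
function Add-O365DomainVerificationRecord {
    param(
        [Parameter(Mandatory)][string]$ZoneName,   # e.g. Adatumyyxxxxx.hostdomain.com
        [Parameter(Mandatory)][string]$Token       # the TXT value from step 9, MS=msXXXXXXXX
    )
    # Office 365 tokens are "MS=ms" followed by eight digits; anything else is a paste error.
    if ($Token -notmatch '^MS=ms\d{8}$') { throw "Unexpected verification token format: $Token" }

    # Steps 14 to 19: file-backed primary zone (the lab clears "Store the zone in Active Directory").
    if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" -DynamicUpdate None
    }

    # Steps 20 to 25: TXT record at the zone apex ("@" is the blank Record name in the GUI).
    $present = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name '@' -RRType Txt -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.DescriptiveText -eq $Token }
    if (-not $present) {
        Add-DnsServerResourceRecord -ZoneName $ZoneName -Txt -Name '@' -DescriptiveText $Token
    }

    # Pre-check for step 26: ask this server directly, bypassing the client cache, whether the
    # apex TXT record now carries the token. $true means Verify should succeed.
    $answer = Resolve-DnsName -Name $ZoneName -Type TXT -Server 127.0.0.1 -DnsOnly -ErrorAction Stop
    return [bool]($answer | Where-Object { $_.Strings -contains $Token })
}

# Placeholder values; replace with your zone name and the token recorded in step 9.
Add-O365DomainVerificationRecord -ZoneName 'Adatumyyxxxxx.hostdomain.com' -Token 'MS=ms00000000'
```

Office 365 verifies against the servers that are authoritative for the domain on the public Internet, so the check above only proves that LON-DC1 serves the record; it does not replace a query against the public name servers when the zone is hosted elsewhere.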

 Task 2: Complete the custom domain setup


1. On the Set up your online services page, accept the default setting of I’ll manage my own DNS
records, and then click Next.

2. On the Update DNS settings page, review the DNS records that you should add to the domain, select
the Skip this step check box, and click Skip.

3. Click Finish. The domain shows a warning icon because you did not verify the DNS records. You can
ignore this warning for now.

Results: After completing this exercise, you should have:

 Added a custom domain.

 Verified domain ownership.



Exercise 3: Exploring the Office 365 administrator interfaces


 Task 1: Explore the Office 365 admin center
1. On LON-CL1, in the Admin center, click Home.

2. On the left navigation menu, scroll down to explore all available items. Expand items such as Users,
Groups, Settings, and so on.

3. On the left navigation menu, expand Users, and then click Active users.

4. Review the users list.

5. On the left navigation menu, expand Health, and then click Message center, and then in the right
pane, review the messages.

6. Do not close the browser window.

 Task 2: Explore the Exchange admin center


1. On the left navigation menu, expand Admin centers, and then click Exchange.
2. A new tab will open displaying Exchange admin center.

3. On the left navigation menu, click each of the items, and review the results displayed on the right pane.

 Task 3: Explore the Skype for Business admin center


1. Click the portal.office.com tab.
2. On the left navigation menu, under Admin centers, click Skype for Business.

3. A new tab will open displaying Skype for Business admin center.

4. On the left navigation menu, click each of the items, and review the results displayed on the right pane.

 Task 4: Explore the SharePoint admin center


1. Click the portal.office.com tab.

2. On the left navigation menu, click Admin centers, and then click SharePoint.

3. A new tab will open displaying SharePoint admin center.

4. On the left navigation menu, click each of the items, and review the results displayed on the right pane.

5. Close Microsoft Edge.

Results: After completing this exercise, you should have explored the Office 365 administrative portals at
a high level.

 To prepare for the next module


Keep the virtual machines running for the lab in the next module.

Module 2: Managing Office 365 users and groups


Lab A: Managing Office 365 users and
passwords
Exercise 1: Managing Office 365 users and licenses by using the Office 365
admin center
 Task 1: Create Office 365 users
1. On LON-CL1, verify that you signed in as Adatum\Holly.

2. Open Microsoft Edge, and then browse to https://portal.office.com/.

3. Sign in as Holly@Adatumyyxxxxx.onmicrosoft.com, where yyxxxxx is your unique Adatum number,
with the password Pa$$w0rd.

4. On the Microsoft Office 365 portal, click Admin.

5. On the menu on the left side, expand Users, and then click Active Users.
6. Click the Add a user icon.

7. On the New User page, in the First name text box, type Lindsey.

8. In the Last name text box, type Gates.


9. If the Display name text box is not filled in automatically, type Lindsey Gates.

10. In the User name text box, type Lindsey.


11. Verify that Adatumyyxxxxx.hostdomain.com is listed in the text box after the at sign (@), where
yyxxxxx is your unique Adatum number, and then click Save.

12. On the User was added page, note the temporary password here: _________________
13. Click Close.

14. Repeat steps 6 to 13 to create the following users (for the User name, use the First name):

o Christie Thomas

o Amy Santiago

o Sallie McIntosh

o Francisco Chaves

15. Note their temporary passwords here:

o Christie Thomas _____________

o Amy Santiago _______________

o Sallie McIntosh ______________

o Francisco Chaves ____________



 Task 2: Edit Office 365 users


1. In the Office 365 admin center, in the Active Users list, click the Francisco Chaves user object.

2. On the right side, beside Display name, click Edit.

3. On the Edit contact information page, expand Contact information, and in the Department text
box, type Accounts, click Save, and then click Close.

4. On the right side menu, in the Sign in status section, click Edit. Select Blocked, click Save, and then
click Close. Close the page.

5. In the Active Users list, under Display name, click Francisco Chaves.

6. On the right side, beside Display name, click Edit.

7. Verify that the Department box displays Accounts, and then close the page.

8. Verify that Sign-in status is set to Blocked, and then close the page.

9. In the Active Users list, click the Lindsey Gates user object.
10. On the right side menu, click Delete user.

11. In the Delete user dialog box, click Yes, and then click Close.

12. In the left navigation pane, under Users, click Deleted Users.

13. Verify that Lindsey Gates is in this list.

14. In the Deleted Users list, select the Lindsey Gates check box.

15. On the toolbar, click Restore, and then on the Restore page, click Restore.
16. Note the new temporary password, and then click Close.

17. On the left navigation pane, under Users, click Active Users.

18. Verify that Lindsey Gates is in this list.

19. Close Microsoft Edge.

 Task 3: Verify user settings


1. On LON-CL1, open Microsoft Edge, and then browse to https://login.microsoftonline.com/.

2. Sign in as Lindsey@Adatumyyxxxxx.hostdomain.com with the temporary password that you noted
in the previous task.

3. If you are prompted to change your password, on the Update your password page, in the Old
password text box, type Lindsey’s temporary password.

4. In the New password and Confirm new password text boxes, type Pa$$w0rd, and then click Update
password and sign in.

5. If prompted, enter your new password again, and then click Sign in.

6. Verify that you can access the Office 365 portal home page.

7. If you did not get prompted to change your password when you signed in, click the Settings icon in
the top-right corner, and click Office 365 Settings.
8. On the Settings page, click Change my password.

9. In the Old password text box, type Lindsey’s temporary password.

10. In the New password and Confirm new password text boxes, type Pa$$w0rd, and then click
Submit.

11. Close Microsoft Edge.

12. Open Microsoft Edge, and then browse to https://login.microsoftonline.com/.

13. Sign in as Francisco@Adatumyyxxxxx.hostdomain.com with the temporary password that you
noted in the previous task.

14. On the Update password page, in the Old password text box, type the temporary password.
15. In the New password and Confirm new password text boxes, type Pa$$w0rd, and then click Update
password and sign in.

16. Verify that you cannot sign in.

17. Close Microsoft Edge.

18. Open Microsoft Edge, and then browse to https://login.microsoftonline.com/.

19. Sign in as holly@Adatumyyxxxxx.onmicrosoft.com with the password Pa$$w0rd.


20. On the Office 365 portal, click Admin.

21. On the left menu, expand Users, and then click Active Users.

22. In the Active Users list, click Francisco Chaves.

23. On the right side, in the Sign-in status section, click Edit.

24. On the Sign in status page, select Allowed, click Save, and then click Close.

25. Close Microsoft Edge.


26. Open Microsoft Edge, and then browse to https://login.microsoftonline.com/.

27. Sign in as Francisco@Adatumyyxxxxx.hostdomain.com with the temporary password that you
noted in the previous task.
28. On the Update password page, in the Old password text box, type the temporary password.

29. In the New password and Confirm new password text boxes, type Pa$$w0rd, and then click Update
password and sign in.
30. On the Sign in again page, type Pa$$w0rd as the password and click Sign in.

31. Verify that you can access the Office 365 portal.

32. Close Microsoft Edge.

Results: After completing this exercise, you should have created and managed user accounts and licenses
according to business needs.

Exercise 2: Managing Office 365 password policies


 Task 1: Configure the Office 365 password policy
1. Open Microsoft Edge, and then browse to https://login.microsoftonline.com/.

2. Sign in as Holly@Adatumyyxxxxx.onmicrosoft.com with the password Pa$$w0rd.

3. On the Office 365 portal, click Admin.

4. On the left side menu, click Settings, and then click Security.

5. Click Edit. In the Days before passwords expire text box, type 14.

Note: This setting does not correspond with a real-world scenario. Use it as a sample
scenario to verify the policy applied in the next exercise task.

6. In the Days before a user is notified about expiration box, leave the default value of 14, and then
click Save.

7. Verify that the “Password policy has been updated” message appears at the top of the page and then
click Close.

 Task 2: Validate the password policy


1. In the Office 365 admin center, on the top-right menu, click Holly, and then click Sign out.

2. On the Office 365 page, click Use another account.

3. Sign in as Lindsey@Adatumyyxxxxx.hostdomain.com, where yyxxxxx is your unique Adatum
number, with the password Pa$$w0rd.
4. On the upper-right side of the window, verify that the notification appears with the following
information: “Time to change your password. Your password will expire in 13 days.”

Note: You have now verified that your password policy is applied. In a real-world scenario,
after you verify that the password policy is applied, you would need to increase the number of
days before the password expires, according to your organizational policy.

5. Close Microsoft Edge.

Results: After completing this exercise, you should have configured and validated an Office 365 password
policy.

 Task: To prepare for the next lab


Keep the virtual machines running for the next lab in this module.

Lab B: Managing Office 365 groups and


administration
Exercise 1: Managing Office 365 groups
 Task 1: Create Office 365 security groups
1. On LON-CL1, open Microsoft Edge, and then browse to https://login.microsoftonline.com/.

2. Sign in as Holly@Adatumyyxxxxx.onmicrosoft.com, where yyxxxxx is your unique Adatum number,
with the password Pa$$w0rd.

3. In the Office 365 admin center, click Admin.

4. On the left side menu, expand Groups, click Groups, and then click the Add a group icon.

5. On the New Group page, in the Type drop-down box, click Security group, and in the Name text
box, type Sales.

6. In the Description text box, type Sales department users, click Add and then click Close.

7. Select the Sales check box, on the toolbar, expand the More menu, and then click Edit members.

8. On the Edit members page, in the search box, type Lindsey, wait until Lindsey Gates’s user object
appears, and then click Add.

9. In the same search text box, type Christie Thomas and then click Add.

10. Click Save, and then click Close.

11. Click Add a group.

12. On the New Group page, in the Type drop-down box, click Security group, and in the Name text
box, type Accounts.

13. In the Description text box, type Accounts Department users, click Add, and then click Close.

14. In the Members section, click Edit.


15. In the search box, type Francisco Chaves, and then click Add. In the search box, type Sallie McIntosh,
and then click Add.

16. Click Save, and then click Close twice.

 Task 2: Manage security groups


1. In the Office 365 admin center, verify that you can see the following groups:

o Sales

o Accounts
2. In the groups list, click the Sales group.

3. In the Members section, click Edit.

4. In the search box, type Amy Santiago, click Add, click Save, and then click Close.

5. Ensure that Amy Santiago is now listed under the Display name list.

6. Click Delete group.

7. On the Delete page, click Delete, and then click Close.

8. On the left side menu, click Users, and then click Active Users.

9. Confirm that Amy Santiago’s account still exists in the list of users.

Results: After completing this exercise, you should have created and managed security groups.

Exercise 2: Managing Office 365 users and groups by using Windows


PowerShell
 Task 1: Install Microsoft Azure Active Directory module for Windows PowerShell
1. On LON-CL1, open Microsoft Edge, and browse to http://aka.ms/t01i1o.

2. Under Microsoft Online Services Sign-In Assistant for IT Professionals RTW, click Download.
3. Select the en\msoidcl_64.msi check box, and then click Next.

4. When the download finishes, click Run.

5. In the Microsoft Online Services Sign-in Assistant Setup Wizard, on the License Terms page, click
I accept the terms in the License Agreement and Privacy Statement, and then click Install.

6. In the User Account Control dialog box, click Yes.

7. On the Completed the Microsoft Online Services Sign-in Assistant Setup Wizard page, click
Finish.

8. In Microsoft Edge, browse to http://aka.ms/siqtee.

9. After AdministrationConfig-en.msi finishes downloading, click Run.

10. In the Microsoft Azure Active Directory Module for Windows PowerShell Setup Wizard, on the
Welcome page, click Next.

11. On the License Terms page, click I accept the terms in the License Terms, and click Next.

12. On the Install Location page, click Next.

13. On the Ready to Install page, click Install.

14. In the User Account Control dialog box, click Yes.


15. On the Completing the Microsoft Azure Active Directory Module for Windows PowerShell Setup
page, click Finish.

 Task 2: Create new users and assign licenses by using Windows PowerShell
1. On LON-CL1, on the desktop, right-click the Windows Azure Active Directory Module for Windows
PowerShell shortcut, and then click Run as administrator.

2. If a User Account Control dialog box appears, click Yes.

3. At the command prompt, type the following command, and then press Enter:

Connect-msolservice

4. In the Enter Credentials dialog box, sign in as Holly@Adatumyyxxxxx.onmicrosoft.com, where
yyxxxxx is your unique Adatum number, with the password Pa$$w0rd.

5. At the command prompt, type the following command, and then press Enter; yyxxxxx is your unique
Adatum number:

New-MsolUser -UserPrincipalName Catherine@Adatumyyxxxxx.hostdomain.com -DisplayName "Catherine Richard" -FirstName "Catherine" -LastName "Richard" -Password 'Pa$$w0rd' -ForceChangePassword $false -UsageLocation "CH"

6. At the command prompt, type the following command, and then press Enter; yyxxxxx is your unique
Adatum number:

New-MsolUser -UserPrincipalName tameka@Adatumyyxxxxx.hostdomain.com -DisplayName "Tameka Reed" -FirstName "Tameka" -LastName "Reed" -Password 'Pa$$w0rd' -ForceChangePassword $false -UsageLocation "CH"

7. To determine which users are unlicensed, at the command prompt, type the following command, and
then press Enter:

Get-MsolUser -UnlicensedUsersOnly

8. To license Catherine Richard, at the command prompt, type the following command, and then press
Enter; replace Adatumyyxxxxx in the -AddLicenses attribute with the onmicrosoft.com domain
name provided by the hosting provider:

Set-MsolUserLicense -UserPrincipalName Catherine@Adatumyyxxxxx.hostdomain.com -AddLicenses "Adatumyyxxxxx:ENTERPRISEPACK"

9. To license Tameka Reed, at the command prompt, type the following command, and then press Enter;
replace Adatumyyxxxxx in the -AddLicenses attribute with the onmicrosoft.com domain name
provided by the hosting provider:

Set-MsolUserLicense -UserPrincipalName Tameka@Adatumyyxxxxx.hostdomain.com -AddLicenses "Adatumyyxxxxx:ENTERPRISEPACK"

10. To prevent a user from signing in, at the command prompt, type the following command, and then
press Enter; yyxxxxx is your unique Adatum number:

Set-MsolUser -UserPrincipalName Catherine@Adatumyyxxxxx.hostdomain.com -BlockCredential $true

11. To delete a user, at the command prompt, type the following command, and then press Enter; yyxxxxx
is your unique Adatum number:

Remove-MsolUser -UserPrincipalName Catherine@Adatumyyxxxxx.hostdomain.com -Force

12. To view the Deleted Users list, at the command prompt, type the following command, and then press
Enter:

Get-MsolUser -ReturnDeletedUsers

13. Verify that Catherine Richard is in the Deleted Users list. Note that it specifies that she is still licensed.

14. To restore a deleted user, at the command prompt, type the following command, and then press Enter;
yyxxxxx is your unique Adatum number:

Restore-MsolUser -UserPrincipalName Catherine@Adatumyyxxxxx.hostdomain.com



15. To view the Deleted Users list, at the command prompt, type the following command, and then press
Enter:

Get-MsolUser -ReturnDeletedUsers

16. Verify that Catherine Richard is no longer in the Deleted Users list.

17. To view the Active Users list, at the command prompt, type the following command, and then press
Enter:

Get-MsolUser

18. Verify that Catherine Richard is in the Active Users list.

19. To allow a user to sign in, at the command prompt, type the following command, and then press Enter;
yyxxxxx is your unique Adatum number:

Set-MsolUser -UserPrincipalName Catherine@Adatumyyxxxxx.hostdomain.com -BlockCredential $false

 Task 3: Modify existing users by using Windows PowerShell


1. On LON-CL1, on the taskbar, click File Explorer.

2. Navigate to C:\labfiles, right-click O365users.csv, point to Open with, and then click Notepad.
3. In Notepad, click Edit, and then click Replace.

4. In the Find what text box, type Adatumyyxxxxx.hostdomain.com.

5. In the Replace with text box, type your unique public domain name value, click Replace All.
6. In the Find what text box, type Adatumyyxxxxx:ENTERPRISEPACK.

7. In the Replace with text box, type your unique Adatumyyxxxxx value followed by :ENTERPRISEPACK,
and then click Replace All.

Note: Adatumyyxxxxx in this step must be the onmicrosoft.com domain name.

8. Close O365users.csv, and then in the Notepad message box, click Save.

9. To bulk import several users from a comma-separated value (CSV) file, copy and paste this code into
the Administrator: Windows Azure Active Directory Module for Windows PowerShell window on LON-
CL1, and then press Enter:

Import-Csv -Path C:\labfiles\O365Users.csv | ForEach-Object {
    New-MsolUser -UserPrincipalName $_.UPN -AlternateEmailAddresses $_.AltEmail `
        -FirstName $_.FirstName -LastName $_.LastName -DisplayName $_.DisplayName `
        -BlockCredential $false -ForceChangePassword $false `
        -LicenseAssignment $_.LicenseAssignment -Password $_.Password -PasswordNeverExpires $true `
        -Title $_.Title -Department $_.Department -Office $_.Office -PhoneNumber $_.PhoneNumber `
        -MobilePhone $_.MobilePhone -Fax $_.Fax -StreetAddress $_.StreetAddress -City $_.City `
        -State $_.State -PostalCode $_.PostalCode -Country $_.Country -UsageLocation $_.UsageLocation
}

10. To view the Active Users list, at the command prompt, type the following command, and then press
Enter:

Get-MsolUser

11. Switch back to Microsoft Edge, click Admin.

12. On the Home page, click Users.

13. Review the active users that you just imported.

14. On the Admin center menu, click Exchange.

15. Under recipients, click mailboxes and review the mailboxes and associated email addresses that were
created.
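The following script is an added example and is not the lab's own bulk-import command. It is a hardened variant of the step 9 import: no passwords are read from the CSV, each user receives a random temporary password generated with a cryptographic RNG, ForceChangePassword is set so that password is used once, and PasswordNeverExpires is left at $false so the tenant password policy applies. It assumes an open Connect-MsolService session when -Commit is used; without -Commit it only returns what it would create. The sample CSV row is constructed for the example (one name from the lab, column layout as in O365Users.csv without a Password column); to use the lab file, pass -CsvText (Get-Content -Raw C:\labfiles\O365Users.csv).

```powershell
# Added example (not from the lab). Generates a temporary password with a cryptographic RNG.
function New-RandomPassword {
    param([int]$Length = 16)
    # No 0/O or 1/l/I so the value can be read out over the phone; four character classes.
    $alphabet = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#$%&*+='
    $limit = 256 - (256 % $alphabet.Length)   # rejection sampling avoids modulo bias
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    do {
        $chars = New-Object System.Collections.Generic.List[char]
        while ($chars.Count -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
        }
        $pw = -join $chars
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '[0-9]' -and $pw -match '[^a-zA-Z0-9]')
    return $pw
}

function ConvertTo-MsolUserParameter {
    # Builds the New-MsolUser splat for one CSV row (column names as in O365Users.csv).
    param([Parameter(Mandatory)]$Row)
    if ($Row.UPN -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { throw "Invalid UPN '$($Row.UPN)'" }
    if ([string]::IsNullOrWhiteSpace($Row.UsageLocation)) {
        throw "UsageLocation missing for $($Row.UPN); a license cannot be assigned without it"
    }
    if ($Row.PSObject.Properties['Password']) {
        Write-Warning "Password column present for $($Row.UPN) and ignored; clear-text passwords do not belong in the CSV"
    }
    @{
        UserPrincipalName    = $Row.UPN
        DisplayName          = $Row.DisplayName
        FirstName            = $Row.FirstName
        LastName             = $Row.LastName
        Department           = $Row.Department
        UsageLocation        = $Row.UsageLocation
        LicenseAssignment    = $Row.LicenseAssignment
        Password             = New-RandomPassword
        ForceChangePassword  = $true    # the generated value is a one-time temporary password
        PasswordNeverExpires = $false   # the policy set with Set-MsolPasswordPolicy applies
        BlockCredential      = $false
    }
}

function Import-HardenedMsolUser {
    param([Parameter(Mandatory)][string]$CsvText, [switch]$Commit)
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        $p = ConvertTo-MsolUserParameter -Row $row
        if ($Commit) { New-MsolUser @p | Out-Null }
        # The temporary password is returned once, for out-of-band delivery; it is not written to disk.
        [pscustomobject]@{ UserPrincipalName = $p.UserPrincipalName; TemporaryPassword = $p.Password; Created = [bool]$Commit }
    }
}

# Constructed sample input in the O365Users.csv layout (no Password column).
$sampleCsv = @'
UPN,FirstName,LastName,DisplayName,Department,LicenseAssignment,UsageLocation
Nona@Adatumyyxxxxx.hostdomain.com,Nona,Snider,Nona Snider,IT,Adatumyyxxxxx:ENTERPRISEPACK,CH
'@
# Dry run. Add -Commit after Connect-MsolService to create the accounts.
Import-HardenedMsolUser -CsvText $sampleCsv | Format-Table -AutoSize
```

The lab's own CSV carries clear-text passwords and sets PasswordNeverExpires to $true; if you use that file, delete it after the import and run Task 5 step 3 to clear the never-expires flag.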

 Task 4: Configure groups and group membership by using Windows PowerShell


1. To create a Marketing group, at the command prompt, type the following command, and then press
Enter:

New-MsolGroup -DisplayName "Marketing" -Description "Marketing department users"

2. To configure a variable for the group, at the command prompt, type the following command, and then
press Enter:

$MktGrp = Get-MsolGroup | Where-Object {$_.DisplayName -eq "Marketing"}

3. To configure a variable for the first user account, at the command prompt, type the following
command, and then press Enter:

$Catherine = Get-MsolUser | Where-Object {$_.DisplayName -eq "Catherine Richard"}

4. To configure a variable for the second user account, at the command prompt, type the following
command, and then press Enter:

$Tameka = Get-MsolUser | Where-Object {$_.DisplayName -eq "Tameka Reed"}

5. To add Catherine Richard to the Marketing group, at the command prompt, type the following
command, and then press Enter:

Add-MsolGroupMember -GroupObjectId $MktGrp.ObjectId -GroupMemberType "User" -GroupMemberObjectId $Catherine.ObjectId

6. To add Tameka Reed to the Marketing group, at the command prompt, type the following command,
and then press Enter:

Add-MsolGroupMember -GroupObjectId $MktGrp.ObjectId -GroupMemberType "User" -GroupMemberObjectId $Tameka.ObjectId

7. To verify the members of the Marketing group, at the command prompt, type the following command,
and then press Enter:

Get-MsolGroupMember -GroupObjectId $MktGrp.ObjectId



 Task 5: Configure user passwords by using Windows PowerShell


1. At the command prompt, type the following command, and then press Enter; yyxxxxx is your unique
Adatum number:

Set-MsolPasswordPolicy -DomainName "Adatumyyxxxxx.onmicrosoft.com" -ValidityPeriod 90 -NotificationDays 14

2. At the command prompt, type the following command, and then press Enter; yyxxxxx is your unique
Adatum number:

Set-MsolUserPassword -UserPrincipalName "Tameka@adatumyyxxxxx.hostdomain.com" -NewPassword 'Pa$$w0rd123'

3. At the command prompt, type the following command, and then press Enter:

Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $false

Note: Without -All, Get-MsolUser returns at most 500 users, so in a larger tenant the policy would
not be applied to every account.

Results: After completing this exercise, you should have created new users, assigned licenses, modified
existing users, and configured groups and user passwords by using the Windows PowerShell command-line
interface.

Exercise 3: Configuring delegated administrators


 Task 1: Assign delegated administrators in the Office 365 admin center
1. On LON-CL1, open Microsoft Edge, and then browse to https://login.microsoftonline.com/.

2. Sign in as Holly@Adatumyyxxxxx.onmicrosoft.com, where yyxxxxx is your unique Adatum number,
with the password Pa$$w0rd.

3. In the Office 365 admin center, click Admin.

4. On the left-hand side, click USERS, click Active Users, and then double-click Francisco Chaves.

5. On the Francisco Chaves page, in the Roles section, click Edit.

6. Under Edit user role, click Customized administrator, select Billing administrator from the list, in
the Alternate email address text box, type user@alt.none, click Save, and then click Close.
7. In the list view, double-click Tameka Reed.

8. On the Tameka Reed page, in the Roles section, click Edit.

9. Under Edit user role, click Customized administrator, and then select Password administrator from
the list.

10. In the Alternative email address text box, type user@alt.none, click Save, and then click Close.

11. In the list view, double-click Christie Thomas.

12. On the Christie Thomas page, in the Roles section, click Edit.

13. Under Assign role, click Customized administrator, and then select User management
administrator from the list.

14. In the Alternative email address text box, type user@alt.none, click Save, and then click Close.

15. Close Microsoft Edge.



 Task 2: Manage delegated administration with Windows PowerShell


1. In the Windows PowerShell window, at the command prompt, type the following command, and then
press Enter:

Add-MsolRoleMember -RoleName "Service Support Administrator" -RoleMemberEmailAddress "Sallie@Adatumyyxxxxx.hostdomain.com"

2. At the command prompt, type the following command, and then press Enter:

Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "Nona@Adatumyyxxxxx.hostdomain.com"

3. At the command prompt, type the following command, and then press Enter:

$role = Get-MsolRole -RoleName "Service Support Administrator"

4. At the command prompt, type the following command, and then press Enter:

Get-MsolRoleMember -RoleObjectId $role.ObjectId

5. Verify that Sallie McIntosh is in the list of users who have the Service Support Administrator role.
6. At the command prompt, type the following command, and then press Enter:

$role = Get-MsolRole -RoleName "Billing Administrator"

7. At the command prompt, type the following command, and then press Enter:

Get-MsolRoleMember -RoleObjectId $role.ObjectId

8. Verify that Francisco Chaves is in the list of users who have the billing administrator role.
9. At the command prompt, type the following command, and then press Enter:

$role = Get-MsolRole -RoleName "Company Administrator"

10. At the command prompt, type the following command, and then press Enter:

Get-MsolRoleMember -RoleObjectId $role.ObjectId

11. Verify that Nona Snider is in the list of users who have the Company Administrator role. You should
also see Holly Dickson in the list.

12. At the command prompt, type the following command, and then press Enter:

Exit
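The steps above look up one role at a time. The script below is an added example, not part of the course, that uses the same MSOnline cmdlets to enumerate every role in the tenant with its members and to flag when the Company Administrator (Global Administrator) role has grown beyond a threshold. It assumes Connect-MsolService has already been run in the session; the role list in $highPrivilegeRoles and the $maxGlobalAdmins value are assumed policy choices, not values from the course.

```powershell
# Added example (not from the course): enumerate every Office 365 admin role
# and its members with the MSOnline module, then flag roles that should stay small.
# Assumes Connect-MsolService has already been run as a Company Administrator.
Import-Module MSOnline

# Roles whose membership deserves the closest review (assumed policy values).
$highPrivilegeRoles = @('Company Administrator', 'User Account Administrator')
$maxGlobalAdmins    = 4   # hypothetical threshold for this tenant

function Get-TenantRoleReport {
    foreach ($role in Get-MsolRole) {
        # Get-MsolRoleMember wants the role's ObjectId, exactly as in step 4 above.
        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
            [pscustomobject]@{
                Role           = $role.Name
                Member         = $member.EmailAddress
                DisplayName    = $member.DisplayName
                RoleMemberType = $member.RoleMemberType   # User or ServicePrincipal
                HighPrivilege  = $highPrivilegeRoles -contains $role.Name
            }
        }
    }
}

$report = Get-TenantRoleReport
$report | Sort-Object Role, Member | Format-Table -AutoSize

# Company Administrator count check: every extra member is another account whose
# compromise gives full control of the tenant.
$globalAdmins = @($report | Where-Object Role -eq 'Company Administrator')
if ($globalAdmins.Count -gt $maxGlobalAdmins) {
    Write-Warning ("{0} Company Administrators found; review whether each still needs the role." -f $globalAdmins.Count)
}

# Keep a dated copy as evidence for periodic access reviews.
$report | Export-Csv -Path (".\RoleMembership-{0:yyyyMMdd}.csv" -f (Get-Date)) -NoTypeInformation
```

Running this after the lab shows Holly Dickson and Nona Snider under Company Administrator, Sallie under Service Support Administrator and Francisco under Billing Administrator; in production the CSV is what you compare against the previous review to spot role assignments nobody requested.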

Task 3: Verify delegated administration

1. On the Office 365 page, sign out if needed and then sign in as
Tameka@Adatumyyxxxxx.hostdomain.com, where yyxxxxx is your unique Adatum number, with
the password Pa$$w0rd123.

2. On the Update your password page, in the Old password text box, type Pa$$w0rd123.

3. In the New password and Confirm new password text boxes, type Pa$$w0rd, and then click Update
password and sign in.

4. In the Office 365 portal, click Admin.



5. If prompted, sign in again as Tameka@Adatumyyxxxxx.hostdomain.com using the password
Pa$$w0rd.

6. On the don’t lose access to your account! page, click cancel.

7. If you are connected to the previous admin center, click the banner at the top of the page to connect
to the new admin center.

8. On the Home page, click Users.

9. Double-click Jessica Jennings. Note that you cannot perform any administrative tasks.

10. Click Reset passwords.

11. On the Reset passwords page, click Reset.

12. Write down the temporary password here for future reference, and then click Close:
______________________________

13. On the user account menu in the upper-right corner, click Tameka Reed, then click Sign out.

14. On the Office 365 page, sign in as Christie@Adatumyyxxxxx.hostdomain.com, where yyxxxxx is
your unique Adatum number, with the temporary password that you recorded in Lab A, Exercise 1.

15. Change Christie’s password to Pa$$w0rd.

16. In the Office 365 portal, click Admin.

17. If prompted, sign in again as Christie@Adatumyyxxxxx.hostdomain.com using the password
Pa$$w0rd.

18. On the don’t lose access to your account! page, click cancel.

19. If you are connected to the previous admin center, click the banner at the top of the page to connect
to the new admin center.

20. In the Office 365 admin center, on the Home page, click Users, and then double-click Jessica
Jennings.

21. On the Jessica Jennings page, in the Contact information section, click Edit.

22. In the Office Phone text box, type 555-1234, click Save, and then click Close.

23. In the Sign-in status section, click Edit, click Blocked, click Save, and then click Close.

24. In the Office 365 admin center, click Add a user.

25. In the First name text box, type Chris.

26. In the Last name text box, type Breland.

27. In the User name text box, type Chris, click Save, and then click Close.

28. In the Active Users list, click Chris Breland.

29. On the right side, click Delete user.


30. In the Message box, click Yes, and then click Close.

31. Close Microsoft Edge.

Results: After completing this exercise, you should have assigned delegated administrators in the Office
365 admin center, managed delegated administration with Windows PowerShell, and verified delegated
administration.

Module 4 is preceded by this module.
Module 3: Configuring client connectivity to Microsoft Office 365

Lab: Configuring client connectivity to Office 365

Exercise 1: Configuring DNS records for Office 365 clients

Task 1: Review the recommended DNS records in the Office 365 admin center

1. On LON-CL1, open Microsoft Edge.

2. Connect to http://login.microsoftonline.com, and then sign in as
holly@adatumyyxxxxx.onmicrosoft.com, replacing yyxxxxx with your unique Adatum number,
and with the password Pa$$w0rd.

3. In the Office 365 portal, click Admin.

4. In the Office 365 admin center, in the menu to the left, go to Settings, click Domains, and then review
the domain names assigned to the Adatum tenant.
5. In the Domains window, click Adatumyyxxxxx.hostdomain.com.

6. On the DNS errors page, review the records that need to be configured for your domain.

7. Leave the Microsoft Edge window open.

Task 2: Configure the DNS records for external clients

Configure DNS settings for Exchange Online

1. On LON-DC1, open Server Manager.

2. In Server Manager, click the Tools menu, and then click DNS.
3. In DNS Manager, expand LON-DC1, and then expand Forward Lookup Zones.

4. Click adatumyyxxxxx.hostdomain.com, right-click it, and then click New Alias (CNAME).

5. In the Alias name text box, type autodiscover as the alias name.
6. In the Fully qualified domain name (FQDN) for target host text box, type
autodiscover.outlook.com.

7. Click OK.

8. Right-click adatumyyxxxxx.hostdomain.com, and then click New Mail Exchanger (MX).

9. In the Mail Exchanger (MX) dialog box, in the Fully qualified domain name (FQDN) of mail server
text box, type adatumyyxxxxx-hostdomain-com.mail.protection.outlook.com.
10. Click OK.

Configure DNS settings for Skype for Business Online

1. On LON-DC1, right-click the adatumyyxxxxx.hostdomain.com zone, and then select Other New
Records.

2. In the Resource Record Type dialog box, scroll down the list, click Service Location, and then click
Create Record.

3. On the Service Location (SRV) tab, enter the following information, and then click OK:

o Service: _sip

o Protocol: _tls

o Priority: 100

o Weight: 1

o Port number: 443

o Host offering this service: sipdir.online.lync.com

o Time to live: 1 hour (default)


4. In the Resource Record Type dialog box, click Create Record.

5. On the Service Location (SRV) tab, enter the following information, and then click OK:

o Service: _sipfederationtls

o Protocol: _tcp

o Priority: 100

o Weight: 1
o Port number: 5061

o Host offering this service: sipfed.online.lync.com

o Time to live: 1 hour (default)


6. In the Resource Record Type dialog box, scroll back up the list, click Alias (CNAME), and then click
Create Record.

7. On the Alias (CNAME) tab, enter the following information, and then click OK:

o Alias name: sip

o Fully qualified domain name: sip.adatumyyxxxxx.hostdomain.com

o Fully qualified domain name (FQDN) for target host: sipdir.online.lync.com


o Time to live: 1 hour (default)

8. In the Resource Record Type dialog box, click Create Record.

9. On the Alias (CNAME) tab, enter the following information, and then click OK:

o Alias name: lyncdiscover

o Fully qualified domain name: lyncdiscover.adatumyyxxxxx.hostdomain.com

o Fully qualified domain name (FQDN) for target host: webdir.online.lync.com


o Time to live: 1 hour (default)

10. In the Resource Record Type dialog box, click Done.

11. Switch back to LON-CL1, and then in the Office 365 admin console, click Check DNS.
12. You should now see that most records are not listed anymore (you should see msoid,
enterpriseregistration, enterpriseenrollment and SPF records). Close the page.

13. In the top bar, click the Office 365 apps icon.

14. Click Mail.



15. On the Outlook page, select your time zone and click Save.

16. On LON-CL2, verify that you are signed in as Francisco.

17. Open Microsoft Edge, and then connect to https://login.microsoftonline.com.

18. Sign in as Francisco@adatumyyxxxxx.hostdomain.com by using the password Pa$$w0rd.

19. In the Office 365 portal, click Mail.

20. On the Outlook page, select your time zone and click Save.

21. In the upper-left corner, click the New button.

22. In the To text box, type Holly Dickson.


23. When the name resolves, note her instant message (IM) status. It might take a couple of minutes for
her status to update.

24. Click Holly Dickson in the To text box.


25. In the pop-up dialog box, click the IM icon on the right.

26. In the IM pop-up window, type a message, and then press Enter.

27. On LON-CL1, click the IM dialog box.

28. Reply to the IM. Note that you now can send IMs between the two users.

29. Close both the IM windows, and then close the Microsoft Edge windows on both virtual machines.

Results: After completing this exercise, you should have reviewed the recommended DNS records in the
Office 365 admin center, configured the DNS records for external clients, and configured the DNS records
for internal clients.
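The records reviewed in Task 1 and created by hand in DNS Manager in Task 2 can also be created and checked from Windows PowerShell. The script below is an added example, not part of the course, that uses the DnsServer module on LON-DC1 to add the same six records (Autodiscover CNAME, MX, the two Skype for Business SRV records and the sip and lyncdiscover CNAMEs) and then queries the local server for each to confirm it answers as expected. It assumes the zone already exists and that you replace yyxxxxx in $Zone with your Adatum number; the MX preference of 10 is the DNS Manager default that the lab leaves unchanged.

```powershell
# Added example (not from the course): create the lab's Exchange Online and
# Skype for Business Online DNS records with the DnsServer module and verify them.
# Run in an elevated session on LON-DC1; the zone must already exist.
$Zone     = 'adatumyyxxxxx.hostdomain.com'                         # replace yyxxxxx
$MxTarget = ($Zone -replace '\.', '-') + '.mail.protection.outlook.com'

# Exchange Online: Autodiscover CNAME and the MX record at the zone apex ("." = apex).
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'autodiscover' -HostNameAlias 'autodiscover.outlook.com'
Add-DnsServerResourceRecordMX    -ZoneName $Zone -Name '.' -MailExchange $MxTarget -Preference 10

# Skype for Business Online: SRV records for sign-in and federation, plus the CNAMEs.
Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name '_sip._tls'             -DomainName 'sipdir.online.lync.com' -Priority 100 -Weight 1 -Port 443
Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name '_sipfederationtls._tcp' -DomainName 'sipfed.online.lync.com' -Priority 100 -Weight 1 -Port 5061
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'sip'          -HostNameAlias 'sipdir.online.lync.com'
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'lyncdiscover' -HostNameAlias 'webdir.online.lync.com'

# Verification: ask the local DNS server for each record and compare the answer
# with the target Office 365 expects. Same list as the admin center's DNS page.
$expected = @(
    @{ Name = "autodiscover.$Zone";           Type = 'CNAME'; Target = 'autodiscover.outlook.com' }
    @{ Name = $Zone;                          Type = 'MX';    Target = $MxTarget }
    @{ Name = "_sip._tls.$Zone";              Type = 'SRV';   Target = 'sipdir.online.lync.com' }
    @{ Name = "_sipfederationtls._tcp.$Zone"; Type = 'SRV';   Target = 'sipfed.online.lync.com' }
    @{ Name = "sip.$Zone";                    Type = 'CNAME'; Target = 'sipdir.online.lync.com' }
    @{ Name = "lyncdiscover.$Zone";           Type = 'CNAME'; Target = 'webdir.online.lync.com' }
)

function Test-Office365DnsRecords {
    foreach ($r in $expected) {
        $answer = Resolve-DnsName -Name $r.Name -Type $r.Type -Server '127.0.0.1' -ErrorAction SilentlyContinue
        # The target lives in a different property for each record type.
        $target = switch ($r.Type) {
            'CNAME' { $answer.NameHost }
            'MX'    { $answer.NameExchange }
            'SRV'   { $answer.NameTarget }
        }
        [pscustomobject]@{
            Type   = $r.Type
            Name   = $r.Name
            Result = if ($target -contains $r.Target) { 'OK' } else { "MISSING (got: $($target -join ', '))" }
        }
    }
}

Test-Office365DnsRecords | Format-Table -AutoSize
```

The check only proves the records exist on LON-DC1; external clients resolve through the public zone, so the same six lookups should be repeated against a public resolver once the records have been published there, which is what the admin center's Check DNS button does for you in step 11.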

Exercise 2: Running the Office 365 connectivity analyzer tools

Task 1: Run the Microsoft Connectivity Analyzer tool

1. On LON-CL1, open Microsoft Edge.

2. In the address bar, type https://testconnectivity.microsoft.com/.

3. On the Microsoft Remote Connectivity Analyzer page, click the Office 365 tab.

4. On the Office 365 tab, click Office 365 Exchange Domain Name Server (DNS) Connectivity Test,
and then click Next.
5. Under Domain Name, type adatumyyxxxxx.hostdomain.com.

6. Under Verification, type the characters that you can see in the verification field, and then click Verify.

Note: The verification code is not case-sensitive.

7. Click Perform Test.

Note: If you receive a message about having performed too many tests in 60 seconds, wait
for a minute and then repeat the test.

8. When you see Connectivity Test Successful, under Test Details, expand Test Steps, and then review
the checks that were made against the Exchange Online domain.

9. Click Start Over.

10. On the Office 365 tab, click Office 365 Lync Domain Name Server (DNS) Connectivity Test, and
then click Next.

11. In the Sign-in address text box, type Francisco@adatumyyxxxxx.hostdomain.com, and then click
Perform Test.

Note: If you receive a message about having performed too many tests in 60 seconds, wait
for a minute and then repeat the test.

12. When you see Connectivity Test Successful, under Test Details, expand Test Steps, and then review
the checks that were made against the Skype for Business Online domain.

13. Click Start Over.

14. Under Microsoft Office Outlook Connectivity Tests, click Outlook Connectivity, and then click
Next.
15. On the Outlook Connectivity page, in the Email Address and Microsoft Account text boxes, type
Francisco@adatumyyxxxxx.hostdomain.com.

16. In the Password and Confirm password text boxes, type Pa$$w0rd.
17. Select Use Autodiscover to detect server settings.

18. Select I understand that I must use the credentials of a working account from my Exchange
domain to be able to test connectivity to it remotely. I also acknowledge that I am responsible
for the management and security of this account.

19. Click Perform Test.

20. When you see Connectivity Test Successful with Warnings, under Test Details, expand Test Steps,
and then review the checks that were made against Outlook Anywhere. Note in particular the
message that contains information about the Autodiscover steps that fail.

21. Under Run Test Again at the top-right corner of the window, note that you can copy this test to the
clipboard, or save it as an XML or HTML file.

Task 2: Run the Office 365 Client Performance Analyzer

1. In the Microsoft Connectivity Analyzer window, on the Client tab, in the Microsoft Office 365 Client
Performance Analyzer section, click Microsoft Office 365 Client Performance Analyzer.

2. In the Office 365 Client Performance Analyzer window, under Download and install Office 365 Client
Performance Analyzer, click here.

3. Wait for the download to finish, and then click Run.

4. In the User Account Control dialog box, click Yes.

5. In the Microsoft Office 365 Client Performance Analyzer window, click Accept, and then click Run
Exchange Analyzer.

6. In the pop-up window, type Francisco@adatumyyxxxxx.hostdomain.com, clear the Allow OCPA to
run in the background collecting diagnostics every few hours for you check box, and then click
OK.

7. Wait until Office 365 Client Performance Analyzer generates the results.

8. Review the results, and then click Show Trace Route Details.

9. Review the details, and then close the window.

Results: After completing this exercise, you should have:

o Run the Microsoft Connectivity Analyzer tool.

o Run the Office 365 Client Performance Analyzer tool.

Exercise 3: Connecting Office 2016 clients

Task 1: Verify that Outlook 2016 can connect to Office 365

1. On LON-CL1, start Outlook 2016.
2. On the Welcome to Outlook 2016 page, click Next.

3. On the Add an Email Account page, click Next.

4. On the Auto Account Setup page, type the following information, and then click Next:
o Your Name: Holly Dickson

o E-mail Address: Holly@adatumyyxxxxx.onmicrosoft.com

o Password: Pa$$w0rd

o Retype Password: Pa$$w0rd

5. In the Windows Security dialog box, type Pa$$w0rd as the password, select Remember my
credentials, and then click OK.
6. Verify that you are connected to Exchange Online, and then click Finish.

7. In the First things first dialog box, click Ask me later, and then click Accept.

8. On LON-CL2, repeat steps 1 through 7 using the following information:

o Your Name: Francisco Chaves

o E-mail Address: Francisco@adatumyyxxxxx.hostdomain.com

o Password: Pa$$w0rd

o Retype Password: Pa$$w0rd

Task 2: Verify that Skype for Business can connect to Office 365
1. On LON-CL1, start Skype for Business.

2. Close the Welcome - Skype for Business dialog box.


3. On the Skype for Business sign in page, type Holly@adatumyyxxxxx.onmicrosoft.com as the
Sign-in address, and then click Sign in.

4. On the second Sign in page, type Pa$$w0rd as the password, select Save my password, and click
Sign In.

5. Click Yes. In the Help Make Skype for Business Better! dialog box, click No. Verify that you are
connected to Skype for Business Online.

6. On LON-CL2, repeat steps 1 through 5 using the following information:

o Sign-in address: Francisco@adatumyyxxxxx.hostdomain.com

o Password: Pa$$w0rd

7. Keep the virtual machines running for the next module.

Results: After completing this exercise, you should have verified that Outlook 2016 can connect to
Office 365, verified that Skype for Business can connect to Office 365, and verified OneDrive for Business
connectivity to Office 365.

Module 4: Planning and configuring directory synchronization

Lab: Configuring directory synchronization

Exercise 1: Preparing for directory synchronization

Task 1: Configure UPN

1. Sign in to the LON-DC1 virtual machine as ADATUM\Administrator with a password of Pa$$word.

2. On the Start screen, click Administrative Tools, and then double-click Active Directory Domains
and Trusts.

3. In the Active Directory Domains and Trusts window, right-click Active Directory Domains and Trusts,
and then click Properties.

4. Select the UPN Suffixes tab, in the Alternative UPN suffixes: box, type
Adatumyyxxxxx.hostdomain.com, and then click Add.
5. Click OK.

6. On the Start screen, right-click Windows PowerShell, and then click Run as administrator.

7. At the Windows PowerShell prompt, type the following command, and then press Enter:

Get-ADUser -Filter * -Properties SamAccountName | foreach { Set-ADUser $_ -UserPrincipalName ($_.SamAccountName + "@Adatumyyxxxxx.hostdomain.com") }

Task 2: Prepare problem user accounts

1. On the LON-DC1, in the Windows PowerShell prompt, type the following command, and then press
Enter:

CD C:\labfiles\

2. At the Windows PowerShell prompt, type the following command, and then press Enter:

Set-ExecutionPolicy Unrestricted

3. To confirm the execution policy change, press Enter.

4. At the Windows PowerShell prompt, type the following command, and then press Enter:

.\CreateProblemUsers.ps1

Note: Wait until the script has completed before proceeding to the next step.

5. This Windows PowerShell script will make the following changes in AD DS:

o Amr Zaki. Add the "@" character to the beginning of "adatum" for the UserPrincipalName
attribute.

o Brad Sutton. Replace the existing string with "brad@adatum.com" for the emailAddress attribute.

o Don Funk. Replace the existing string with “brad@adatum.com” for the emailAddress attribute.
o Holly Dickson. Replace the existing string with “holly@adatum.com” for the emailAddress
attribute.

o Kelly Rollins. Replace the existing string with “ “ for the emailAddress attribute.

Task 3: Run the IdFix tool and fix identified issues

1. On LON-CL1, open Microsoft Edge and connect to https://www.microsoft.com
/en-us/download/details.aspx?id=36832.

2. On the IdFix DirSync Error Remediation Tool page, click Download.

3. Wait for the download to complete, and then click Open.

4. In the File Explorer windows, browse to the Downloads folder, right-click IdFix.zip, and then click
Extract All....
5. In the Extract Compressed (Zipped) Folders dialog box, in the destination box, type C:\Deployment
Tools\IdFix, and then click Extract.

6. In File Explorer, in the C:\Deployment Tools\IdFix folder, right-click IdFix, and then click Run as
administrator.

7. In the User Account Control dialog box, click Yes.

8. In the IdFix Privacy Statement message box, click OK.

9. Click Query. You should see a number of errors.

10. Click the ERROR column to sort the character errors to the top of the list.

Note: Ignore topleveldomain errors, which cannot be fixed by the IdFix tool.

11. In the Amr Zaki row, in the ACTION column, select EDIT.

12. In the Holly Dickson row, in the ACTION column, select EDIT.

13. In the Kelly Rollin row, in the ACTION column, select EDIT.

14. On the toolbar, click Apply.

15. In the Apply Pending dialog box, click Yes; note the COMPLETE status in the ACTION column
indicating successful writes.

16. Switch to File Explorer, and in the C:\Deployment Tools\IdFix folder, double-click Verbose <date>
<time>.txt to view the updated transactions in the transaction log.

17. Switch back to the IdFix tool.

18. On the toolbar, click Query.

19. Click in the UPDATE column to locate the Don Funk error, and replace the string with
don@adatum.com, and then in the ACTION column, select EDIT.

20. Click in the UPDATE column to locate the Kelly Rollin error, and replace the string with
kelly@adatum.com, and then in the ACTION column, select EDIT.

21. On the toolbar, click Apply.

22. In the Apply Pending box, click Yes.

23. On the toolbar, click Query and verify that no more errors are reported.

Note: Where there are format and duplicate errors for distinguished names, the UPDATE
column either contains the same string as the VALUE column, or the UPDATE column entry is
blank; in either case, this means that IdFix cannot suggest a remediation for the error. You can
either fix these errors outside IdFix, or manually remediate them within IdFix. You can also export
the results and use Windows PowerShell to remediate a large number of errors.
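The note above mentions using Windows PowerShell when IdFix cannot suggest a fix or when there are many errors. The script below is an added example, not part of the course or of IdFix, that reproduces three of the checks IdFix performs (userPrincipalName format, duplicate mail values, and a whitespace-only mail value) so you can run them before a synchronization. The $users sample is constructed to mirror the accounts that CreateProblemUsers.ps1 alters in Task 2; the commented Get-ADUser line is what you would use instead to scan a real domain. The character patterns are a simplification of IdFix's rules, not a copy of them.

```powershell
# Added example (not from the course): find the attribute problems that block
# directory synchronization (format, duplicate, blank) with PowerShell.
# Sample data is constructed to mirror the lab's CreateProblemUsers.ps1 changes.
$users = @(
    [pscustomobject]@{ SamAccountName = 'Amr';   UserPrincipalName = 'Amr@@adatum.com';  mail = 'amr@adatum.com'   }
    [pscustomobject]@{ SamAccountName = 'Brad';  UserPrincipalName = 'Brad@adatum.com';  mail = 'brad@adatum.com'  }
    [pscustomobject]@{ SamAccountName = 'Don';   UserPrincipalName = 'Don@adatum.com';   mail = 'brad@adatum.com'  }
    [pscustomobject]@{ SamAccountName = 'Kelly'; UserPrincipalName = 'Kelly@adatum.com'; mail = ' '                }
    [pscustomobject]@{ SamAccountName = 'Perry'; UserPrincipalName = 'Perry@adatum.com'; mail = 'perry@adatum.com' }
)
# Real domain instead of the sample:
# $users = Get-ADUser -Filter * -Properties mail, UserPrincipalName

function Test-DirSyncAttributes {
    param([Parameter(Mandatory)] [object[]] $Users)

    # Simplified allowed-character rules: letters, digits, a few punctuation
    # characters, exactly one "@", and a dotted domain part.
    $upnPattern  = "^[A-Za-z0-9'._!#^~-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+`$"
    $mailPattern = "^[A-Za-z0-9'._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+`$"

    # Count mail values once (case-insensitive) so duplicates are found in one pass.
    $mailCounts = @{}
    foreach ($u in $Users) {
        if (-not [string]::IsNullOrWhiteSpace($u.mail)) {
            $key = $u.mail.Trim().ToLowerInvariant()
            $mailCounts[$key] = 1 + [int]$mailCounts[$key]
        }
    }

    foreach ($u in $Users) {
        if ($u.UserPrincipalName -notmatch $upnPattern) {
            [pscustomobject]@{ User = $u.SamAccountName; Attribute = 'userPrincipalName'; Error = 'format'; Value = $u.UserPrincipalName }
        }
        if ($null -ne $u.mail -and [string]::IsNullOrWhiteSpace($u.mail)) {
            # Attribute is set but holds only whitespace, as the lab does for Kelly.
            [pscustomobject]@{ User = $u.SamAccountName; Attribute = 'mail'; Error = 'blank'; Value = $u.mail }
        }
        elseif ($u.mail -and $u.mail -notmatch $mailPattern) {
            [pscustomobject]@{ User = $u.SamAccountName; Attribute = 'mail'; Error = 'format'; Value = $u.mail }
        }
        elseif ($u.mail -and $mailCounts[$u.mail.Trim().ToLowerInvariant()] -gt 1) {
            [pscustomobject]@{ User = $u.SamAccountName; Attribute = 'mail'; Error = 'duplicate'; Value = $u.mail }
        }
    }
}

Test-DirSyncAttributes -Users $users | Format-Table -AutoSize
```

Run against the sample, the function reports the doubled "@" in Amr's UPN as a format error, Brad and Don as a mail duplicate, and Kelly's whitespace mail as blank; Perry passes. Unlike IdFix's Apply button the script changes nothing, which is the point: pipe its output to Export-Csv, decide the fix for each row, and only then write to AD DS with Set-ADUser.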

Task 4: Configure the Office 365 tenant for directory synchronization

1. On LON-CL1, on the desktop, double-click Windows Azure Active Directory Module for Windows
PowerShell.

2. At the Windows PowerShell prompt, type the following command, and then press Enter:

$msolcred = Get-Credential

3. In the Windows PowerShell Credential dialog box, enter
Holly@Adatumyyxxxxx.onmicrosoft.com in the User name box, enter Pa$$w0rd in the Password
box, and then click OK.

4. At the Windows PowerShell prompt, type the following command, and then press Enter:

Connect-MsolService -Credential $msolcred

5. At the Windows PowerShell prompt, type the following command, and then press Enter:

Set-MsolDirSyncEnabled -EnableDirSync $true -Force

Note: The -Force switch disables the confirmation dialog box.

Although you might have to wait up to 24 hours for activation to complete, you should be able to
continue.

6. At the Windows PowerShell prompt, type the following command, and then press Enter:

(Get-MsolCompanyInformation).DirectorySynchronizationEnabled

The output returns True if sync is enabled.

Note: It might take a few minutes to return True. Rerun the command until you see True
showing.

7. Switch to Microsoft Edge, and in the address box, type https://login.microsoftonline.com, and then
press Enter.

8. On the Sign-in page, in the Name box, select holly@Adatumyyxxxxx.OnMicrosoft.com. In the
Password box, type Pa$$w0rd, and then click Sign in.

9. Navigate to the Office 365 admin center.

10. In the Office 365 admin center, click Switch back to the old admin center to go to the previous
Office 365 admin center.

11. In the left navigation pane of previous Office365 admin center, click USERS, and then click Active
users.

12. To the right of Active Directory synchronization, verify that there is a Manage link (if activation was
not yet completed this link would say “Set up”). If there is no Manage, click Set up, and verify that,
under Activate Active Directory synchronization, the Active Directory Synchronization is
activated notice appears.

13. Click Admin on the toolbar, and then click the banner at the top of the windows to go back to the new
admin center.

Results: After completing this exercise, you will have resolved issues in AD DS identified by the IdFix tool
and you will have enabled Active Directory synchronization in Office 365.

Exercise 2: Configuring directory synchronization

Task 1: Download and install Azure AD Connect

1. Sign in to LON-DS1 as ADATUM\Administrator with a password of Pa$$word. If the Networks pane
appears, click Yes.

2. Click Start, and then click Internet Explorer.

3. If a Windows Internet Explorer 10 dialog box appears, select Use recommended security and
compatibility settings, and then click OK.
4. In the Address box, type https://portal.microsoftonline.com, and then press Enter.

5. On the Sign in page, in the Name box, type holly@Adatumyyxxxxx.OnMicrosoft.com.

6. In the Password box, type Pa$$w0rd, and then click Sign in.
7. Navigate to the Office 365 admin center. If you are connected to the previous Admin center, click the
banner at the top of the window to connect to the new Admin center.

8. In the left side menu, click Users, and then click Active Users.

Note: If you see the Active Directory synchronization is being activated warning, you can
ignore it at this time, but you will not be able to run directory synchronization later in this exercise.
You must wait until directory synchronization is activated. However, you can complete the
following steps, even if you do see the warning message.

9. Click Holly Dickson.

10. On the Holly Dickson page, click Edit in the Email addresses section.

11. Next to Email address, select adatumyyxxxxx.hostdomain.com from the drop-down list box, and
then click Save.

12. Click Close.

13. Close Internet Explorer.



14. Open Internet Explorer.

15. If a Windows Internet Explorer 10 dialog box appears, select Use recommended security and
compatibility settings, and then click OK.

16. In the Address box, type https://portal.microsoftonline.com, and then press Enter.

17. Sign in as holly@Adatumyyxxxxx.hostdomain.com, using the password Pa$$w0rd.


18. Navigate to the Office 365 admin center, click Switch back to the old admin center.

19. In the previous Office365 admin center, in the left side menu, click USERS, and then click Active Users.

20. To the right of Active Directory synchronization, click Manage (or if Active Directory
synchronization has not yet completed, click Set up).

21. Under the Directory Sync client version, click Upgrade.

Note: You will automatically be redirected to the Microsoft Azure Active Directory Connect
download page.

22. Click the Tools icon in the top-right corner, and click Internet Options.

23. On the Security tab, click Custom level.


24. In the Security Settings – Internet Zone dialog box, under File download, click Enable, and then
click OK.

25. Click Yes, and then click OK.

26. On the Microsoft Azure Active Directory Connect download page in Internet Explorer, click
Download.

27. In the Internet Explorer notification bar, click Save as, browse to C:\Labfiles, and then click Save. If the
LabFiles folder does not exist, create it.

28. When the download has completed, in the Internet Explorer notification bar, click Open folder.

29. In File Explorer, right-click AzureADConnect.msi, and then click Install.


30. In the Microsoft Azure Active Directory Connect wizard, on the Welcome page, click I agree to the
license terms and privacy notice, and then click Continue.

31. On the Express Settings page, click Customize.

32. Leave the Microsoft Azure Active Directory Connect wizard open for the next task.

Task 2: Run the Azure AD Connect tool with custom settings

1. On the Install required components page, leave all the check boxes cleared, and click Install.

2. On the User Sign-in page, click Password Synchronization, and click Next.
3. On the Connect to Azure AD page, enter the following credentials, and then click Next:

o User name: holly@Adatumyyxxxxx.hostdomain.com

o Password: Pa$$w0rd

4. On the Connect your directories page, enter the following credentials, click Add Directory, and then
click Next:

o User name: ADATUM\Administrator

o Password: Pa$$w0rd

5. On the Domain and OU filtering page, click Sync selected domains and OUs, expand Adatum.com,
clear all check boxes for the child containers except for the IT check box, and then click Next.

6. On the Uniquely identifying your users page, click Next.

7. On the Filter users and devices page, verify that Synchronize all users and devices is selected, and
then click Next.

8. On the Optional Features page, leave the default options, and then click Next.

9. On the Ready to configure page, review the features that will be installed. Ensure that Start the
synchronization process as soon as the initial configuration completes is not selected, and then
click Install.

Note: The installation process will take approximately 10 minutes to complete.

10. Once the installation completes, on the Configuration complete page, click Exit.

11. On the Start screen, sign out of LON-DS1, and then sign back in as Adatum\Administrator with the
password Pa$$w0rd.

Note: Because Adatum\administrator was used to install Azure AD Connect, it will be
automatically added to the ADSyncAdmins group, and you need to sign out for the Kerberos
token to be updated. Otherwise, if you use a different user account to install Azure AD Connect,
you will need to manually add the Azure AD Connect admin to the local ADSyncAdmins group on
LON-DS1.

Task 3: Configure synchronization service filtering for organizational units

1. On LON-DS1, click Start, open the all apps list (arrow icon), and then click Synchronization Service.
2. In Synchronization Service Manager, click the Connectors tab.

3. On the Connectors tab, double-click Adatum.com.

4. In the Properties dialog box, click Configure Directory Partitions.


5. Click Containers.

6. In the Credentials dialog box, enter the following credentials, and then click OK:

o User name: Administrator

o Password: Pa$$w0rd

o Domain: Adatum.com

Note: Although this account is not the one used for directory synchronization, you use the
account credentials temporarily to access AD DS for configuring filtering.

7. In the Select Containers dialog box, select the Research check box, verify that IT is selected, and then
click OK.
8. Click OK to close the Properties dialog box.

Task 4: Configure synchronization service filtering for object attributes

1. On LON-DS1, open the Start screen, and then click Synchronization Rules Editor.

2. In Synchronization Rules Editor, in Rule Types, click Inbound, and then click Add new rule.

3. In the Create inbound synchronization rule dialog box, in the Name box, type In from AD – User
DoNotSyncFilter.

4. For Connected System, select Adatum.com.


5. For Connected System Object Type, select user.

6. For Metaverse Object Type, select person.

7. For Link Type, select Join.

8. For Precedence, type 50.

9. Click Next.

10. In the Create inbound synchronization rule dialog box, on the Scoping filter tab, click Add Group,
and then click Add Clause.

11. In Add scoping filters:

o For Attribute, select msDS-cloudExtensionAttribute15.

o For Operator, select EQUAL.

o For Value, type NoSync.

12. Click Next.

13. On the Add join rules page, click Next.

14. On the Add transformations page, click Add transformation:

o For FlowType, select Constant.


o For Target Attribute, select cloudFiltered.

15. In the Source text box, type True.

16. To save the rule, click Add, and then close Synchronization Rules Editor window.
17. Open Windows PowerShell from the taskbar. In Windows PowerShell, type the following command,
and then press Enter. The initial synchronization can take several minutes to complete. Leave the
Windows PowerShell window open.

Start-ADSyncSyncCycle -PolicyType Initial
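The rule created in this task only does something once an account carries the attribute value the scoping filter looks for. The script below is an added example, not part of the course, that exercises the rule from the command line on LON-DS1: it tags an on-premises account with msDS-cloudExtensionAttribute15 = NoSync, runs a delta synchronization, waits for the cycle to finish, and then checks with Get-MsolUser that the account has left Office 365. It assumes the RSAT Active Directory module is available on LON-DS1, Azure AD Connect 1.1 or later (for Get-ADSyncScheduler), that Connect-MsolService has been run, and that the account name in $sam is a user inside a synchronized OU; the 30-second poll interval and 10-minute cap are assumed values.

```powershell
# Added example (not from the course): mark a user so the
# "In from AD - User DoNotSyncFilter" rule sets cloudFiltered = True,
# then run a delta sync and confirm the user is no longer in Office 365.
Import-Module ActiveDirectory
Import-Module ADSync

$sam = 'Perry'   # assumed example account inside a synchronized OU

# Set-ADUser -Replace writes any LDAP attribute by name, so the custom
# extension attribute used by the scoping filter needs no special handling.
Set-ADUser -Identity $sam -Replace @{ 'msDS-cloudExtensionAttribute15' = 'NoSync' }
Get-ADUser -Identity $sam -Properties 'msDS-cloudExtensionAttribute15' |
    Select-Object SamAccountName, UserPrincipalName, 'msDS-cloudExtensionAttribute15'

# A delta cycle is enough: only changed objects are re-evaluated against the rules.
Start-ADSyncSyncCycle -PolicyType Delta

# Wait for the scheduler to report the cycle finished (assumed 30 s poll, 10 min cap).
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
} while ((Get-ADSyncScheduler).SyncCycleInProgress -and (Get-Date) -lt $deadline)

# A user that falls out of scope is removed from Azure AD (soft-deleted, so it can
# be restored if the tag was a mistake).
$upn   = (Get-ADUser -Identity $sam).UserPrincipalName
$cloud = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
if ($cloud) { "$upn is still present in Office 365; check the rule's precedence and scope." }
else        { "$upn is now filtered out of Office 365." }

# To reverse the change, clear the attribute and run another delta cycle:
# Set-ADUser -Identity $sam -Clear 'msDS-cloudExtensionAttribute15'
# Start-ADSyncSyncCycle -PolicyType Delta
```

Attribute filtering of this kind is useful for service and admin accounts that should never exist in the cloud directory, but because any account operator who can write the attribute can also pull an account out of Office 365, audit writes to msDS-cloudExtensionAttribute15 the same way you audit group membership changes.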

Task 5: Verify that synchronization was successful

1. Ensure that you are signed in to the LON-DS1 as ADATUM\Administrator with a password of
Pa$$word.

2. Open Internet Explorer, and browse to http://aka.ms/siqtee.

3. After AdministrationConfig-en.msi finishes downloading, click Run.

4. In the Microsoft Azure Active Directory Module for Windows PowerShell Setup Wizard, on the
Welcome page, click Next.
5. On the License Terms page, click I accept the terms in the License Terms, and click Next.

6. On the Install Location page, click Next.



7. On the Ready to Install page, click Install.

8. On the Completing the Microsoft Azure Active Directory Module for Windows PowerShell Setup
page, click Finish.

9. On the Start screen, click the down arrow, and click Synchronization Service.

10. In Synchronization Service Manager on LON-DS1, click Operations.


11. In the Connector Operations list, click the line at the top of the list, and then review the Start Time,
End Time, and the Status.

12. Verify the connector has a Start Time and End Time that aligns with the last time synchronization was
initiated in the previous task.

13. On the taskbar, right-click Windows PowerShell, and then select Run as Administrator.

14. At the Windows PowerShell prompt, type the following commands, and press Enter after each:

Import-Module MSOnline
Connect-MsolService

15. In the Enter Credentials dialog box, enter the following credentials, and then click OK:
o User name: holly@Adatumyyxxxxx.hostdomain.com

o Password: Pa$$w0rd

16. At the Windows PowerShell prompt, type the following command, and then press Enter:

Get-MsolCompanyInformation | fl LastDirSyncTime

17. Verify the LastDirSyncTime aligns with the last time synchronization was initiated in the previous task.

18. On the Start screen, open Internet Explorer, and then type
https://portal.office.com/admin/default.aspx in the address bar.
19. On the Sign-in page, sign in by using the following credentials:

o User name: holly@Adatumyyxxxxx.hostdomain.com

o Password: Pa$$w0rd

20. In the Office 365 admin center, switch back to the old Office365 admin center by clicking Switch
back to the old admin center.

21. In the previous admin center, in the left navigation pane, click USERS, and then click Active Users.

22. Verify that the Last synced less than an hour ago message appears.

23. In the Active users list, note that your on-premises accounts from the selected OUs now have a status
of Synced with Active Directory.

Results: After completing this exercise, you will have installed Azure AD Connect with customized settings.
Upon completion of the installation, you will start directory synchronization to Office 365 and have verified
that synchronization was successful.

Exercise 3: Managing Active Directory users and groups


Task 1: Create a new user and group account
1. On LON-DC1, in Server Manager, click Administrative Tools, and then click Active Directory Users
and Computers.

2. In the console tree, expand Adatum.com, right-click Research, click New, and then click User.

3. In the First name box, type Perry.

4. In the Last name box, type Brill.

5. In the User logon name box, type Perry, select your lab domain UPN (not Adatum.com), and then
click Next.

6. In the Password and Confirm password boxes, type Pa$$w0rd, clear the User must change
password at next logon check box, select the Password never expires check box, click Next, and
then click Finish.

7. In the Research OU user list, double-click the Perry Brill user.

8. In the Properties dialog box, in the E-mail box, type Perry@Adatumyyxxxxx.hostdomain.com, and
then click OK.

9. In the console tree, right-click the Research OU, click New, and then click Group.

10. In the New Object – Group window, in the Group name: box, type Project Team, click Universal, click
Distribution, and then click OK.

11. In the Research OU, double-click the Project Team group.

12. In the Properties dialog box, in the E-mail box, type projectteam@Adatumyyxxxxx.hostdomain.com.

13. On the Members tab, click Add.

14. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter the
object names to select, type the following names, and then click Check Names:

o Chris Sells

o Lukas Keller

o Sabine Royant

15. Click OK twice.

Task 2: Move a user out of the scope of synchronization


1. On LON-DS1, at the Windows PowerShell prompt, type the following command, and then press Enter:

Get-MsolUser -Search Josh

2. Verify that the user Josh Bailey is listed in Office 365.

3. On LON-DC1, in Active Directory Users and Computers, move Josh Bailey from the Research OU to the
Sales OU, by right-clicking Josh Bailey in the Research OU user list, and then clicking Move and
selecting Sales OU. Click OK.

Task 3: Move a user into the scope of synchronization


1. On LON-DC1, ensure that Active Directory Users and Computers is open.

2. In the console tree, if needed, expand Adatum.com, and then click Marketing.

3. Right-click David So, and click Move.

4. In the Move dialog box, expand Adatum.com, click Research, and then click OK.

Task 4: Change group membership


1. In the console tree of Active Directory Users and Computers, click Research.

2. In the right pane, double-click Research.

3. In the Research Properties dialog box, click the Members tab.

4. Select the following three users and click Remove. In the confirmation dialog box, click Yes.

o Allie Bellew

o Anil Elison

o Aziz Hassouneh

5. Click OK.

Task 5: Force synchronization


1. On LON-DS1, from the taskbar, right-click the Windows PowerShell shortcut, and then click Run as
administrator.

Note: If a User Account Control dialog box appears, click Yes.

2. At the Windows PowerShell prompt, type the following, and then press Enter:

Start-ADSyncSyncCycle -PolicyType Delta

Note: The Delta switch is used here so that only the updates are synchronized.

3. Wait until synchronization has completed before proceeding to the next task.

Task 6: Validate the results of directory synchronization


1. To verify the new user you created, on LON-CL1, open the Office 365 Admin Center in Microsoft Edge
by typing https://portal.office.com/admin/default.aspx in the address bar.

2. Sign in using the following credentials:

o User name: holly@Adatumyyxxxxx.hostdomain.com

o Password: Pa$$w0rd

3. If you are connected to the previous Office 365 admin center, click that banner at the top of the page
to connect to the new Office 365 admin center.

4. In the Office 365 Admin Center, in the left navigation, click Users, and then click Active Users.

5. In the Active Users list, verify that Perry Brill has a status of Synced with Active Directory.

Note: You might need to wait up to 10 minutes before the account appears. Refresh the list
until you see Perry Brill’s account.

6. In the Active Users list, click Perry Brill.

7. Under the Product licenses section, click Edit.

8. On the Product licenses page, in the Location drop-down menu, select United States, and then click
the icon next to Office 365 Enterprise E3.

9. Click Assign, and then click Close.

10. Repeat steps 5-8 to assign an Office 365 license for user David So.

11. To verify the new group you created, in Office 365 admin center, in the left navigation, click Groups
and then click Groups.

12. In the Groups list, verify that the Project Team appears.

Note: You might need to wait up to 10 minutes before the group appears. Refresh the list
until you see the object.

13. In the Groups list, select the Project Team group.

Note: In the right pane, notice that Edit Members is unavailable. This is because group
membership is maintained by Active Directory. To view the membership, you need to use
Windows PowerShell.

14. On LON-DS1, in Windows PowerShell, type the following command, and then press Enter:

Get-MsolGroup

15. Verify that you see Research and Project Team groups. Copy the ObjectID value for these two groups.

16. To verify the group you updated membership in AD DS, type the following command at the Windows
PowerShell prompt, and then press Enter:

Get-MsolGroupMember -GroupObjectId <ObjectID for Research group>

17. Verify the membership of the group does not contain the users removed in AD DS. The users who were
removed from the group are:
o Allie Bellew

o Anil Elison

o Aziz Hassouneh

18. To verify the user you moved out of the scope of synchronization, Josh Bailey, type the following
command at the Windows PowerShell prompt, and then press Enter:

Get-MsolUser -Search Josh



19. At the Windows PowerShell prompt, type the following command, and then press Enter:

Get-MsolAccountSku

Note: The number of ConsumedUnits is now less than before.

20. Leave the virtual machines running for the next lab.
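The checks in steps 14-19 above, and the LastDirSyncTime check from Exercise 2, can be run as one script. The following is an added example and is not part of the 20347A lab text; it assumes an existing Connect-MsolService session on LON-DS1 and uses the lab's own object names (Perry, David, Josh, Research and the three removed members). The 60-minute freshness threshold is an assumption chosen for the lab; the 30-day recycle-bin retention for deleted Azure AD users is the service default.

```powershell
# Added example; not part of the 20347A lab text. Run on LON-DS1 after the delta
# sync in Task 5 to verify the outcome of Tasks 1-4 in one pass. Assumes a
# Connect-MsolService session; the object names are the lab's.
Import-Module MSOnline

function Test-LabDirSync {
    $report = [ordered]@{}

    # 1. Freshness of the last sync. The Azure AD Connect scheduler runs every
    #    30 minutes by default, so an age of hours means the scheduler is off or
    #    the export step is failing, not merely "still running".
    $company = Get-MsolCompanyInformation
    $ageMin  = [int]((Get-Date).ToUniversalTime() - $company.LastDirSyncTime).TotalMinutes
    $report['DirSyncEnabled'] = $company.DirectorySynchronizationEnabled
    $report['LastSyncAgeMin'] = $ageMin
    if ($ageMin -gt 60) { Write-Warning "Last directory sync was $ageMin minutes ago" }  # assumed threshold

    # 2. Users expected IN scope (Perry was created, David was moved in) must be
    #    synced objects: ImmutableId holds the on-premises objectGUID. A cloud-only
    #    object with the same name points at a matching problem, not a sync delay.
    foreach ($prefix in 'Perry', 'David') {
        $u = @(Get-MsolUser -SearchString $prefix) | Select-Object -First 1
        if (-not $u)                 { $state = 'MISSING' }
        elseif (-not $u.ImmutableId) { $state = 'CLOUD-ONLY (not synced)' }
        else                         { $state = 'Synced at ' + $u.LastDirSyncTime.ToString('u') }
        $report["User $prefix"] = $state
    }

    # 3. A user moved OUT of scope (Josh) is deleted from Azure AD rather than left
    #    as a stale account. The object sits in the recycle bin for 30 days and
    #    its license is released, which is the ConsumedUnits drop noted in step 19.
    $report['Josh active']  = [bool](Get-MsolUser -SearchString 'Josh')
    $report['Josh deleted'] = [bool](Get-MsolUser -ReturnDeletedUsers -SearchString 'Josh')

    # 4. Group membership is mastered in AD DS, so the members removed in Task 4
    #    must no longer appear in the cloud copy of Research.
    $removed  = 'Allie Bellew', 'Anil Elison', 'Aziz Hassouneh'
    $research = Get-MsolGroup -SearchString 'Research' | Select-Object -First 1
    $members  = @(Get-MsolGroupMember -GroupObjectId $research.ObjectId -All |
                  Select-Object -ExpandProperty DisplayName)
    $stale    = @($removed | Where-Object { $members -contains $_ })
    $report['Research stale members'] = if ($stale.Count) { $stale -join ', ' } else { 'none' }

    # 5. License consumption per SKU (the Get-MsolAccountSku check in step 19).
    $report['Licenses'] = (Get-MsolAccountSku |
        ForEach-Object { "$($_.AccountSkuId): $($_.ConsumedUnits)/$($_.ActiveUnits)" }) -join '; '

    [pscustomobject]$report
}

Test-LabDirSync | Format-List
```

A cloud-only result for Perry or David is the case to investigate first: it means an object with that name exists in Azure AD but was not produced by synchronization, so licence assignment and later moves will not follow the on-premises account.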

Results: After completing this exercise, you will have identified how managing user and group accounts
has changed with directory synchronization.

Module 5: Planning and deploying Office 365 ProPlus


Lab: Managing Office 365 ProPlus installations
Exercise 1: Preparing an Office 365 ProPlus managed installation
Task 1: Download the Office 365 deployment tool
1. On LON-CL1, on the taskbar, click File Explorer.

2. In File Explorer, click Local Disk (C:) in the left navigation pane.

3. In File Explorer, click the Home tab, and then click New Folder.

4. Type Office16, and then press Enter.

5. In File Explorer, right-click Office16, click Share with, and then click Specific people.
6. In the File Sharing dialog box, click the drop-down list box, select Everyone from the list, click Add,
and then click Share.

7. In the File Sharing dialog box, click Done.

8. From the taskbar, open the Microsoft Edge browser.

9. In the address bar, type https://portal.microsoftonline.com, and then press Enter.

10. Sign in as holly@Adatumyyxxxxx.hostdomain.com, with the password Pa$$w0rd.


11. On the Office 365 home page, click Admin. Click Switch back to the old admin center to switch to
the previous Office365 admin center.

12. In the Office 365 admin center, in the left panel, click SERVICE SETTINGS, and then click User
software.

13. Under the Manually deploy user software area, click Learn how to download and deploy
software.

14. On the How admins can download Office 365 user software to deploy to users page, click
Manage user software in Office 365.

15. In the Manually download and install the Office apps by using the Office Deployment Tool
section, click the Office Deployment Tool (Office 2016 version) link to open the Office Deployment
Tool download page.

16. On the download page, expand Details, System Requirements, and Install Instructions.

17. Read and familiarize yourself with each section. You can mark this page as a favorite to refer to later.

18. Click Download and notice the information bar at the bottom of the browser.

19. Once the download is completed, click Run.


20. In the User Account Control dialog box, click Yes.

21. Accept the license agreement and click Continue.

22. Browse to the Office16 folder on This PC’s C: drive.


23. Click OK. You should see that the files were extracted successfully. Click OK.

24. Navigate to the Office16 folder with File Explorer. You should see two files in the newly created Office
Deployment Tool folder named configuration and setup.

Task 2: Modify an Office 365 ProPlus installation


1. In this step, you will back up the Office 16 configuration.xml file and then open it so that you can edit
it in the next step. To do this, perform the following steps:

a. In File Explorer, double-click C:\Office16.

b. Right-click configuration.xml, and click Copy. Right-click again and click Paste.

c. Right-click the configuration.xml file, click Open with, and then click Notepad.
2. In Notepad, edit the first Add line after <Configuration> to read
<Add SourcePath="\\LON-CL1\Office16\" OfficeClientEdition="32" Branch="Current">.

3. In Notepad, remove all the remaining comment codes (lines that start with <!-- and end with -->).

4. Comment out Microsoft Visio with the <!-- --> code to make the download quicker, by replacing this
code:

</Product>
<Product ID="VisioProRetail">
<Language ID="en-us" />
</Product>

with this code:

</Product>
<!--
<Product ID="VisioProRetail">
<Language ID="en-us" />
</Product>
-->

5. Save the file as AdatumConfiguration.xml.


6. Switch to File Explorer (you should still be in the Office16 folder), press Shift, right-click any white
space below the file list, and then click Open command window here.

7. At the command prompt, type the following command, and then press Enter:

Setup /?

8. Note the Office Deployment Tool command-line options.

9. At the command prompt, type the following command, and then press Enter:

setup.exe /download \\LON-CL1\Office16\AdatumConfiguration.xml

10. In the User Account Control window, click Yes.

11. The download will take several minutes to complete.

12. Switch to File Explorer, and verify that the download has started in the Office16 folder. You can
continue with the next task and leave the download in the background.
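The hand edits in steps 1-5 and the download in step 9 can be scripted and, more usefully, validated before setup.exe is run, since a typo in the XML only shows up as a failed download. The following is an added example and is not part of the lab or of the Office Deployment Tool. It assumes the tool was extracted to C:\Office16 and that \\LON-CL1\Office16 is the share from Task 1; the Updates, Display and Logging elements are assumed to be the defaults of the 2016 deployment tool's sample file, and only the Add element and the commented-out Visio product reflect the lab's own edits.

```powershell
# Added example; not part of the lab or of the Office Deployment Tool.
# Writes AdatumConfiguration.xml as described in Task 2, checks it, then downloads.
$folder = 'C:\Office16'            # where setup.exe was extracted (Task 1)
$share  = '\\LON-CL1\Office16\'    # the share created in Task 1

# End state of steps 2-4: Add points at the share, 32-bit, Current branch, and
# VisioProRetail is commented out. Updates/Display/Logging are assumed defaults.
$config = @"
<Configuration>
  <Add SourcePath="$share" OfficeClientEdition="32" Branch="Current">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
    <!--
    <Product ID="VisioProRetail">
      <Language ID="en-us" />
    </Product>
    -->
  </Add>
  <Updates Enabled="TRUE" Branch="Current" />
  <Display Level="None" AcceptEULA="TRUE" />
  <Logging Level="Standard" Path="%temp%" />
</Configuration>
"@

# Step 1b: keep a copy of the original file before writing the new one.
Copy-Item -Path (Join-Path $folder 'configuration.xml') `
          -Destination (Join-Path $folder 'configuration.xml.bak') -Force
$path = Join-Path $folder 'AdatumConfiguration.xml'
Set-Content -Path $path -Value $config -Encoding ASCII

# Parse the file back and check the three things that commonly go wrong:
# the Add attributes, an accidentally active Visio product, and an unreachable share.
[xml]$xml = Get-Content -Path $path
$add    = $xml.Configuration.Add
$active = @($add.Product | ForEach-Object { $_.ID })    # comment nodes are not Products
if ($add.SourcePath -ne $share -or $add.OfficeClientEdition -ne '32') {
    throw "Add element does not match the intended SourcePath/edition"
}
if ($active -contains 'VisioProRetail') { throw 'VisioProRetail is still active' }
if (-not (Test-Path -Path $add.SourcePath)) { throw "SourcePath $($add.SourcePath) is not reachable" }
"Products to download: $($active -join ', ')"

# Step 9, elevated (the UAC prompt in step 10); waits until the download finishes.
Start-Process -FilePath (Join-Path $folder 'setup.exe') `
              -ArgumentList "/download `"$path`"" -Verb RunAs -Wait
```

Because the download source is a file share, the share permissions set in Task 1 (Everyone) are what every client later trusts when it runs setup.exe /configure from it; restricting write access on that share to the deployment administrator is the one change worth making outside the lab.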

Results: After completing this exercise, you will have downloaded a copy of Microsoft Office 365 ProPlus
for managed deployment to a shared folder. You will also have downloaded and installed the Office
Deployment Tool.

Exercise 2: Managing user-driven Office 365 ProPlus installations


Task 1: Manage user rights to install Office 365 ProPlus
1. On LON-CL1, if required, sign in to the Office 365 admin center as
holly@Adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

2. Connect to the new Office 365 admin center.

3. On the Office 365 home page, click Admin.

4. In the Office 365 admin center, click Users.

5. Select Brad Sutton, and then next to Product licenses, click Edit.
6. Under Set user location, select United Kingdom, and then enable Office 365 Enterprise E3.

7. Set the Office 365 ProPlus option to Off, click Assign, and then click Close.

8. In the Office 365 admin center, under Active users, click Maira Wenzel.
9. Beside Product licenses, click Edit.

10. Under Location, select United Kingdom, and then enable Office 365 Enterprise E3.

11. Verify that Maira has permission to use all features.

12. Click Assign, and then click Close.

13. Repeat steps 8 through 12 for Roman Miler.

14. In the Office 365 admin center, on the Settings menu, click Apps.
15. Click Software download settings.

16. In the Software for PC section, under 2016 version, turn off all options.

17. In the 2013 version section, turn off all options. Click Save, and then Close.

18. On the Admin page, click Holly Dickson’s profile photo icon in the top-right of the screen, and then
click Sign Out.

19. On the Sign in page, at https://portal.microsoftonline.com, sign in as
brad@Adatumyyxxxxx.hostdomain.com, using the password Pa$$w0rd.

20. On the Default Landing page, click the small Gear icon in the top-right corner, and then click the
Office 365 settings option.

21. On the Office 365 settings page, click Software.

Note: Because this user is not licensed for Office 365 ProPlus, Office 2016 is not available for
download.

22. Close and reopen Microsoft Edge and connect to https://portal.office.com.

23. On the Sign in page, in the Name box, type roman@Adatumyyxxxxx.hostdomain.com.

24. In the Password box, type Pa$$w0rd, and then click Sign in.

25. On the default landing page, click the small Gear icon in the top-right corner, and then click Office 365
settings.

26. On the Office 365 settings page, click Install software.

Note: This user has a license, but Skype for Business and Office are not available for
download.

27. Click Phone & tablet. Verify that Phone and tablet apps are available.

28. Close Microsoft Edge.


29. Open Microsoft Edge.

30. In the address bar, type https://portal.office.com, and then press Enter.

31. Sign in as holly@Adatumyyxxxxx.hostdomain.com.

32. Click Admin on the Office 365 home page.

33. In the Office 365 admin center, on the Settings menu, click Apps.

34. Click Software download settings.


35. Next to the 2016 version, set the value to On. Verify that Office and Skype for Business are both set to
on, and click Save.

36. Click Close.

37. In Microsoft Edge, on the User Software page, click Holly Dickson’s profile photo icon, and then click
Sign out.

Note: Instead of signing out your admin user every time, you can click the Microsoft Edge
browser ellipsis menu (…) at the top right of the browser and open a New InPrivate window. This
allows you to have two sessions open at a time.

38. Switch to LON-CL3. Verify that you are logged in as Roman.


39. Open Microsoft Edge.

40. In the address bar, type https://portal.office.com, and then press Enter.

41. On the Sign in page, in the Name box, type roman@Adatumyyxxxxx.hostdomain.com.

42. In the Password box, type Pa$$w0rd, and then click Sign in.

43. On the Office 365 home page, click the small Gear icon in the top-right corner, and then click Office
365 settings.

44. On the Settings page, click Software.

Note: This user has a license, and Office 2016 is available for download.

45. Verify that Office and Skype for Business desktop software are available to install.

46. Do not install, but notice that this user can now install the 32-bit version of Office 365 ProPlus and
select which language he wants to install. He must click Advanced to turn on the 64-bit version option.

47. Note also that Phone and tablet apps are available from the left menu.

48. Leave this page open and continue to the next lab to perform the user-driven installation.

Task 2: Install Office 365 ProPlus from the Office 365 portal
1. On LON-CL3, open Microsoft Edge and sign in to the Office 365 portal at portal.office.com with the
user name roman@Adatumyyxxxxx.hostdomain.com, click Office 365 settings in the upper-right
corner, and then click Software.

2. In the Language section, select the language to install from the drop-down menu.

3. Leave 32-bit (recommended) selected.

4. Click Install.

5. In the Microsoft Edge notification bar, click Run.

6. If the User Account Control dialog box appears, type Adatum\Holly in the user name box, type
Pa$$w0rd in the Password box, and then click Yes.

7. On the taskbar, click the Office icon, and note the status of the download.

Note: It will take several minutes to complete, but applications are now available.

8. Click Close when the wizard finishes.

9. Go to the Start screen.

10. On the Start screen, click Word 2016. In the First things first window, click Accept.

11. In the top-right corner, if no one is signed in, sign in as Roman@adatumyyxxxxx.hostdomain.com
with the password Pa$$w0rd, by clicking the link Sign in to get the most out of Office.

12. Once signed in, your subscription license is activated. At the top right, under Roman Miler, click
Switch account.

13. Click SIGN OUT, and then click Sign out next to Roman’s name.

14. Click Yes in the Remove Account dialog box.

15. At the top right, click Sign in to get the most out of Office.

16. On the Sign in page, in the E-mail address box, type holly@Adatumyyxxxxx.hostdomain.com, and
then click Next.

17. On the Sign in page, in the Password box, type Pa$$w0rd, and then click Sign in.

18. Click Blank document.

19. Type some text.

20. Click File, then click Save.

21. Click Sites – A. Datum and click A. Datum in the right pane.
22. Double-click the Documents folder, and then save the file with the name Meeting Agenda.

23. Click Save. You might see a streaming features message.

24. Close Word.

25. Switch back to Roman Miler’s Office 365 session in Microsoft Edge.

26. In the top-right corner, click the Settings icon, and then click Office 365 settings.

27. On the Office 365 settings page, click Software.

Note that you now have a new section at the top of the page where you can manage Office 365
installs.

28. Click Tools & Add-ins.

Task 3: Manage Office licenses


1. On LON-CL3, sign out of Roman’s account on the Office 365 page.

2. Sign back in as Holly Dickson with the username holly@Adatumyyxxxxx.hostdomain.com.

3. In the Password box, type Pa$$w0rd, and then click Sign in.

4. On the Office 365 home page, click Admin.

5. In the Office 365 admin center, click Users, and then click Roman Miler.

6. In the right pane, under Product licenses, click Edit.

7. Under Office 365 Enterprise E3, set the Office 365 ProPlus option to Off to remove the license from
Roman’s account, click Assign, and then click Close.

8. In Microsoft Edge, at the top right, click the Profile photo icon for Holly Dickson, and then click Sign
out.

9. On the Sign in page, type roman@Adatumyyxxxxx.hostdomain.com.

10. In the Password box, type Pa$$w0rd, and then click Sign in.

11. In the top-right corner, click the Settings icon, and then click Office 365 settings.
12. On the Settings page, click Software.

Note that the Office installation is no longer listed, as this user no longer has an active license
(although software is available).

Note: The Office 365 ProPlus applications will still be available to Roman on any machine on
which he already installed them, but within 30 days, they will drop into low-functionality mode.
This means he will only be able to read and print documents.

Task 4: Reactivate Office 365 ProPlus


1. Sign out of the Office 365 page, and sign back in as holly@AdatumYYXXXXX.hostdomain.com.

2. In the Password box, type Pa$$w0rd, and then click Sign in.

3. On the Office 365 home page, click the Admin tile.

4. In the Office 365 admin center, click Users, and then click Roman Miler.

5. In the right pane, under Product licenses, click Edit.

6. Under Office 365 Enterprise E3, set the Office 365 ProPlus option to On, click Assign, and then click
Close.

7. Close Microsoft Edge.
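The "Office 365 ProPlus: Off" switch under the E3 license in Tasks 3 and 4 is a per-plan disable on the user's license, which is the form it takes when the change has to be scripted or audited. The following is an added example and is not part of the lab. It assumes a Connect-MsolService session as the tenant administrator, that the E3 SKU in the tenant ends in ":ENTERPRISEPACK" and that the ProPlus service plan is named OFFICESUBSCRIPTION (both are the usual names for Office 365 Enterprise E3, stated here as assumptions), and it uses GB as the ISO code for the United Kingdom location chosen in Task 1.

```powershell
# Added example; not part of the lab. Toggles only the Office 365 ProPlus plan
# of a user's E3 license, leaving any other disabled plans as they were.
# Assumptions: Connect-MsolService session; SKU "*:ENTERPRISEPACK" is E3;
# the ProPlus plan is "OFFICESUBSCRIPTION".
Import-Module MSOnline

function Set-ProPlusPlan {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('On', 'Off')][string]$State
    )
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:ENTERPRISEPACK' }
    if (-not $sku) { throw 'No Office 365 Enterprise E3 SKU found in this tenant' }

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if (-not $user.UsageLocation) {
        # A license cannot be assigned until a usage location is set (steps 6 and 10 of Task 1).
        Set-MsolUser -UserPrincipalName $UserPrincipalName -UsageLocation 'GB'
    }

    # Start from the plans that are already disabled on this SKU, minus ProPlus.
    $current  = $user.Licenses | Where-Object { $_.AccountSkuId -eq $sku.AccountSkuId }
    $disabled = @()
    if ($current) {
        $disabled = @($current.ServiceStatus |
            Where-Object { $_.ProvisioningStatus -eq 'Disabled' } |
            ForEach-Object { $_.ServicePlan.ServiceName })
    }
    $disabled = @($disabled | Where-Object { $_ -ne 'OFFICESUBSCRIPTION' })
    if ($State -eq 'Off') { $disabled += 'OFFICESUBSCRIPTION' }
    $plans = if ($disabled.Count) { $disabled } else { $null }

    $options = New-MsolLicenseOptions -AccountSkuId $sku.AccountSkuId -DisabledPlans $plans
    if ($current) {
        Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -LicenseOptions $options
    } else {
        Set-MsolUserLicense -UserPrincipalName $UserPrincipalName `
            -AddLicenses $sku.AccountSkuId -LicenseOptions $options
    }
}

function Get-ProPlusPlanState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    foreach ($lic in $user.Licenses) {
        $plan = $lic.ServiceStatus | Where-Object { $_.ServicePlan.ServiceName -eq 'OFFICESUBSCRIPTION' }
        if ($plan) { return "$($lic.AccountSkuId): ProPlus plan is $($plan.ProvisioningStatus)" }
    }
    'No license containing the Office 365 ProPlus plan'
}

$roman = 'roman@Adatumyyxxxxx.hostdomain.com'
Set-ProPlusPlan -UserPrincipalName $roman -State Off     # Task 3, step 7
Get-ProPlusPlanState -UserPrincipalName $roman           # expect ProvisioningStatus Disabled
Set-ProPlusPlan -UserPrincipalName $roman -State On      # Task 4, step 6
Get-ProPlusPlanState -UserPrincipalName $roman
```

Get-ProPlusPlanState is the check worth keeping: the Task 3 note that an already-installed copy keeps working for up to 30 days means the license state in the tenant, not the presence of the application on a PC, is the only reliable record of who is entitled to run it.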

Results: After completing this exercise, you should be able to activate Office 365 ProPlus for self-service
installations and set licensing options correctly for end users so that deployment and installation is possible.

Exercise 3: Managing centralized Office 365 ProPlus installations


Task 1: Configure a Group Policy Object (GPO) to distribute the custom installation
1. Switch to LON-DC1 and connect as Adatum\administrator, with the password Pa$$w0rd.

2. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.

3. In the console tree, right-click Adatum.com, point to New, and then click Organizational Unit.
4. Type Adatum_Computers, and then click OK.

5. In the console tree, under Adatum.com, click Computers.

6. Right-click LON-CL4, click Move, click Adatum_Computers, and then click OK.

7. In Server Manager, click Tools, and then click Group Policy Management.

8. In the Group Policy Management window, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click Adatum_Computers.
9. Right-click Adatum_Computers, and then click Create a GPO in this domain, and Link it here.

10. In the New GPO dialog box, in the Name box, type DeployO365, and then click OK.

11. In Group Policy Management, click Adatum_Computers, and in the right pane, right-click
DeployO365, and then click Edit. If you see a Group Policy Management Console window, click OK.

12. In Group Policy Management Editor, expand Computer Configuration, Policies, Windows Settings,
and then double-click Scripts (Startup/Shutdown).

13. Double-click Startup, and then click Show Files.

14. In File Explorer, click Home, click New item, click Text Document, and then press Enter to accept the
default name.
15. Double-click New Text Document.txt.

16. In Notepad, add the following line:

\\LON-CL1\Office16\setup.exe /configure \\LON-CL1\Office16\AdatumConfiguration.xml

17. Save the file as DeployO365.cmd. Ensure that in Save as type, you select All Files and that the file
extension is .CMD.

18. Click Save.

19. Close Notepad.

20. Delete New Text Document.

21. Switch back to the Group Policy Management Editor, Startup Properties dialog box.

22. Click Add.

23. In the Add a Script dialog box, click Browse.

24. In the Browse dialog box, select DeployO365.cmd, and then click Open.

25. In the Add a Script dialog box, click OK.

26. In the Startup Properties dialog box, click OK.

27. Close Group Policy Management Editor.

Note that you could also deploy this script by using Microsoft Intune, Microsoft System Center
Configuration Manager, or other electronic software distribution.

Task 2: Verify the installation


1. Switch to LON-CL4, and if necessary, sign in as Adatum\Maira, with the password, Pa$$w0rd.

2. Right-click the Start button, and click Command Prompt (Admin).

3. In the User Account Control dialog box, type Adatum\Holly as the user name and Pa$$w0rd as the
password, and click Yes.

4. Type gpupdate /force and press Enter.


5. Wait for the Group Policy to update for both the computer and user and then close the command
prompt.

6. Restart the computer.

Note: If any updates have downloaded, click Update, and then restart.

7. Wait five minutes after LON-CL4 has restarted before continuing. This is to allow the Group Policy
settings to take effect on LON-CL4.

8. Sign in as ADATUM\maira with the password Pa$$w0rd. You may have to wait for Office to finish
installing.
9. Navigate to the Start screen, and note that Office 2016 is installed. You might have to wait up to 15
minutes before you see any available Office applications.

10. Click Word 2016. If you do not see it on the Start screen, type Word to bring up the icon.

11. On the Activate Office page, in the E-mail address box, type
maira@Adatumyyxxxxx.hostdomain.com, and then click Next.

12. On the Sign in page, in the Password box, type Pa$$w0rd, and then click Sign in. Click OK on the
notification window.

13. In the First things first dialog box, click Accept.

14. Close the Welcome to your new Office dialog box.


15. In the templates list, click Blank document.

16. Type some text.

17. Click File, and then click Save.

18. Click Browse in This PC – Documents.

19. In File name, enter Meeting Report, and then click Save.

20. Right-click the taskbar, and then click Task Manager.

21. In Task Manager, click More details.

22. On the Processes tab, under Background processes, notice that Microsoft Office Click-to-Run
appears.
23. Click the Details tab, and notice officeclicktorun.exe in the task list.

24. Click the Services tab, and notice that the ClickToRunSvc service is running.

Note: Check Task Manager for your deployment. These items will all be present in a
successful install.

25. Close Task Manager.

26. Close Word 2016.
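The Task Manager checks in steps 20-24 can be scripted for use across many deployment targets, which also allows two checks the GUI does not give: the Click-to-Run configuration that the installer recorded, and whether the service binary is validly signed. The following is an added example and is not part of the lab. The registry value names under the ClickToRun Configuration key are stated from a typical Click-to-Run installation and should be treated as an assumption; the service and process names are the ones the lab itself points at.

```powershell
# Added example; not part of the lab. Scripted version of the Task Manager
# checks in steps 20-24, plus the recorded configuration and a signature check.
# Assumed: value names VersionToReport, Platform, UpdateChannel, ClientCulture
# under HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration.
function Test-ClickToRunInstall {
    $result = [ordered]@{}

    # Step 24: the ClickToRunSvc service should exist and be running.
    $svc = Get-Service -Name ClickToRunSvc -ErrorAction SilentlyContinue
    $result['ClickToRunSvc'] = if ($svc) { $svc.Status } else { 'not installed' }

    # Step 23: officeclicktorun.exe should be present as a process.
    $proc = Get-Process -Name OfficeClickToRun -ErrorAction SilentlyContinue
    $result['OfficeClickToRun.exe running'] = [bool]$proc

    # What the installer recorded: version, bitness (x86 = the lab's 32-bit choice),
    # update channel (should correspond to Branch="Current" in the XML) and language.
    $cfgKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path -Path $cfgKey) {
        $cfg = Get-ItemProperty -Path $cfgKey
        $result['VersionToReport'] = $cfg.VersionToReport
        $result['Platform']        = $cfg.Platform
        $result['UpdateChannel']   = $cfg.UpdateChannel
        $result['ClientCulture']   = $cfg.ClientCulture
    } else {
        $result['Configuration'] = 'registry key missing'
    }

    # Defensive check: the service binary that runs as SYSTEM should carry a
    # valid Authenticode signature from the vendor.
    if ($svc) {
        $pathName = (Get-CimInstance -ClassName Win32_Service -Filter "Name='ClickToRunSvc'").PathName
        $exe = if ($pathName -match '^"([^"]+)"') { $Matches[1] } else { ($pathName -split '\s+/')[0] }
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $result['ServiceBinary']  = $exe
        $result['SignatureValid'] = ($sig.Status -eq 'Valid')
        $result['Signer']         = $sig.SignerCertificate.Subject
    }
    [pscustomobject]$result
}

Test-ClickToRunInstall | Format-List
```

Run it in the same elevated prompt used for gpupdate in step 2; reading the service path and the HKLM key does not need elevation, but a consistent context avoids confusing "not installed" results caused by a restricted session.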

Results: After completing this exercise, you will have enabled centralized managed deployment of Office
365 ProPlus and implemented a standardized Microsoft Office configuration by using one version of Office.

Module 6: Planning and managing Exchange Online recipients and permissions

Lab: Managing Exchange Online recipients and permissions
Exercise 1: Configuring Exchange Online recipients
Task 1: Create user mailboxes
1. On LON-CL1, open Microsoft Edge.

2. In the address bar, type https://login.microsoftonline.com/, and then press Enter.

3. Sign in as holly@Adatumyyxxxxx.hostdomain.com, with the password Pa$$w0rd.

4. On the Office 365 home page, click Admin.


5. In the Office 365 admin center, click Users.

6. Above the list of users, click Add a user.

7. On the Create new user account page, enter the following information, and then click Save:

o First name: Martina

o Last name: Blair

o Display name: Martina Blair


o User name: Martina

o Select Let me create the password, and then type the following password in both fields:
Pa$$w0rd

o Make this user change their password when they first sign in: Not selected

o Under Product licenses select licenses for this user: Office 365 Enterprise E3

8. Click Close, and then repeat step 7 to add the following additional users:

o Matt Villagomez (because Matt@adatumyyxxxxx.hostdomain.com is in use, assign the user name
MattV)

o Olivia Emerson

o Kendra Sexton

9. In the Office 365 admin center, on the Admin centers menu, click Exchange.

10. In the Exchange admin center, click recipients.

Note: It might take a few minutes for the mailboxes to appear. Click the refresh icon
periodically until they do.

Task 2: Create groups and assign mailboxes


1. On the recipients tab, click groups.

2. Click the + icon, and then click Distribution group.

3. In the Distribution Group window, in the Display name box, type IT.

4. In the Alias box, type IT.

5. Under Members, click the + icon.

6. In the Select Members window, click Olivia Emerson, click Add, and then click OK.

7. In the Distribution Group window, click Save.

8. Repeat steps 2 through 7 to add the following additional groups and members:

o Managers, Martina Blair

o Development, Matt Villagomez

o Sales, Kendra Sexton

Task 3: Connect to Exchange Online with Windows PowerShell


1. On the desktop, right-click Windows Azure Active Directory Module for Windows PowerShell, and
then click Run as administrator.

2. At the User Account Control prompt, click Yes.

Note: If you copy the following commands from the courseware, you can paste them into
the virtual machine. On the Virtual Machine Connection menu, click Clipboard, and then click
Type clipboard text.

3. In the Windows PowerShell window, type the following command, and then press Enter:

$credential = Get-Credential

4. In the Enter Credentials dialog box, in the User name box, type
holly@Adatumyyxxxxx.hostdomain.com.

5. In the Password box, type Pa$$w0rd, and then click OK.

6. In the Windows PowerShell window, type the following command, and then press Enter:

Connect-MsolService -Credential $credential

7. In the Windows PowerShell window, type the following command, and then press Enter:

$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection

8. In the Windows PowerShell window, type the following command, and then press Enter:

Import-PSSession $exchangeSession -DisableNameChecking

9. In the Windows PowerShell window, type the following command, and then press Enter:

Get-AcceptedDomain

Note: This command returns the list of accepted domains and verifies that you can connect
to your Office 365 subscription.

Task 4: Create resource mailboxes


1. In Microsoft Edge, in the Exchange Admin center, in recipients, click resources.

2. In the Windows PowerShell window, type the following command, and then press Enter:

New-Mailbox -Name "Conference Room" -Room

3. In the Windows PowerShell window, type the following command, and then press Enter:

Set-CalendarProcessing "Conference Room" -AutomateProcessing AutoAccept

4. In the Windows PowerShell window, type the following command, and then press Enter:

New-Mailbox -Name "Demonstration Laptop" -Equipment

5. In the Windows PowerShell window, type the following command, and then press Enter:

Set-CalendarProcessing "Demonstration Laptop" -AutomateProcessing AutoAccept

Note: If you receive an error running the set-calendarprocessing cmdlet for either of these
objects, wait a few moments and repeat.

6. Switch to Microsoft Edge, and in the Exchange Admin center, click Refresh. You should be able to see
both resources.

7. In the Windows PowerShell window, type the following command, and then press Enter:

Set-Mailbox "Conference Room" -ResourceCapacity 25

8. Switch to Microsoft Edge, and in the Exchange Admin center, click Refresh. You should be able to see
the changes you made in the details pane on the right.
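The note after step 5 says to wait and repeat if Set-CalendarProcessing fails, which happens when the cmdlet runs before the new mailbox has finished provisioning. The following is an added example, not part of the lab, that wraps steps 2-7 in a function with a bounded retry and reads the final settings back from the service so the result is verified rather than assumed. It assumes the Exchange Online remote session from Task 3 has been imported into the current PowerShell window; the resource names and capacity are the lab's.

```powershell
# Added example; not part of the lab. Creates a room or equipment mailbox, sets
# auto-accept with a bounded retry (the provisioning race the Task 4 note
# describes), and reads the stored configuration back.
# Assumes the Exchange Online session from Task 3 is imported.
function New-LabResourceMailbox {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Room', 'Equipment')][string]$Type,
        [int]$Capacity = 0,
        [int]$MaxAttempts = 6
    )
    # Idempotent create: rerunning the script must not try to create twice.
    if (-not (Get-Mailbox -Identity $Name -ErrorAction SilentlyContinue)) {
        if ($Type -eq 'Room') { New-Mailbox -Name $Name -Room      | Out-Null }
        else                  { New-Mailbox -Name $Name -Equipment | Out-Null }
    }
    if ($Capacity -gt 0) { Set-Mailbox -Identity $Name -ResourceCapacity $Capacity }

    # AutoAccept is what makes the resource bookable without a delegate; retry
    # while the directory catches up with the new object.
    for ($i = 1; $i -le $MaxAttempts; $i++) {
        try {
            Set-CalendarProcessing -Identity $Name -AutomateProcessing AutoAccept -ErrorAction Stop
            break
        } catch {
            if ($i -eq $MaxAttempts) {
                throw "Set-CalendarProcessing failed for '$Name' after $MaxAttempts attempts: $_"
            }
            Write-Verbose "Attempt $i failed ($($_.Exception.Message)); waiting 10 s" -Verbose
            Start-Sleep -Seconds 10
        }
    }

    # Read back what the service stored rather than trusting the calls succeeded.
    $mbx = Get-Mailbox -Identity $Name
    $cal = Get-CalendarProcessing -Identity $Name
    [pscustomobject]@{
        Name               = $mbx.Name
        RecipientType      = $mbx.RecipientTypeDetails   # RoomMailbox or EquipmentMailbox
        ResourceCapacity   = $mbx.ResourceCapacity
        AutomateProcessing = $cal.AutomateProcessing     # expect AutoAccept
        AllBookInPolicy    = $cal.AllBookInPolicy        # who may auto-book; everyone by default
    }
}

New-LabResourceMailbox -Name 'Conference Room'      -Type Room -Capacity 25
New-LabResourceMailbox -Name 'Demonstration Laptop' -Type Equipment
```

AllBookInPolicy is included in the read-back because it is the setting that decides who can book the resource unattended once AutoAccept is on; the lab leaves it at its default, and that default is worth knowing when the same pattern is used for real rooms.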

Task 5: Configure additional Exchange Online recipients


1. On LON-CL1, browse to C:\Labfiles. Open ExternalContacts.csv. Review the file contents, and then
close Excel.

2. In Microsoft Edge, in the Exchange admin center, click contacts.

3. Switch to Windows PowerShell.

4. In the Windows PowerShell window, type the following command, and then press Enter:

CD C:\Labfiles

Note: If you copy the following commands from the courseware, you can paste them into
the virtual machine. On the Virtual Machine Connection menu, click Clipboard, and then click
Type clipboard text.

5. In the Windows PowerShell window, type the following command, and then press Enter:

Import-Csv .\Externalcontacts.csv | %{New-MailContact -Name $_.Name -DisplayName $_.Name -ExternalEmailAddress $_.ExternalEmailAddress -FirstName $_.FirstName -LastName $_.LastName}

6. In the Windows PowerShell window, type the following command, and then press Enter:

$Contacts = Import-CSV .\externalcontacts.csv

7. In the Windows PowerShell window, type the following command, and then press Enter:

$contacts | ForEach {Set-Contact $_.Name -StreetAddress $_.StreetAddress -City $_.City -StateorProvince $_.StateorProvince -PostalCode $_.PostalCode -Phone $_.Phone -MobilePhone $_.MobilePhone -Pager $_.Pager -HomePhone $_.HomePhone -Company $_.Company -Title $_.Title -OtherTelephone $_.OtherTelephone -Department $_.Department -Fax $_.Fax -Initials $_.Initials -Notes $_.Notes -Office $_.Office -Manager $_.Manager}

8. In Microsoft Edge, in the Exchange Admin center, in contacts, click Refresh. You can see the newly
created objects.

Results: After completing this exercise, you will have created and configured Microsoft Exchange Online
recipients.
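The Task 5 import above creates contacts blindly; the following added example (not part of the 20347A courseware) does the same job idempotently: it validates each row, creates a contact only when none with that name exists, and applies only the non-blank attribute columns. It assumes the Exchange Online session from Task 1 is already imported and that the CSV has the columns the lab file uses.

```powershell
# Added example, not part of the 20347A courseware. Idempotent form of the Task 5
# contact import. Assumes an imported Exchange Online session and the lab's CSV columns.
function Import-LabMailContacts {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$CsvPath = 'C:\Labfiles\ExternalContacts.csv')

    # Set-Contact parameters that may appear as CSV columns (same set as Task 5, step 7).
    $attributeColumns = 'StreetAddress', 'City', 'StateOrProvince', 'PostalCode', 'Phone',
        'MobilePhone', 'Pager', 'HomePhone', 'Company', 'Title', 'OtherTelephone',
        'Department', 'Fax', 'Initials', 'Notes', 'Office', 'Manager'

    foreach ($row in Import-Csv -Path $CsvPath) {
        # Reject malformed or empty external addresses before touching the directory.
        try { $null = [System.Net.Mail.MailAddress]$row.ExternalEmailAddress }
        catch {
            Write-Warning "Skipping '$($row.Name)': invalid ExternalEmailAddress '$($row.ExternalEmailAddress)'"
            continue
        }

        # Create the contact only when no mail contact with that name exists yet, so the
        # script can be re-run after a partial failure without "already exists" errors.
        if (-not (Get-MailContact -Identity $row.Name -ErrorAction SilentlyContinue)) {
            New-MailContact -Name $row.Name -DisplayName $row.Name `
                -ExternalEmailAddress $row.ExternalEmailAddress `
                -FirstName $row.FirstName -LastName $row.LastName | Out-Null
        }

        # Splat only the columns that are present and non-blank, so an empty cell
        # does not wipe an attribute that was set earlier.
        $params = @{ Identity = $row.Name }
        foreach ($column in $attributeColumns) {
            $value = $row.$column
            if (-not [string]::IsNullOrWhiteSpace($value)) { $params[$column] = $value }
        }
        if ($params.Count -gt 1) { Set-Contact @params }
    }
}

# Dry run first (WhatIf flows through to New-MailContact and Set-Contact), then the real import.
Import-LabMailContacts -WhatIf
Import-LabMailContacts
```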

Exercise 2: Configuring delegated administration


Task 1: Assign users to built-in role groups
1. In the Exchange admin center, click permissions.
2. On the admin roles tab, click Organization management, and then click Edit.

3. In the Role Group window, under Members, click the + icon.

4. In the Select Members window, click Olivia, click add, and then click OK.
5. In the Role Group window, click Save.

Task 2: Create a new admin role and assign a user to it


1. Switch to Windows PowerShell.

Note: If you copy the following commands from the courseware, you can paste them into
the virtual machine. On the Virtual Machine Connection menu, click Clipboard, and then click
Type clipboard text.

2. In the Windows PowerShell window, type the following commands, pressing Enter after each
command:

Enable-OrganizationCustomization
New-RoleGroup -Name BranchOfficeAdmins -Roles "Mail Recipients", "Distribution Groups", "Move Mailboxes", "Mail Recipient Creation"

3. In the Windows PowerShell window, type the following command, and then press Enter:

Add-RoleGroupMember "BranchOfficeAdmins" -Member Martina



4. In the Windows PowerShell window, type the following command, and then press Enter:

Get-RoleGroupMember "BranchOfficeAdmins"

5. Switch to Internet Explorer, and then in the Exchange admin center, click Refresh. Ensure that you can
see the new BranchOfficeAdmins role group.

Task 3: Create a new role assignment policy


1. In Microsoft Edge, in the Exchange Admin center, click user roles.

2. Switch to Windows PowerShell.

Note: If you copy the following commands from the courseware, you can paste them into
the virtual machine. On the Virtual Machine Connection menu, click Clipboard, and then click
Type clipboard text.

3. In the Windows PowerShell window, type the following command, and then press Enter:

New-RoleAssignmentPolicy "Limited Mailbox Configuration" -Roles MyBaseOptions, MyAddressInformation, MyDisplayName

4. To change the default role assignment policy for new mailboxes, in the Windows PowerShell window,
type the following command, and then press Enter:

Set-RoleAssignmentPolicy "Limited Mailbox Configuration" -IsDefault

5. When prompted, type Y, and then press Enter.


6. In the Exchange admin center, click Refresh. You can see the new role assignment policy.

Task 4: To prepare for the next module


When you have finished the lab, leave all of the virtual machines running.

Results: After completing this exercise, you will have configured delegated administration of your
Exchange Online organization.
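Once delegation is in place, the thing a reviewer wants is a quick way to see whether the role groups still match the intent. This added example (not part of the 20347A courseware) reads the configuration from Exercise 2 back and reports drift; it assumes an imported Exchange Online session, takes the expected BranchOfficeAdmins role set from the lab, and treats Organization Management as the high-privilege group to review (this example's choice).

```powershell
# Added example, not part of the 20347A courseware. Least-privilege review of the
# delegated administration from Exercise 2. Assumes an imported Exchange Online session.
function Get-DelegationReview {
    [CmdletBinding()]
    param(
        # Intended role set per custom role group (the lab's values for BranchOfficeAdmins).
        [hashtable]$ExpectedRoles = @{
            'BranchOfficeAdmins' = 'Mail Recipients', 'Distribution Groups',
                                   'Move Mailboxes', 'Mail Recipient Creation'
        },
        # Groups whose every member deserves a second look (this example's choice).
        [string[]]$HighPrivilegeGroups = 'Organization Management'
    )

    foreach ($group in Get-RoleGroup) {
        $roles    = @($group.Roles | ForEach-Object { "$_" })
        $members  = @(Get-RoleGroupMember -Identity $group.Identity | ForEach-Object { $_.Name })
        $findings = @()

        # Custom role groups: flag drift in either direction from the intended role set.
        if ($ExpectedRoles.ContainsKey($group.Name)) {
            $expected = @($ExpectedRoles[$group.Name])
            foreach ($r in $roles)    { if ($r -notin $expected) { $findings += "unexpected role: $r" } }
            foreach ($r in $expected) { if ($r -notin $roles)    { $findings += "missing role: $r" } }
        }

        # Broad groups: list the members (Task 1 added Olivia to Organization Management).
        if ($group.Name -in $HighPrivilegeGroups -and $members.Count -gt 0) {
            $findings += "high-privilege group members: $($members -join ', ')"
        }

        [pscustomobject]@{
            Group    = $group.Name
            Roles    = $roles
            Members  = $members
            Findings = $findings
        }
    }
}

# Show only the groups that produced a finding.
Get-DelegationReview | Where-Object { $_.Findings.Count -gt 0 } | Format-List

# Task 3 made "Limited Mailbox Configuration" the default; confirm what new mailboxes will get.
Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault } | Select-Object Name, AssignedRoles
```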

Module 7: Planning and configuring Exchange Online services


Lab A: Configuring message transport in
Exchange Online
Exercise 1: Configuring message-transport settings
Task 1: Connect to Exchange Online in Windows PowerShell
1. On LON-CL1, on the desktop, double-click Windows Azure Active Directory Module for Windows
PowerShell.

Note: You might have a Windows PowerShell connection to Office 365 open from a previous
lab. If so, you can use the existing connection and skip this step.

2. In Windows PowerShell, type $cred=Get-Credential, and then press Enter.

3. In the Windows PowerShell credential request window, in the User name box, type
Holly@adatumyyxxxxx.hostdomain.com.

4. In the Password box, type Pa$$w0rd, and then click OK.

5. In Windows PowerShell, type the following command, and then press Enter:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $cred -Authentication Basic -AllowRedirection

6. Type the following command, and then press Enter:

Import-PSSession $Session

Task 2: Create a custom send and receive connector to enforce TLS


1. On the taskbar, click Microsoft Edge.

2. In Microsoft Edge, in the search box, type https://login.microsoftonline.com, and press Enter.
3. At the login page, sign in as Holly@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

4. In the menu bar, click the Apps button, and then click Admin.

5. In the Office 365 admin center, on the menu on the left, under Admin centers, click Exchange.

6. In the Exchange admin center, click mail flow, and then click connectors.

7. Click New.

8. On the Select your mail flow scenario page, in the From box, select Office 365.

9. In the To box, select Partner organization, and then click Next.

10. On the New connector page, in the Name box, type Humongous Insurance Outgoing, and then
click Next.
11. Click Only when email messages are sent to these domains, and then click Add.

12. On the add domain page, type humongousinsurance.com, click OK, and then click Next.

13. Click Use the MX record associated with the partner’s domain, and then click Next.

14. Select the Always use Transport Layer Security (TLS) to secure the connection check box, click
Issued by a trusted certificate authority (CA), and then click Next.

15. On the confirmation page, click Next.

16. On the Validate this connector page, click Add.

17. In the Send the test email to the address box, type postmaster@humongousinsurance.com, click
OK, and then click Validate.

18. Wait while validation completes, and then click Close.

19. On the Validation Result page, click Save.

20. In the Warning window, click Yes.

Note: Validation of mail flow will fail because the connector is to a fictitious organization.
This is expected behavior for this lab.

21. In the Exchange admin center, on the connectors tab, click New.

22. On the Select your mail flow scenario page, in the From box, select Partner organization.

23. In the To box, select Office 365, and then click Next.
24. On the New connector page, in the Name box, type Humongous Insurance Incoming, and then
click Next.

25. Click Use the sender’s domain, and then click Next.

26. Click Add, type humongousinsurance.com, click OK, and then click Next.

27. Select the Reject email messages if they aren’t sent over TLS check box, and then click Next.

28. On the confirmation page, click Save.
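The wizard choices in steps 14 and 27 correspond to connector properties that can be read back in PowerShell. This added example (not part of the 20347A courseware) checks that the two Humongous Insurance connectors enforce TLS the way those choices intend: outbound with certificate validation, inbound rejecting non-TLS mail. It assumes the Exchange Online session from Task 1 is imported and checks configuration only; actual mail flow is exercised by the wizard's validation step.

```powershell
# Added example, not part of the 20347A courseware. Verifies the TLS enforcement of the
# partner connectors created in Task 2. Assumes an imported Exchange Online session.
function Test-PartnerConnectorTls {
    [CmdletBinding()]
    param([string]$PartnerDomain = 'humongousinsurance.com')

    $outbound = Get-OutboundConnector | Where-Object {
        @($_.RecipientDomains | ForEach-Object { "$_" }) -contains $PartnerDomain
    }
    foreach ($c in $outbound) {
        # "Issued by a trusted certificate authority (CA)" in the wizard maps to
        # TlsSettings = CertificateValidation; DomainValidation is stricter still.
        $ok = $c.Enabled -and ("$($c.TlsSettings)" -in 'CertificateValidation', 'DomainValidation')
        $result = if ($ok) { 'OK' } else { 'FAIL: TLS with certificate validation not enforced' }
        [pscustomobject]@{
            Connector   = $c.Name
            Direction   = 'Outbound'
            TlsSetting  = $c.TlsSettings
            UseMXRecord = $c.UseMXRecord
            Enabled     = $c.Enabled
            Result      = $result
        }
    }

    $inbound = Get-InboundConnector | Where-Object {
        @($_.SenderDomains | ForEach-Object { "$_" }) -contains $PartnerDomain
    }
    foreach ($c in $inbound) {
        # "Reject email messages if they aren't sent over TLS" maps to RequireTls = $true.
        $ok = $c.Enabled -and $c.RequireTls
        $result = if ($ok) { 'OK' } else { 'FAIL: non-TLS mail from the partner is not rejected' }
        [pscustomobject]@{
            Connector   = $c.Name
            Direction   = 'Inbound'
            TlsSetting  = "RequireTls=$($c.RequireTls)"
            UseMXRecord = $null
            Enabled     = $c.Enabled
            Result      = $result
        }
    }
}

Test-PartnerConnectorTls | Format-Table -AutoSize
```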

Task 3: Create transport rules


1. On LON-CL1, on the Exchange admin center page, click rules.

2. Click New, and then click Apply disclaimers.

3. In the new rule window, in the Name box, type A. Datum Disclaimer.

4. In the Apply this rule if box, select The recipient is located, click Outside the organization, and
then click OK.

5. Click Enter text.

6. In the specify disclaimer text window, type <HR> If you are not the intended recipient of this
message, you must delete it, and then click OK.

7. Click Select one.

8. In the specify fallback action window, select Wrap, and then click OK.

9. In the new rule window, click Save.

10. If the Warning window appears, click Yes.


11. In Exchange admin center, click New, and then click Send messages to a moderator.

12. In the new rule window, in the Name box, type Moderate Managers.

13. In the Apply the rule if box, select The recipient is a member of, in the Select Members window,
click Managers, click add, and then click OK.

14. In the Do the following box, select Forward the message for approval to, click Holly Dickson, click
add, and then click OK.

15. In the new rule window, click Save.

16. On LON-CL2, on the taskbar, click Microsoft Edge.

17. In Microsoft Edge, in the search box, type https://login.microsoftonline.com, and then press Enter.

18. Sign in as Francisco@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.


19. In Office 365, click the Apps button, and then click Mail.

20. In the Mail window, click New.

21. In the To field, type alias@outlook.com, where alias@outlook.com is the Microsoft account that you
configured at the beginning of this course.

22. In the Subject field, type Disclaimer Test.

23. In the message body, type This message will have a disclaimer, and then click Send.
24. Sign in to Outlook.com, and then verify that the message has the disclaimer If you are not the
intended recipient of this message, you must delete it added at the end of the message body. If the
message is not in the Inbox, check the Junk folder.

25. In the Mail window in which you are signed in as Francisco, click New.

26. In the To field, type Martina.

27. In the Subject field, type Moderation Test.

28. In the message body, type This message requires approval by Holly, and then click Send.

29. On LON-CL1, click Start, type Outlook, and then click Outlook 2016.

30. Type Holly@Adatumyyxxxxx.hostdomain.com and Pa$$w0rd in the Windows Security dialog box.
If needed, complete the account setup wizard by clicking Next four times.

31. In Outlook, read the approval request, and then click Approve.

32. Close Outlook 2016.

Task 4: Create a journal rule for members of the research department


1. On LON-CL1, in the Exchange admin center, click compliance management, click journal rules, and
then click Select address.

2. In the non-delivery reports window, click Browse, click Holly Dickson, click OK, and then click Save.

3. In the Warning window, click OK.

4. Click New.

5. In the new journal rule window, in the Send journal reports to box, type
journal@humongousinsurance.com.

6. In the Name box, type Development Messages.

7. In the If the message is sent to or received from box, select A specific user or group, click
Development, click add, and then click OK.

8. In the Journal the following messages box, select All messages, and then click Save.

Task 5: Track internal and external message delivery


1. On LON-CL1, in the Exchange admin center, click mail flow, and then click message trace.

2. Review the available search options, and then click search.

3. In the Message Trace results window, double-click the message sent to alias@outlook.com.

4. Review the information in the message, including the message events that show that the disclaimer
was applied.
5. Click Close.

6. Double-click the message sent from Francisco to Martina.

7. Review the information in the message, including that the message was sent for moderation.

8. Click Close.

9. In the Message Trace Results window, click Close.

Results: After completing the exercise, you will have configured message-transport settings.
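The message trace in Task 5 is also available from PowerShell, which is how you would check rule behaviour for many messages at once. This added example (not part of the 20347A courseware) pulls every message Francisco sent in a time window and, for each, the trace events showing a transport rule or moderation acting on it. It assumes an imported Exchange Online session and uses the lab's adatumyyxxxxx placeholder for the sender address.

```powershell
# Added example, not part of the 20347A courseware. Scripted form of the Task 5 trace.
# Assumes an imported Exchange Online session.
function Get-RuleEventsForSender {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SenderAddress,
        [datetime]$StartDate = (Get-Date).AddDays(-1),
        [datetime]$EndDate   = (Get-Date)
    )

    $traces = Get-MessageTrace -SenderAddress $SenderAddress -StartDate $StartDate -EndDate $EndDate
    foreach ($t in $traces) {
        # Detail events need both the trace id and the recipient the summary row refers to.
        $events = Get-MessageTraceDetail -MessageTraceId $t.MessageTraceId -RecipientAddress $t.RecipientAddress

        # Event names vary between service versions, so match loosely on the words a
        # disclaimer rule or a moderation hold would produce (assumption of this example).
        $ruleEvents = @($events |
            Where-Object { "$($_.Event) $($_.Detail)" -match 'rule|moderat|approv' } |
            ForEach-Object { "$($_.Date) $($_.Event): $($_.Detail)" })

        [pscustomobject]@{
            Received   = $t.Received
            Recipient  = $t.RecipientAddress
            Subject    = $t.Subject
            Status     = $t.Status
            RuleEvents = $ruleEvents
        }
    }
}

# The disclaimer test (to alias@outlook.com) and the moderation test (to Martina) both
# originate from Francisco, so one query covers steps 3 to 7 of Task 5.
Get-RuleEventsForSender -SenderAddress 'Francisco@adatumyyxxxxx.hostdomain.com' | Format-List
```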

Lab B: Configuring email protection and client policies
Exercise 1: Configuring email protection
Task 1: Configure the malware filter
1. On LON-CL1, in the Exchange admin center, click protection, and then click malware filter.

2. Click Default, and then click Edit.

3. In the Default window, click settings.


4. Under Notifications, select the Notify internal senders check box.

5. Select the Notify administrator about undelivered messages from internal senders check box.

6. In the Administrator email address box, type Holly@Adatumyyxxxxx.hostdomain.com.

7. Select the Notify administrator about undelivered messages from external senders check box.

8. In the Administrator email address box, type Holly@Adatumyyxxxxx.hostdomain.com, and then
click Save.

Task 2: Configure the connection filter


1. On LON-CL1, in the Exchange admin center, click connection filter.

2. Click Default, and then click Edit.

3. In the Default window, click connection filtering.

4. Under IP Block list, click Add.

5. In the add blocked IP address window, type 192.168.0.0/24, and then click OK.

6. Select the Enable safe list check box, and then click Save.

Task 3: Configure the spam filter


1. On LON-CL1, in the Exchange admin center, click spam filter.

2. Click Default, and then click Edit.

3. In the Default window, click spam and bulk actions.

4. In the High confidence spam box, select Quarantine message, and then click Save.

5. Click Add.

6. In the new spam filter policy window, in the Name box, type Sales spam policy.

7. In the Spam box, select Prepend subject line with text.

8. In the High confidence spam box, select Move message to Junk Email folder.

9. In the Prepend subject line with this text box, type Junk:.

10. Scroll to the bottom of the window, and under Applied To, in the If box, select The recipient is a
member of, click Sales, click add, and then click OK.

11. Click Save.



Task 4: Test the spam-filter settings (optional)


1. Sign in to your alias@outlook.com account.

2. Create a new message to send to kendra@Adatumyyxxxxx.hostdomain.com.

3. In the body of the message, include the text
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X, and then send the message.

4. Create a new message to send to francisco@Adatumyyxxxxx.hostdomain.com.


5. In the body of the message, include the text
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X, and then send the message.

6. On LON-CL1, in the Exchange admin center, click protection, and then click quarantine.

7. Verify that the message sent to Francisco is in quarantine, but the message sent to Kendra is not.

8. Click the message sent to Francisco, click Release Message, and then click Release selected
message(s) to All recipients.

9. In the Warning window, click Yes.

10. When processing is complete, click Close.

11. On LON-CL2, in Outlook on the web, verify that the message was delivered.

Results: After completing this exercise, you should have configured anti-spam and antivirus settings.

Exercise 2: Configuring client access policies


Task 1: Configure an Outlook Web App policy
1. On LON-CL1, in the Exchange admin center, click permissions, and then click Outlook Web App
policies.

2. Click New.
3. In the new Outlook Web App mailbox policy window, in the Policy name box, type Limited features.

4. Clear the following check boxes:

o Instant messaging

o Text messaging

o Unified messaging

o LinkedIn contact sync

o Journaling

5. Under Private computer or OWA for devices, clear the Direct file access check box, and then click
Save.

6. Click recipients, click Kendra Sexton, and then click Edit.

7. In the Kendra Sexton window, click mailbox features.

8. Under Email Connectivity, click View Details.


9. In the Outlook Web App mailbox policy window, click Browse, click Limited features, click OK, and
then click Save.

10. In the Kendra Sexton window, click Save.

11. On LON-CL1, click Start, type Outlook and then click Outlook 2016. If prompted, type
Holly@Adatumyyxxxxx.hostdomain.com and Pa$$w0rd in the Windows Security dialog box.

12. Click New Email.

13. In the new email window, in the To box, type Kendra@adatumyyxxxxx.hostdomain.com, and then
click Check Names.

14. In the Subject box, type Attachment Test.

15. In the ribbon, click Attach File, and then click Browse This PC.

16. In the Insert File window, browse to C:\Windows\Logs\DISM, click dism, and then click Insert.

17. Click Send.

18. On LON-CL2, in Outlook on the web, sign out, and then sign in again as
Kendra@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

19. On the Outlook page, select your time zone and click Save.

20. Read the new Attachment Test message.


21. Click the message attachment.

22. Click OK to close the message, indicating that you do not have permission to download files.

Task 2: Configure mobile-device access


1. On LON-CL1, in the Exchange admin center, click mobile, and then click mobile device access.
2. Click edit.

3. In the Exchange ActiveSync access settings window, click Quarantine – Let me decide to block or
allow later.
4. Under Quarantine Notification Email Messages, click Add, click Holly Dickson, click add, and then
click OK.

5. In the Exchange ActiveSync access settings window, click Save.

Task 3: Configure a mailbox policy for mobile devices


1. On LON-CL1, in the Exchange admin center, on the mobile menu, click mobile device mailbox
policies.

2. Click Default (default), and then click Edit.


3. In the Default window, click security, and then select the Require a password check box.

4. Select the Allow simple passwords check box.

5. Select the Minimum password length check box, enter a value of 4, and then click Save.

Task 4: Validate mobile-device management policies (optional)


1. On your mobile device, add a new ActiveSync account for Francisco Chaves.

2. If Autodiscover does not detect the server name, enter outlook.office365.com.

3. Your device will be placed into quarantine, and you must approve the device before you can send and
receive messages.

4. After you configure the Exchange ActiveSync account, the security settings from the mobile-device
mailbox policy will apply, and you may be prompted to create a password on your device.

5. When you finish your testing, you can delete the account from your mobile device.

6. Leave the virtual machines running for the next lab.

Results: After completing this exercise, you should have configured client access policies.
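Everything configured in Lab B Exercises 1 and 2 through the admin center can be read back with PowerShell, which is the practical way to review it after the fact. This added example (not part of the 20347A courseware) does that and flags settings a reviewer would question; it assumes an imported Exchange Online session, and the thresholds are this example's own choices. The lab's mobile policy (simple passwords allowed, minimum length 4) will show up as findings, which is the point.

```powershell
# Added example, not part of the 20347A courseware. Reads back the Lab B settings and
# reports weak or unexpected values. Assumes an imported Exchange Online session.
function Get-LabBPolicyFindings {
    [CmdletBinding()]
    param([int]$MinPasswordLength = 6)   # threshold chosen by this example

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Area, $Object, $Text) {
        $findings.Add([pscustomobject]@{ Area = $Area; Object = $Object; Finding = $Text })
    }

    # Exercise 1, Task 1: admins should hear about undelivered mail from both directions.
    foreach ($p in Get-MalwareFilterPolicy) {
        if (-not $p.EnableInternalSenderAdminNotifications -or -not $p.EnableExternalSenderAdminNotifications) {
            Add-Finding 'Malware filter' $p.Name 'Administrator is not notified about undelivered messages'
        }
    }

    # Exercise 1, Task 2: the lab adds 192.168.0.0/24 as a sample entry; a private range on a
    # cloud block list never matches real Internet senders, so it is worth pointing out.
    foreach ($p in Get-HostedConnectionFilterPolicy) {
        foreach ($entry in $p.IPBlockList) {
            if ("$entry" -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') {
                Add-Finding 'Connection filter' $p.Name "Private address range on IP block list: $entry"
            }
        }
    }

    # Exercise 1, Task 3: high-confidence spam left in the Junk folder is still reachable.
    foreach ($p in Get-HostedContentFilterPolicy) {
        if ("$($p.HighConfidenceSpamAction)" -notin 'Quarantine', 'Delete') {
            Add-Finding 'Spam filter' $p.Name "High confidence spam action is $($p.HighConfidenceSpamAction)"
        }
    }

    # Exercise 2, Task 1: "Direct file access" is what the Limited features policy clears.
    foreach ($p in Get-OwaMailboxPolicy) {
        if ($p.DirectFileAccessOnPrivateComputersEnabled -or $p.DirectFileAccessOnPublicComputersEnabled) {
            Add-Finding 'OWA policy' $p.Name 'Direct file access to attachments is enabled'
        }
    }

    # Exercise 2, Task 2: unknown devices should be quarantined and someone should be told.
    $eas = Get-ActiveSyncOrganizationSettings
    if ("$($eas.DefaultAccessLevel)" -eq 'Allow') {
        Add-Finding 'Device access' 'Organization' 'Unknown devices are allowed by default (no quarantine)'
    }
    if (-not $eas.AdminMailRecipients) {
        Add-Finding 'Device access' 'Organization' 'No administrator receives quarantine notifications'
    }

    # Exercise 2, Task 3: device password requirements.
    foreach ($p in Get-MobileDeviceMailboxPolicy) {
        if (-not $p.PasswordEnabled) {
            Add-Finding 'Mobile policy' $p.Name 'Device password not required'
            continue
        }
        if ($p.AllowSimplePassword) {
            Add-Finding 'Mobile policy' $p.Name 'Simple passwords (for example 1234) are allowed'
        }
        if ([int]$p.MinPasswordLength -lt $MinPasswordLength) {
            Add-Finding 'Mobile policy' $p.Name "Minimum password length $([int]$p.MinPasswordLength) is below $MinPasswordLength"
        }
    }

    return $findings
}

Get-LabBPolicyFindings | Format-Table -AutoSize
```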

Module 8: Planning and deploying Skype for Business Online


Lab: Configuring Skype for Business Online
Exercise 1: Configuring Skype for Business Online organization settings
Task 1: Download and install the Skype for Business Online module for Windows PowerShell
1. On LON-CL1, open Microsoft Edge, and then connect to
http://go.microsoft.com/fwlink/?LinkId=294688.

2. On the Skype for Business Online, Windows PowerShell Module page, click Download, and then
click Run.

3. Select I agree to the license terms and conditions, and then click Install.

4. If a User Account Control dialog box appears, click Yes.

5. After the installation completes, click Close.

6. Close the Microsoft Edge window.

Task 2: Enable Skype Meeting Broadcast for the organization


1. On LON-CL1, in the search box on the taskbar, type PowerShell.

2. In the search results, right-click Windows PowerShell, and then click Run as administrator.

3. In the User Account Control dialog box, click Yes.

4. At the command prompt, type the following command, and then press Enter:

$cred = Get-Credential

5. In the credentials dialog box, enter the user name Holly@adatumyyxxxxx.hostdomain.com and
the password Pa$$w0rd, and then click OK.

6. Type the following command, and then press Enter:

$SfBSession = New-CsOnlineSession -Credential $cred

7. Type Y and press Enter.

8. Type the following command, and then press Enter:

Import-PSSession $SfBSession

9. Type the following command, and then press Enter:

Set-CsBroadcastMeetingConfiguration -EnableBroadcastMeeting $True

10. Type the following command, and then press Enter:

Get-CsBroadcastMeetingConfiguration

11. Verify that the EnableBroadcastMeeting parameter is set to True.



Task 3: Configure the organization settings for Skype for Business Online
1. On LON-CL1, in the Windows PowerShell command-line interface window, type the following
command to enable privacy mode, and then press Enter:

Set-CSPrivacyConfiguration -EnablePrivacyMode $True

Note the warning that you receive about enabling client version checking.

2. To disable push notifications for Apple devices, type the following command, and then press Enter:

Set-CSPushNotificationConfiguration -EnableApplePushNotification $False

3. To verify the privacy notification settings, type the following command, and then press Enter:

Get-CSPrivacyConfiguration

You should see the following output:

o Identity: Global

o EnablePrivacyMode: True
o AutoInitiateContacts: True

o PublishLocationDataDefault: True

o DisplayPublishedPhotoDefault: True

4. To verify the push notification settings, type the following command, and then press Enter:

Get-CSPushNotificationConfiguration

5. To allow users to communicate with public Skype users, type the following command, and then press
Enter:

Set-CsTenantFederationConfiguration -AllowPublicUsers $True

6. To allow users to communicate with federated partners, type the following command, and then press
Enter:

Set-CsTenantFederationConfiguration -AllowFederatedUsers $True

7. To enable communication with all federated partners except for litware.com, type the following
commands, and then press Enter after each command:

$AllDomains = New-CsEdgeAllowAllKnownDomains
$BlockedDomain = New-CsEdgeDomainPattern -Domain "litware.com"
Set-CsTenantFederationConfiguration -AllowedDomains $AllDomains -BlockedDomains $BlockedDomain
Get-CsTenantFederationConfiguration

8. Open Microsoft Edge, and then connect to https://portal.office.com.

9. If needed, sign in as Holly@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

10. On the Office 365 home page, click the Admin tile.

11. In the Microsoft Office 365 admin center, in the menu to the left, click Admin centers, and then click
Skype for Business.

12. On the left-hand side, click organization.



13. On the general page, under presence privacy mode, verify that the setting is configured as Display
presence information only to a user’s contacts.

14. Under mobile phone notifications, verify that Apple Push Notification Service is not enabled, and
then click external communications.

15. Under external access, verify that On except for blocked domains is selected.

16. Verify that under blocked or allowed domains, litware.com is listed.

Task 4: Configure the meeting invitation settings


1. On LON-CL1, in the Skype for Business admin center, click meeting invitation.

2. In the Help URL text box, type http://help.adatum.com.

3. In the Footer text text box, type Sample legal disclaimer. Click save.

4. At the Windows PowerShell command prompt, type the following command, and then press Enter:

Get-CsMeetingConfiguration

5. Verify that the Help URL and CustomFooterText display the correct information.

Task 5: Validate the meeting invitation settings


1. On LON-CL1, click Start, type Skype, and then open Skype for Business 2016.

2. In the Skype for Business window, type Holly@adatumyyxxxxx.hostdomain.com, and then click
Sign in.
3. Type Pa$$w0rd for password, and then click Sign in. Click Yes.

4. Open Microsoft Outlook 2016.

5. On the ribbon, click New Items, click Meeting, and then click Skype Meeting.

6. In the To text box, type Maira.

7. Create a meeting request for some time tomorrow using a subject of Test Meeting.

8. Send the meeting request.


9. Open the calendar, and then double-click the meeting that you just created. Verify that the meeting
contains the custom footer text and that the help link references http://help.adatum.com.

Results: After completing this exercise, you should have configured Skype for Business Online service
settings.

Exercise 2: Configuring Skype for Business Online user settings


Task 1: Configure Skype for Business user settings
1. On LON-CL1, navigate to the Office 365 admin center.

2. On the menu to the left, click Users, and then click Active users. Select Christie Thomas, and then
click Edit in the Product licenses section.

3. Turn off Skype for Business Online (Plan 2), click Assign, and then click Close.

4. On the menu to the left, select Admin centers, and then click Skype for Business.

5. On the menu to the left, click Users.

6. Verify that Christie Thomas is not listed as a Skype for Business user.

7. Select Maira Wenzel, and then click Edit.

8. On the general tab, under Audio and video, clear Record conversations and meetings.

9. On the menu to the left, click external communications, clear External Skype users, and then click
Save.

10. Click the back icon, select Francisco Chaves, and then click Edit.

11. On the general tab, under Audio and video, select Audio only from the drop-down list box. Click
save.

12. Close Microsoft Edge.

Task 2: Verify Skype for Business communications


1. On LON-CL4, ensure that you are signed in as Maira. Open Outlook 2016.
2. On the Welcome to Outlook 2016 page, click Next.

3. On the Add an Email Account page, click Next. If the Office installation wizard launches, wait for the
installation to finish, and then continue.
4. On the Auto Account Setup page, fill in the following information, and then click Next:

o Your Name: Maira Wenzel

o E-mail address: Maira@adatumyyxxxxx.hostdomain.com

o Password: Pa$$w0rd

o Retype Password: Pa$$w0rd

5. In the Microsoft Outlook dialog box, type Pa$$w0rd as the password, select Remember my
credentials, and click OK.

6. Click Finish.

7. Open Skype for Business 2016.


8. Click Skip for now.

9. Sign in as Maira@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

10. Save the sign-in information. In the Help Make Skype for Business Better! dialog box, click No.
11. On LON-CL1, ensure that you are signed in as Holly, and verify that Outlook 2016 and Skype for
Business 2016 are open.

12. In Outlook 2016, create a Skype meeting request for a meeting that will start within the next 15
minutes, and then send the request to Francisco Chaves and Maira Wenzel.

13. In Skype for Business, in the Find someone text box, type Maira.

14. Double-click Maira Wenzel to open an IM window.


15. Type a message, and then press Enter.

16. On LON-CL4, verify that the IM from Holly is received and respond to it.

17. In Outlook 2016, accept Holly’s meeting request.

18. Open the meeting, and then click Join Skype Meeting.

19. Click Don’t join audio, and then click OK.



20. Verify that Maira is connected to the meeting.

21. On LON-CL1, open the meeting request, click Join Skype Meeting, click Don’t join audio, and then
click OK.

22. Verify that Holly is connected to the meeting.

23. On LON-CL1, in the meeting window, click the Present icon, and then click Present Desktop.
24. In the Present Desktop window, click Present.

25. In the Skype for Business window, click OK.

26. On LON-CL4, verify that Holly’s desktop is visible in the meeting window.

27. On LON-DC1, open Internet Explorer, and then connect to https://portal.office.com. Sign in as
Francisco@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

28. Click Mail.


29. Click the meeting request from Holly Dickson, click Accept, and then click Send the response now.

30. Click the App launcher at the top of the window, and then click Calendar.

31. Double-click Holly’s meeting request.

32. In the meeting details window, click Join Skype Meeting.

33. In the Skype for Business Web App window, click Sign in if you are an Office 365 user.

34. Ensure that Install the Skype for Business Web App plug-in is selected, click Join the Meeting, and
then click Run.

35. Verify that you can join the meeting and that Holly’s desktop is visible. Ignore the warning that you
need to set up an audio device.
36. Close the Internet Explorer window, and when prompted, click Leave this page.

37. On LON-CL4, disconnect from the meeting.

38. On LON-CL1, disconnect from the meeting.

Results: After completing this exercise, you should have configured Skype for Business Online user settings
and validated Skype for Business Online functionality.

Exercise 3: Configuring a Skype Meeting Broadcast


Task 1: Configure a Skype Meeting Broadcast
1. On LON-CL1, open a new tab in the Microsoft Edge browser.

2. Connect to https://broadcast.skype.com, and then, if needed, sign in as
holly@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

3. In the Skype Meeting Broadcast window, click New Meeting.



4. In the Meeting details window, fill in the following information:

o Meeting title: Test broadcast meeting

o Meeting time: Today’s date

o Start time: Within the next 15 minutes

o Duration: 1 hour

o Members: Roman Miler

o Access: Secure

o Attendees: Maira Wenzel


5. Scroll back to the top of the window, and then click Create.

6. In the Skype Meeting Broadcast window, click Create Outlook invitation, and then click Open.

7. In the Test broadcast meeting - Meeting window, click Send Update.

Task 2: Validate the Skype Meeting Broadcast configuration


1. On LON-CL3, open Outlook 2016.

2. On the Welcome to Outlook 2016 page, click Next.

3. On the Add an Email Account page, click Next.

4. On the Auto Account Setup page, fill in the following information, and then click Next:

o Your Name: Roman Miler

o E-mail address: Roman@adatumyyxxxxx.hostdomain.com

o Password: Pa$$w0rd

o Retype Password: Pa$$w0rd

5. In the Microsoft Outlook dialog box, type Pa$$w0rd as the password, select Remember my
credentials, and then click OK.

6. Click Finish.

7. Open Skype for Business 2016.

8. Click Skip for now.

9. Sign in as Roman@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

10. Save the sign-in information. In the Help Make Skype for Business Better! dialog box, click No.
11. Open PowerPoint 2016. Select the option to create a blank presentation.

12. Type a title for the presentation, and then save the presentation to the Documents folder using the
name Presentation.pptx.

13. Close PowerPoint 2016.

14. In Outlook, click the broadcast meeting request from Holly Dickson, and then click Accept.

15. In the Reminders pop-up window, double-click the meeting request from Holly.
16. Click Join the Meeting.

17. In the Skype for Business window, sign in as Roman@adatumyyxxxxx.hostdomain.com with the
password Pa$$w0rd, and then click Join the event.

18. In the Join Meeting Audio dialog box, click Don’t join audio, and then click OK.

19. Ignore the warning about setting up an audio device.

20. In the Meeting window, click Present, and then click Present PowerPoint Files.

21. Browse to the Documents folder, click Presentation.pptx, and then click Open.

22. In the right side of the meeting window, click Content only, and then click Start Broadcast.

23. Click Start Broadcast again. Wait for the broadcast to start.

24. On LON-CL4, signed in as Maira, in Outlook 2016, accept the meeting request from Holly.

25. Open the meeting request, and then click Join the Meeting.

26. In the Skype for Business window, sign in as Maira@adatumyyxxxxx.hostdomain.com with the
password Pa$$w0rd, and then click Join the event.

27. On LON-CL3, in the broadcast window, click Stop Broadcast, and then click Stop Broadcast again.

28. On both LON-CL3 and LON-CL4, disconnect from the meeting.


29. Keep the virtual machines running for the next lab.

Results: After completing this exercise, you should have configured a broadcast meeting and verified that
users can join the meeting.

Module 9: Planning for and configuring SharePoint Online


Lab: Configuring SharePoint Online
Exercise 1: Configuring SharePoint Online settings
Task 1: Configure settings
1. Ensure that you are signed in to the 20347A-LON-CL1 virtual machine as Holly with the password
Pa$$w0rd.

2. In LON-CL1, click the desktop, on the taskbar, click Microsoft Edge, and then browse to
https://portal.office.com.

3. Sign in as holly@Adatumyyxxxxx.hostdomain.com (where yyxxxxx is your unique Adatum.com
number) with the password Pa$$w0rd.

4. In the Office 365 admin center, click Admin centers, and then click SharePoint.

5. On the leftmost side, click settings.


6. Under Site Collection Storage Management, click Automatic.

7. Scroll down to Enterprise Social Collaboration.

8. Select Use Yammer.com service.

9. Scroll down to external sharing. (If the settings page has no external sharing section, use the separate Sharing page of the SharePoint admin center instead.)

10. Click Allow both external users who accept sharing invitations and anonymous guest links, and
then click OK.

Task 2: Configure user profiles


1. On the leftmost side, click user profiles.

2. Under people, click Manage User Profiles.

3. In the Find profiles dialog box, type Brad, and then click Find.

4. In the result window, in the drop-down list, click Brad.

5. Click edit my profile, and in the Manager box, type Holly.

6. Click the check names field and verify that the field displays Holly Dickson.

7. In the right corner, click Save and close.

8. On the left side, click user profiles.

9. Under My Site settings, click Setup My Sites.

10. Scroll down to My Site Cleanup.

11. In the secondary owner list, type Holly and then click the Check names icon.

12. Scroll down, and click OK.



Task 3: Configure apps


1. On the leftmost side, click apps, and then click Configure Store Settings.

2. In the Apps for Office from the Store window, click No to disable apps from starting when documents
are opened in the browser.

3. Click OK and close the browser.

Results: After completing this exercise, you should have configured SharePoint Online service settings.

Exercise 2: Creating and configuring SharePoint Online site collections


Task 1: Create a site collection using the SharePoint admin center
1. Open Microsoft Edge and sign in to https://portal.office.com with the user name
holly@Adatumyyxxxxx.hostdomain.com, and the password of Pa$$w0rd.

2. In the Office 365 admin center, on the left side menu, click Admin centers, and then click SharePoint.

3. In the leftmost side, click Site collections.


4. On the Site Collections ribbon, click New, and then click Private Site Collection.

5. In the new site collection dialog box, in the Title box, type marketing, in the empty text box, type
marketing, and then in the administrator list, type Holly. Then click the Check Names icon. Leave
the other settings as suggested. To confirm, click OK.

Note: SharePoint Online provisions the new marketing site. This process can take a few
minutes.

6. After marketing is created, select the https://adatumyyxxxxx.sharepoint.com/sites/marketing
check box.

Note: It can take a few minutes until the Sharing menu on the ribbon is active. You can
speed this up by pressing the F5 key to refresh the page.

7. When the marketing site is selected, on the ribbon, click Sharing.

8. In the Sharing dialog box, select Allow sharing with all external users, and by using anonymous
access links, and then click Save.

Note: The site settings changes to allow external user sharing. This process is usually done
within one minute. Now, external user sharing is enabled and you can use it for this marketing site.

Task 2: Create a site collection using Windows PowerShell


1. To install the SharePoint Online Management Shell, you must first download it from the Microsoft
Download Center. To do so, open a new Microsoft Edge tab and browse to http://aka.ms/f04q5o.

2. On the SharePoint Online Management Shell download page, in the Select Language drop-down
list, select your appropriate language, and then click Download.

3. On the Choose the download you want page, select the check box for the 64-bit version and for the
most current file. Click Next.

4. If a message about pop-ups appears, click Allow once.

5. In the Internet Explorer dialog box asking whether you want to run or save the file, click Run.

6. On the SharePoint Online Management Shell Setup page, select the I accept the terms in the
License Agreement check box, and then click Install.

7. If a User Account Control dialog box appears, click Yes.

8. When the installation completes, click Finish.

9. Click Start, type sharep, and right-click SharePoint Online Management Shell, and then click Run as
administrator.

10. In the User Account Control dialog box, click Yes.

11. At the command prompt, type the following command, and then press Enter (where yyxxxxx is your
unique Adatum domain name):

Connect-SPOService -Url https://adatumyyxxxxx-admin.sharepoint.com -Credential
holly@Adatumyyxxxxx.hostdomain.com

Note: If the command fails with the error Connect-SPOService : Pour des raisons de sécurité, DTD interdite,
the admin URL was answered with an HTTP error page from your Internet provider instead of the SharePoint
endpoint. Change the DNS server of the virtual machine to 8.8.8.8, and then run the command again.

12. In the Enter your credentials dialog box, in the Password box, type Pa$$w0rd, and then click OK.

13. At the command prompt, type the following command, and then press Enter:

New-SPOSite -Url https://Adatumyyxxxxx.sharepoint.com/sites/AcctsProj -Owner
holly@Adatumyyxxxxx.hostdomain.com -StorageQuota 500 -NoWait -Template PROJECTSITE#0
-Title "Accounts Project"

14. Close the Windows PowerShell window.

Task 3: Configure permissions on the site collections


1. In LON-CL1, open Microsoft Edge, in the top-right corner, click the ellipsis, and then click New
InPrivate Window.

2. Browse to https://portal.office.com.

3. Sign in as holly@Adatumyyxxxxx.hostdomain.com, with the password of Pa$$w0rd.

4. In the Office 365 admin center, click Admin, and then click SharePoint.

5. On the leftmost side, click Site collections.

6. Select the https://adatumyyxxxxx.sharepoint.com/sites/marketing check box.

7. On the ribbon, click owners, and then click Manage Administrators.

8. In the Site Collection Administrators text box, type Brad, click the Check Names icon, and then click
OK.

9. Open another InPrivate window, browse to
https://adatumyyxxxxx.sharepoint.com/sites/marketing, and sign in as
brad@Adatumyyxxxxx.hostdomain.com, with the password of Pa$$w0rd.

10. In the upper-right corner, click the Settings icon (the wheel icon), and then navigate to site settings.

11. Under Users and Permissions, click Site collection administrators to open it.

12. Verify that Brad Sutton appears.

13. Close the Microsoft Edge window.



Task 4: Verify access to the site collections


1. In LON-CL1, open Microsoft Edge.

2. Browse to https://adatumyyxxxxx.sharepoint.com/sites/marketing.

3. Sign in as maira@Adatumyyxxxxx.hostdomain.com, with the password of Pa$$w0rd.

Note: You need permission to access this site, and you need to send an access request for
permission to view the site.

4. In the You need permission to access this site dialog box, type Please enable Maira’s access to this
site, and then click Request Access.

5. Close Microsoft Edge and then reopen it.


6. Browse to https://Adatumyyxxxxx.sharepoint.com/sites/marketing.

7. Sign in as holly@Adatumyyxxxxx.hostdomain.com with the password of Pa$$w0rd.

8. In the top-right corner, click the Settings icon (the wheel icon), and then click Site settings.
9. Under User and Permissions, click Site permissions.

10. Click Show access requests and invitations.

11. Verify that Maira’s request is listed, and click Approve.


12. Click Site Settings, and click Site permissions.

13. Click marketing Members.

14. Verify that Maira’s account is listed.


15. Click New, and click Add Users.

16. In the text box at the top, type Perry, and then click Perry Brill.

17. Click Share.


18. Close Microsoft Edge.

19. Open Microsoft Edge and connect to https://Adatumyyxxxxx.sharepoint.com/sites/marketing.

20. Sign in as maira@Adatumyyxxxxx.hostdomain.com, with the password of Pa$$w0rd.

21. Verify that you can access the site.

22. Close Microsoft Edge and reopen it.

23. Browse to https://Adatumyyxxxxx.sharepoint.com/sites/marketing.

24. Sign in as Perry@Adatumyyxxxxx.hostdomain.com, with the password of Pa$$w0rd.

25. Verify that you can access the site.

Results: After completing this exercise, you should have created and configured SharePoint Online site
collections.

Exercise 3: Configuring and verifying external user sharing


Task 1: Configure global settings for external user sharing
1. In LON-CL1, open Microsoft Edge.

2. Browse to https://portal.office.com.

3. Sign in as holly@Adatumyyxxxxx.hostdomain.com, with the password of Pa$$w0rd.


4. In the Office 365 admin center, click Admin, and then click SharePoint.

5. On the leftmost side, click settings, and then scroll down to external sharing.

6. Click Allow both external users who accept sharing invitations and anonymous guest links, and
then click OK.

Task 2: Configure a site collection for external user sharing


1. In Microsoft Edge, click Site Collections.

2. Select the https://Adatumyyxxxxx.sharepoint.com/sites/AcctsProj check box.


3. On the ribbon, in the Manage section, click Sharing.

4. In the Sharing dialog box, click Allow sharing with all external users, and by using anonymous
access links.
5. Click Save.

6. Wait for the operation to complete, which might take about 5 minutes.

7. Close Microsoft Edge.

8. Open Microsoft Edge and browse to https://Adatumyyxxxxx.sharepoint.com/sites/AcctsProj.

9. Sign in as holly@Adatumyyxxxxx.hostdomain.com with the password of Pa$$w0rd.

10. In the top-right corner, click SHARE.


11. In the Share ‘Accounts Project’ dialog box, type in the email address of the Microsoft account you
used to set up Office 365.

12. In the text box, type You can now access this shared site on Adatum Publishing.
13. Click Share.

14. Browse to https://Adatumyyxxxxx.sharepoint.com/sites/marketing.

15. In the left navigation pane, click Documents.

16. Click New, and then click Word document.

17. In the Word Online window, type some text, and then wait to check if Saved appears in the document
title, and then click the marketing link.

18. In the document list, click the ellipsis button (…) next to the document you created, and then click
SHARE.

19. Click Get a link, and then click Edit link – no sign-in required.

20. Select the link, right-click it, and then click Copy.

21. Click Close.

22. In the SharePoint Online window, click the apps icon, and then click Mail.

23. If prompted, select your language and time zone, and then click Save.

24. Click New.

25. In the To box, type the email address for your Microsoft account, and then in the Subject box, type
Shared Document.

26. In the message box, right-click, and then click Paste.

27. Click SEND.


28. Close Microsoft Edge.

Task 3: Verify external user sharing


1. Open Microsoft Edge and browse to https://outlook.com.

2. Sign in with your Microsoft account.

Note: The Inbox should show two emails from Microsoft Online Services Team. If the messages are
not in the Inbox, look in the Junk folder.

3. Open the message that has the subject Holly Dickson wants to share Accounts Projects.

4. Click the Accounts Project link in the email.

5. Click Microsoft Account. Verify that you can access the site.

6. Close the browser tab. In your Inbox, open the second invitation email message with the subject of
Holly Dickson wants to share the document.

7. Click the Document link.

Note: You are redirected directly to the Word Document. Word Online opens and shows the
document.

8. Verify that you can access the Word document, and then click Edit in Browser.

9. Add some text in this document.


10. Close Microsoft Edge.

11. Leave the virtual machines running for the next lab.

Results: After completing this exercise, you should have configured a new site collection for external user
sharing, and you should have shared a site and a document with external users.
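The following script is an added example and is not part of the 20347A lab manual; it performs the PowerShell side of Exercise 2, Task 2 (creating the AcctsProj site collection) together with the sharing configuration that Exercise 3, Tasks 1 and 2 perform in the browser, and then reports which site collections allow anonymous guest links. It assumes the SharePoint Online Management Shell is installed, that adatumyyxxxxx is replaced with your tenant name, and that the tenant-level setting is allowed to be this permissive (a site can never be more permissive than the tenant).

```powershell
# Added example (not the lab manual's own script): create a site collection and configure
# external sharing with the SharePoint Online Management Shell, then audit the result.
$tenant   = "adatumyyxxxxx"                                # placeholder: your unique tenant name
$adminUrl = "https://$tenant-admin.sharepoint.com"
$siteUrl  = "https://$tenant.sharepoint.com/sites/AcctsProj"
$owner    = "holly@$tenant.hostdomain.com"

# Prompts for Holly's password, as in step 11 of Exercise 2, Task 2.
Connect-SPOService -Url $adminUrl -Credential $owner

# Tenant-wide setting (Exercise 3, Task 1). ExternalUserAndGuestSharing corresponds to
# "Allow both external users who accept sharing invitations and anonymous guest links".
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing

# Create the project site only if it does not exist yet (Get-SPOSite errors on a missing site).
$existing = $null
try { $existing = Get-SPOSite -Identity $siteUrl -ErrorAction Stop } catch { }
if (-not $existing) {
    New-SPOSite -Url $siteUrl -Owner $owner -StorageQuota 500 `
        -Template "PROJECTSITE#0" -Title "Accounts Project"
}

# Site-level setting (Exercise 3, Task 2): allow external users and anonymous access links.
Set-SPOSite -Identity $siteUrl -SharingCapability ExternalUserAndGuestSharing

# Verify the new site, then list every site collection that permits anonymous links so the
# administrator can see the full exposure created by the tenant setting.
Get-SPOSite -Identity $siteUrl | Select-Object Url, Owner, StorageQuota, SharingCapability
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability

Disconnect-SPOService
```

The final Get-SPOSite query is the check worth keeping after the lab: anonymous guest links bypass sign-in entirely, so an administrator should know exactly which site collections have that capability enabled rather than only the one just created.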

Module 10: Planning and configuring an Office 365 collaboration solution

Lab: Planning and configuring an Office 365 collaboration solution
Exercise 1: Configuring Yammer Enterprise
Task 1: Configure a Yammer organization setting
1. In LON-CL1, click Desktop, open Microsoft Edge from the taskbar, and then browse to
https://portal.office.com.

2. Sign in as holly@Adatumyyxxxxx.hostdomain.com (where yyxxxxx is your unique Adatum number),
with the password Pa$$w0rd.

3. Click the Office 365 app launcher icon, and then click Yammer.

4. On the WHO DO YOU WORK WITH? page, click the X at the top-right corner to close the page.

5. In Yammer, in the left pane beside Holly Dickson, click the Settings icon.
6. Click NETWORK ADMIN.

7. In the Yammer admin center, in the left Navigation pane, click on Usage Policy.

8. In the Usage Policy window, select the Require users to accept policy during sign up and after any
changes are made to the policy check box.

9. In the Usage Policy window, select the Display policy reminder in sidebar check box.

10. In the Custom Policy Title text box, type Adatum Acceptable Use Policy.
11. In the Enter your policy in the textbox below text box, copy and paste the following text:

Welcome to Yammer! Our goal is to provide a collaborative environment to connect with
colleagues and bridge various departments and geographic locations to share meaningful
information.

12. Click Save.

13. In the Adatum Acceptable Use Policy window, click I Accept.

14. If needed, in Yammer, in the left pane beside Holly Dickson, click the Settings icon, and then click
NETWORK ADMIN.

15. In the left side menu of the Yammer console, click Configuration.
16. In the Email Settings section, click A weekly digest of your group messages.

17. On the Enabled Features page, clear the 3rd Party Applications check box.

18. Click Save.


19. In the left side menu of the Yammer console, click Data Retention.

20. On the Data Retention Policy page, read the description of available options, click Soft Delete, and
then click Save.

21. In the left side menu of the Yammer console, click Monitor Keywords.

22. On the Monitor Keywords page, type holly@Adatumyyxxxxx.hostdomain.com in the Email Address
field.

23. In the text box, type the following words, one in each line: gambling, erotic, warez.

24. Click Save.

25. In the left side menu of the Yammer console, click Success.

26. Click Write a welcome message in the middle pane.

27. In the middle pane, in the What are you working on? text box, type Welcome to all Adatum users!,
and then click Post.

Task 2: Configure Yammer service settings, and enforce Office 365 identity
1. In Yammer, in the left pane, click the Settings icon.

2. Click on NETWORK ADMIN.

3. In the Yammer admin center, in the left Navigation pane, in the Content and Security section, click
Security Settings.

4. Scroll down to Enforce Office 365 identity in Yammer.

5. Select the Enforce Office 365 identity in Yammer check box.

6. In the pop-up window, click Yes, I’m ready.

7. Click Save.

Task 3: Configure the Yammer user experience


1. In Yammer, in the left pane, click the Settings icon, and then click SETTINGS.

2. In the left navigation pane, click Notifications.

3. In the Send me a digest of message activity drop-down list, click weekly.

4. Select only the following options in the Email me when...section:

o I receive a message in my inbox

o I log in from somewhere new

o I post a message via email (This will send a confirmation email)

5. Click Save.

6. Close Microsoft Edge.

Task 4: Use Yammer


1. On LON-CL3, open Microsoft Edge, and connect to https://portal.office.com.

2. Sign in as Roman@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

3. On the Office 365 portal, click Yammer.


4. On the WHO DO YOU WORK WITH prompt, type Christie in the first text box, and then click DONE.

5. Click I Accept in the Adatum Acceptable Use Policy prompt.

6. Find the post from Holly Dickson in the post list.

7. Click Like, and then click SHARE.

8. In the Share This Conversation section, select Post in a Group, type All Company in the drop-down
box, and in the text box, type Welcome from me too.
9. Click Share.

10. In the What are you working on text box, type free gambling here, and click Post.

11. Close the Microsoft Edge browser.

12. Open the Microsoft Edge browser and browse to https://portal.office.com.

13. Sign in as Holly@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

14. On the Office 365 portal, click Mail.

15. Verify that you received a message from Yammer reporting that a monitored keyword appeared
in Roman's post.
16. Close Microsoft Edge browser.

Results: After completing this exercise, you should have enabled Yammer Enterprise for A. Datum.

Exercise 2: Configuring OneDrive for Business


Task 1: Enable OneDrive for Business synchronization
1. On LON-CL3, click Start, click All apps, and then click Word 2016.

2. In the Word window, in the top right corner, verify that Word is licensed to Roman Miler.

3. If Word is licensed to another account, click Switch account.

4. In the Accounts dialog box, click SIGN OUT, and then click Sign out. In the Remove Account notice,
click Yes.

5. At the top right, click Sign in to get the most out of Office.

6. On the Sign in page, in the E-mail address box, type Roman@Adatumyyxxxxx.hostdomain.com,
and then click Next.

7. On the Sign in page, in the Password box, type Pa$$w0rd, and then click Sign in.
8. Verify that Word is now licensed to Roman. Close Word.

9. Open Microsoft Edge, and connect to https://portal.office.com.

10. Sign in as Roman@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

11. On the Office 365 portal, click OneDrive.

12. On the Welcome to OneDrive for Business page, click Next.

13. In the OneDrive window, click New, and then click Word document.
14. In the Word Online window, type some text, and then click Roman Miler at the top of the Window
beside Word Online.

15. In the OneDrive window, click Sync, and then click Sync now.

16. In the Did you mean to switch apps? dialog box, click Yes.

17. In the Sync the library ‘Documents’ for Roman Miler? dialog box, click Sync Now.

18. If prompted to sign in, type Holly@adatumyyxxxxx.hostdomain.com, and click Next.


19. Type Pa$$w0rd and click Sign In.

20. In the Microsoft OneDrive for Business dialog box, click Show my files.

21. Note that File Explorer opens and displays the location where the synchronized files will be stored.
Verify that the Word document has been synchronized to the local computer.

Task 2: Create files to synchronize with OneDrive for Business


1. On LON-CL3, ensure that the OneDrive for Business folder is open in File Explorer.

2. On the ribbon in File Explorer, click Home, click New folder, and then create a new folder named
Private.

3. On the ribbon, click Home, click New folder, and then create a second new folder named Project A.

4. Double-click the folder Private. Right-click in this folder, and on the context menu, click New, and
then click Microsoft Word Document. Name the document Holidays.docx.

5. Double-click Holidays.docx to open it, and then type some text. Save the changes, and then close
Microsoft Word.
6. See how the document icon in the taskbar changes from two blue arrows to a small green checkmark
icon after the synchronization process is complete. The document has been transferred to the cloud
storage automatically.
7. In the File Explorer window, navigate to OneDrive for Business in the navigation address line to move
one level up.

8. Double-click the folder Project A. Right-click in this folder, and on the context menu, click New, and
then click Microsoft Word Document. Name the document Project targets.docx.

9. Double-click Project targets.docx to open it, and then type some text. Save the changes, and then
close Microsoft Word.
10. Verify that the document synchronizes.

11. To view the files online, switch to the Microsoft Edge window. Refresh the view.

12. In the Files list, you should see your two folders, Private and Project A.
13. Navigate to the Private folder. Click the synchronized document Holidays.docx to open it in Word
Online.

14. Click Edit document, and then click Edit with Word Online. Add some text. The document is saved
automatically when Saved is displayed in the title bar.

15. In the menu bar right beside Word Online, click Roman Miler to return to OneDrive for Business.

16. The content of the Private folder changes, and you will see that you changed the document online.
The changed column shows that the document changed some seconds (or minutes) ago.

17. Switch back to File Explorer. Navigate to the folder Private, and then open Holidays.docx. You will see
that the changes you made in Word Online are synchronized back automatically.

Task 3: Share files with other users


1. In File Explorer, right-click the folder Project A, point to OneDrive for Business, and then click Go to
browser.

2. Microsoft Edge opens. Open the Project A folder, right-click Project Targets.docx, and then click
Share.

SharePoint Online automatically opens a dialog box named Share Project targets.

3. The left navigation pane displays the link Invite people. In the text box, type Holly Dickson.

4. Ensure that the drop-down list on the right has Can edit selected, add a short message in the message
text box, and then click Share.

5. Open a new InPrivate Microsoft Edge window, and connect to https://portal.office.com.

6. Sign in as Holly@adatumyyxxxxx.hostdomain.com using the password Pa$$w0rd.

7. In the Office 365 Portal, click Mail.


8. Click the message with the subject Roman Miler wants to share Project Targets.

9. In the message box, click Project Targets.

10. When the document opens, click Edit Document, and then select Edit in Word Online. Verify that
you can open the document and edit it. All modifications are stored online in the OneDrive for Business
cloud storage. By default, SharePoint Online creates a new version when the document changes. This
can be viewed by the owner in the version history.

11. Close the InPrivate Microsoft Edge window.

12. In the Microsoft Edge window, right-click Project Targets, and then click Share on the menu bar.

13. Click Shared with, and then click Stop sharing to stop sharing this document. Click Stop sharing
again, and then click Close.

14. Close the Microsoft Edge window.

Results: After completing this exercise, you should have configured OneDrive for A. Datum.

Exercise 3: Configuring Office 365 groups


Task 1: Configure a private Office 365 group
1. On LON-CL1, sign in to http://portal.office.com as Holly@Adatumyyxxxxx.hostdomain.com with
the password Pa$$w0rd.

2. Open the Office 365 admin center through the app launcher by clicking the Admin icon.

3. Select Groups in the left navigation pane, click Groups, and then click Add a group.

4. In the Add a group window, verify that Office 365 group is selected in the Type drop-down list.

5. In the Add a group window, configure the following settings:

o Name: AdatumMarketing

o E-Mail: Adatummarketing@Adatumyyxxxxx.hostdomain.com

o Description: Adatum Marketing Group

o Under Privacy, select Private – Only members can see group content.

o Set the language to English (United Kingdom)

o Group owner: Holly Dickson

6. Click Add.

7. Click Close.

8. In the Details window, in the Members section, click Edit.



9. Type Roman in the search box, and then click Roman Miler.

10. Click Save, and then click Close.

Task 2: Configure a public Office 365 group with Windows PowerShell


1. On LON-CL1, double-click Windows Azure Active Directory Module for Windows PowerShell on
the desktop.

2. Type the following command, and then press Enter:

$cred = Get-Credential

3. In the Windows PowerShell credential request window, sign in as
Holly@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

4. Type the following command, and then press Enter:

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri
https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication
Basic -AllowRedirection

5. Type the following command, and then press Enter:

Import-PSSession $session -AllowClobber

6. To create a new public Office 365 group, type the following command, and then press Enter:

New-UnifiedGroup -DisplayName "Planning Group" -Alias "PlanningGroup" -EmailAddresses
PlanningGroup@Adatumyyxxxxx.hostdomain.com

7. To add a user to the owners group, type the following command, and then press Enter:

Add-UnifiedGroupLinks "Planning Group" -Links Holly@adatumyyxxxxx.hostdomain.com
-LinkType Owner

8. To add a user to the members group, type the following command, and then press Enter:

Add-UnifiedGroupLinks "Planning Group" -Links Francisco@adatumyyxxxxx.hostdomain.com
-LinkType Member
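As an added example (not the lab manual's own script), the following performs Task 2 end to end: it connects to Exchange Online with remote PowerShell, creates the public Planning Group only if it does not already exist, adds the owner and member links, and then reads the links back so the membership can be verified before the remote session is closed. It assumes the tenant domain adatumyyxxxxx.hostdomain.com is replaced with your own and that the user running it is a global administrator.

```powershell
# Added example (not from the lab manual): create a public Office 365 group with remote
# PowerShell, add links, verify them, and always tear the session down.
$tenantDomain = "adatumyyxxxxx.hostdomain.com"            # placeholder: your tenant domain
$cred = Get-Credential -Message "Office 365 administrator, for example holly@$tenantDomain"

# Steps 4 and 5 of Task 2: remote session to Exchange Online.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://outlook.office365.com/powershell-liveid/" `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -AllowClobber | Out-Null

try {
    $alias = "PlanningGroup"

    # Step 6: create the group once. -AccessType Public makes the "public group" explicit
    # instead of relying on the default.
    $group = Get-UnifiedGroup -Identity $alias -ErrorAction SilentlyContinue
    if (-not $group) {
        $group = New-UnifiedGroup -DisplayName "Planning Group" -Alias $alias `
            -EmailAddresses "$alias@$tenantDomain" -AccessType Public
    }

    # Steps 7 and 8: a user has to be a member before being promoted to owner, so add the
    # member links first and then the owner link.
    Add-UnifiedGroupLinks -Identity $alias -LinkType Members `
        -Links "holly@$tenantDomain", "francisco@$tenantDomain"
    Add-UnifiedGroupLinks -Identity $alias -LinkType Owners -Links "holly@$tenantDomain"

    # Verification: group properties plus the resolved owner and member lists.
    Get-UnifiedGroup -Identity $alias |
        Select-Object DisplayName, PrimarySmtpAddress, AccessType
    Get-UnifiedGroupLinks -Identity $alias -LinkType Owners  | Select-Object Name
    Get-UnifiedGroupLinks -Identity $alias -LinkType Members | Select-Object Name
}
finally {
    # Remote Exchange sessions count against a per-user limit; never leave one open.
    Remove-PSSession $session
}
```

Because the group is public, any user in the tenant can join it and read its conversations and files (Task 3, step 18 demonstrates this with Roman), so the verification output is also the place to confirm that AccessType really is what you intended.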

Task 3: Explore the Office 365 group components


1. On LON-CL1, open Microsoft Edge, and sign in to https://portal.office.com as
Holly@Adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

2. Click the app launcher in the upper-left corner.

3. Click Mail.

4. In the left pane, click Planning Group, and then click Start a group conversation.

5. In the message window, type a subject and some content, and then click Send.
6. Click Calendar on the toolbar, and then view the group calendar.

7. Click New. In the Details pane, fill out the data for the meeting, type Planning meeting for the subject,
schedule it for tomorrow, and then click Save.

8. Ensure that the calendar item synchronizes with Holly’s personal calendar.

9. Click the Office365 apps icon, and then click Mail.

10. In the navigation pane, select Planning Group.



11. Click Files on the toolbar, and then wait for the files store to be created. When you see Ready to go,
click Take me to Planning Group files.

12. Click New, and then click Word document.

13. Type some text, and when you see Saved in the title bar, close the Microsoft Edge tab.

14. In the Mail window, click Files, and verify that the document has been added to the group.
15. On LON-CL3, open Microsoft Edge, and then sign in to https://portal.office.com as
Roman@Adatumyyxxxxx.hostdomain.com, with the password Pa$$w0rd.

16. Click Mail. Verify that the AdatumMarketing group appears in your Groups list.

17. Under Groups, click Browse or Discover.

18. Click Planning Group, and then click Join. Because this is a public group, you can join the group.

19. In the left navigation pane, click Planning Group, and then click Conversations. Verify that you see
the message that Holly sent to the group.

20. Click Files, and then verify that you see the document that Holly created.

21. Close the Microsoft Edge browser.


22. Keep the virtual machines running for the next lab.

Results: After completing this exercise, you should have configured Office 365 groups at A. Datum.

Module 11: Planning and configuring Rights Management and compliance

Lab: Configuring Rights Management and compliance
Exercise 1: Configuring Rights Management in Office 365
Task 1: Activate Rights Management in Office 365
1. On LON-CL1, open Microsoft Edge, and then connect to https://portal.office.com.

2. Sign in to the Microsoft Office 365 portal as holly@Adatumyyxxxxx.onmicrosoft.com with the
password Pa$$w0rd.

3. In the app launcher, click the Admin icon.


4. In the Office 365 admin center, select Settings and then click Apps.

5. Click Microsoft Azure Rights Management.

6. On the Rights Management page, click Manage Microsoft Azure Rights Management settings.

7. On the Rights Management page, click activate.

8. When prompted with Do you want to activate Rights Management?, click activate.

Task 2: Configure Rights Management for Exchange Online


1. Open the Windows Azure Active Directory Module for Windows PowerShell from the desktop.
2. Type the following commands, and then press Enter after each command to connect to remote
Exchange Online with remote PowerShell. Use Holly’s credentials to connect.

$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri
https://outlook.office365.com/powershell-liveid/ -Credential $Cred -Authentication
Basic -AllowRedirection
Import-PSSession $Session

3. Type the following command, and then press Enter to set the IRM sharing location to the region you
are in.

Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"

Note: Depending on the location of your tenant, replace the link in the preceding
command with one of the following:

o For Europe: https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc

o For Asia: https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc

o For South America: https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc

4. Type the following command, and then press Enter to configure Azure RMS as a trusted publishing
domain.

Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"

5. Type the following command, and then press Enter to set the IRM configuration for licensed users
only.

Set-IRMConfiguration -InternalLicensingEnabled $true

6. Type the following command, and then press Enter to test the configuration.

Test-IRMConfiguration -Sender holly@adatumyyxxxxx.hostdomain.com

7. Type the following command, press Enter, and then close Windows PowerShell.

Remove-PSSession $Session
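The script below is an added example, not the lab manual's own commands; it carries out steps 3 through 7 of this task in one go, picking the key-sharing location for the region from the four URLs listed in the note above, and before closing the session it reads the resulting configuration back, which is the check a practitioner wants in addition to Test-IRMConfiguration. It assumes the Exchange Online session from step 2 is already imported into the current window and that adatumyyxxxxx is replaced with your tenant name.

```powershell
# Added example (not from the lab manual): apply and verify the Exchange Online IRM
# configuration. Assumes $Session from step 2 of Task 2 is imported in this window.
$region = "na"      # one of na, eu, ap, sa (the regions listed in the lab note)
$keySharingLocations = @{
    na = "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"
    eu = "https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc"
    ap = "https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc"
    sa = "https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc"
}
if (-not $keySharingLocations.ContainsKey($region)) {
    throw "Unknown region '$region'; use one of: $($keySharingLocations.Keys -join ', ')"
}

# Step 3: point Exchange Online at the Azure RMS key-sharing service for the tenant's region.
Set-IRMConfiguration -RMSOnlineKeySharingLocation $keySharingLocations[$region]

# Step 4: import the Azure RMS trusted publishing domain (the key material Exchange uses
# to protect and decrypt messages) if it has not been imported already.
$tpd = Get-RMSTrustedPublishingDomain -ErrorAction SilentlyContinue
if (-not ($tpd | Where-Object { $_.Name -eq "RMS Online" })) {
    Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
}

# Step 5: let licensed internal users apply IRM protection.
Set-IRMConfiguration -InternalLicensingEnabled $true

# Verification: effective configuration, imported TPDs, then the end-to-end test from step 6.
$sender = "holly@adatumyyxxxxx.hostdomain.com"           # placeholder: a licensed mailbox
Get-IRMConfiguration |
    Select-Object InternalLicensingEnabled, RMSOnlineKeySharingLocation, LicensingLocation
Get-RMSTrustedPublishingDomain | Select-Object Name, Default
Test-IRMConfiguration -Sender $sender

# Step 7: close the remote session.
Remove-PSSession $Session
```

If Test-IRMConfiguration reports a failure, the two Get cmdlets above usually show why: either no trusted publishing domain is marked Default, or InternalLicensingEnabled is still False, in which case the Do Not Forward option that Task 4 exercises in Outlook will not be offered.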

Task 3: Configure Rights Management for SharePoint Online


1. In Microsoft Edge, access the Office 365 admin center by using App launcher icon.

2. In the left navigation pane, under Admin centers, click SharePoint.


3. In the SharePoint admin center, in the left pane, click settings.

4. On the settings page, in the Information Rights Management (IRM) section, click Use the IRM
service specified in your configuration, and then click Refresh IRM Settings.

Task 4: Validate the Azure Rights Management functionality


1. On LON-CL1, open Word 2016.

2. In the Word window, at the top right corner, click Switch account.

3. In the Accounts dialog box, click Add Account.

4. In the Sign in dialog box, type Holly@adatumyyxxxxx.hostdomain.com, and then click Next.

5. Type Pa$$w0rd, and then click Sign in.

6. Close Word 2016.

7. On LON-CL1, open Microsoft Outlook 2016.

8. Create a new email with Brad Sutton as the recipient.

9. Type a subject, and then type some text in the message body.

10. On the Options tab, click Permission, and then click Connect to the Rights Management Server
and get templates.

11. Click Permission again, and then click Do Not Forward.

12. Send the message.

13. In Microsoft Edge, connect to https://adatumyyxxxxx.sharepoint.com/sites/marketing.

14. Click Documents, and then click the Library tab.


15. On the Library ribbon, click Library Settings.

16. On the Settings page, under Permissions and Management, click Information Rights
Management.

17. On the Information Rights Management Settings page, select the Restrict permissions on this
library on download check box.

18. In the Create a permission policy title box, type Marketing Policy.

19. In the Add a permission policy description box, type Marketing policy for downloads.

20. Click SHOW OPTIONS.


21. Under Configure document access rights, select the Allow viewers to write on a copy of the
downloaded document check box.

22. Click OK.

23. Close Microsoft Edge.

24. Open Microsoft Edge, and then connect to https://portal.office.com. Sign in as
Brad@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

25. In the Office 365 portal, in the App launcher, click Mail.

26. On the Outlook page, select your time zone and click Save.

27. Verify that you received an email from Holly that is IRM protected. Click the message.
28. Click the down arrow beside Reply all, and then verify that you do not have the option to forward or
print the message.

29. In Microsoft Edge, connect to https://adatumyyxxxxx.sharepoint.com/sites/marketing.

30. Click Documents, and then click a document in the library.

31. After the document opens, try to edit it in Word Online. Verify that you get a message that the
document is read-only.
32. Close Microsoft Edge.

Results: After completing this exercise, you will have configured Rights Management for Exchange Online
and SharePoint Online.

Exercise 2: Configuring compliance features


▶ Task 1: Configure Protection Center permissions and audit logging
1. On LON-CL1, open Microsoft Edge, and then connect to https://portal.office.com.

2. Sign in to the Office 365 portal as holly@Adatumyyxxxxx.hostdomain.com with the password
Pa$$w0rd.

3. In the app launcher, click the Admin icon.

4. In the Office 365 admin center, in the left side menu, select Admin centers and then click
Compliance. If you are connected to the Compliance Center, click Check out your new Office 365
Protection Center.

5. In the Protection Center, click Permissions.

6. Click Compliance Administrator, and then click Edit.

7. On the Compliance Administrator page, under Members, click Add.

8. In the Select Members window, click Brad Sutton, click add, and then click OK.
L11-84 Planning and configuring Rights Management and compliance

9. Click Save.

10. Click To assign permissions for retention policies and archiving, go to the Exchange admin
center.

11. Click Compliance Management, and then click Edit.

12. On the Compliance Management page, under Members, click Add.


13. In the Select Members window, click Brad Sutton, click add, and then click OK.

14. Click Save.

15. Close the Exchange role groups window.

16. Click eDiscovery Manager, and then click Edit.

17. On the eDiscovery Manager page, under Members, click Add.

18. In the Select Members window, click Christie Thomas, click add, and then click OK.
19. Click Save.

20. Click Reports, and then click View reports.

21. Click Office 365 audit log report.


22. On the Audit log search page, click Start recording user and admin activities, and then click Turn
on and click OK twice.

23. Close Microsoft Edge.

▶ Task 2: Configure archive mailboxes


1. On LON-CL1, open Microsoft Edge, and then connect to https://protection.office.com.

2. Sign in to the Office 365 portal as Brad@Adatumyyxxxxx.hostdomain.com with the password
Pa$$w0rd. Brad is a member of the Compliance Administrator role, so he can connect to the
protection website.

3. In the navigation pane, click Data management, and then click Archive.

4. In the Archive window, click Christie Thomas, and then Ctrl + click Jessica Jennings.
5. Under Bulk Edit, click Enable. In the warning message, click Yes, and then click Close.

6. Click Refresh, and then verify that Christie and Jessica have been enabled for an archive mailbox.

▶ Task 3: Configure retention tags and policies


1. In the left pane, under Data management, click Retention.

2. Under Delete, click Manage retention tags for mailboxes.

3. On the Retention Tags page, click New tag, and then select applied automatically to entire
mailbox (default).

4. Type Research User 1 year move to archive as the name.

5. Select Move to Archive as the Retention action.

6. Type 365 as the Retention period.

7. Click Save.

8. On the toolbar, click New tag, and then select applied automatically to entire mailbox (default).

9. Type Default 2 years move to Deleted Items as the name.



10. Select Delete and Allow Recovery as the Retention action.

11. Type 730 as the Retention period.

12. Click Save.

13. On the toolbar, click New tag, and then select applied automatically to a default folder.

14. Type Purge Deleted Items 30 days as the name.

15. Under Apply this tag to the following default folder, select Deleted Items.

16. Select Permanently Delete as the Retention action.

17. Type 30 as the Retention period.


18. Click Save.

19. On the toolbar, click New tag, and then select applied by users to items and folders (personal).

20. Type 2 Year Delete as the name.

21. Select Delete and Allow Recovery as the Retention action.

22. Type 730 as the Retention period.

23. Click Save.


24. On the toolbar, click New tag, which is the plus sign (+), and then select applied by users to items
and folders (personal).

25. Type Never archive as the name.

26. Select Move to Archive as the Retention action.

27. Select Never as the Retention period.

28. Click Save.


29. Close the Retention Tags window.

30. On the Retention page, click Manage retention policies for mailboxes.

31. On the toolbar, click New.

32. On the new retention policy page, type Research MRM Policy as the name.

33. Click Add below Retention tags.

34. In the select retention tags window, Ctrl+click the following retention tags:
• 6 Month Delete
• 1 Year Delete
• 2 Year Delete
• Never Delete
• Research User 1 year move to archive
• Default 2 years move to Deleted Items
• Purge Deleted Items 30 days
• Personal 1 year move to archive
• Never archive

35. Click add, and then click ok. Click Save.



36. Close the Retention Policies window.

37. On the Retention page, click Assign retention policies to mailboxes.

38. On the Assign Retention Policies to Mailboxes page, click Christie Thomas, and then click Edit.

39. On the Assign Retention Policy to Christie Thomas page, click Research MRM Policy, and then
click Save.
40. In the warning dialog box, click Yes. Leave Microsoft Edge open, signed in as Brad, for the next task.
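Tasks 2 and 3 can also be scripted. The following is an added example, not part of the 20347A lab, that performs the same archive enablement, tag creation and policy assignment with Exchange Online PowerShell and then prints the result so it can be checked against steps 3 to 40. It assumes the adatumyyxxxxx tenant placeholder, the New-PSSession connection pattern used in the IRM steps earlier in this lab (Basic authentication over remote PowerShell, which current tenants have replaced with Connect-ExchangeOnline from the Exchange Online PowerShell module), and that the built-in default tags named in step 34 exist in the tenant, as they do in every Exchange Online organization.

```powershell
# Added example (not part of the 20347A lab): Exchange Online PowerShell equivalent of
# Exercise 2, Task 2 (archive mailboxes) and Task 3 (retention tags, Research MRM Policy).
# Assumption: adatumyyxxxxx is the tenant placeholder used throughout the lab.
$domain = 'adatumyyxxxxx.hostdomain.com'

$cred = Get-Credential -Message "Office 365 admin (holly@$domain)"
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking | Out-Null

# --- Task 2: enable the In-Place Archive for Christie and Jessica (idempotent) ---
foreach ($upn in "Christie@$domain", "Jessica@$domain") {
    if ((Get-Mailbox -Identity $upn).ArchiveStatus -ne 'Active') {
        Enable-Mailbox -Identity $upn -Archive | Out-Null
    }
}

# --- Task 3: retention tags. One hashtable per "New tag" dialog in the lab. ---
#   Type All          = "applied automatically to entire mailbox (default)"
#   Type DeletedItems = "applied automatically to a default folder" (Deleted Items)
#   Type Personal     = "applied by users to items and folders (personal)"
#   A retention period of "Never" in the UI is -RetentionEnabled $false in PowerShell.
$tags = @(
    @{ Name = 'Research User 1 year move to archive';  Type = 'All';          Action = 'MoveToArchive';          Days = 365   },
    @{ Name = 'Default 2 years move to Deleted Items'; Type = 'All';          Action = 'DeleteAndAllowRecovery'; Days = 730   },
    @{ Name = 'Purge Deleted Items 30 days';           Type = 'DeletedItems'; Action = 'PermanentlyDelete';      Days = 30    },
    @{ Name = '2 Year Delete';                         Type = 'Personal';     Action = 'DeleteAndAllowRecovery'; Days = 730   },
    @{ Name = 'Never archive';                         Type = 'Personal';     Action = 'MoveToArchive';          Days = $null }
)
foreach ($t in $tags) {
    if (Get-RetentionPolicyTag -Identity $t.Name -ErrorAction SilentlyContinue) { continue }
    if ($null -eq $t.Days) {
        New-RetentionPolicyTag -Name $t.Name -Type $t.Type -RetentionAction $t.Action `
            -RetentionEnabled $false | Out-Null
    } else {
        New-RetentionPolicyTag -Name $t.Name -Type $t.Type -RetentionAction $t.Action `
            -RetentionEnabled $true -AgeLimitForRetention $t.Days | Out-Null
    }
}

# The policy links the new tags plus the built-in default tags selected in step 34.
$links = @('6 Month Delete', '1 Year Delete', '2 Year Delete', 'Never Delete',
           'Research User 1 year move to archive', 'Default 2 years move to Deleted Items',
           'Purge Deleted Items 30 days', 'Personal 1 year move to archive', 'Never archive')
if (-not (Get-RetentionPolicy -Identity 'Research MRM Policy' -ErrorAction SilentlyContinue)) {
    New-RetentionPolicy -Name 'Research MRM Policy' -RetentionPolicyTagLinks $links | Out-Null
}

# Steps 37-40: assign the policy to Christie. Starting the Managed Folder Assistant applies
# the tags now instead of waiting for its next scheduled pass.
Set-Mailbox -Identity "Christie@$domain" -RetentionPolicy 'Research MRM Policy'
Start-ManagedFolderAssistant -Identity "Christie@$domain"

# Verification. A policy may hold at most one default (Type All) tag per action, so the table
# should show exactly one MoveToArchive default and one delete default.
Get-Mailbox -Identity "Christie@$domain" | Format-List DisplayName, ArchiveStatus, RetentionPolicy
Get-RetentionPolicy -Identity 'Research MRM Policy' |
    Select-Object -ExpandProperty RetentionPolicyTagLinks |
    ForEach-Object { Get-RetentionPolicyTag -Identity $_.Name } |
    Format-Table Name, Type, RetentionAction, AgeLimitForRetention, RetentionEnabled -AutoSize

Remove-PSSession $Session
```

Run it as Holly after Task 1; the `Get-*` guards make it safe to run again after the tags have been created through the portal.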

▶ Task 4: Configure content deletion and preservation policies


1. On the Retention page, click Manage document deletion policies for SharePoint Online and
OneDrive for Business.

2. Verify that Brad does not have permission to configure Microsoft SharePoint Online deletion settings.
Brad holds the Compliance Administrator role but is not a SharePoint Online administrator, so the
Compliance Policy Center, which is a SharePoint Online site collection, is not available to him.
Close Microsoft Edge.

3. Open Microsoft Edge, and then connect to https://protection.office.com.

4. Sign in as holly@Adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

5. Click Data Management, and then click Retention.


6. On the Retention page, click Manage document deletion policies for SharePoint Online and
OneDrive for Business.

7. On the Compliance Policy Center page, click Sample Document Policy.

8. On the Sample Document Policy page, change the policy name to Marketing Document Policy.

9. Under Rules for this policy, click New.

10. In the New deletion rule dialog box, type Delete Messages at 7 years as the name, select
Permanently Delete as the delete action, select Created Date as the date from when the document
deletion date will be calculated, and then configure the time period after which the document will be
deleted as 7 years.

11. Select the Set as default rule check box, click Save, and then click OK.

12. On the Sample Document Policy page, click Save.

13. On the Compliance Policy Center page, click Policy Assignments for Site Collections.

14. On the Policy Assignments for Site Collections page, click new item.

15. On the New: Site Collection Assignment page, click First choose a site collection.

16. In the Choose a site collection dialog box, type Marketing in the search box, and then click the
Search icon.

17. Select the Marketing check box, and then click Save.

18. On the New: Site Collection Assignment page, click Manage Assigned Policies.
19. In the Add and manage policies dialog box, select the Marketing Document Policy check box, and
then click Save.

20. Select the Mark Policy as Mandatory check box, and then click Save.

21. Close the Policy Assignments for Site Collections tab.

22. On the Retention page, under Preserve, click New.



23. On the New preservation policy page, type Retain contract details as the policy name, and then
click Next.

24. On the Where do you want us to look? page, select both Mailboxes and SharePoint Online and
OneDrive for Business sites, and then click Next.

25. On the Which mailboxes do you want to include? page, click Add, click Francisco Chaves, click
Add, click OK, and then click Next.

26. On the Which SharePoint Online or OneDrive for Business sites do you want to include? page,
click Add.

27. On the Choose sites page, type https://adatumyyxxxxx.sharepoint.com/sites/AcctsProj/ as the
site URL, and then click OK.

28. Click Next.


29. On the What do you want to look for? page, in the box, type Contract. Select the Start date check
box, and then pick a date that is two days ago.

30. Leave the End date check box cleared, and then click Next.
31. On the How long do you want to preserve the content? page, click 7 years, and then click Next.

32. On the Do you want to turn on Preservation Lock? page, leave Preservation Lock off, and then click
Next. A locked preservation policy cannot be turned off or made less restrictive afterwards, even by a
global administrator, so it should not be enabled in a lab tenant.

33. On the Do you want to turn on this policy after it is created? page, accept the default, and then
click Next.

34. On the Review your settings page, click Create.

35. Close Microsoft Edge.

▶ Task 5: Configure data loss protection policies in SharePoint Online


1. Open Microsoft Edge, and then connect to https://protection.office.com.

2. Sign in to the Office 365 portal as Brad@Adatumyyxxxxx.hostdomain.com with the password
Pa$$w0rd.
3. In the navigation pane, click Security Policies, and then click Data loss prevention.

4. Click New DLP policy from template.

5. On the What information do you want to protect? page, verify that Custom is selected, and then
click Next.

6. On the Which services do you want to protect? page, accept the default, and then click Next.

7. On the Customize rules page, click New DLP rule.

8. In the New DLP Rule window, click Add condition.

9. Click Choose a condition, and then click Content contains sensitive information.

10. Click Add, and in the Sensitive information types window, click IP address, click Add, and then
click OK.

11. On the New DLP Rule page, click Actions.

12. Click Add Actions.

13. Click Select an action, and then click Send a notification.

14. Review the default actions, and then click Incident reports.

15. Select the Send an incident report to these people when this rule is matched check box, and then
click Add people.

16. Click Christie Thomas, click add, and then click OK.

17. On the New DLP Rule page, click General.

18. Type IP address check as the rule name, and then click OK.
19. On the Customize rules page, click Next.

20. On the New DLP policy page, type Test DLP policy as the policy name. Select the Send
notifications and Policy Tips to end users check box, and then click Create.

▶ Task 6: Configure data loss protection policies for email


1. Open Microsoft Edge, and then connect to https://protection.office.com.

2. Sign in as holly@Adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.

3. In the Protection Center, click Security Policies, and then click Data Loss Prevention.
4. On the Data loss prevention page, click go to the Exchange admin center.

5. On the Policy Mode page, click New custom DLP policy.

6. On the new custom DLP policy page, type Test DLP policy for email as the policy name. Click
Enforce, and then click Save.

7. On the Policy Mode page, click Edit.

8. On the Test DLP policy for email page, click rules.


9. Click the New icon, and then click Block messages with sensitive information unless the sender
overrides.

10. On the new rule page, click Select sensitive information types.
11. On the Contains any of these sensitive information types page, click Add, click IP address, click
Add, and then click OK twice.

12. On the new rule page, click Select one, click Christie Thomas, and then click OK.
13. Click add action.

14. Click Select one, point to Modify the message security, and then click Apply rights protection.

15. In the select RMS template dialog box, click OK.

16. Select the Activate this rule on the following date check box, and then click Save.

17. In the warning dialog box, click OK, and then click Save.

18. Close Microsoft Edge.
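The same DLP policy and rule can be created from Exchange Online PowerShell, which also makes every setting of the rule visible in one place. The block below is an added example, not part of the 20347A lab. It assumes a remote Exchange Online session is already imported (the New-PSSession pattern from the IRM steps earlier in this lab), the adatumyyxxxxx tenant placeholder, and that the RMS template accepted with OK in step 15 is the default Do Not Forward template; the rule name is the author's choice because the lab does not name it.

```powershell
# Added example (not part of the 20347A lab): Exchange Online PowerShell equivalent of
# Exercise 2, Task 6 (DLP policy "Test DLP policy for email" and its sender-override rule).
# Assumptions: an imported Exchange Online remote session; adatumyyxxxxx is the tenant placeholder;
# the rights protection template is the default "Do Not Forward" template.
$domain     = 'adatumyyxxxxx.hostdomain.com'
$policyName = 'Test DLP policy for email'
$ruleName   = 'IP address override rule'   # assumed name; the lab does not name the rule

# Policy container. Mode Enforce matches step 6. In production start with -Mode Audit (or
# AuditAndNotify) to see what the rule would match before it blocks anything.
if (-not (Get-DlpPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-DlpPolicy -Name $policyName -Mode Enforce | Out-Null
}

# The rule. Each parameter maps to one choice in the "Block messages with sensitive information
# unless the sender overrides" template used in steps 9-16:
#   -MessageContainsDataClassifications  sensitive information type "IP Address"   (step 11)
#   -NotifySender RejectUnlessExplicitOverride  block unless the sender gives an override reason
#   -GenerateIncidentReport / -IncidentReportContent  incident report to Christie   (step 12)
#   -ApplyRightsProtectionTemplate       "Modify the message security > Apply rights protection" (step 14)
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName -DlpPolicy $policyName `
        -MessageContainsDataClassifications @( @{ Name = 'IP Address' } ) `
        -NotifySender RejectUnlessExplicitOverride `
        -GenerateIncidentReport "Christie@$domain" `
        -IncidentReportContent Sender, Recipients, Subject, Severity, Override, RuleDetections, DataClassifications `
        -ApplyRightsProtectionTemplate 'Do Not Forward' | Out-Null
}

# Verification before sending the test message in Task 7: the rule must be Enabled, bound to the
# policy, and carry the classification, override and protection settings.
Get-TransportRule -Identity $ruleName |
    Format-List State, DlpPolicy, MessageContainsDataClassifications, NotifySender,
                GenerateIncidentReport, IncidentReportContent, ApplyRightsProtectionTemplate
```

Transport rule changes in Exchange Online can take several minutes to propagate, which is one reason the test message in Task 7 may not trigger the policy tip immediately.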

▶ Task 7: Create compliance check content


1. Open Microsoft Edge, and then connect to https://portal.office.com.

2. Sign in to the Office 365 portal as Brad@Adatumyyxxxxx.hostdomain.com with the password
Pa$$w0rd.

3. On the Office 365 home page, click Mail.

4. Click New, type your Microsoft account name on the To line, type Server IP address as the Subject,
type 10.10.10.10 as the message body, and then click Send.
5. Click the message that you receive from Outlook, and then review the message content.

6. At the top of the message, click click here.

7. In the Policy tip, click Show details.

8. Click Override, and then click Send.


Still doesn't work!
9. Close Microsoft Edge.

▶ Task 8: Validate the configuration


1. Open Microsoft Edge, and then connect to https://outlook.com. Sign in with your Microsoft
account.

2. Click the message from Brad Sutton with the subject Server IP address.

3. Verify that the message is protected with Microsoft Information Protection and that you cannot open
the attachment in Microsoft Edge.

4. Close Microsoft Edge.

5. Open Microsoft Edge, and then connect to https://portal.office.com.


6. Sign in to the Office 365 portal as Christie@Adatumyyxxxxx.hostdomain.com with the password
Pa$$w0rd. Christie is a member of the eDiscovery Manager role group.

7. Click Mail.

8. Select your time zone, and then click Save.

9. In the left pane of Christie’s mailbox, under Folders, click More.

10. Verify that a folder named In-Place Archive – Christie Thomas has been created.
11. Click the newest message in the mailbox, and then verify that it is a report on the message sent with
the Server IP address subject.

Results: After completing this exercise, you will have implemented the Office 365 compliance features.

Module 12: Monitoring and troubleshooting Microsoft Office 365

Lab: Monitoring and troubleshooting Office 365
Exercise 1: Monitoring Office 365
▶ Task 1: Send an email to a nonexistent domain
1. On LON-CL1, on the taskbar, click Microsoft Edge.

2. Browse to https://portal.office.com/, and then sign in as
holly@adatumyyxxxxx.hostdomain.com by using the password Pa$$w0rd.

3. Click Mail, and then click New.


4. In the To text box, type user@alt.none.

5. Enter a subject and some body text, and then click Send.

▶ Task 2: Track mail delivery


1. Wait for the delivery failure message to appear.
2. Note the reason for the failure (“The domain name in the email address is incorrect.”).

3. Select the body text of the message, from the phrase “Generating server” down to
“X-OriginatorOrg: adatumyyxxxxx.hostdomain.com”, and then press Ctrl+C to copy it to the Clipboard.
4. In Microsoft Edge, press Ctrl+T to create a new tab.

5. In the new tab, browse to testconnectivity.microsoft.com.

6. On the Microsoft Remote Connectivity Analyzer page, click the Message Analyzer tab.

7. Under Message Header Analyzer, paste the message, and then click Analyze headers.

8. Note the diagnostic information and the time taken for the message to be rejected.

9. Click Clear to reset the Message Header Analyzer.

▶ Task 3: Send an email to a nonexistent user


1. In Microsoft Edge, click Holly’s Mail tab.

2. Click New, and then in the To text box, type difflop4890@outlook.com.

3. Enter a subject and some body text, and then click Send.

▶ Task 4: Track mail delivery


1. Wait for the delivery failure message to appear.

2. Note the reason for the “550 Requested action not taken: mailbox unavailable” failure.

3. Select the body text of the message, from the phrase “Generating server” down to
“X-OriginatorOrg: adatumyyxxxxx.hostdomain.com”, and then press Ctrl+C to copy it to the Clipboard.

4. In Microsoft Edge, switch to the Microsoft Remote Connectivity Analyzer tab.

5. On the Microsoft Remote Connectivity Analyzer page, ensure that you are on the Message
Analyzer tab.

6. Under Message Header Analyzer, paste the message, and then click Analyze headers.

7. Note the diagnostic information and the time taken for the message to be rejected.

8. Close the Microsoft Remote Connectivity Analyzer page.

▶ Task 5: Analyze mail flow


1. On Holly’s Mail tab in the Office 365 portal, click the App launcher on the top task bar, and then
click Admin.

2. Access the new Office 365 admin center, click Admin centers, click Exchange, and then click mail
flow.

3. In mail flow, click message trace.

4. In message trace, next to Sender, click add sender.

5. In the Select Members dialog box, click Holly, click add, and then click OK.

6. Under Date range, select Past 24 hours.


7. Under Delivery status, select Failed, and then click Search. Note the two messages.

8. Double-click each message to view the sender, recipient, message size, ID, and IP address information.

9. Note the differences between the message processing events: Receive, Submit, Spam Diagnostics, and
Fail for the nonexistent domain, and Submit, Receive, Spam Diagnostics, and Fail for the nonexistent
user.

10. Close the Message Trace window.
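The message trace in Task 5 has a PowerShell equivalent that is easier to repeat and to compare. The block below is an added example, not part of the 20347A lab: it lists the failed messages Holly sent in the last 24 hours and, for each recipient, prints the ordered processing events that step 9 asks you to compare. It assumes an imported Exchange Online remote session (the New-PSSession pattern from the IRM steps in Lab 11) and the adatumyyxxxxx tenant placeholder.

```powershell
# Added example (not part of the 20347A lab): scripted version of Exercise 1, Task 5.
# Assumptions: an imported Exchange Online remote session; adatumyyxxxxx is the tenant placeholder.
$sender = 'holly@adatumyyxxxxx.hostdomain.com'
$end    = Get-Date
$start  = $end.AddHours(-24)     # "Past 24 hours" in step 6

# Get-MessageTrace returns one row per recipient. Trace data lags delivery by a few minutes,
# so a message you have just sent may not appear yet.
$failed = Get-MessageTrace -SenderAddress $sender -StartDate $start -EndDate $end -Status Failed

if (-not $failed) {
    Write-Warning "No failed messages from $sender between $start and $end yet; wait a few minutes and retry."
    return
}

foreach ($m in $failed) {
    # Step 8: sender, recipient, size, message ID and the IP the message came from.
    '{0}  {1} -> {2}  {3} bytes  id={4}  fromIP={5}' -f `
        $m.Received, $m.SenderAddress, $m.RecipientAddress, $m.Size, $m.MessageId, $m.FromIP

    # Step 9: the per-message event sequence (Receive, Submit, Spam Diagnostics, Fail). The Detail
    # of the Fail event carries the reason: a DNS failure for the unknown domain (user@alt.none)
    # versus the remote server's 550 "mailbox unavailable" response for the unknown outlook.com user.
    Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId -RecipientAddress $m.RecipientAddress |
        Sort-Object Date |
        Format-Table Date, Event, Detail -AutoSize -Wrap
}
```

Because the output is plain objects, the same loop can be pointed at a suspicious external recipient with -RecipientAddress, or at -Status Delivered, when investigating a possible data exfiltration rather than a delivery failure.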

Results: After completing this exercise, you should have used the Message Header Analyzer to identify why
email failed to deliver.

Exercise 2: Monitoring service health and analyzing reports


▶ Task 1: View Office 365 service health
1. In the new Office 365 admin center, click Home.

2. On the Home page, in the left menu, select Health, and then click Service Health.

3. Select Exchange Online in the left column.

4. On the right side of the page, click View history.

5. Click any entry in the calendar that is colored yellow to see further details about the incident. Details
appear below the calendar.

6. Click the Home icon on the menu to the left.

▶ Task 2: View reports in the Office 365 admin center


1. In the Office 365 admin center, on the Home page, click Switch back to the old admin center to go
to the previous Office 365 admin center.

2. In the Office 365 admin center, click REPORTS.



Note: At the time of writing this course, reports were not available in the new Office 365
admin center.

3. On the Reports page, in the Mail section, click Mailbox usage.

Note: There might be little or no data shown because there is not much mailbox usage in the
lab environment.

4. Click the back arrow.

5. On the Reports page, in the Protection section, click Sent and received mail, and then click View
table.

6. Close the table view.

Note: There might be little or no data shown because there is not much mailbox usage in the
lab environment.

7. Close the open window.


8. On the Reports page, in the Protection section, click Malware detections.

9. Close the open window.

10. On the Reports page, in the Protection section, click Spam detections.

11. Close the open window.

12. Keep the virtual machines running for the next lab.

Results: After completing this exercise, you should have monitored the health of Office 365 services and
viewed reports in the Office 365 admin center.

Module 13: Planning and configuring identity federation

Lab: Planning and configuring identity federation
Exercise 1: Deploying Active Directory Federation Services (AD FS) and Web Application Proxy
▶ Task 1: Add DNS records required for AD FS
1. On LON-DS1, on the taskbar, click Windows PowerShell.

2. Type IPConfig and press Enter.

3. Record the IPv4 address assigned to the server.


4. On LON-DC1, open Server Manager, click Tools, and then click DNS.

5. Expand LON-DC1, expand Forward Lookup Zones, and click Adatumyyxxxxx.hostdomain.com.

6. Right-click Adatumyyxxxxx.hostdomain.com, and click New Host (A or AAAA).

7. In the New Host dialog box, leave the Name box empty so that the record is created for the zone apex
(the federation service name you specify in Task 2), and in the IP address box, type the external IP
address provided by the hosting partner.

8. Click Add Host, and then click OK.


9. In the New Host dialog box, leave the Name box empty again, and in the IP address box, type the
LON-DS1 IP address that you recorded in step 3.

10. Click Add Host, and then click OK, and then click Done.

▶ Task 2: Install and configure the AD FS server role


1. Sign in to the LON-DS1 virtual machine as ADATUM\Administrator with a password of Pa$$w0rd.

2. On the desktop taskbar, right-click Windows PowerShell, and then click Run as administrator.

3. At the command prompt, type the following command, and then press Enter. This command creates the
Key Distribution Services (KDS) root key that Active Directory uses to generate the password of the
group Managed Service Account you create later in this lab. You should receive a GUID value as a
response. The -EffectiveTime value backdates the key by 10 hours so that it is usable immediately; this
is a lab shortcut. In a production forest, create the key with the default effective time and wait the
10 hours for it to replicate to all domain controllers before creating any gMSA.

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

4. On the Start screen, click Server Manager.

5. In Server Manager, click Manage, and then click Add Roles and Features. If you get a Server Manager
message about collecting inventory data, click OK. Wait a minute, and then try this step again.

6. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

7. On the Select installation type page, click Role-based or Feature-based installation, and then
click Next.
8. On the Select destination server page, click Select a server from the server pool, verify that the
target computer is highlighted, and then click Next.

9. On the Select server roles page, click Active Directory Federation Services, and then click Next.

10. On the Select features page, click Next.



11. On the Active Directory Federation Service (AD FS) page, click Next.

12. On the Confirm installation selections page, click Install.

13. When installation completes, on the Installation progress page, click Close.

14. Click the exclamation mark icon on the toolbar and then click Configure the federation service on
this server.
15. In the Active Directory Federation Services Configuration Wizard, on the Welcome page, click Create
the first federation server in a federation server farm, and then click Next.

16. On the Connect to AD DS page, click Next.


17. On the Specify Service Properties page, use the following settings, and then click Next:

o For SSL Certificate, click the wildcard certificate provided by the hosting partner.

o For Federation Service Name, type adatumyyxxxxx.hostdomain.com, replacing
adatumyyxxxxx with your unique Adatum domain name.

o For Federation Service Display Name, type Adatum Corporation.

18. On the Specify Service Account page, select the option Create a Group Managed Service
Account, for Account Name type svc-ADFS, and then click Next.

19. On the Specify Configuration Database page, click Create a database on this server using Windows
Internal Database, and then click Next.

20. On the Review Options page, click Next.

21. Once the prerequisites check is complete, on the Pre-requisite Checks page, click Configure.

22. When the configuration completes, on the Results page, click Close.

▶ Task 3: Install the Web Application Proxy server role service


1. Sign in to the LON-WAP1 virtual machine as LON-WAP1\Administrator with a password of
Pa$$w0rd.

2. On the Start screen, click Server Manager.


3. In Server Manager, click Manage, and then click Add Roles and Features.

4. In the Add Roles and Features Wizard, on the Before you begin page, click Next.

5. On the Select installation type page, click Role-based or Feature-based installation, and then
click Next.

6. On the Select destination server page, click Select a server from the server pool, verify that the
target computer is highlighted, and then click Next.

7. On the Select server roles page, click Remote Access, and then click Next.

8. On the Select features page, click Next.

9. On the Remote Access page, click Next.


10. On the Select role services page, click Web Application Proxy, in the popup window, click Add
Features, and then click Next.

11. On the Confirm installation selections page, click Install.

12. When the installation is complete, on the Installation progress page, click Close.

▶ Task 4: Configure the Web Application Proxy server


1. On LON-WAP1, in Server Manager, click Tools, and then click Remote Access Management.

2. In the Remote Access Management Console, in the left navigation pane, click Web Application
Proxy. In the middle navigation pane, click Run the Web Application Proxy Configuration Wizard.

3. In the Web Application Proxy Configuration Wizard, on the Welcome page, click Next.

4. On the Federation Server page, use the following settings and then click Next:
o Federation service name: adatumyyxxxxx.hostdomain.com, replacing adatumyyxxxxx with your
unique Adatum domain name.

o User name: Adatum\Administrator

o Password: Pa$$w0rd

5. On the AD FS Proxy Certificate page, select the *.hostdomain.com certificate, and then click Next.

6. On the Confirmation page, click Configure.


7. When the configuration is complete, on the Results page, click Close.

▶ Task 5: Verify that the AD FS server is working


1. Switch to the LON-DS1 virtual machine.

2. In Server Manager, click Tools, and then click Event Viewer.


3. In Event Viewer, in the details pane, expand Applications and Services Logs, expand AD FS, and
then click Admin.

4. In the Event ID column, verify that event ID 100 (The Federation Service started successfully) is displayed.

5. On LON-DC1, open Internet Explorer, and then connect to
https://Adatumyyxxxxx.hostdomain.com/adfs/fs/federationserverservice.asmx, replacing
adatumyyxxxxx with your unique Adatum domain name.

6. If you get a message stating There is a problem with this website’s security certificate, click
Continue to this website. Bypassing the warning is acceptable only in this lab environment; on a
production federation endpoint a certificate warning indicates a misconfigured certificate or DNS
record and must be investigated, not clicked through.
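Task 5 checks the deployment by eye. The script below is an added example, not part of the 20347A lab, that verifies the same things from LON-DS1 in a form that fails loudly: the federation service name AD FS is using, the apex DNS records from Task 1, the service start event (ID 100), the certificate bound to the service, and the federation metadata endpoint over HTTPS. Unlike step 6, a certificate error here fails the check instead of being bypassed. It assumes an elevated PowerShell session on the AD FS server (Windows Server 2012 R2 or later, for Get-AdfsSslCertificate) and the adatumyyxxxxx tenant placeholder.

```powershell
# Added example (not part of the 20347A lab): post-deployment checks for Exercise 1, run on LON-DS1.
# Assumptions: elevated PowerShell on the AD FS server; adatumyyxxxxx is the tenant placeholder.
$fsName = 'adatumyyxxxxx.hostdomain.com'
Import-Module ADFS -ErrorAction Stop

# 1. The federation service name configured in Task 2, step 17.
$props = Get-AdfsProperties
if ($props.HostName -ne $fsName) {
    throw "AD FS HostName is '$($props.HostName)', expected '$fsName'"
}

# 2. The apex A records from Task 1. Two records mean round-robin answers, so list them all.
$a = Resolve-DnsName -Name $fsName -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
'DNS A records for {0}: {1}' -f $fsName, (($a.IPAddress | Sort-Object) -join ', ')

# 3. Event 100 in AD FS/Admin: "The Federation Service started successfully" (Task 5, step 4).
$started = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 100 } `
               -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $started) { throw 'No AD FS event 100 found; the federation service has not started.' }
'Federation service started at {0}' -f $started.TimeCreated

# 4. The SSL binding must be the hosting partner's wildcard certificate, and not about to expire.
$binding = Get-AdfsSslCertificate |
    Where-Object { $_.HostName -eq $fsName -and $_.PortNumber -eq 443 } |
    Select-Object -First 1
if (-not $binding) { throw "No SSL binding for $fsName on port 443" }
$cert = Get-Item "Cert:\LocalMachine\My\$($binding.CertificateHash)"
'SSL certificate: {0}  expires {1:yyyy-MM-dd}' -f $cert.Subject, $cert.NotAfter
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'SSL certificate expires within 30 days' }

# 5. Federation metadata over HTTPS. Invoke-WebRequest validates the chain and the host name;
# if this throws, fix the certificate or DNS rather than bypassing the warning as in step 6.
$metadataUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop
$xml  = [xml]$resp.Content
'Metadata OK: entityID = {0}' -f $xml.EntityDescriptor.entityID

# 6. The endpoint the lab opens in step 5.
Invoke-WebRequest -Uri "https://$fsName/adfs/fs/federationserverservice.asmx" `
    -UseBasicParsing -ErrorAction Stop | Out-Null
'federationserverservice.asmx reachable over HTTPS'
```

Running the same script from LON-CL1 (with step 1 removed, since the ADFS module is only on the federation server) exercises the path internal clients take; running it from outside the network exercises the Web Application Proxy.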

Results: After completing this exercise, you should have deployed the AD FS server in a federation server
farm, and deployed the Web Application Proxy server to support AD FS.

Exercise 2: Configuring federation with Microsoft Office 365


▶ Task 1: Switch the Office 365 tenant to federated mode
1. Switch to the LON-DS1 virtual machine.

2. Open Internet Explorer and connect to https://portal.office.com.

3. Sign in as holly@adatumyyxxxxx.hostdomain.com with the password Pa$$w0rd.


4. If you are connected to the previous Office 365 admin center, click the banner at the top of the page
to access the new Office 365 admin center.

5. Click Users.
6. Click Holly Dickson, and in the Email addresses section, click Edit.

7. Change the email address suffix to Adatumyyxxxxx.onmicrosoft.com. In the Warning window, click
Save, and then click Close.

8. Close Internet Explorer. Holly cannot convert Adatumyyxxxxx.hostdomain.com to a federated domain
while she is signed in with an account from that domain, which is why her sign-in address was changed
to the onmicrosoft.com suffix.

9. On the taskbar, click the Windows PowerShell icon.

10. At the Windows PowerShell prompt, type the following commands, pressing Enter at the end of each
line. (Unrestricted is used here for the lab; RemoteSigned is normally sufficient to load the module.)

Set-ExecutionPolicy Unrestricted -Force
Import-Module MSOnline

11. At the Windows PowerShell prompt, type the following command, and then press Enter:

$msolcred = Get-Credential

12. In the Windows PowerShell Credential dialog box, enter the following credentials, and then
click OK:

o User name: holly@Adatumyyxxxxx.onmicrosoft.com

o Password: Pa$$w0rd
13. At the Windows PowerShell prompt, type the following command, and then press Enter:

Connect-MsolService -Credential $msolcred

14. At the Windows PowerShell prompt, type the following command, and then press Enter:

Get-MsolDomain

15. Verify that your lab domain, Adatumyyxxxxx.hostdomain.com, is listed as Verified and Managed.
16. At the Windows PowerShell prompt, type the following command, and then press Enter:

Convert-MsolDomainToFederated -DomainName Adatumyyxxxxx.hostdomain.com

17. Verify that you get a Successfully updated Adatumyyxxxxx.hostdomain.com domain message.

18. At the Windows PowerShell prompt, type the following command, and then press Enter:

Get-MsolFederationProperty -DomainName Adatumyyxxxxx.hostdomain.com
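Steps 9 to 18 run the conversion without guarding against the two mistakes that most often break it: converting while signed in with an account from the domain being converted, and converting a domain that is not in the expected state. The block below is an added example, not part of the 20347A lab, that wraps Convert-MsolDomainToFederated in those checks, prints the federation settings Azure AD now holds, and shows the rollback command the lab does not cover. It assumes it runs on LON-DS1 (the AD FS server, so the cmdlet can configure the local federation service), that the MSOnline module is installed, and the adatumyyxxxxx tenant placeholder.

```powershell
# Added example (not part of the 20347A lab): Exercise 2, Task 1 with pre- and post-checks.
# Assumptions: run on LON-DS1 (the AD FS server); MSOnline module installed; adatumyyxxxxx placeholder.
$domain = 'adatumyyxxxxx.hostdomain.com'
Import-Module MSOnline -ErrorAction Stop

# Step 12: sign in with the .onmicrosoft.com account. An admin whose own UPN is in the domain being
# converted loses password sign-in the moment the domain flips to federated, which is why the lab
# moved Holly to the onmicrosoft.com suffix first. Refuse to continue if that rule is broken.
$msolcred = Get-Credential -Message 'holly@adatumyyxxxxx.onmicrosoft.com'
if ($msolcred.UserName.Split('@')[-1] -ieq $domain) {
    throw "Do not convert $domain while signed in with an account from that domain."
}
Connect-MsolService -Credential $msolcred

# Steps 14-15: the domain must be Verified and still Managed.
$d = Get-MsolDomain -DomainName $domain
if ($d.Status -ne 'Verified') { throw "$domain is not verified (status: $($d.Status))" }

if ($d.Authentication -eq 'Federated') {
    Write-Warning "$domain is already federated; skipping conversion."
} else {
    # Step 16. Without -SupportMultipleDomain the farm's default IssuerUri is used, which allows
    # only one federated domain per AD FS farm; add the switch if more domains will follow.
    Convert-MsolDomainToFederated -DomainName $domain
}

# Post-check: the endpoints Azure AD will redirect users to must point at this AD FS farm.
Get-MsolDomainFederationSettings -DomainName $domain |
    Format-List IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri, FederationBrandName
# Step 18: compare the AD FS view and the Office 365 view of the trust; the identifiers and
# token-signing certificate must match between the two Source rows.
Get-MsolFederationProperty -DomainName $domain |
    Format-List Source, FederationServiceIdentifier, TokenSigningCertificate

# Rollback (not run here): returns the domain to managed authentication. Every user in the domain
# receives a temporary password written to the file, so protect it and delete it once distributed.
# Convert-MsolDomainToStandard -DomainName $domain -SkipUserConversion $false -PasswordFile 'C:\Temp\adatum-passwords.txt'
```

Keep the rollback command at hand during any federation change: if AD FS or the Web Application Proxy is unreachable after conversion, no user in the domain can sign in until the domain is either repaired or converted back.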

Results: After completing this exercise, you should have enabled a federation trust between your on-
premises Active Directory domain and Office 365 through your AD FS federation server, and you should
have converted your domain for federated authentication in Office 365.

Exercise 3: Verifying single sign-on (SSO)


▶ Task 1: Verify SSO for internal users
1. On LON-CL1, open Microsoft Edge and connect to https://portal.office.com.

2. Type brad@adatumyyxxxxx.hostdomain.com as the user name, and then press Tab.

3. Verify that you are redirected to the Adatum sign in page.


4. Type Pa$$w0rd as the password, and press Enter.

5. Verify that you are connected to Office 365.

6. Close Microsoft Edge.

▶ Task 2: Verify SSO for external users


1. On your local computer, open a Web browser.

2. In the Address bar, type https://login.microsoftonline.com, and then press Enter.

3. In the Windows Credential dialog box, enter the following credentials, and click Sign in:
o User name: francisco@Adatumyyxxxxx.hostdomain.com

o Password: Pa$$w0rd

4. Verify that you are redirected to the Adatum Corporation sign-in page.

5. Review the Office 365 page for Francisco Chaves, and then close the Web browser window.

Results: After completing this exercise, you should have verified SSO authentication to Office 365 for a
user on your corporate network and for a user on your host computer that is connected to the Internet.