Office 365 General


ADFS 2.0 Sign in Customizations - MasterPage.master

A master page template for all the pages.
Add an "Authorized Use" disclaimer or other text at the bottom of the page.
Remove or change the hostname header above the login box.

Enable/Disable App Passwords

Active Users - Set Up - Multi-Factor Auth. Click Service Settings and choose to allow or disallow app passwords.
You can also allow users to suspend multi-factor auth on a per-device basis by allowing O365 to remember the device; the default time a device is remembered is 14 days.

Add-SPOUser

Add-SPOUser -Site https://contoso.sharepoint.com/sites/sc1 -LoginName [email protected] -Group "SC1 Owners"
Syntax: Add-SPOUser [-Site] <SpoSitePipeBind> [-LoginName] <String> [-Group] <String>

Setting up an Office 365 trial

An email account that will be associated with the trial; configure this account to use two-factor authentication. Outlook.com accounts can be used.
A mobile device that can receive SMS messages.

O365 Core components

Azure AD
Exchange Online
MS Teams
Skype for Business
Office 365 Pro Plus

Exchange DNS Records - when you have custom domain

CNAME - for Autodiscover
MX - for mail routing
SPF - to verify the identity of the mail server
TXT - Exchange federation
CNAME - for Exchange federation

ADFS 2.0 Sign in Customizations - CommonResources.en.resx

Change the "Example" instructions
Change the instruction text
Change the page title

Identifying synchronized attributes

DirSync synchronizes some, but not all, attributes from the on-premises Active Directory instance to the Azure Active Directory instance that supports an Office 365 tenancy. One hundred forty-three separate attributes synchronize, depending on whether the object is a user account, a group account, or a mail-enabled contact object.

Enabling/Disabling Super User

Enable-AadrmSuperUserFeature cmdlet - enable the super user role
Add-AadrmSuperUser cmdlet - add user and service accounts
Disable-AadrmSuperUserFeature cmdlet - disable the super user role
Get-AadrmSuperUser cmdlet - view which users have been assigned super user privileges

O365 Subscriptions Free

For education - online versions, 1 TB storage and 50 GB mailbox.

Azure AD Connect and Azure AD

HTTP 80 (TCP/UDP) - used to download CRLs (Certificate Revocation Lists) to verify SSL certificates.
HTTPS 443 (TCP/UDP) - used to synchronize with Azure AD.

ADFS 2.0 Sign in Customizations - Signout.aspx

Handles Sign-Out requests.

Exchange Online

Messaging and collaboration platform.
50 GB mailbox; unlimited storage with E3 and E5 or Exchange Online Plan 2.
Works with MS Outlook, OWA or Outlook Mobile.
Storage limit for the archive mailbox is 100 GB; additional storage through support.

Confirm Ownership of Domain

Need to make some DNS config changes to confirm ownership. Type the name - click Use a TXT record. Enter the values (TTL etc.; the values change each time) - OK. O365 will attempt to verify that the record has been added. The option to update user accounts to use the name is next, or skip this step.

Removing Licence Conflicts

Purchasing more licenses
Removing licenses from existing users
Deleting users - will release licences

Scheduling synchronization

Scheduled synchronization occurs every three hours. You can change the synchronization frequency by modifying the Microsoft.Online.DirSync.Scheduler.exe.Config configuration file. Once you have modified this file, you need to restart the synchronization service on the computer that hosts DirSync.

AD Connect Stop Sync Cycle

Stop-ADSyncSyncCycle

Assigning licenses

Users who have been assigned the global administrator or user management administrator roles can assign licenses

AD Connect Password Sync Install

When you install Azure AD Connect by using the Express Settings option, password synchronization is automatically enabled. If you use custom settings when you install Azure AD Connect, password synchronization is available on the user sign-in page

Managing certificate life cycle

You need to ensure that the AD FS Service Communications Certificates installed on your federation server remain valid. You need to replace the certificates on each AD FS server in the farm before they expire. If you have configured the AD FS server to manage the token-signing certificates, these will automatically be replaced. Manually managed token-signing certificates are not recommended, because they will have to be replaced by hand.

Setting up certificates (on web application proxy server)

You need to install the AD FS Service Communications Certificate on each Web Application Proxy server. This certificate needs to be placed in the Personal Certificate Store

Azure Information Protection

Can enhance the security of documents and provide a classification service; uses Azure Rights Management.

MS Teams (SharePoint Online)

Chat-based workplace: share documents, insights, status updates.
Default storage 10 GB per tenant, 500 MB per user. Another 25 GB in OneDrive for Business.

SERVICE STATUS

Displays a tree of services and features for the subscription selected in the Subscription Health area. This area lists the service as well as any active incidents related to that service.
■■ Office 365 Portal: Administration Portal
■■ SharePoint Online: SharePoint Features, Office Web Apps, Custom Solutions and Workflows, Provisioning, Search and Delve, Tenant Admin, Access Services, SP Designer, InfoPath Online, Project Online
■■ Lync Online: Audio and Video, Instant Messaging, Sign-In, Presence, All Features, Dial-In Conferencing, Federation, Online Meetings, Mobility, Management and Provisioning
■■ Identity Service: Administration, Sign-In
■■ Rights Management Service: RMS Available
■■ Mobile Device Management
■■ Office Subscription: Network Availability, Office Professional Plus Download, Licensing and Renewal
■■ Exchange Online: Voice Mail, Email timely delivery, Sign-in
■■ Yammer Enterprise: Yammer Components

configure Office integration with rights management

Office 2010 - must have the Azure Information Protection client or the Rights Management sharing application for Windows.
Office 2013/2016 - natively support the Azure Rights Management service; no client computer configuration is required.

ad connect

source anchor is also called the immutable ID in Azure

SPF (Sender Protection Framework)

Special TXT record that reduces the possibility of malicious third parties using your custom domain to send spam/email. Used to validate which email servers are authorized to send messages on behalf of the custom domain.
Value: v=spf1 include:spf.protection.outlook.com -all
TTL value: 3600

get-stalemailboxdetailreport

view mailboxes that haven't been accessed for at least 30 days.

AD Connect Connectivity

•The Azure AD Connect server needs DNS resolution for both intranet and internet.
•Azure AD Connect by default uses TLS 1.0 to communicate with Azure AD. You can change this to TLS 1.2 by following the steps in "Enable TLS 1.2 for Azure AD Connect".

Data Loss Prevention reports

■■ Top DLP policy matches for mail - allows you to view the top DLP policy matches for sent and received email.
■■ Top DLP rule matches for mail - allows you to view the top DLP rule matches for sent and received email.
■■ DLP policy matches by severity for mail - allows you to track DLP policy matches by severity.
■■ DLP policy matches, overrides, and false positives for mail - allows you to view DLP matches, overrides, and false positives for incoming and outgoing messages.

Transport Reliability IP Probe

(TRIPP) is a tool that allows you to validate the following:
■■ The path between a computer and a specific Lync (now termed Skype for Business) online hosting location
■■ The availability of specific ports
■■ Routing to the Lync/Skype for Business datacenter
■■ Voice over IP quality
■■ Network speed

Configuring Office 365 for use with the Management Pack

1. In the Office 365 Admin Center, click Users and then click Active Users.
2. In the Select a View drop-down list, select Global Admins.
3. In the list of Global Admins, click the Plus icon to open the Create New User Account dialog box.
4. In the Create New User Account dialog box, provide a name and password (for example, the creation of an account named [email protected]). Click Create.
5. Once the account is created, select the All Users view, select the account, and click Edit.
6. Click Settings. Under Assign role, click Yes, set the Global Administrator role, and click Save.

To configure filtering, perform the following steps

1. Open the Synchronization Service Manager console.
2. On the Management Agents tab, double-click Active Directory Connector.
3. In the Actions pane, click Properties.
4. If you want to remove specific organizational units from replication, click Configure Directory Partitions.
5. On the Configure Directory Partitions page, click Containers.
6. On the Select Containers page, select the organizational units that you want to allow to replicate during synchronization.
7. To filter on the basis of attributes, click Configure Connector Filter.
8. You can select a User Data Source Object and then configure a filter based on the attribute that you want to configure. You can also click New and create your own filter based on the available data source attributes.

Exchange Federation TXT records

2 special TXT records that include custom-generated domain-proof hash text:
contoso.com and hash
exchangedelegation.contoso.com and hash

Reports - Usage

Periods: 7/30/90/180
Email Activity
OneDrive Files
SharePoint Files
SFB Activity
Office Activations
Yammer Activity

AD FS Servers

An internal AD FS deployment is termed a farm. In versions of AD FS prior to 3, released with Windows Server 2012 R2, you could choose to deploy AD FS as a standalone or as a farm. With AD FS 3, you always install AD FS as a farm. The key to understanding AD FS farms is that an AD FS farm can consist of a single server. MS recommends:
■■ Fewer than 1,000 users: deploy a single AD FS server in a farm. Deploy a single Web Application Proxy server on the perimeter network.
■■ 1,000 to 15,000 users: deploy two AD FS servers in a farm. Deploy two load-balanced Web Application Proxy servers on the perimeter network.
■■ 15,000 to 60,000 users: deploy between three and five AD FS servers in a farm. Deploy two load-balanced Web Application Proxy servers on the perimeter network.

Azure AD admin center

Azure AD admin center, you can manage users, domains, and settings for the directory.

Custom Domain Name - Update/Add Users

Can add users or skip

REPORTS - Hide user details

Go to OAC - Services & Add-ins - Reports. Toggle on "Show an anonymous identifier instead of the user name in all reports". Save.

manually force directory synchronization using Windows PowerShell

Import-Module DirSync
Start-OnlineCoexistenceSync

Azure Rights Management

Not enabled by default. Allows Azure to function as a rights management provider; provides subscribers the ability to control how documents are consumed and who can access them, even if they are sent to unauthorized third parties. Uses per-user charges once activated.

Azure AD

Online instance of AD. Provides authentication and authorization for other MS cloud offerings. Authentication can be done through ADFS and Dir Sync.

SharePoint Online DNS Records

Only need to configure a DNS record in the custom domain if you are going to allow SharePoint Online to email people outside of your org. Update the SPF record to include: include:sharepointonline.com

Sync Options

Rather than performing a Full Sync, you can trigger one of the following types of synchronization using the Synchronization Service Manager:
■■ Full Sync - performs a full synchronization
■■ Delta Import Delta Sync - imports changed schema and objects
■■ Delta Sync Stage Only - imports changed schema only
■■ Delta Sync - synchronizes only objects changed since the last sync
■■ Export - writes data from the Azure instance to the on-premises instance
■■ Full Import Full Sync - suitable for initiating the first full synchronization, or the first full synchronization after you have changed the filtering parameters
■■ Full Import Stage Only - imports schema

Hard Delete powershell

Remove-MsolUser -UserPrincipalName [email protected] -Force

Password complexity policies

Set by Microsoft: minimum 8, maximum 16 characters; cannot include Unicode, spaces, or a dot character preceding the @. You can disable the complex password requirement per user using PowerShell. The last password cannot be used again, which forces users to rotate passwords. Multi-factor authentication is recommended. Lockout policies are managed by MS: after 10 unsuccessful logins the user will need to respond to a CAPTCHA dialog box; after 10 attempts the account will be locked out for 90 seconds.

AD Connect Sync Immediately for Change

Start-ADSyncSyncCycle -PolicyType Delta

Billing administrator

View organization and user information
Manage support tickets
Perform billing and purchasing operations

O365 Admin Centre Tools

Web-based portals:
Office 365 admin centre
Exchange admin centre
SFB admin centre
SharePoint admin centre
Security and Compliance centre
Azure AD admin centre
Azure AD module for Windows PS

Password Complexity powershell

O365 accounts are subject to the Azure AD password policy. You can use PowerShell to exempt an account:
Set-MsolUser -UserPrincipalName [email protected] -StrongPasswordRequired $false (or $true)

Get-MailboxStatistics

obtain information about a mailbox, such as the size of the mailbox, the number of messages it contains, and the last time it was accessed.

Password policy powershell command

Set-MsolPasswordPolicy
Set-MsolUser - can be used for password expiration: false will expire, true will not expire.

Changing user pw powershell

Set-MsolUserPassword
Set-MsolUserPassword -UserPrincipalName [email protected] -NewPassword Pa$$w0rd -ForceChangePassword $true

SFB admin centre

settings for instant messaging, audio & video calls, persistent chat and online meetings

SharePoint admin center

settings include site collections, user profiles, business connectivity services, and search.

ADFS 2.0 Sign in Customizations - HomeRealmDiscovery.aspx

Shows a drop-down list that contains the list of trusted claims providers. Presents a selection UI for the user to select the organization to which he or she belongs.

Upgrade from Dirsync to adconnect - supported configs

•Domain and OU filtering
•Alternate ID (UPN)
•Password sync and Exchange hybrid settings
•Your forest/domain and Azure AD settings
•Filtering based on user attributes

Internet Email Tests

■■ Inbound SMTP Email - checks that inbound SMTP email can be sent to the Office 365 domain.
■■ Outbound SMTP Email - checks that the Office 365 mail domain is correctly configured for Reverse DNS, Sender ID, and RBL (Realtime Blackhole List) checks.
■■ POP Email - performs a POP3 client email check against an Office 365 mailbox.
■■ IMAP Email - performs an IMAP4 client email check against an Office 365 mailbox.

Adding additional servers

1-1,000 users: one AD FS server. 1,000-15,000 users: MS recommends 2 servers. For each additional 15k users, MS recommends adding one more.
When you deploy AD FS using the Windows Internal Database, the first server deployed in the farm has read and write access to that database. Additional AD FS servers deployed to the farm store read-only copies using their own Windows Internal Database instance. If the first server deployed in the farm fails, one of the other servers in the farm can be promoted so that it has read and write access to the database. If you deploy AD FS using a SQL Server instance, all servers in the farm have read and write access to the database. The drawback of doing this is that it requires that the SQL Server is licensed appropriately.

You need to modify the users and groups who are authorized to administer the Rights Management service Which Windows PowerShell cmdlet should you run?

A. Add-MsolGroupMember
B. Get-AadrmRoleBasedAdministrator
C. Remove-AadrmRoleBasedAdministrator
D. Enable-AadrmSuperUserFeature
Answer: C. Remove-AadrmRoleBasedAdministrator

Configuring farm or stand-alone settings

With AD FS prior to 3.0 (AD FS 3.0 ships with Windows Server 2012 R2), you could choose standalone or farm; if you chose standalone, you could not convert the deployment to a farm later. With AD FS 3.0 on Windows Server 2012 R2, there is no longer the option to deploy a stand-alone server and you always deploy AD FS as part of a farm. The only choice you are presented with in the AD FS configuration wizard is whether it is the first server in a new farm or an additional server in an existing farm.

Reports - Security and Compliance

Auditing
- mailboxes accessed by non-owners
- mailbox litigation holds
- role group changes
- Azure AD reports
- mailbox content search and hold
Protection
- top senders and recipients
- spam detections
- top malware for mail
- sent and received mail
- malware detections
- spoof mail report
Rules
- top rule matches for email
- rule matches for email
DLP
- top DLP policy matches for mail
- top DLP rule matches for mail
- DLP policy matches by severity for mail
- DLP policy matches, overrides, and false positives for mail

o365 user accounts and security groups stored where

Azure Active Directory; subject to Azure AD policies such as password and lockout policies.

O365 Business Subscriptions

Business Essentials, Business, Business Premium: under 300 users, 1 TB per user. Essentials - no full Office, online only. Trial available for Business/Business Premium.

Using certificates

Certificates verify the identity of each element of an AD FS deployment. Certificates are also used to secure communication across computers hosting the AD FS Federation Server roles, computers hosting the Web Application Proxy role, as well as the Office 365 servers. The Service Communications Certificate is the certificate that you install for the purpose of service identification and secure communication. This certificate is a server authentication certificate, occasionally called a Secure Sockets Layer (SSL) certificate or web server certificate.

Get Ready to Update DNS Records

Click Next. Which services? Outlook or SFB - or choose later. Finish - the custom domain is now listed.

Federation server certificate requirements

Computers that host the federation server role have different certificate requirements depending on whether they are running AD FS 3.0 on Windows Server 2012 R2 or have a previous version of AD FS running on an earlier version of Windows Server. If the AD FS Federation Server is running the Windows Server 2012 R2 operating system, it requires a Service Communications Certificate or SSL certificate

User management cmdlets - manage user accounts

Convert-MsolFederatedUser - allows you to update a user in a domain used for single sign-on identity federation authentication
Get-MsolUser - retrieve info for one or a number of users
New-MsolUser - create users
Remove-MsolUser - hard delete a user
Restore-MsolUser - restore a user from the recycle bin
Set-MsolUser - modify user properties
Set-MsolUserPassword - change a user's password
Set-MsolUserPrincipalName - alter the UPN name
Redo-MsolProvisionUser - reprovision a user after a previous error

Cleaning up existing Active Directory objects

Do any Active Directory objects use invalid characters? Do any Active Directory objects have incorrect User Principal Names (UPNs)? What are the current domain and forest functional levels? Are any schema extensions or custom attributes in use?
Remove any duplicate proxy-Addresses attributes. Remove any duplicate user-Principal-Name attributes. Ensure that blank or invalid user-Principal-Name attribute settings have been altered so that the setting contains only a valid UPN. Ensure that for user accounts the cn and sAMAccountName attributes have been assigned values. Ensure that for group accounts, the member, alias, and display name (for groups with a valid mail or proxy-Addresses attribute) are populated.
Ensure that the following attributes do not contain invalid characters:
■■ givenName
■■ sn
■■ sAMAccountName
■■ displayName
■■ mail
■■ proxyAddresses
■■ mailNickName
UPNs that are used with Office 365 can only contain the following characters:
■■ Letters
■■ Numbers
■■ Periods
■■ Dashes
■■ Underscores

O365 Enterprise Subscriptions

E1; E3 - trial available (25); E5 - trial available (25); O365 ProPlus.
E1, E3 and E5 include online versions and 1 TB storage, 50 GB mailbox. E1 doesn't include the option to fully install. E3 adds on BI, archiving and legal hold. E5 adds on advanced security, analytic tools, PSTN conferencing, and cloud PBX.

AD Connect Soft Match Filtering

EnableSoftMatchOnUpn allows objects to join on userPrincipalName in addition to primary SMTP address.
Set-MsolDirSyncFeature -Feature EnableSoftMatchOnUpn -Enable $true
Check if it is on with:
Get-MsolDirSyncFeatures -Feature EnableSoftMatchOnUpn

Global Admin Roles in Exchange Admin

Exchange Online admin
Company admin
SharePoint Online admin
Skype for Business Online admin

Tools to estimate bandwidth

Exchange client network bandwidth calculator - what is needed for Outlook, OWA and mobile devices
SFB online bandwidth calculator
OneDrive for Business sync calculator

Bulk update user properties powershell

Get-MsolUser -Department "HR" | Set-MsolUser -City "Melbourne"

Azure AD Connect and AD FS Federation Servers/WAP

HTTP 80 (TCP/UDP) - used to download CRLs (Certificate Revocation Lists) to verify SSL certificates.
HTTPS 443 (TCP/UDP) - used to synchronize with Azure AD.
WinRM 5985 - WinRM listener.

AD Connect - If the built-in scheduler does not satisfy your requirements, then you can schedule the Connectors using PowerShell.

Invoke-ADSyncRunProfile -ConnectorName "name of connector" -RunProfileName "name of profile"

365 Trial Continued

Mobile - one that can receive text. Click Text Me. Enter the verification code from the text - click Create My Account. Make note of the new Office 365 ID.

Self-service (user) password reset options

Mobile phone
Office phone
Security questions
Alternate email address

SharePoint Management Shell

Need to install only once

Enabling AD Recycle Bin

Needs a forest functional level of Windows Server 2008 R2. Use the Enable-ADOptionalFeature cmdlet.

Add Domain to O365 (non-federated) via Powershell

New-MsolDomain
Get-MsolDomainVerificationDns
Confirm-MsolDomain
Set-MsolDomain

Identify Workloads that Don't Require Migration

Not everything needs to be moved to O365; factors depend on region and local legislation. Most countries/regions don't have local Microsoft datacenters, which might mean that moving workloads to Office 365 means moving workloads across national/regional borders. For some workload types, this may not present a problem; for other workload types, such as workloads that deal with confidential medical data, it may not be possible to migrate the workloads across borders without contravening local legislation.

Deploy Desktop setup for previous version of office clients

Office 2003 needs special config to work with O365. Office 2007 is supported with O365.

Microsoft Office 365 Client Performance Analyzer

Office 365 Client Performance Analyzer (OCPA) helps identify issues impacting network performance between your company's client PCs and Office 365. OCPA currently supports analyzing Exchange and SharePoint network performance. It generates a report that you can share with a support engineer.

Admins cannot view or change app pw's

The option is to force users to recreate app passwords by deleting all existing app passwords: Active Users - Set Up - set multi-factor auth on. On the Multi-factor auth page, click the check box for the user whose existing app passwords you want to delete and click Manage user settings. On the Manage user settings dialog box, select Delete all existing app passwords - Save.

AD Connect Password Sync

Password synchronization is an extension to the directory synchronization feature implemented by Azure AD Connect sync. To use password synchronization in your environment, you need to:
•Install Azure AD Connect.
•Configure directory synchronization between your on-premises Active Directory instance and your Azure Active Directory instance.
•Enable password synchronization.
To synchronize your password, Azure AD Connect sync extracts your password hash from the on-premises Active Directory instance. Extra security processing is applied to the password hash before it is synchronized to the Azure Active Directory authentication service. Passwords are synchronized on a per-user basis and in chronological order.

Forcing synchronization

To perform a full synchronization using Synchronization Service Manager, perform the following steps:
1. Open Synchronization Service Manager, located in the C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell folder as miisclient.exe.
2. Click the Management Agents tab.
3. On the Management Agents tab, click Active Directory Connector.
4. On the Actions pane, click Run.
5. In the Run Management Agent dialog box, select Full Sync.

Multi-factor Authentication options

Use of mobile device app
Phone call
One-time password
SMS text

Azure AD cmdlets

User management
Group and role management
Service principal management
Domain management
Single sign-on management
Subscription and license management
Company information and service management
Administrative unit management

Password administrator

View organization and user information. Manage support tickets. Can reset non-privileged user passwords as well as passwords of other password administrators; cannot reset passwords of global administrators, user management administrators, or billing administrators. Exchange Online Help Desk admin role; Skype for Business Online admin role; can reset passwords for other password admins.

Service administrator

View organization and user information. Manage support tickets. Must first be assigned admin permissions to an O365 service, such as Exchange or SharePoint.

Configure app passwords

App passwords allow you to configure app-specific passwords for non-browser clients that might not support multi-factor auth. They are enabled by default when you enable multi-factor auth. App passwords are separate from users' passwords and remain valid when the user changes the user account password.

Service administrator

Able to manage service requests and monitor service health.

Azure Active Directory Module for Windows PowerShell,

Automates repetitive tasks such as creating large numbers of user accounts, adding users to groups, and updating multiple user properties.

AD Soft Match

Checks to see if the Azure AD SMTP address matches either the mail attribute or the primary proxy address (upper-case SMTP). Once matched, the objectGUID becomes the source anchor. You can pick another attribute to be the source anchor, but then you have to make sure it is always accurate.

Project Online

Cloud version of Project Server.

Get-StaleMailboxReport

Cmdlet to view the number of mailboxes that haven't been accessed for at least 30 days.

Import CSV

Fields must be separated by commas. The minimum fields are user name and display name.
Once the CSV is created: Active Users - Users node - Bulk Add.
On the Select CSV page, select the file - Next.
On the Verification page, ensure all users passed - Next.
On the Settings page, specify whether users are allowed to sign in and access services, and the location.
On the Send results page, you can send the results to an email address.
Click Create to make the new O365 accounts.
On the Results page, see the list of users created and their temporary passwords.

Azure Active Directory Sync

Follow-up tool to DirSync.
Support for replication of multi-forest Active Directory and Exchange deployments
Control over attribute synchronization on a per-cloud-service basis
Selective replication of accounts on the basis of OU and domain
Reduced privilege requirements when configuring replication
Synchronization rules that allow attribute mapping and flow

Rights Management - Confidential Template Usage Rights

Grants read and modify permissions for the protected content.

Rights Management - Highly Confidential Template Usage Rights

Grants read-only permission for the protected content.

Dirsync computer hw requirements

The hardware requirements of the computer that hosts DirSync depend on the number of objects in the Active Directory environment that you need to sync. The greater the number of objects that you need to sync, the steeper the hardware requirements; all configurations require at least a 1.6 GHz processor.
Number of objects in Active Directory | Memory | Storage
Fewer than 10,000 | 4 GB | 70 GB
10,000-50,000 | 4 GB | 70 GB
50,000-100,000 | 16 GB | 100 GB
100,000-300,000 | 32 GB | 300 GB
300,000-600,000 | 32 GB | 450 GB
More than 600,000 | 32 GB | 500 GB
A new Office 365 tenancy has a limit of 50,000 objects. However, once the first domain is verified, this limit is increased to 300,000 objects.

Bulk Import Process

Import a list of users from a specially formatted CSV into O365. The file must have the following in the first row:
User name, First name, Last name, Display name, Job title, Department, Office number, Office phone, Mobile phone, Fax, Address, City, State or province, ZIP or postal code, Country or region

ADFS 2.0 Sign in Customizations - web.config

logo
displayconsent
displayexceptions
identityprovider - how long to save the user's selection
singlesignon - enabled by default
error.aspx

Security and Compliance Center

Manages features including archiving, data loss prevention (DLP), eDiscovery, reports, retention, and search.

Manage role membership

Managed on user properties: specify the role and an alternate email address for password recovery. You can add a user to a role, not a group. Use the Settings page to remove a role - select the No option and save. To view the list of users assigned to a role: Active Users node - select the role you wish to view.

Modifying users and groups

Modifications that occur in the on-premises Active Directory instance overwrite the current state of the objects within the Azure Active Directory instance that supports the Office 365 tenancy. The only exception to this rule is the assignment of licenses, which only occurs using the Office 365 Admin Center tool or Windows PowerShell.

Tenant Name

name.onmicrosoft.com. The name has to be unique and no two organizations can share it. It cannot be changed after you configure your Office 365 subscription. You can assign a domain name that you own to the tenant; once you've set up Office 365, you can assign a custom domain name and have the custom domain name used as the primary email suffix.

Resetting PW

O365 admins can reset user passwords - Set-MsolUserPassword. If you use the admin centre, a temporary password is assigned; the temporary password can be emailed, or you can choose to send an SMS or provide it verbally.

ADFS 2.0 Sign in Customizations - FormsLoginPage

Page to collect username and password credentials. Handles forms-based authentication with user name and password.

New-SPOSite

Parameters: Url, Owner, StorageQuota, CompatibilityLevel, Template, Title

Converting from standard to federated domain

Using cmdlets found in the Azure Active Directory module for Windows PowerShell. You can only perform the conversion once your AD FS deployment is functioning correctly and you have deployed your Web Application Proxy server on the perimeter network to allow Office 365 to communicate with your internal AD FS deployment.
First establish a connection from your Azure Active Directory PowerShell session to Office 365 using the Connect-MsolService cmdlet. Once you have presented your credentials, you provide information about the AD FS deployment by using Set-MsolADFSContext:
Set-MsolADFSContext -Computer SYD-ADFS.adatum346er.net
Once connected and the context has been set, you can convert:
Convert-MsolDomainToFederated -DomainName Adatum346er.net
You can verify that the domain is now federated by using the Get-MsolDomain cmdlet.

Exchange Admin Centre

Web-based console to manage Exchange settings: recipients, protection, mail flow, public folders, and other settings not in the O365 admin centre.

Once you have received the certificate from a CA and installed it on the computer that hosts the AD FS role

You should export the certificate as well as the private key so that you can use the certificate when configuring the Web Application Proxy server or when adding additional AD FS servers to the farm.

AD Connect Accounts

•An Azure AD Global Administrator account for the Azure AD tenant you wish to integrate with. This account must be a school or organization account and cannot be a Microsoft account.
•If you use express settings or upgrade from DirSync, then you must have an Enterprise Administrator account for your local Active Directory.

Microsoft Exchange ActiveSync Connectivity Tests

■■ Exchange ActiveSync - Checks that clients on the Internet can connect to an on-premises Exchange deployment using ActiveSync. ■■ Exchange ActiveSync Autodiscover - Checks that clients on the Internet can be automatically configured with an on-premises Exchange deployment's settings.

Dirsync Filters

■■ If you create multiple filter rules that have a single condition, the filter applies if any rule matches. ■■ If you create multiple conditions within the same rule, the filter will only be applied if all the conditions are true. You configure filtering using the Synchronization Service Manager, sometimes called Identity Manager.

Microsoft Office Outlook Connectivity Tests

■■ Outlook Connectivity Checks client connectivity to Office 365 using both RPC over HTTP and MAPI over HTTP. ■■ Outlook Autodiscover Checks the provisioning of Office 365 settings to outlook through the Autodiscover service.

Office 365 Monitoring Dashboard

■■ Subscription Health ■■ Service Status ■■ Active Incidents ■■ Resolved Incidents ■■ Message Center

Bulk licencing users

$LicenseUsers = Import-Csv -Path .\LicenseUsers.csv; $Sku = Get-MsolAccountSku; ForEach ($LicenseUser in $LicenseUsers) { Set-MsolUserLicense -UserPrincipalName $LicenseUser.UPN -AddLicenses $Sku.AccountSkuId }

Bulk Import powershell

$NewUsers = Import-Csv -Path .\NewUsers.csv. To licence during import, first get the SKU into a variable: $Sku = Get-MsolAccountSku. Then: ForEach ($NewUser in $NewUsers) { New-MsolUser -UserPrincipalName $NewUser.UserPrincipalName -DisplayName $NewUser.DisplayName -FirstName $NewUser.FirstName -LastName $NewUser.LastName -Password $NewUser.Password -Department $NewUser.Department -UsageLocation $NewUser.UsageLocation -LicenseAssignment $Sku.AccountSkuId }

Add Additional ADFS Server (steps after cert/service added)

1. Click the AD FS node of the Server Manager console. 2. Next to the Configuration Required For Active Directory Federation Services notification, click More. 3. In the All Servers Task Details dialog box, click Configure The Federation Service. 4. On the Welcome page of the Active Directory Federation Services Configuration Wizard, select the Add A Federation Server To A Federation Server Farm option, then click Next. 5. On the Connect To Active Directory Domain Services page of the Active Directory Federation Services Configuration Wizard, specify a user account that has Domain Administrator permissions, then click Next. 6. On the Specify Farm page, select Specify The Primary Federation Server In An Existing Farm Using Windows Internal Database and specify the FQDN of the Primary Federation Server. If you are using an SQL Server instance to support AD FS, you should instead specify the address of the SQL Server instance. Click Next. 7. On the Specify SSL Certificate page of the Active Directory Federation Services Configuration Wizard, specify the SSL Certificate. 8. On the Specify Service Account page of the Active Directory Federation Services Configuration Wizard, specify the same service account that you configured when configuring the first Federation Server. If you are using an account you created yourself for this purpose, rather than a group Managed Service Account, you will need to specify the password. Click Next. 9. On the Review Options page of the Active Directory Federation Services Configuration Wizard, review the options and then click Next. 10. On the Pre-requisite Checks page of the Active Directory Federation Services Configuration Wizard, verify that the pre-requisite checks have completed successfully and then click Configure. 11. On the Results page of the same Wizard, click Close.

Configuring AD FS Web Application Proxy

1. Click the Remote Access node of the Server Manager console and then click More next to Configuration Required For Web Application Proxy. 2. On the All Servers Task Details And Notifications page of the All Servers Task Details console, click Open The Web Application Proxy Wizard. 3. On the Welcome page of the Web Application Proxy Configuration Wizard, click Next. 4. On the Federation Server page, enter the name of the AD FS service and provide the credentials of an account with Local Administrator rights on the AD FS servers. Click Next. 5. On the AD FS Proxy Certificate page, select the AD FS Service Communications Certificate, which you have already installed in the Personal Certificate Store of the Web Application Proxy server's computer account, and click Next. 6. On the Confirmation page, review the information and then click Configure. 7. On the Results page, verify that the Web Application Proxy was configured successfully and click Close. To confirm that the Web Application Proxy server is functioning correctly, open the Remote Access Management Console and then select the Operations Status node.

Deploying DirSync in Microsoft Azure

1. Create an Azure virtual network. 2. Configure a site-to-site VPN connection from the on-premises network to the Azure virtual network. 3. Deploy a virtual machine on the virtual network in Microsoft Azure. 4. Join this Azure virtual machine to the on-premises domain. 5. Install DirSync

Replacing Service Communication Cert (server authentication cert) also known as SSL or web server cert

1. Ensure that you have installed the new Service Communications Certificate in the Personal Store of each AD FS server in the AD FS farm. 2. Click AD FS Management on the Tools menu of the Server Manager console. 3. In the AD FS console, click the Certificates node under the Service node and then select the Service Communications certificate. 4. In the Actions pane, click Set Service Communications Certificate. 5. In the Windows Security dialog box, confirm the correct Service Communications Certificate to use with AD FS by clicking OK. You may be prompted with a warning about the private key being required on each AD FS server in the farm.

Configuring the Management Pack

1. In the Administration node of the Operations Manager console, click the Office 365 node. 2. On the Office 365 Overview page, click Add Subscription. This opens the Add Subscription Wizard. 3. On the Subscription Details page, specify a subscription name and the password for that account. This will be the name of the account you set up to monitor the subscription. 4. On the Server Pool page, accept the default and click Add Subscription. 5. Verify that you get the message that the Office 365 Subscription is ready for monitoring, and click Finish.

Install Role running WS 2012 R2 steps

1. In the Server Manager console, select the Dashboard node and then select Add Roles And Features. 2. On the Before You Begin page of the Add Roles And Features Wizard, click Next. 3. On the Installation Type page, select Role-Based Or Feature-Based Installation and then click Next. 4. On the Select Destination Server page, ensure that the local server is selected. Click Next. 5. On the Select Server Roles page, select Active Directory Federation Services, then click Next. 6. On the Select Features page, click Next. 7. On the Active Directory Federation Services (AD FS) page, review the information, then click Next. 8. On the Confirmation page, select the Restart The Destination Server Automatically If Required check box and then click Install. 9. Click Close to close the Add Roles And Features Wizard.

configure the first server in a farm, perform the following steps:

1. On the Server Manager console, select the AD FS node. 2. With the AD FS node of the Server Manager console selected, click the text that says More next to Configuration Required For Active Directory Federation Services. 3. In the All Servers Task Details dialog box, click Configure The Federation Service. 4. On the Welcome page of the Active Directory Federation Services Configuration Wizard, ensure that Create The First Federation Server In A Federation Server Farm is selected and then click Next. 5. On the Connect To AD DS page, provide the credentials of a user account that has domain administrator permissions, and then click Next. 6. On the Specify Service Properties page, select the Server Authentication certificate that will be used to identify the AD FS service. You should also provide a display name. The Federation Service Name will be taken from the Subject Name of the Server Authentication certificate, also termed the SSL Certificate. Click Next. 7. On the Specify Service Account page, you can have the AD FS Configuration Wizard create a group Managed Service Account if the KDS Root Key has been configured and there is at least one domain controller running Windows Server 2012 in the domain. As an alternative, you can configure a service account with the appropriate rights and settings as outlined earlier in this chapter. If manually specifying a service account, you will need to provide the service account password. Click Next. 8. On the Specify Database page, choose between an existing SQL Server instance or having AD FS create a Windows Internal Database instance. Microsoft recommends using a SQL Server instance if the AD FS server experiences performance problems when using the Windows Internal Database. It is possible to migrate from the Windows Internal Database to a separate SQL Server instance using SQL Server Management Studio. 9. On the Review Options page, review the configuration options and then click Next. 10. You also have the option on this page of clicking View Script. This will provide you with a PowerShell script to add additional servers with the AD FS role to the farm. 11. On the Pre-requisite Checks page, ensure that all pre-requisite checks are passed successfully, and then click Configure. 12. Click Close to complete the Active Directory Federation Services Configuration Wizard.

Initial DirSync configuration

1. Open Directory Sync Configuration from the icon that is present on the desktop after DirSync is installed. 2. On the Welcome page of the Windows Azure Active Directory Sync Tool Configuration Wizard, click Next. 3. On the Windows Azure Active Directory Credentials page of the Windows Azure Active Directory Sync Tool Configuration Wizard, enter the credentials of the Office 365 Tenant Administrator account for the onmicrosoft.com tenancy. Click Next. 4. On the Active Directory Credentials page, provide the credentials of a user account with Enterprise Administrator credentials. Click Next. 5. On the Hybrid Deployment page, select Enable Hybrid Deployment if you want to configure a deployment where Azure Active Directory writes data back to your on-premises Active Directory instance. 6. On the Password Synchronization page, select whether or not you want to allow DirSync to synchronize passwords from the on-premises Active Directory to the Azure Active Directory instance that supports the Office 365 tenancy, and then click Next. 7. The DirSync tool performs configuration. When configuration is complete, click Next. 8. On the Finished page, select Synchronize Your Directories Now and then click Finish.

AD Connect Disaster Recovery

1. Rebuild - install sync engine/initial import and sync 2. Staging Mode - have spare standby server 3. Virtual Machines - if host has an issue, the image with sync engine server can be migrated to another server

request a certificate from a CA

1. Sign in to the computer that will host the AD FS role using an account that has local administrator privileges. 2. Right-click the Start hint and click Run. 3. In the Run dialog box, type mmc.exe and click OK. 4. On the File menu of the Console1 - [Console Root] dialog box, click Add/Remove Snap-in. 5. On the Add Or Remove Snap-ins dialog box, click Certificates, then click Add. 6. In the Certificates Snap-in dialog box, click Computer Account and then click Next. 7. On the Select Computer page, ensure that Local Computer is selected, then click Finish. 8. Click OK to close the Add Or Remove Snap-ins dialog box. 9. On the Console1 - [Console Root] dialog box, expand the Certificates (Local Computer) node and then select the Personal node. 10. On the Action menu, click All Tasks and then click Request New Certificate. 11. On the Before You Begin page of the Certificate Enrollment Wizard, click Next. 12. In the Select Certificate Enrollment Policy dialog box, ensure that Active Directory Enrollment Policy is selected and click Next. 13. On the Request Certificate page, select Web Server and then click More Information Is Required To Enroll For This Certificate, Click Here To Configure Settings. If the Web Server certificate template is not available, you must ensure that the computer account of the AD FS server is configured with enrollment permissions on the certificate template. You can do this using the Certificate Templates console on an Enterprise CA. 14. In the Certificate Properties dialog box, set the Subject Name Type to Common Name, enter the fully qualified domain name of the Federation Service name (which is separate from the fully qualified domain name of the AD FS server), for example adfs.adatum345er.net, and then click Add. 15. Under Alternative Name, set the Type to DNS, then enter the value enterpriseregistration with the UPN suffix of the organization, for example enterpriseregistration.adatum346er.net, and then click Add. 16. Click OK to close the Certificate Properties dialog box. 17. In the Certificate Enrollment dialog box, click Enroll. 18. On the Certificate Installation Results page, click Finish.

SFB SRV records

1st one, for flow between SFB clients: service _sip, protocol _tls, priority 100, weight 1, port 443, target sipdir.online.lync.com. 2nd one, for messaging features: service _sipfederationtls, protocol _tcp, priority 100, weight 1, port 5061, target sipfed.online.lync.com. _sip - the first record is used to coordinate the flow of data between Skype for Business clients. _sipfederationtls - the second record is used by Skype for Business to share instant messaging features with clients other than Lync for Business by allowing SIP federation.

Domain management cmdlets- manage domains stored within Azure Active Directory

3 Confirm-MsolDomain - confirm that you own a specific domain. 4 Get-MsolDomain - retrieve company domains. 2 Get-MsolDomainVerificationDns - determine which DNS records you need to configure to confirm a domain. 1 New-MsolDomain - create a new domain that uses managed/federated identities. Remove-MsolDomain - remove a domain from Azure Active Directory. Set-MsolDomain - update settings for a domain. Set-MsolDomainAuthentication - alter the authentication model for the Azure Active Directory domain between single sign-on/federated and standard identities. Get-MsolPasswordPolicy - view the current password policy. Set-MsolPasswordPolicy - change the current password policy.

Creating AD FS service accounts

AD FS requires a dedicated service account. You create this service account before configuring the first AD FS server in a farm. When you add the first server to the farm, or add additional servers, you provide the credentials of this service account. Remember that you will need to provide the same service account credentials each time you add a new server running the AD FS role to an existing AD FS farm. The password should be configured not to expire. Ensure that the account has the Log On As A Service right on computers hosting the AD FS role (can be configured through GPO). Ensure that the account has the Log On As A Batch Job right on computers hosting the AD FS role (can be configured through GPO). When you run the AD FS Configuration Wizard and specify the service account, the AD FS configuration process will automatically configure the appropriate Service Principal Names (SPN). Use the setspn.exe command line tool if you want to register the SPN manually: Setspn.exe -a host/<server name> <service account>. With AD FS in Windows Server 2012 R2, you have the option of using a group Managed Service Account (gMSA). Group Managed Service Accounts require that at least one domain controller in the domain is running Windows Server 2012 or later.

Administrative unit management cmdlets - manage administrative units

Add-MsolAdministrativeUnitMember - add an account to an administrative unit. Add-MsolScopedRoleMember - add an account to a specific role that is scoped to a specific administrative unit. Get-MsolAdministrativeUnit - generate a list of administrative units stored in Azure AD. Get-MsolAdministrativeUnitMember - get a list of all of the members of a specific administrative unit. Get-MsolScopedRoleMember - get a membership list of a specific role that is scoped to a specific administrative unit. New-MsolAdministrativeUnit - add a new administrative unit to Azure Active Directory. Remove-MsolAdministrativeUnit - remove an administrative unit from Azure Active Directory. Remove-MsolAdministrativeUnitMember - remove a user account from a specific administrative unit. Remove-MsolScopedRoleMember - remove a user account from a specific role that is scoped to a specific administrative unit. Set-MsolAdministrativeUnit - modify the properties of an administrative unit stored in Azure Active Directory.

Company information and service management cmdlets - manage company and service information

Add-MsolForeignGroupToRole - add a partner tenant security group to an Office 365 or Azure Active Directory role. Connect-MsolService - initiate a connection to Azure AD at the start of each Windows PowerShell session. Get-MsolCompanyInformation - retrieve company-level information from Azure Active Directory. Get-MsolContact - get information about a specific contact object, or generate a list of contacts. Get-MsolPartnerContract - used by partner organizations to generate a list of partner-specific contracts. Get-MsolPartnerInformation - used by partner organizations to generate partner-specific information. Redo-MsolProvisionContact - use if you receive a validation error when attempting to provision a contact object. Remove-MsolContact - delete a contact object from Azure Active Directory. Set-MsolCompanyContactInformation - configure company-level contact preferences, such as email addresses for billing, marketing, and technical notifications. Set-MsolCompanySecurityComplianceContactInformation - configure company-level contact preferences for security and compliance correspondence. Set-MsolCompanySettings - modify company-level configuration settings. Set-MsolDirSyncEnabled - enable or disable directory synchronization. Set-MsolPartnerInformation - configure partner-specific settings. These settings are visible to all tenants to which the partner has access.

Group and role management cmdlets- manage roles and groups

Add-MsolGroupMember - add members to a group. Add-MsolRoleMember - add users to an o365 or AD role. Get-MsolGroup - get group info. Get-MsolGroupMember - get group membership. Get-MsolRole - list of admin roles. Get-MsolRoleMember - list the members of a specific role. Get-MsolUserRole - determine which admin role a user has. New-MsolGroup - add a new security group. Redo-MsolProvisionGroup - reattempt provisioning of a group. Remove-MsolGroup - delete a security group. remove-msol

Powershell Command for Roles in o365

Add-MsolRoleMember Use this cmdlet to add a user to a role. Remove-MsolRoleMember Use this cmdlet to remove a user from a role. Get-MsolRole Use this cmdlet to retrieve a list of administrative roles. Get-MsolRoleMember Use this cmdlet to list the members of a specific administrative role.

Once Dirsync finished installing:

After installation has completed, examine the local groups on the computer on which DirSync has been installed and verify that the following groups are present: ■■ FIMSyncAdmins ■■ FIMSyncBrowse ■■ FIMSyncJoiners ■■ FIMSyncOperators ■■ FIMSyncPasswordSet. These groups are used with the stripped-down Forefront Identity Manager (FIM) component used in DirSync.

After Licence is Assigned following occurs:

An Exchange Online mailbox is created for the user. Edit permissions for the default SharePoint Online team site are assigned to the user. The user will have access to Skype for Business features associated with the license. For Office 365 ProPlus, the user will be able to download and install Microsoft Office on up to five computers running Windows or Mac OS X. Find # of licences assigned on licence node under billing node

ADFS - Configure Identity Provider to use certain email suffixes

An organization can federate with multiple claims providers. AD FS now provides the in-box capability for administrators to list the suffixes, for example @us.contoso.com, @eu.contoso.com, that are supported by a claims provider and enable it for suffix-based discovery. To configure an identity provider (IDP), such as fabrikam, to use certain email suffixes, use the following Windows PowerShell cmdlet and syntax: Set-AdfsClaimsProviderTrust -TargetName fabrikam -OrganizationalAccountSuffix @("fabrikam.com";"fabrikam2.com")

AD Connect Install Requirements

Azure AD - If you use custom settings when you install Azure AD Connect, password synchronization is available on the user sign-in page. •Add and verify the domain you plan to use in Azure AD. Prepare your on-premises data - IdFix. Review optional sync features you can enable in Azure AD. On-Prem AD - must be forest functional level Windows 2003 or later. If you want to use password writeback, then the Domain Controllers must be on Windows Server 2008 (with latest SP) or later. •The domain controller used by Azure AD must be writable. •It is recommended to enable the Active Directory recycle bin. Azure AD Connect server - The server must be using Windows Server Standard or better. •The Azure AD Connect server must have a full GUI installed. •If you install Azure AD Connect on Windows Server 2008 or Windows Server 2008 R2, then make sure to apply the latest hotfixes from Windows Update. •If you plan to use the password synchronization feature, then the Azure AD Connect server must be on Windows Server 2008 R2 SP1 or later. •If you plan to use a group managed service account, then the Azure AD Connect server must be on Windows Server 2012 or later. •The Azure AD Connect server must have .NET Framework 4.5.1 or later and Microsoft PowerShell 3.0 or later installed. •If Active Directory Federation Services is being deployed, the servers where AD FS or Web Application Proxy are installed must be Windows Server 2012 R2 or later. •If Active Directory Federation Services is being deployed, you need SSL certificates. •If Active Directory Federation Services is being deployed, then you need to configure name resolution.

Assign Roles for MS Azure AD RM

Azure RM administrators are able to control the service but unable to view data protected by the service. Add a user or group as administrator by using the Add-AadrmRoleBasedAdministrator cmdlet.

Small Business Subscriptions

Business - office applications - no other o365 services - desktop versions and one drive file storage plus web versions of word/excel/pp Premium - all office apps and services - desktop versions too Essentials - no desktop office applications - but includes services (exchange/lync/sp/yammer/onedrive/teams) web office apps of outlook/word/excel/pp

Planning O365 Subscription

Business Requirements Current IT infrastructure Change Management Process Future org growth

Access filtering using claims rules

By configuring the claim rules after you've configured federation between your on-premises Active Directory environment and Office 365, you can block access to Office 365 depending on the properties of the account making the claim. For example, you could block access to Office 365 for users when they are located on networks outside the organization, but allow the same users access to Office 365 when they are using a computer located on an organizational network.

Supporting multiple forests

By itself, DirSync doesn't support synchronization from two or more Active Directory forests to a single Azure Active Directory instance that supports an Office 365 tenancy. To accomplish this task, you can use the Azure Active Directory Connector for Forefront Identity Manager 2010. DirSync includes a stripped-down and optimized version of Forefront Identity Manager, but this only enables a single on-premises forest connection. The Azure Active Directory Connect tool supports synchronization from multiple on-premises Active Directory forests to a single Azure Active Directory instance.

Exchange Federation CNAME record

Contains autodiscover.service points to autodiscover.outlook.com

Using namespaces - the name of the AD FS service must be resolvable through external DNS

For example, if the name of your AD FS service is adfs.adatum346er.net, clients must be able to resolve this name using a DNS server. This means that the name must be configured as a host record in the appropriate publicly accessible DNS zone. Microsoft recommends using a host (A) record for the AD FS service, pointing to the IP address of the AD FS server, rather than using a CNAME that points to another record. This is because in some circumstances, using a CNAME record rather than a HOST record can cause authentication issues, as Kerberos tickets may be issued to the incorrect name. Kerberos is used to identify the AD FS service on the internal network. This occurs through the service's Service Principal Name (SPN). The AD FS SPN is set automatically when running the AD FS Configuration Wizard.

Internet Connectivity for Clients

o365 clients need to establish unauthenticated connections over ports 80 and 443 to o365 servers on the internet. Problems include: Clients configured with APIPA addresses 169.254.0.0/16. No default gateway - clients need to be configured with the default gateway address of a device that can route to the internet. Firewall configuration - requires access to the internet on those ports. Proxy server authentication - won't work if the proxy requires authentication for connections; need an exclusion.

ADFS - Configure an identity provider list per relying party

For some scenarios, an organization might want end users to only see the claims providers that are specific to an application, so that only a subset of claims providers is displayed on the home realm discovery page. To configure an IDP list per relying party (RP), use the following Windows PowerShell cmdlet and syntax: Set-AdfsRelyingPartyTrust -TargetName claimapp -ClaimsProviderName @("Fabrikam","Active Directory")

Delegated administrator

Full administration When you assign the full administration role to a delegated administrator, that administrator has the same privileges as a member of the global admin role. Limited administration When you assign the limited administration role to a delegated administrator, that administrator has the same privileges as a member of the password admin role. Delegated admins are managed in the Delegated Admins node

Designating Pilot Users

Full-time employees of the organization Representative of the organization Have been with the organization a minimum of six months Already trained on the software that they will be using Willingness to provide feedback

Subscription and license management cmdlets - related to subscription and license management

Get-MsolSubscription - view all of the subscriptions that your organization has purchased Get-MsolAccountSku - generate a list of all of the SKUs that your organization owns. New-MsolLicenseOptions - allow you to create a new License Options object. Set-MsolUserLicense - adjust the licenses assigned to a user, including assigning a new license and removing or updating a license.

View Soft Deleted powershell

Get-MsolUser -ReturnDeletedUsers

Empty all users from recycle bin powershell

Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force

Free/busy information can't be retrieved from one environment

Get-OrganizationRelationship | FL - display the trust information that is currently set up for the default Office 365 domain. Get-SharingPolicy | FL - if the free/busy problem persists, make sure that the sharing policies in the on-premises Exchange Server environment and in Exchange Online match.

Admin Roles

Global administrator Billing administrator Password administrator Service administrator user management administrator

Administrator Roles in o365

Global administrator Billing administrator User management administrator Service administrator Password administrator Delegated administrator Manage role membership

Specify Domain Name (custom)

Go to Domains - click Add Domain if you have one, or you can buy one through GoDaddy/o365; the advantage of buying is that setup in o365 is automatic. If hosted elsewhere - need to confirm ownership by configuring special TXT records.

AD Connect - Staging Mode

Uses: High Availability; Test and Deploy new config changes; Introduce a new server and decommission the old. Won't export - only active for import and sync; won't run password sync and writeback. Once you disable staging mode, exporting starts and password sync and writeback are enabled. When in staging mode, the server still receives changes from AD and Azure AD.

Domain Purpose

How it will be used with Office 365. Domains - select your domain. Manage DNS page - click Domain Purpose. Choose Outlook and/or SFB - Next. Either choose DNS records added by O365 or click to Add These Records Yourself.

ADFS Deploying AD FS topologies

How you deploy AD FS to work with Office 365 depends on the number of users who need to perform single sign-on operations. The most basic form of AD FS deployment is that you place a server on your internal network running Windows Server 2012 R2 with the AD FS role installed and configured. You then place at least one server on your organization's perimeter network that functions as a proxy, relaying traffic between the AD FS server on the internal network and the Office 365 infrastructure.

prepare a server to become an additional AD FS server in the farm:

Importing the appropriate cert and assigning the AD FS service account the appropriate rights: 1. Install the Active Directory Federation Services binaries using the method outlined earlier or by issuing the following Windows PowerShell command: Install-WindowsFeature -IncludeManagementTools ADFS-Federation. 2. Ensure that the AD FS Service Communications Certificate is installed in the Personal Certificate store of the computer account by copying the exported certificate across to the computer that you want to add to the AD FS farm and then double-clicking it to run the Certificate Import Wizard. On the Welcome To The Certificate Import Wizard page of the Certificate Import Wizard, click Local Machine and then click Next. 3. On the File To Import page of the Certificate Import Wizard, enter the name of the file you want to import, then click Next. 4. On the Private Key Protection page of the Certificate Import Wizard, provide the password for the private key, ensure that the key is marked as exportable and that you want to include all extended properties, then click Next. 5. On the Certificate Store page, click Place All Certificates In The Following Store and then click Browse. 6. In the Select Certificate Store dialog box, select Personal, and then click OK. 7. Verify the store selection on the Certificate Store page of the Certificate Import Wizard, then click Next. 8. On the Completing The Certificate Import Wizard page, click Finish. 9. Right-click the Start hint and then click Run. 10. In the Run dialog box, type gpedit.msc and then click OK. 11. In the Local Group Policy Editor, navigate to the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment node. 12. In the Policy pane, double-click Log On As A Batch Job. 13. In the Log On As A Batch Job Properties dialog box, click Add User Or Group and then add the service account used for the AD FS service. Click OK. 14. In the Policy pane, double-click Log On As A Service. 15. In the Log On As A Service Properties dialog box, click Add User Or Group and then add the service account used for the AD FS service. Click OK.

AD FS is a role service

In Windows Server 2012 R2, the AD FS Proxy server role was modified to become the Web Application Proxy server role. Although the 70-346 exam objectives mention AD FS proxy servers, you'll need to remember that this term is only used when AD FS is installed on computers running Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.
- AD FS 1.0: released with Windows Server 2003 R2
- AD FS 1.1: released with Windows Server 2008 and Windows Server 2008 R2
- AD FS 2.0: released as a separate download for Windows Server 2008 and Windows Server 2008 R2
- AD FS 2.1: released with Windows Server 2012
- AD FS 3.0: released with Windows Server 2012 R2
An internal AD FS deployment is termed a farm.

RSS feed

In the Service Health Dashboard, you can click the RSS icon to access an RSS feed. This will provide you with notifications, using the RSS protocol, when a new event is added or an existing event is modified. You can use Outlook to subscribe to RSS feeds.

ADFS Server Install - Group Managed Powershell command

Install-WindowsFeature adfs-federation
Install-AdfsFarm -CertificateThumbprint <certificate_thumbprint> -FederationServiceName <federation_service_name> -GroupServiceAccountIdentifier <domain>\<GMSA_Name>$

Installing required Windows roles and features (web app proxy)

Installing the Web Application Proxy role involves installing the Remote Access role rather than the AD FS role. To install the Web Application Proxy role, perform the following steps:
1. In the Dashboard node of the Server Manager console, click Add Roles And Features.
2. On the Before You Begin page of the Add Roles And Features Wizard, click Next.
3. On the Installation Type page, click Role-Based Or Feature-Based Installation and then click Next.
4. On the Select Destination Server page, ensure that the server that you want to host the Web Application Proxy server role is selected. Click Next.
5. On the Select Server Roles page, ensure that Remote Access is selected and then click Next.
6. On the Features page, click Next.
7. On the Remote Access page, click Next.
8. On the Select Role Services page, select Web Application Proxy and then click Next.
9. On the Confirm Installation Selections page, click Install.

ADFS user sign-in customization

Logo - Set-AdfsWebTheme -TargetName default -Logo @{path="c:\Contoso\logo.png"}
Illustration - Set-AdfsWebTheme -TargetName default -Illustration @{path="c:\Contoso\illustration.png"}
Sign-In Description - Set-AdfsGlobalWebContent -SignInPageDescriptionText "<p>Sign-in to Contoso requires device registration</p>"
Home, Privacy, Help Links - Set-AdfsGlobalWebContent -HelpDeskLink https://fs1.contoso.com/help/ -HelpDeskLinkText Help (also -PrivacyLink and -HomeLink)

Add DNS Records for Outlook/SFB Services

MX Record - customdomain.mail.protection.outlook.com, TTL 3600
CNAME Records - autodiscover: autodiscover.outlook.com; sip: sipdir.online.lync.com; lyncdiscover: webdir.online.lync.com; msoid: clientconfig.microsoftonline-p.net
TXT Record - v=spf1 include:spf.protection.outlook.com -all
SRV Records - _sip (protocol _tls): sipdir.online.lync.com; _sipfederationtls (protocol _tcp): sipfed.online.lync.com

Managing user pw with powershell

Modify a user's password.
Configure the password policy for the Office 365 tenant (number of days to expire and notification settings).
Configure whether a user's password will expire.
Remove password complexity requirements.
You can also use Windows PowerShell to generate lists of users based on their password-setting properties.

Changing Portal Company Branding - logo/sign-in

More Services - Users and Groups - Company Branding - edit - save

ADFS - Bypass Home Realm Discovery for the intranet

Most organizations only support their local Active Directory for any user who accesses from inside their firewall. In those cases, administrators can configure AD FS to bypass home realm discovery for the intranet. To bypass HRD for the intranet, use the following Windows PowerShell cmdlet and syntax: Set-AdfsProperties -IntranetUseLocalClaimsProvider $true

Yammer

Microsoft's enterprise social networking tool.

Self-service PW reset

Must use an Azure AD tenant (basically O365 with an Azure subscription).
Must have Azure AD Premium or Basic.
There must be at least one admin account and one user account; an Azure AD Basic or Premium licence must be assigned to the administrator and user account.
Go to the Azure management portal, select the AD section, select your AD instance, and on the Configure tab select YES for the Users Enabled for Password Reset button.
Can allow standard users to reset passwords or restrict to a specific group of users.
Can opt for various authentication methods: office phone, mobile phone, alternate email address, security questions.
Once you enable the self-service password policy, users will be able to reset their password by clicking "Can't access your account?" on the O365 portal login page.

Single sign-on management cmdlets- managing federated, also known as single sign-on, domains

New-MsolFederatedDomain - add a new identity federated/single sign-on domain and configure the relying party trust settings
Convert-MsolDomainToStandard - convert an Azure AD domain between identity federation/single sign-on to standard authentication
Convert-MsolDomainToFederated - get key settings from Azure AD and the on-premises AD Federation Services 2.0 server
Get-MsolDomainFederationSettings - get key settings from Azure AD
Remove-MsolFederatedDomain - remove a specific identity federated/single sign-on domain from Azure AD
Set-MsolDomainFederationSettings - update the settings of an identity federated/single sign-on domain
Set-MsolADFSContext - configure the credentials that connect the on-premises AD Federation Services 2.0 server and Azure AD
Update-MsolFederatedDomain - alter settings in both Azure AD and AD Federation Services

O365 Non-Profit/Government

Non-profit - 4 options Government - 2 options Trial available for Business Premium and E3 (25)

Syncing passwords

Password Sync allows the synchronization of user account passwords from on-premises Active Directory to the Azure Active Directory instance that supports the Office 365 tenancy. The advantage of this is that users can sign in to Office 365 using the same password that they use to sign in to computers in the on-premises environment. Password Sync does not provide single sign-on or federation.
When you enable Password Sync, the on-premises password complexity policies override password complexity policies configured for the Azure Active Directory instance that supports the Office 365 tenancy.
Password expiration works in the following way: the password of the cloud user object's account is set to never expire, and that change replicates to the Azure Active Directory instance that supports the Office 365 tenancy. It is possible for a user account password to expire on the on-premises Active Directory instance, but that user can still use the same password to sign in to Office 365. The next time they sign in to the on-premises environment, they are required to change their password.
When Password Sync is enabled and you disable a user's account in the on-premises Active Directory instance, the user's account in the Azure Active Directory instance that supports the Office 365 tenancy is disabled within a few minutes. If Password Sync is not enabled and you disable a particular user account in the on-premises Active Directory instance, then the same user account in the Azure Active Directory instance that supports the Office 365 tenancy is not disabled until the next full synchronization.

ADFS 2.0 Sign in Customizations - idpinitiatedsignonpage

Presents a selection UI for the user to select an RP application to sign in to. This page only works for RP applications that use the SAML protocol.

Azure AD Connect and On-premises AD

Protocol - Ports - Description
DNS - 53 (TCP/UDP) - DNS lookups on the destination forest.
Kerberos - 88 (TCP/UDP) - Kerberos authentication to the AD forest.
MS-RPC - 135 (TCP/UDP) - Used during the initial configuration of the Azure AD Connect wizard when it binds to the AD forest, and also during password synchronization.
LDAP - 389 (TCP/UDP) - Used for data import from AD. Data is encrypted with Kerberos Sign & Seal.
LDAP/SSL - 636 (TCP/UDP) - Used for data import from AD. The data transfer is signed and encrypted. Only used if you are using SSL.
RPC - 49152-65535 (random high RPC port) (TCP/UDP) - Used during the initial configuration of Azure AD Connect when it binds to the AD forests, and during password synchronization. See KB929851, KB832017, and KB224196 for more information.

https://products.office.com/en-us/business/office-365-enterprise-e3-business-software and click Free Trial

Region - geographical region in which the organization for which you are creating the subscription is based
First name - input your first name
Last name - input your last name
Business email address - not personal; will be used to recover the tenancy global admin account password, so it needs to be secure
Business phone number
Username - name for the global admin account
Company name - your org's onmicrosoft.com name
Password - between 8 and 16 characters, using upper/lower case, numbers and symbols

Rights Management Templates

Rights Management templates are now integrated with the Azure Information Protection policy. Rights Management templates for your tenant are displayed in the Azure Information Protection - Global policy blade, in the Templates section. Custom templates have moved to the Azure portal where you can continue to manage them as templates, or convert them to labels. To create a new template, create a new label and configure the data protection settings for Azure RMS. Under the covers, this creates a new template that can then be accessed by services and applications that integrate with Rights Management templates.

DLP Rule

Rules are what enforce your business requirements on your organization's content Condition/Action/User Notification/User Override/Incident Report

Troubleshooting tools - creating service request

Service requests allow tenant administrators to contact Microsoft to resolve problems. You can create a service request online through the Office 365 Admin Center or by telephone.
1. Sign in to the Office 365 Admin Center with an account that has tenant administrator privileges.
2. In the left pane, click Support. Under Support, click Service Requests.
3. On the Service Requests page, click the Plus item to create a new Service Request.
4. On the Create a Service Request page, select a category of Service Request. You can choose from the following: Billing; Mail; Online collaboration; Sites and document sharing; Office client subscription; Visio Pro; Project Pro; Yammer Enterprise; Identity management; User and domain management; Delve; Mobile Device management.
5. Once you've selected an issue, you'll be presented with the New Service Request page. Here you'll be asked to: identify the issue; review suggestions; add details; confirm and submit.
6. The features that you can select from the drop-down list will depend on the category of problem that you have selected. The symptoms that you can select will depend on the feature that you choose. Make your selections and click Next.
7. When you have selected a Feature and a Symptom, you'll need to provide an issue summary and issue details, and then click Next.
8. On the Review Suggestions page, you will be presented with some suggestions that may assist you in resolving the problem without having to lodge a service request.
9. On the Add Details page, provide more information about the disruption causing the service request. The content of this page will vary depending on the type of issue you are attempting to get resolved. You can add up to five screen shots or additional documents on this page, as long as each document is less than 5 MB in size.
10. Once you have added the appropriate details, you can confirm and submit the request.
Response times will depend on the severity of the issue and the type of subscription that your organization has to Office 365.

ADFS enable sign-on page

Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

Service principal management cmdlets - manage the configuration of service principals

Set-MsolServicePrincipal - update an AD service principal
New-MsolServicePrincipal - create a new service principal
Get-MsolServicePrincipal - retrieve a list of service principals
New-MsolServicePrincipalAddress - create a new service principal address object
Get-MsolServicePrincipalCredential - view a list of credentials that are tied to a specific service principal
New-MsolServicePrincipalCredential - add new credentials to a service principal
Remove-MsolServicePrincipalCredential - remove a credential key from a specific service principal

Configure password expiration powershell

Set-MsolUser -UserPrincipalName [email protected] -PasswordNeverExpires $true (or $false)
To configure the tenant so that no passwords expire: Get-MsolUser | Set-MsolUser -PasswordNeverExpires $true (or $false)

Add a license to a user

Set-MsolUserLicense -UserPrincipalName "[email protected]" -AddLicenses "Contoso:ENTERPRISEPACK" This command adds the Office 365 for Enterprises license to the user.

Replace one license with another

Set-MsolUserLicense -UserPrincipalName "[email protected]" -AddLicenses "contoso:DESKLESS" -RemoveLicenses "contoso:ENTERPRISEPACK"

Remove a license from a user

Set-MsolUserLicense -UserPrincipalName "[email protected]" -RemoveLicenses "contoso:ENTERPRISEPACK" This command removes the Office 365 for Enterprises license from the user. This may result in the user's data being removed from each service.

Reset a password

Set-MsolUserPassword -UserPrincipalName "[email protected]" -NewPassword "pa$$word" This command resets the password for [email protected]. The user will be required to reset the password on next sign in.

Reset a password with a random password

Set-MsolUserPassword -UserPrincipalName "[email protected]" -ForceChangePassword This command resets the password for [email protected]. The cmdlet generates a random password. The user is required to reset the password on next sign in.

Set-SPOUser

Set-SPOUser [-Site] <SpoSitePipeBind> [-LoginName] <String> [-IsSiteCollectionAdmin] <$true | $false> Configures properties on an existing user.

Office 365 additional components

SharePoint online, project pro for office 365, project online, project online with project pro for O365, ms office visio pro for O365, ms dynamics 365, azure information protection

Activate Azure Rights Management

Sign in to the O365 Admin center with global admin permissions.
Service settings - Rights Management.
On the Protect Your Information page, click Manage.
On the Rights Management page, click Activate.
On the "Do you want to activate" page, click Activate.

Pilot Office 365 with a few email addresses on your custom domain

Sign in to the Office 365 admin center.
Verify that you own the domain you want to use.
Mark the domain as shared in Exchange Online.
Optionally, unblock the existing email server.
Update DNS records at your DNS hosting provider.
Set up email forwarding at your current provider.
Test mail flow.
Move mailbox contents.

Creating users and groups

Source of authority is a very important concept when it comes to creating users and groups in an environment where DirSync is configured. When you create a user or group in the on-premises Active Directory instance, the on-premises Active Directory instance retains authority over that object. Objects created within the on-premises Active Directory instance that are within the filtering scope of objects synchronized via DirSync will replicate to the Azure Active Directory instance that supports the Office 365 tenancy.
Newly created on-premises user and group objects will only be present within the Azure Active Directory instance that supports the Office 365 tenancy after synchronization has occurred. The default sync interval is 3 hours. You can force synchronization to occur using the Synchronization Service Manager tool, sometimes called Identity Manager, or by using Windows PowerShell.
User accounts created in Office 365 by the synchronization process will not automatically be assigned Office 365 licenses. One of the simplest methods to assign licenses to a large number of accounts is by using Windows PowerShell:
Get-MsolUser -UnlicensedUsersOnly
Get-MsolUser -UnlicensedUsersOnly | Set-MsolUser -UsageLocation <location>
Assign the SKU: $Sku = Get-MsolAccountSku
Apply the appropriate account SKU ID to correctly license each account: Get-MsolUser -UnlicensedUsersOnly | Set-MsolUserLicense -AddLicenses $Sku.AccountSkuId

Service Communications Certificate

Subject Name and Subject Alternative Name must include the federation service name.
Subject Alternative Name must contain the value enterpriseregistration and the UPN suffix of the organization.
Cannot be a wildcard certificate.
Must be stored in the local computer account's Personal Certificate store.
Must be issued by a trusted third-party CA.

Enable Recovery of Protected Document

The Super User role in RM is able to remove protection from a document using the Unprotect-RMSFile cmdlet (the counterpart that applies protection is Protect-RMSFile).

Azure Rights Mgmt Super User feature abilities

The Super User feature allows authorized people and services to view the data that is protected by the service. A Super User can:
- modify the protection applied to a protected document
- access docs left by people who have left the org
- alter the protection policy applied to existing files
- be configured to allow Exchange Server to index mailboxes containing protected content
- be configured to allow data loss prevention products to scan protected docs
- perform bulk decryption of files for auditing, legal or compliance reasons
Super User is not enabled by default; it is enabled automatically when the Rights Management connector is configured for Exchange Server.

Microsoft Support and Recovery Assistant for Office 365

Support and Recovery Assistant is a new tool users can run to fix common Office 365 problems. The app can troubleshoot and fix several common Outlook problems, help install the Office client, and run various checks to make sure account settings are correct.

Ports and Protocols Need to Be Open

TCP - 443 - O365 portal, Outlook, OWA, SharePoint Online, SfB, AD FS federation, AD FS proxy
TCP - 25 - mail routing
TCP - 587 - SMTP relay
TCP - 143/993 - IMAP Simple Migration Tool
TCP - 80/443 - Azure AD Sync Tool, Exchange Management Console, Exchange Management Shell
TCP - 995 - POP3
PSOM/TLS - 443 - SfB Online outbound data sharing
STUN/TCP - 443 - SfB Online outbound audio, video, application sharing
STUN/UDP - 3478 - SfB Online outbound audio and video sessions
TCP - 5223 - SfB mobile client push notifications
UDP - 20000-45000 - SfB outbound phone
RTC/UDP - 50000-59000 - SfB outbound audio and video sessions

Free/busy information can't be retrieved from a cloud account by using an on-premises account

Test-FederationTrust -UserIdentity <OnPremisesMailbox> -verbose

Microsoft Online Services Diagnostics and Logging Support Toolkit

The 70-346 exam objectives mention the Microsoft Online Services Diagnostics and Logging Support Toolkit. This toolkit is no longer available from Microsoft and no information has been provided about a replacement.

Installing and configuring AD FS

The AD FS role must be installed on a computer that is joined to a domain. The AD FS role can be installed on a computer that hosts the domain controller role. There are two steps to installing the role: the first is to install the role and the second is to configure the role.

Office 365 Management Pack

The Office 365 Management Pack for System Center Operations Manager allows you to monitor the status of one or more Office 365 subscriptions from your on-premises Operations Manager deployment.

ADFSSyncProperties

The Set-ADFSSyncProperties cmdlet changes the frequency of AD FS configuration database synchronization. It also specifies which federation server is the primary federation server in the federation server farm.
Set-ADFSSyncProperties [-PollDuration <int>] [-PrimaryComputerName <string>] [-PrimaryComputerPort <int>] [-Role <string>] [-Confirm] [-WhatIf] [<CommonParameters>]

Installation account requirements

The account used to configure Office 365 must have Administrator permissions in the Office 365 tenant. The account used to install and configure DirSync must have Enterprise Administrator permissions within the on-premises Active Directory forest. This account is only required during installation and configuration. Once DirSync is installed and configured, this account no longer needs Enterprise Administrator permissions. Best practice is to create a separate account for DirSync installation and configuration and to temporarily add this account to the Enterprise Admins group during the installation and configuration process. The account used to install and configure DirSync must be a member of the local Administrators group on the computer on which DirSync is installed. Once DirSync is installed, the account used to run the Configuration Wizard must be a member of the FIMSyncAdmins group. The account used to install DirSync is automatically added to this group during the installation process.

AD Connect Password Sync cont'd

The first time you enable the password synchronization feature, it performs an initial synchronization of the passwords of all in-scope users. You cannot explicitly define a subset of user passwords that you want to synchronize. When you change an on-premises password, the updated password is synchronized, most often in a matter of minutes. The synchronization of a password has no impact on the user who is currently signed in. Your current cloud service session is not immediately affected by a synchronized password change that occurs while you are signed in to a cloud service. However, when the cloud service requires you to authenticate again, you need to provide your new password.

AD Connect Password Sync Considerations

There are two types of password policies that are affected by enabling password synchronization:
- Password complexity policy
- Password expiration policy
When password synchronization is enabled, the password complexity policies in your on-premises Active Directory instance override complexity policies in the cloud for synchronized users. If a user is in the scope of password synchronization, the cloud account password is set to Never Expire.
Account expiration: if your organization uses the accountExpires attribute as part of user account management, be aware that this attribute is not synchronized to Azure AD.
Overwrite synchronized passwords: an administrator can manually reset your password by using Windows PowerShell. In this case, the new password overrides your synchronized password, and all password policies defined in the cloud are applied to the new password. If you change your on-premises password again, the new password is synchronized to the cloud, and it overrides the manually updated password.

Export Cert and Private Key

To export the private key, perform the following steps:
1. In the Console1 - Console Root console with the Certificates (Local Computer) snap-in added, navigate to the Personal\Certificates node and select the certificate.
2. On the Action menu, click All Tasks and then click Export.
3. On the Welcome To The Certificate Export Wizard page of the Certificate Export Wizard, click Next.
4. On the Export Private Key page, select Yes, Export The Private Key. If this option is not available, you need to update the Certificate Template on the Enterprise CA so that you are able to export private keys and then request a new certificate.
5. On the Export File Format page of the Certificate Export Wizard, ensure that you select the Include All Certificates In The Certificate Path If Possible option and the Export All Extended Properties option. Ensure that you do not select the Delete The Private Key If The Export Is Successful option. Click Next.
6. On the Security page of the Certificate Export Wizard, select the Password option and then provide a password to protect the certificate. Click Next.
7. On the File To Export page of the Certificate Export Wizard, select a location to save the exported certificate and click Next.
8. On the Completing The Certificate Export Wizard page, click Finish.

Installing the Office 365 Management Pack

To install the Office 365 Management Pack for System Center Operations Manager, perform the following steps:
1. Download the Office 365 Management Pack from https://www.microsoft.com/en-us/download/details.aspx?id=43708 to the desktop of the Operations Manager server.
2. Double-click the System Center Management Pack for Office 365 MSI installer file.
3. On the License Agreement page, click I Accept, and then click Next.
4. In the Select Installation Folder dialog box, accept the default location, and then click Next, click Install, and click Close.
5. Open the Operations Manager console and then select the Administration workspace.
6. Select the Management Packs node and then click Import Management Packs from the Tasks pane.
7. In the Import Management Packs dialog box, click Add and then click Add From Disk.
8. In the Online Catalog Connection dialog box, click Yes.
9. In the Select Management Packs To Import dialog box, navigate to C:\Program Files (x86)\System Center Management Packs\System Center Management Pack for Office 365\ and select Microsoft.SystemCenter.O365.mpb and then click Open.
10. On the Import Management Packs dialog box, ensure that Microsoft Office 365 is selected, and then click Install. When the import completes, click Close.

Setting custom proxy forms login page

To set the company name, use the Set-AdfsGlobalWebContent cmdlet: Set-AdfsGlobalWebContent -CompanyName "Adatum Hovercraft"
You can change the company logo displayed on the sign-in page with a PNG image file, resolution 260*35, no greater than 10 KB: Set-AdfsWebTheme -TargetName default -Logo @{path="c:\logos\logo.png"}
To change the large illustrative graphic on the left, use the Set-AdfsWebTheme cmdlet with the -Illustration parameter. The file should be 1420*1080 pixels and no larger than 200 KB: Set-AdfsWebTheme -TargetName default -Illustration @{Path="c:\illustrations\illustration.png"}
Add a sign-in page description using the Set-AdfsGlobalWebContent cmdlet with the -SignInPageDescriptionText parameter: Set-AdfsGlobalWebContent -SignInPageDescriptionText "Welcome to the Adatum single sign-on page"

Get-MsolAccountSku

To view summary information about your current licensing plans and the available licenses for each plan, run the following command in Office 365 PowerShell: Get-MsolAccountSku
AccountSkuId - shows the available licencing plans
ActiveUnits - number of licences you have purchased for a specific plan
WarningUnits - number of licences in a licencing plan you haven't renewed and that will expire after the 30-day grace period
ConsumedUnits - number of licences you have assigned to users from a specific licencing plan

SFB - A/V Edge Service Interface Ports

UDP - source 3478, destination 3478
TCP - source 50000-59999, destination 443

Setting up perimeter network name resolution (AD FS Proxy Servers)

Very important to remember is that from Windows Server 2012 R2 onward, the role service known as AD FS Proxy Server has been renamed Web Application Proxy. Microsoft recommends that for external name resolution you configure an A record that maps the public name of the AD FS service to the public IP address of the Web Application Proxy server on the perimeter network. The computer that will function as the proxy server itself needs to be able to resolve the address of the AD FS servers. You can perform this operation by configuring DNS if you are using a split DNS. An alternative is to configure the hosts file on each computer, mapping the name of the AD FS service to the IP addresses of each member of the AD FS server farm. Remember that the name resolution requirement for the Web Application Proxy server is different from the name resolution requirement for the Office 365 servers. One requires resolution of the AD FS service name to the Web Application Proxy server, while the other requires name resolution to the AD FS servers on the internal network.

User management administrator

View organization and user information
Manage support tickets
Reset the passwords of all user accounts except those assigned the global administrator, billing administrator, or service administrator roles
Create and manage user views
Create, edit, and delete users and groups except users who are assigned global administrator privileges
Manage user licenses
Has the Skype for Business Online admin role

Global administrator

View organization and user information
Manage support tickets
Reset user passwords
Perform billing and purchasing operations
Create and manage user views
Create, edit, and delete users
Create, edit, and delete groups
Manage user licenses
Manage domains
Manage organization information
Delegate administrative roles to others
Use directory synchronization

ADFS Home Realm Discovery Customization

When the AD FS client first requests a resource, the resource federation server has no information about the realm of the client. The resource federation server responds to the AD FS client with a Client Realm Discovery page, where the user selects the home realm from a list. The list values are populated from the display name property in the Claims Provider Trusts. Use the following Windows PowerShell cmdlets to modify and customize the AD FS Home Realm Discovery experience.

Deleting users and groups

When you want to delete a user or group account that was created in the on-premises Active Directory instance, you should use tools such as Active Directory Users And Computers or Active Directory Administrative Center to remove that user. When you delete a user from Office 365, their account remains in the Azure Active Directory Recycle Bin for 30 days; you can recover the account online should it be necessary to do so. If you delete a user from your on-premises Active Directory environment, but have enabled the on-premises Active Directory Recycle Bin, recovering the user from the on-premises Active Directory Recycle Bin will automatically recover the user account in Office 365. If you don't have Active Directory Recycle Bin enabled, you'll need to create another account with a new GUID.

auditing and reporting related Windows PowerShell cmdlets

Windows PowerShell cmdlets related to message auditing include:
- Search-AdminAuditLog: search the administrator audit log.
- Write-AdminAuditLog: add entries to the administrator audit log.
- Get-AdminAuditLogConfig: view the configuration of the administrator audit log.
- New-AdminAuditLogSearch: search the administrator audit log, outputting the results as email to specified recipients.
- Get-MailboxAuditBypassAssociation: view mailboxes that are configured to bypass mailbox audit logging.
- Set-MailboxAuditBypassAssociation: configure one or more mailboxes so that they bypass mailbox audit logging.
- Search-MailboxAuditLog: examine the contents of the mailbox audit log.
- New-MailboxAuditLogSearch: search the mailbox audit log, outputting the results as email to specified recipients.
Windows PowerShell cmdlets related to message tracking include:
- Get-MessageTrackingReport: provides data from a specific message tracking report.
- Search-MessageTrackingReport: allows you to locate a specific message tracking report based on search criteria.

Planning for filtering Active Directory

With DirSync, you can choose to filter based on the following options:
- Domain-based: in a forest with multiple domains, you can configure filtering so that only objects from some domains, and not others, are filtered.
- Organizational-unit (OU)-based: with this filtering type, you choose which objects are filtered, based on their location within specific organizational units.
- User-attribute-based: you can also create filters based on the attributes of user objects. You can create filters based on any Active Directory user-object attribute.
You can combine filters such that it is possible to use a combination of domain, OU, and attribute-based filtering to limit which user account objects are synchronized.

Move Ownership of DNS to Office 365

You can change the name servers that host your custom domain from the original registrar to Office 365. Whether this is possible depends on the domain registrar that currently hosts the records that point to the name servers associated with the custom domain. You can only move the name servers after you have confirmed that your organization owns the domain by configuring the TXT records. Change the following settings:
Primary name server: ns1.bdm.microsoftonline.com
Secondary name server: ns2.bdm.microsoftonline.com

Configuring multi-factor authentication

You can configure AD FS on Windows Server 2012 R2 to support multi-factor authentication by downloading and installing the Azure Multi-Factor Authentication Server. This server can be downloaded from the Microsoft Azure portal and installed either on a server with the AD FS role installed on it or on a separate computer that is a member of the same domain. The account that you use to sign in must have user rights to create security groups in your Active Directory service. You can use the following methods for multi-factor authentication:
■■ Phone Call
■■ Text Message
■■ Mobile App
■■ OATH Token
You can also configure a specific number of security questions as a fallback option. When configured, users will be required to use two forms of authentication when accessing Office 365 resources using single sign-on.

Free/busy information can't be retrieved from an on-premises account by using a cloud account

a. Open the Microsoft Remote Connectivity Analyzer at the following Microsoft website: https://www.testconnectivity.microsoft.com/?testid=OutlookAutoDisc

Billing administrator

Able to make purchases, manage subscriptions, manage support tickets, and monitor service health.

enable multi-factor authentication

Active Users - Set Up Multi-Factor Authentication - click Set Up on the multi-factor page - click Enable - click Enable Multi-Factor Auth - click Close. At next sign-in, users will be redirected to a webpage that allows them to set up multi-factor authentication. When enforcing multi-factor authentication for a user, you are presented with a warning box that they will need to create app passwords.

Run the Office 365 on-ramp readiness tool - might be Office 365 readiness checks

Allows you to run a set of tools to identify troubleshooting and configuration problems: https://onramp.office365.com. On the advanced setup page you can make your own selections, or have an app check to discover what is installed on your premises. Depending on your selections, you will be given advice and tools on how to perform each step of the deployment.

IdFix

Allows you to scan an Active Directory instance to determine if any user accounts, group accounts, or contacts have problems that will cause them not to synchronize between the on-premises instance of Active Directory and the Office 365 instance of Azure Active Directory. It can also perform repairs on objects that would otherwise be unable to sync. The computer where you install IdFix needs to be joined to the same Active Directory domain from which you want to synchronize users to Office 365. The computer also needs to have .NET Framework 4.0 installed. The user account that you use to run IdFix needs to have read/write access to the Active Directory directory.

Service Health Dashboard

Allows you to view the health of all of the services related to your organization's Office 365 subscription. By clicking View Details and History, you can view the status history for the past seven days. The status icons have the following meanings:
■■ Normal service - This icon indicates that the service has suffered no issues in the reporting time period.
■■ Investigating - This icon indicates that Microsoft is investigating a potential issue and that more information will be forthcoming.
■■ Service interruption - This icon indicates that the service is not functioning.
■■ Service degradation - This icon indicates that the service is slow and occasionally unresponsive for brief periods.
■■ Restoring service - This icon indicates that the service is in the process of being fixed.
■■ Extended recovery - This icon indicates that while steps have been completed to resolve the incident, an extended amount of time might be required before operations return to normal.
■■ Service restored - This icon indicates that an incident was active in the last 24 hours but that service has been restored.
■■ Additional information - This icon indicates that the incident was active in the previous 48 hours and that you should check the Today column to determine if the incident has been resolved.
■■ PIR published - The Post Incident Report (PIR) is a report published about the service incident that provides additional data about the status.
You can also view the history for the previous 30 days by clicking the View History For Past 30 Days item.

Proxy Server Configuration

Clients can't communicate with Office 365 if traffic goes through a proxy server that requires authentication. Either disable authentication, or selectively disable authentication for traffic to Office 365 related resources on the Internet. There are a number of URLs that need to be configured for exclusions.

ms dynamics 365

Cloud-based platform that combines CRM and ERP functions and delivers apps to manage business functions like sales, marketing, finances, and customer service.

Get-MailboxActivityReport

Cmdlet to view the number of mailboxes created and deleted in your cloud-based organization.

Get-MailboxUsageReport

Cmdlet to view the number of mailboxes in your organization that are within 25% of the maximum mailbox size, and the number of mailboxes that are over the maximum size for your organization.

Microsoft Connectivity Analyzer

Companion tool for the Remote Connectivity Analyzer. You run the Microsoft Remote Connectivity Analyzer from a website on the Internet, whereas you run the Microsoft Connectivity Analyzer from your local on-premises infrastructure. It allows you to perform connectivity tests against your on-premises messaging deployment as well as against Office 365.

Dirsync installation

The computer running DirSync must be able to establish communication with the Microsoft Azure servers on the Internet over TCP port 443. The computer hosting DirSync does not need a publicly routable IP address; it always initiates synchronization communication to Microsoft Azure. Microsoft Azure Active Directory does not initiate synchronization communication to the computer hosting DirSync on the on-premises network. While you can install DirSync on a domain controller, Microsoft recommends that you deploy DirSync on a computer that does not host the domain controller role. If you are going to be replicating more than 50,000 objects, Microsoft recommends that you deploy SQL Server on a computer that is separate from the computer that will host DirSync. If you plan to host the SQL Server instance on a separate computer, ensure that communication is possible between the computer hosting DirSync and the computer hosting the SQL instance on TCP port 1433. If you are going to use a separate SQL Server instance, you must perform installation of DirSync using the command line. If you are using a full SQL Server instance, ensure that the account used to install and configure DirSync has "systems administrator" rights on the SQL instance and that the service account used for DirSync has "public" permissions on the DirSync database.

O365 admin centre

Used to deploy Office 365 for your organization: create users and groups, manage domains and licences, and administer Office 365.

Create a test plan or use case - phases

Deploy an Office 365 tenancy to be used for the pilot
Create user accounts for pilot users
Configure active use of email for pilot users
Deploy Office 365 ProPlus software
Enable pilot users to access Office 365 services
Ask for feedback

project pro for o365

Desktop project management capabilities for small teams and organizations.

Password policies

Determine how often an Office 365 user must change their password. The default is every 90 days, with a warning at 14 days. Change policies in the Office 365 admin centre: Service Settings - Passwords. Options include:
Passwords never expire
Days before passwords expire - maximum number of days a password stays valid; minimum 14, maximum 730
Days Before a User is Notified That Their Password Will Expire - value can be set between 1 and 30

Tenant Region

Determines which Office 365 services are available, the taxes that will be applied as a part of the subscription charges, the billing currency for the subscription, and the Microsoft datacenter that will host the resources allocated to the subscription.

ACTIVE INCIDENTS

Displays a list of alerts for currently active Office 365 incidents for the subscription selected in the Subscription Health area. Each alert contains information about the list of affected services, features, and the status of those features. Alerts can have one of the following states:
■■ Information Unavailable
■■ Investigating
■■ Service Interruption
■■ Service Degradation
■■ Restoring Service
■■ Extended Recovery

How to Assign a Licence

Edit the properties of the user: select the user's account, click Edit, then open the Licence tab. Select the check box by each licence type to assign it, or clear it to remove the licence.

ADModify.NET

Enables you to make changes to specific attributes for multiple objects simultaneously.

Forefront Identity Manager 2010 R2

Enables you to perform identity management tasks beyond what is possible with the built-in roles and features available to support an on-premises Active Directory instance. It can deploy on-premises self-service password reset, configure a user-provisioning workflow, and provide a centralized interface for certificate management tasks. The next version of Forefront Identity Manager will be known as Microsoft Identity Manager.

Meeting the DirSync installation requirements

Ensure that your environment, the DirSync computer, and the account used to configure DirSync meet the relevant software, hardware, and privilege requirements. Ensure that your Active Directory environment is configured at the appropriate level, that the computer on which you will run DirSync has the appropriate software and hardware configuration, and that the account that you use to install DirSync has been added to the appropriate security groups.

Service Communications Certificate

Must have the following properties:
■■ The certificate's Subject Name and Subject Alternative Name must include the federation service name. For example, adfs.adatum346ER.net.
■■ The certificate's Subject Alternative Name must contain the value enterpriseregistration and the UPN suffix of the organization. For example, enterpriseregistration.adatum346ER.net.
■■ Certificate cannot be a wildcard certificate.
■■ It is necessary to have both the certificate and the private key when running the Active Directory Federation Services Configuration Wizard.
■■ Certificate must be issued by a trusted third-party certification authority (CA). Although you cannot use a certificate generated from an internal Enterprise CA to connect to Office 365, you can perform many of the steps required to configure AD FS using this certificate.

dirsync o365 requirements

You need to ensure that you have configured an additional domain for Office 365 and enabled Active Directory Synchronization from within the Office 365 Admin console. You can only enable Active Directory Synchronization once an additional domain has been configured.

MX Record

Needed to get mail routed for a custom domain to the Office 365 target mail server. O365 Admin Center - Domains node - custom domain - click Find and Fix Issues. In the MX Records section, select What Do I Fix and follow the directions to determine the MX token value. The MX priority needs to be lower than that of any other MX records configured; the lower number gets priority.

O365 made up of separate services

Office 365 platform service, Exchange Online, Exchange Online Archiving, Exchange Online Protection, SharePoint Online, OneDrive for Business, Skype for Business, Office Online, Office applications, Project Online, Project Pro for Office 365, Yammer, Power BI for Office 365, Microsoft Dynamics CRM Online

using multi-factor authentication

Once enabled, the client must use two forms of authentication:
Mobile Device App - downloaded app, use the code it generates
One-time Password - single-use password
Phone Call - call to a pre-configured number; the user must enter a code when answering
SMS Message - message contains a code used to sign in to Office 365

adfs multi-factor authentication

Phone call, text message, OATH token, mobile app

Office 365 ProPlus

Plans can include an online downloadable version of Word, Excel, PowerPoint, Outlook, Access, Publisher, OneNote, InfoPath, and Skype for Business. Web app versions are available. You can run this version alongside older versions.

CNAME - autodiscover

Points the alias autodiscover to the hostname autodiscover.outlook.com. Example: autodiscover.worksafebc.com - autodiscover.outlook.com

Connect existing email accounts for pilot users

It is possible to do a pilot migration while keeping the majority of users on-premises:
Add the domain and verify it
Mark the domain as shared/internal relay
Optional step - unblock the existing email server in Exchange Online Protection
Create Office 365 accounts and mark the reply-to address as the custom domain
Update existing DNS records - SPF
Set up mail forwarding on-premises (current provider) to the onmicrosoft.com accounts
Simple domain sharing for SMTP address: use Internal Relay, configure the on-premises mail solution to forward mail for each pilot user account to the onmicrosoft.com mail domain, and configure each Office 365 user account to use the on-premises DNS zone mail name
Migrate the contents of each pilot user's on-premises mailbox using the EAC

Skype for Business Online

Presence and instant messaging information; ability to chat, call, and video conference; online meetings with audio, video and web conferencing for up to 250.

DLP Policy

Protects sensitive information and prevents its inadvertent disclosure. It defines:
Where to protect the content - locations such as Exchange Online, SharePoint Online, and OneDrive for Business sites.
When and how to protect the content by enforcing rules comprised of:
Conditions the content must match before the rule is enforced -- for example, look only for content containing Social Security numbers that's been shared with people outside your organization.
Actions that you want the rule to take automatically when content matching the conditions is found -- for example, block access to the document and send both the user and compliance officer an email notification.

Message Center

Provides a list of information messages related to the Office 365 subscription. Each alert in the Message Center will provide an external link to an article or blog post with details.

Planned maintenance

Provides details of upcoming planned maintenance events, as well as recent planned maintenance events.

Using Azure Active Directory Graph API

Provides organizations with REST API endpoints through which they can programmatically access Azure Active Directory. It allows apps to: create, disable, or delete a user account; retrieve user properties, such as group membership and licensing status; and modify user properties, including changing a user's password. The application needs to be registered and configured with access to the Azure AD.

SUBSCRIPTION HEALTH

Provides you with information about each of the monitored Office 365 subscriptions, and can be used to monitor the status of multiple Office 365 subscriptions. A healthy state indicates that a connection has been successfully made from the Operations Manager instance to a specific Office 365 subscription. A critical state indicates that a connection cannot be made from the Operations Manager instance to the Office 365 subscription.

SFB Online DNS records

Requires 2 SRV and 2 CNAME records.

Adhering to Web Application Proxy certificate requirements

Requires a server authentication certificate that has the same subject name as the server authentication certificate installed on the computer that hosts the AD FS role. This certificate must be imported into the Personal Certificates store of the computer that hosts the Web Application Proxy role. If you are using a computer running Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 that is functioning as a federation proxy server, this server authentication certificate must be installed on the default website of the computer that hosts the federation proxy server role.

Software environment requirements

Requires that the on-premises Active Directory environment be configured at the Windows Server 2003 forest functional level or higher. Forest functional level is dependent on the minimum domain functional level of any domain in a forest. For example, if you have five domains in a forest, with four of them running at the Windows Server 2012 R2 domain functional level and one of them running at the Windows Server 2003 domain functional level, then Windows Server 2003 will be the maximum forest functional level. You can check the forest functional level using the Active Directory Domains And Trusts console. To do this, perform the following steps:
1. Open the Active Directory Domains And Trusts console.
2. Select the Active Directory Domains And Trusts node.
3. On the Actions menu, click Raise Forest Functional Level.
4. The dialog box displays the current functional level and, if possible, provides you with the option of upgrading the forest functional level.
You can also check the forest functional level by using the following Windows PowerShell command: (Get-ADForest).ForestMode

RESOLVED INCIDENTS

Shows a list of resolved alerts for the currently selected subscription.

To register application

1. Sign in to the Azure management portal.
2. Click the Active Directory item and ensure the appropriate directory is selected.
3. Click the Add button on the command bar.
4. On the What Do You Want To Do page, click Add An App My Organization Is Developing.
5. On the Tell Us About Your App page, specify the app name and whether it is a web app / web API or a native client app, then click the arrow.
6. On the App Properties page, enter the sign-in URL and the App ID URL and click Check.
Once the app is added, the app quick start page will open and allow you to add additional capabilities to the app, such as allowing user sign-in and access to web APIs in other apps.

SFB Cname records

sip points to sipdir.online.lync.com - This CNAME record allows the client to find the Skype for Business service and assists in the process of signing in.
lyncdiscover points to webdir.online.lync.com - The second CNAME record assists the Skype for Business mobile device client to find the Skype for Business service and also assists with sign-in.

Deleting User Accounts

Soft delete - moved to the Azure AD recycle bin. Hard delete - permanently deleted.
Delete an account from the admin portal: Active Users, select the user, click Delete; you will be prompted. You can also use the Remove-MsolUser cmdlet. User accounts can be deleted through the Exchange admin centre. If directory sync is configured, users can be deleted when they are removed on-premises.
Soft-deleted accounts remain visible for 30 days and can be recovered; after that the account is deleted and unrecoverable. You can restore a user in the Azure AD directory recycle bin by selecting the user in the list and clicking Restore Users.

Recommended Bandwidth Factors

The specific Office 365 services to which you subscribe
The number of clients connecting to Office 365 from one site at a time
The type of interaction the client is having with Office 365
The capacity of the network connection available to each computer
Your organization's network topology

ms office visio pro for o365

Subscription version of Visio Pro 2013; can be installed on up to 5 machines.

Azure Active Directory Connect

The Microsoft replacement for DirSync and Azure Active Directory Sync, designed to streamline the process of configuring connections between an on-premises deployment and Azure Active Directory. It can automatically configure and install simple password synchronization or Federation/Single Sign-on, depending on your organizational needs. The tool supports:
Exchange hybrid deployment
Azure AD app and attribute filtering
Password writeback
User writeback
Group writeback
Device writeback
Device sync
Directory extension attribute sync

If the AD FS Federation Server is running a version of AD FS prior to AD FS 3.0

The Service Communications Certificate requirements differ from those that apply when the AD FS server is running AD FS 3.0. These requirements are as follows:
■■ The certificate requires the Subject Name to be a short name, rather than a fully qualified domain name.
■■ This certificate must be trusted by Microsoft cloud services as well as AD FS clients. This means that it needs to be issued by a trusted third-party CA.
■■ The certificate cannot be a wildcard certificate.
The AD FS server needs a token-signing certificate. The token-signing certificate is an X.509 certificate. This certificate is used to sign the tokens issued by the federation server that the cloud service accepts and validates. The default is that you use the self-signed token-signing certificate that is generated by AD FS for this task rather than generating a certificate from a CA.

Global administrator

Users with this role have access to all administrative features and are the only users able to assign other admin roles. More than one Office 365 user account can be assigned the global admin role. The first tenancy account created when you sign up for Office 365 is automatically assigned the global admin role.

Hybrid Free/Busy Troubleshooter

Tool that you can access at http://aka.ms/hybridfreebusy. It allows you to troubleshoot free/busy calendar issues when you have Office 365 deployed in a hybrid configuration with an on-premises Exchange deployment. The tool is designed to be used with Office 365 Tenant Administrator privileges. Accessing the Hybrid Free/Busy Troubleshooter tool gives you the following options:
■■ My Cloud User Cannot See Free/Busy For An On-Premises User
■■ My On-Premises User Cannot See Free/Busy For A Cloud User
■■ I Want To See Some Common Tools For Troubleshooting Free/Busy Issues
Choosing the "I Want To See" option connects you to the Remote Connectivity Analyzer tool, advice on how to troubleshoot free and busy issues for Outlook 2007 and Outlook 2010 clients, as well as a video providing troubleshooting tips. You can use the Hybrid Free/Busy Troubleshooter tool to troubleshoot free and busy issues for on-premises deployments of Exchange when your on-premises deployment uses Exchange Server 2010 or Exchange Server 2013. You can also use the Hybrid Environment Free/Busy Troubleshooter to assist in resolving issues if your organization's on-premises deployment is running Exchange 2007 and 2003. It is reasonable to assume that when Exchange 2003 reaches the end of extended support, the Hybrid Environment Free/Busy Troubleshooter will no longer support this scenario. It is also reasonable to assume that when Exchange 2016 is released, the Hybrid Environment Free/Busy Troubleshooter will be updated to support scenarios involving the product.

ad connect schedule synchronization

Two schedulers - one for password sync, one for other object and attribute synchronization.
To get object scheduler info: Get-ADSyncScheduler
To disable the schedule: Set-ADSyncScheduler -SyncCycleEnabled $false
To customize the interval: Set-ADSyncScheduler -CustomizedSyncCycleInterval d.HH:mm:ss
To start a sync of changes only: Start-ADSyncSyncCycle -PolicyType Delta
To start a full sync: Start-ADSyncSyncCycle -PolicyType Initial
You might need to stop it, for example if you want to go into the wizard: Stop-ADSyncSyncCycle
To run a specific connector profile if you don't want to rely on the built-in schedule: Invoke-ADSyncRunProfile -ConnectorName "name of connector" -RunProfileName "name of profile"

Password administrator

Users assigned the password admin role are able to reset the passwords of most Office 365 user accounts, except those assigned the global admin, service admin, or billing roles. Users in this role can reset the passwords of other users assigned the password admin role.

User management administrator

Users in this role can reset passwords and monitor service health, and manage user accounts, user groups, and service requests. They are unable to delete accounts assigned the global admin role, create other admin roles, or reset passwords for users assigned the billing, global, or service admin roles.

Office Integration with Rights Mgmt

Users must be signed in to Office 365 to use Rights Management. Once signed in, they have access to the Protect Document menu. They might need to connect to Azure Rights Management to get templates: click Restrict Access, then click Connect to Rights Management Servers and Get Templates. Once templates have been retrieved from the server, they will be visible in the Restrict Access menu.

Microsoft Remote Connectivity Analyzer

Web application that you can access at https://testconnectivity.microsoft.com/. It allows you to perform remote tests that run from Microsoft's servers on the Internet, and can diagnose common connectivity problems for Office 365, on-premises Exchange, Lync/OCS Server, the Outlook client and Internet email.

Using UPN suffixes and non-routable domains

You must ensure that all user account objects in the on-premises Active Directory environment are configured with a value for the UPN suffix that is able to function for both the on-premises environment as well as Office 365. Things become more complicated when the internal Active Directory domain suffix is not publicly routable. If a domain is non-routable, the default routing domain (for example, adatum346ER.onmicrosoft.com) should be used for the Office 365 UPN suffix, which means modifying the UPN suffix of accounts stored in the on-premises Active Directory instance. Modification of the UPN after initial synchronization has occurred is not supported, so ensure that on-premises Active Directory UPNs are properly configured prior to performing initial synchronization using DirSync. To add a UPN suffix to the on-premises Active Directory for a non-routable namespace:
1. Open the Active Directory Domains And Trusts console and select Active Directory Domains And Trusts.
2. On the Action menu, click Properties.
3. On the UPN Suffixes tab, enter the UPN suffix to be used with Office 365. Figure 4-6 shows the UPN suffix of adatum346ER.onmicrosoft.com.
4. Once the UPN suffix has been added in Active Directory Domains And Trusts, you can assign the UPN suffix to user accounts.
5. You can use the ADModify.NET tool to reset the UPNs of multiple accounts.
6. You can also use Windows PowerShell scripts to reset the UPNs of multiple user accounts.

SQL Server used by Azure AD Connect

Azure AD Connect requires a SQL Server database to store identity data. By default a SQL Server 2012 Express LocalDB (a light version of SQL Server Express) is installed. SQL Server Express has a 10GB size limit that enables you to manage approximately 100,000 objects.
If you use a separate SQL Server, then these requirements apply:
- Azure AD Connect supports all flavors of Microsoft SQL Server from SQL Server 2008 (with latest Service Pack) to SQL Server 2016 SP1
- You can only have one sync engine per SQL instance

Get-MSOLUser

If you use the Get-MsolUser cmdlet without using the All parameter, only the first 500 accounts are returned.

Office 365 Mail reports

■■ Active and inactive mailboxes - Shows the number of active and inactive mailboxes over time. A mailbox is listed as inactive if the user associated with it has not connected to it for more than 30 days.
■■ New and deleted mailboxes - Lists the number of mailboxes that have been created and the number that have been deleted.
■■ New and deleted groups - Shows the number of groups created and deleted for the Office 365 subscription.
■■ Mailbox usage - Shows the total number of mailboxes associated with the Office 365 subscription, the number of mailboxes that are exceeding their storage quota, and the number of mailboxes using less than 25 percent of their storage limit.
■■ Types of mailbox connections - Lists the number of mailboxes accessed by each of the following protocols: MAPI, Outlook on the web, Exchange ActiveSync, EWS, IMAP, and POP3.

Skype for Business

■■ Active users - Number of users who took part in at least one peer-to-peer session in the reporting period.
■■ Peer-to-peer sessions - Total number of peer-to-peer sessions, including instant messaging, audio, video, application sharing, and file transfers during the specified time period.
■■ Conferences - Total number of conferences during the specified reporting period.
■■ Audio minutes and video minutes - Total number of minutes that were spent in either audio or video peer-to-peer sessions during the reporting period.
■■ Client devices - Tracks the number of unique users per type of device accessing Skype for Business.
■■ Client devices per user - Allows you to track the number of peer-to-peer sessions that a specific user engaged in during the last three months.
■■ User activities - Allows you to view the types of activities, including peer-to-peer sessions, instant messaging, audio, video, application sharing, file transfers, and conferences an individual user participated in during the reporting period.

Usage reports

■■ Browser used - Shows information about the different web browsers used to access Office 365 by users.
■■ Operating system used - Shows information about the different operating systems used to access Office 365 by users.
■■ Licensing vs. Active Usage - Provides information on how Office 365 services are used in comparison to what the subscription level provides.

Microsoft Exchange ActiveSync Connectivity Tests

■■ Exchange ActiveSync - This test checks whether a mobile device can connect to Office 365 messaging resources using Exchange ActiveSync.
■■ Exchange ActiveSync Autodiscover - This test checks whether a device uses Exchange ActiveSync to successfully obtain configuration settings from the Autodiscover service hosted through Office 365.

Connectivity Analyzer diagnostic tests

■■ I Can't Log On With Office Outlook - This test checks Outlook Anywhere (RPC over HTTP) functionality.
■■ I Can't Send Or Receive Email On My Mobile Device - This test checks Exchange ActiveSync functionality.
■■ I Can't Log On To Lync On My Mobile Device Or The Lync Windows Store App - This check verifies that DNS records have been correctly configured in your on-premises environment. It also checks the Autodiscover web service to verify that authentication and certificates are configured correctly.
■■ I Can't Send Or Receive Email From Outlook (Office 365 Only) - This test verifies the incoming and outgoing SMTP configuration. The test will also check DNS configuration.
■■ I Can't View The Free/Busy Information Of Another User - This test will perform a check to see if an Office 365 mailbox can access the free/busy information of an on-premises mailbox, or that an on-premises mailbox is able to access the free/busy information of an Office 365 mailbox.
■■ I Am Experiencing Other Problems With Outlook (English Only) - This test checks for Outlook configuration problems.
■■ I Can't Set Up Federation With Office 365, Azure, Or Other Services That Use Azure Active Directory - This test checks the prerequisites for setting up federation between an on-premises Active Directory deployment, Office 365, and Azure Active Directory.

Internet Email Tests

■■ Inbound SMTP Email - Checks that inbound SMTP email can be successfully sent to the on-premises Exchange deployment.
■■ Outbound SMTP Email - Checks outbound SMTP configuration to ensure that Reverse DNS, Sender ID, and RBL (Realtime Blackhole List) checks are passed.
■■ POP Email - Checks that a client can access an on-premises Exchange mailbox using the POP3 protocol.
■■ IMAP Email - Checks that a client can access an on-premises Exchange mailbox using the IMAP4 protocol.

Auditing reports

■■ Mailbox access by non-owners - You can use this report to search for mailboxes accessed by people other than their owners. One reason to use this report would be to check whether users with administrative privileges have accessed certain Office 365 mailboxes.
■■ Role group changes - This report allows you to view changes made to administrator role groups.
■■ Mailbox content search and hold - This report provides information on all In-Place eDiscovery & Hold operations performed across the Office 365 subscription.
■■ Mailbox litigation holds - This report shows all mailboxes that are configured for litigation hold.
■■ Azure AD reports - This option allows you to view Azure Active Directory reports. It requires a paid Azure Active Directory subscription.

Office 365 General Tests

- Office 365 Exchange Domain Name Server (DNS) Connectivity Test - Checks the external domain name settings, including whether there are issues for mail delivery and any client connectivity issues related to DNS.
- Office 365 Lync Domain Name Server (DNS) Connectivity Test - Checks the external domain name settings related to Lync for a custom Office 365 domain user.
- Office 365 Single Sign-On - This test allows you to verify that it is possible to sign on to Office 365 using on-premises credentials. This test also performs basic validation of the Active Directory Federation Services configuration.

OneDrive for Business

- OneDrive for Business sites deployed - This report shows the number of OneDrive for Business sites deployed within the reporting period.
- OneDrive for Business storage - This report shows the storage space consumed by OneDrive for Business sites. This report can also be configured to show the amount of storage space consumed by team sites as well as by the entire Office 365 subscription.

Microsoft Office Outlook Connectivity Tests

- Outlook Connectivity - Checks that an Outlook client on the Internet is able to connect to the on-premises Exchange deployment.
- Outlook Autodiscover - Checks that an Outlook client on the Internet can be configured with on-premises Exchange settings through Autodiscover.

TRIPP performs the following tests:

- Speed - This test determines download and upload speed, data quality, and TCP efficiency. The test uses TCP port 443. Speeds below 1 Mbps will lead to problems with audio and video quality.
- Route - This test determines route quality by measuring packet loss, latency, round trip time, and ISP peering points. The test uses ICMP.
- VoIP - This test determines VoIP quality by assessing UDP loss and jitter. It uses UDP ports 50021 and 50022. It checks whether the round trip response time is consistent; inconsistent round trip times may lead to choppy or jittery connections. In general, if there is more than a 5 ms variance in round trip time, VoIP will be jittery. If packet loss is greater than 2 percent, audio and video quality will be degraded.
- Firewall - This test checks the following ports:
  - TCP port 443 for Client Signaling plus AppShare
  - TCP port 5061 for Federation Signaling
  - UDP port 3478 for Media Access
  - UDP ports in the range 50,000 through 59,999 for Audio/Video transport tests

Microsoft Exchange Web Services Connectivity Tests

- Synchronization, Notification, Availability, and Automatic Replies - Checks the functionality of many on-premises Exchange Web Services tasks.
- Service Account Access (Developers) - Checks that a specified service account is able to access a nominated on-premises mailbox and to perform operations such as the creation and deletion of mailbox items. Also checks Exchange impersonation functionality.

Microsoft Exchange Web Services Connectivity Tests

- Synchronization, Notification, Availability, and Automatic Replies - Checks the availability and functionality of Exchange Web Services resources in the Office 365 deployment.
- Service Account Access (Developers) - Checks the ability of a service account to access an Office 365 mailbox, create and delete items in the mailbox, and access the mailbox through Exchange Impersonation.

ADFS Meeting network requirements

- TCP/IP connectivity must exist between the Internet and the Web Application Proxy servers on the perimeter network. This enables communication between Microsoft Office 365 servers and the computers hosting the Web Application Proxy role.
- For external clients, the fully qualified domain name of the AD FS service must resolve to the public IP address of the Web Application Proxy server. For example, if the AD FS service name is adfs.adatum346er.net, then this address must resolve to the public IP address of the Web Application Proxy server. If you've configured load balancing for the Web Application Proxy servers, then this address will need to resolve to the public IP address of the load balancer.

SharePoint

- Tenant storage metrics - Shows the storage space used by the entirety of the Office 365 subscription.
- Team sites deployed - Shows the number of active and inactive team sites deployed across the Office 365 subscription.
- Team site storage - Displays the storage space used for team sites across the entire Office 365 subscription.

Rules reports

- Top rule matches for mail - This report allows you to view the number of messages based on sent and received transport rule matches.
- Rule matches for mail - This report shows all rule matches for received and sent email.

Protection reports

- Top senders and recipients - This report allows you to view the top mail senders, the top mail recipients, the top spam recipients, and the top malware recipients across the Office 365 subscription.
- Top malware for mail - This report shows the amount of malware received through email for the reporting period.
- Malware detections - This report shows the amount of malware sent and received through the Office 365 subscription for the reporting period.
- Spam detections - This report shows the amount of spam on the basis of the content being filtered or the original sending host being blocked.
- Sent and received mail - This report shows the amount of sent and received mail categorized by good mail, malware, spam, and messages dealt with by rules.

Mail Flow Configuration

- Verify Service Delivery Test - Checks delivery from Office 365 by sending service-generated messages to a specified IP address.
- Verify MX Record and Outbound Connector Test - Verifies the MX record configuration and that Office 365 is configured to enable mail delivery on the basis of this record.
- Free/Busy Test - Checks that an Office 365 mailbox is able to access the free/busy information of an on-premises mailbox. Also checks that an on-premises mailbox is able to access the free/busy information of an Office 365 mailbox.

DirSync can be installed on these computers:

- Windows Server 2003 with Service Pack 1 (x86 and x64)
- Windows Server 2003 R2 (x86 and x64)
- Windows Server 2008 (x86 and x64)
- Windows Server 2008 R2 (x64)
- Windows Server 2012 (x64)
- Windows Server 2012 R2 (x64)

Prior to attempting to install DirSync, you must ensure that you have installed the following software prerequisites:

- Microsoft .NET Framework 3.5 SP1
- Microsoft .NET Framework 4.0
- Azure Active Directory module for Windows PowerShell

The computer that hosts DirSync must be a member of a domain in the forest that you want to synchronize and must have connectivity to a writable domain controller in each domain of the forest you want to synchronize on the following ports:

- DNS: TCP/UDP Port 53
- Kerberos: TCP/UDP Port 88
- RPC: TCP Port 135
- LDAP: TCP/UDP Port 389
- SSL: TCP Port 443
- SMB: TCP Port 445

