This entry holds my notes for Microsoft’s O365 certification 70-346, updated while studying for the cert. The Exam Ref book is the main resource, supported by Microsoft’s online documentation.
What’s required for the cert
Provision Office 365 (15–20%)
Plan and implement networking and security in Office 365 (15–20%)
Manage cloud identities (15–20%)
Implement and manage identities by using Azure Active Directory Synchronization (AADSync) (15–20%)
Implement and manage federated identities for single sign-on (SSO) (15–20%)
Monitor and troubleshoot Office 365 availability and usage (15–20%)
https://www.microsoft.com/en-us/learning/exam-70-346.aspx
Provisioning & admin roles
- O365 plans
- Business plans have 300 user cap, E-level unlimited
- SharePoint included in E-level plans
- 1 TB OneDrive per user
- 50 GB inbox for Business Essentials/Premium and E1, unlimited for E3/E5
- Sign up with a dedicated email address; that account becomes the first global admin
- Changing region is not possible afterwards
- Company name will be in the companyname.onmicrosoft.com for the subscription, not changeable later on
- Admin roles
- Global – Can do anything
- Billing – Manage subscriptions, tickets & monitor health
- Service – Manage service requests & monitor health
- Password – Change passwords for users except above admins
- User management – Change passwords (above excepted), monitor health and manage user accounts, groups and service requests
- Exchange
- SharePoint
- Skype for Business
- Delegated – Full or Limited
- Full – Same as global admin
- Limited – Same as password admin
- When a license is assigned, the user’s account gets an Exchange mailbox, default SharePoint Online rights, access to Skype for Business and access to Office 365 ProPlus
- Custom domain name can be set up after initial setup
- Confirm ownership by changing TXT records in domain’s DNS, if not using GoDaddy
- Select which services you want to use with the domain, config manually if needed
- MX
- CNAME
- Autodiscover – autodiscover.outlook.com
- Sip – sipdir.online.lync.com
- Lyncdiscover – webdir.online.lync.com
- msoid – clientconfig.microsoftonline-p.net
- TXT
- Name: @
- Value: v=spf1 include:spf.protection.outlook.com -all
- SRV
- _sip._tls, port 443
- _sipfederationtls._tcp, port 5061
- Move DNS if needed
- ns1.bdm.microsoftonline.com
- ns2.bdm.microsoftonline.com
- Plan and execute pilot with set of users
- Set up SPF record and Internal Relay for pilot users in O365 with onmicrosoft.com domain and configure reply-to address with on-premise domain
- Run Office365 on-ramp readiness tool
Resources
Networking and security
- Configure DNS
- Autodiscover CNAME record set up for Outlook to automatically configure itself
- MX record set up for email
- Format is like domain-com.mail.protection.outlook.com
- Instructions for this found in O365 admin center
- SPF (Sender Policy Framework, a special TXT record) lets receiving servers validate that the sending server is authorized to send mail for the domain
- v=spf1 include:spf.protection.outlook.com -all
- Exchange federation
- TXT
- Two hashed records, found from O365 admin
- CNAME
- Autodiscover.service.domain.com to autodiscover.outlook.com
- TXT
- Skype for Business
- SRV
- sipdir.online.lync.com (_sip, _tcp, 443)
- Sipfed.online.lync.com (_sipfederationtls, _tcp, 5061)
- CNAME
- sip.domain.com to sipdir.online.lync.com
- lyncdiscover.domain.com to webdir.online.lync.com
- SRV
- SharePoint SPF
- Needed only if SP allowed to send email to external users
- add “include:sharepointonline.com” to SPF record
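As an added example (not from the original notes), a PowerShell check of the records listed above against public DNS. The domain name is a placeholder, and the SRV names are assumed to be in the _sip._tls / _sipfederationtls._tcp form:

```powershell
# Verify that a custom domain's public DNS carries the Office 365 records.
# Added example, not from the original notes; $Domain is a placeholder.
$Domain = "example.com"

$checks = @(
    @{ Name = $Domain;                          Type = "MX";    Expect = "mail.protection.outlook.com" },
    @{ Name = $Domain;                          Type = "TXT";   Expect = "include:spf.protection.outlook.com" },
    @{ Name = "autodiscover.$Domain";           Type = "CNAME"; Expect = "autodiscover.outlook.com" },
    @{ Name = "sip.$Domain";                    Type = "CNAME"; Expect = "sipdir.online.lync.com" },
    @{ Name = "lyncdiscover.$Domain";           Type = "CNAME"; Expect = "webdir.online.lync.com" },
    @{ Name = "msoid.$Domain";                  Type = "CNAME"; Expect = "clientconfig.microsoftonline-p.net" },
    @{ Name = "_sip._tls.$Domain";              Type = "SRV";   Expect = "sipdir.online.lync.com:443" },
    @{ Name = "_sipfederationtls._tcp.$Domain"; Type = "SRV";   Expect = "sipfed.online.lync.com:5061" }
)

foreach ($c in $checks) {
    try {
        # -DnsOnly bypasses the local cache/hosts file so we see what the public resolver sees
        $answers = Resolve-DnsName -Name $c.Name -Type $c.Type -DnsOnly -ErrorAction Stop
    } catch {
        Write-Output ("MISSING {0,-6} {1}" -f $c.Type, $c.Name)
        continue
    }
    # Each record type carries its target in a different property
    $values = switch ($c.Type) {
        "MX"    { $answers | Where-Object QueryType -eq "MX"    | ForEach-Object NameExchange }
        "TXT"   { $answers | Where-Object QueryType -eq "TXT"   | ForEach-Object { $_.Strings -join "" } }
        "CNAME" { $answers | Where-Object QueryType -eq "CNAME" | ForEach-Object NameHost }
        "SRV"   { $answers | Where-Object QueryType -eq "SRV"   | ForEach-Object { "$($_.NameTarget):$($_.Port)" } }
    }
    $ok = $values | Where-Object { $_ -like "*$($c.Expect)*" }
    $status = if ($ok) { "OK     " } else { "WRONG  " }
    Write-Output ("{0} {1,-6} {2} -> {3}" -f $status, $c.Type, $c.Name, ($values -join ", "))
}

# SPF sanity: exactly one v=spf1 record, and it must end in a hard fail (-all)
$spf = (Resolve-DnsName -Name $Domain -Type TXT -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object QueryType -eq "TXT" | ForEach-Object { $_.Strings -join "" }) -match '^v=spf1'
if ($spf.Count -ne 1)        { Write-Output "SPF: expected exactly one v=spf1 record, found $($spf.Count)" }
elseif ($spf -notlike "*-all") { Write-Output "SPF: record does not end with -all (soft fail or neutral)" }
else                         { Write-Output "SPF: OK ($spf)" }
```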
- Proxy server with authentication required blocks connectivity to O365
- Bandwidth estimation
- Exchange Client Network Bandwidth calculator for Outlook
- Skype for Business Online Bandwidth calculator
- OneDrive for Business Synchronization calculator
- Azure Rights Management
- Can be used to protect and monitor files
- Requires service plan with Azure RMS (not in all subscriptions)
- Restrictions can be applied to documents in Office applications through menu
- Azure Rights management admins can control service but not necessarily view data protected by the service
- Add-AadrmRoleBasedAdministrator
- Azure RMS super user can access protected documents and alter protection on existing files
- Enable-AadrmSuperUserFeature to enable super user feature
- Disable-AadrmSuperUserFeature to disable
- Add-AadrmSuperUser to add
- Get-AadrmSuperUser to list users
- (Un)Protect file
- Unprotect-RMSFile
- Protect-RMSFile
- Admin roles cannot be added to groups
- PowerShell to manage
- Add-MsolRoleMember add role to user
- Remove-MsolRoleMember remove role from user
- Get-MsolRole list admin roles
- Get-MsolRoleMembers list members of role
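An added example (not from the original notes) that uses the role cmdlets above to list who holds each admin role and whether MFA is enforced for them. It assumes the MSOnline module is installed:

```powershell
# Audit admin role membership and MFA state. Added example, not from the notes.
Connect-MsolService

$report = foreach ($role in Get-MsolRole) {
    foreach ($m in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        $mfa = "n/a"
        if ($m.RoleMemberType -eq "User") {
            $u = Get-MsolUser -ObjectId $m.ObjectId
            # StrongAuthenticationRequirements is empty when per-user MFA is neither enabled nor enforced
            $state = $u.StrongAuthenticationRequirements | Select-Object -First 1
            $mfa = if ($state) { $state.State } else { "Disabled" }
        }
        [pscustomobject]@{
            Role       = $role.Name
            Member     = $m.EmailAddress
            MemberType = $m.RoleMemberType
            MFA        = $mfa
        }
    }
}

$report | Sort-Object Role, Member | Format-Table -AutoSize

# "Company Administrator" is the MSOnline name of the Global admin role;
# members without enforced MFA are the first thing to fix
$report | Where-Object { $_.Role -eq "Company Administrator" -and $_.MFA -ne "Enforced" }
```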
Resources
Manage cloud identities
- O365 Identities are not stored in O365 but in Azure AD
- Password policies
- Passwords expire every 90 days by default; the period can be set between 14 and 730 days, or passwords can be set to never expire
- 14-day expiry warning, configurable 1-30 days
- 8-16 characters, containing three of the four: upper case, lower case, number and special character
- no Unicode or spaces or . before @ ( .@ )
- Last password cannot be re-used
- Set-MsolPasswordPolicy ($true / $false)
- Set-MsolUser
- Self-service pw reset
- Available for AAD Basic and Premium, not Free
- Can be allowed for all or just selected set of groups (not admins)
- Option for one or multiple authentication methods (phones, alt email, sec question)
- Premium required for writeback to on-prem AD (Azure AD Connect needed)
- Bulk import with specifically formatted CSV, sample in admin tools
- Deleting users (soft delete), 30 days recoverable
- O365 Admin
- Remove-MsolUser
- Exchange Admin Center
- Directory sync from on-prem AD
- Multifactor auth with mobile app, OTP, phone, SMS
- Optional or enforced
- App passwords needed for non-browser clients
- Can be disallowed
- Default TTL 14d
- Can be reset
- Graph API
- Allows user account management
- Application needs to be registered to AAD (AppID, SSO URL)
- AAD Module for Windows PowerShell
- Connect-MsolService
- User management
- Pass reset: Set-MsolUserPassword
- UserPrincipalName String
- ObjectId GUID
- TenantID GUID
- ForceChangePassword Boolean
- NewPassword String
- Set-MsolUser -UserPrincipalName
- PasswordNeverExpires $true
- StrongPasswordRequired $false
- ReturnDeletedUsers
- Import-Csv -path .\UserImport.csv
- Get-MsolAccountSku
- Get- and Set-MsolUser can be piped to perform bulk updates
- Remove-MsolUser -Force for hard delete
- Set-MsolUserPrincipalName
- Add-MsolGroupMember
- Get-MsolGroupMember
- MsolGroup (Set/Get/New/Remove)
- Domain and federation management
- MsolDomain (Set/Get/New/Remove)
- MsolPasswordPolicy (Set/Get)
- MsolFederatedXX
- MsolDirSyncEnabled
- Set of commands for subscription and license management as well as for company information and service management
- For organizations using single sign-on, all users on a domain must use the same identity system: either cloud identity or federated identity.
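An added example (not from the original notes) that pulls the identity tasks of this section together: the tenant password policy, a CSV bulk import with licenses, and recovery of a soft-deleted user. It assumes Connect-MsolService has been run; the domain, file paths, user names and CSV layout are placeholders I constructed:

```powershell
# Password policy, bulk import and soft-delete recovery. Added example, not from the notes.
$Domain = "example.com"   # placeholder

# Password policy: 120-day validity, warn 21 days ahead (defaults are 90 / 14)
Set-MsolPasswordPolicy -DomainName $Domain -ValidityPeriod 120 -NotificationDays 21
Get-MsolPasswordPolicy -DomainName $Domain

# Bulk import. Constructed CSV header:
#   UserPrincipalName,DisplayName,FirstName,LastName,UsageLocation
# Pick the first SKU that still has free units
$sku = (Get-MsolAccountSku |
        Where-Object { $_.ActiveUnits -gt $_.ConsumedUnits } |
        Select-Object -First 1).AccountSkuId

$results = Import-Csv -Path .\UserImport.csv | ForEach-Object {
    # UsageLocation (two-letter country code) is mandatory before a license can be assigned
    $u = New-MsolUser -UserPrincipalName $_.UserPrincipalName -DisplayName $_.DisplayName `
                      -FirstName $_.FirstName -LastName $_.LastName -UsageLocation $_.UsageLocation `
                      -LicenseAssignment $sku -ForceChangePassword $true
    # New-MsolUser returns the generated temporary password in the Password property
    [pscustomobject]@{ UPN = $u.UserPrincipalName; TempPassword = $u.Password }
}
# The temporary passwords are secrets: keep this file off shared drives and out of logs
$results | Export-Csv -Path .\UserImport-result.csv -NoTypeInformation

# Soft-deleted users stay recoverable for 30 days
Get-MsolUser -ReturnDeletedUsers | Select-Object UserPrincipalName, SoftDeletionTimestamp
Restore-MsolUser -UserPrincipalName "alice@$Domain"   # placeholder user

# Hard delete cannot be undone
Remove-MsolUser -UserPrincipalName "bob@$Domain" -RemoveFromRecycleBin -Force
```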
Resources
https://technet.microsoft.com/library/jj943764.aspx
https://technet.microsoft.com/fi-fi/library/jj151835.aspx (in Finnish)
https://support.microsoft.com/en-us/kb/2619308
https://technet.microsoft.com/en-us/library/b7727a57-b002-4d84-a20c-3192b1d6b1b4
https://technet.microsoft.com/en-us/library/321d532e-407d-4e29-a00a-8afbe23008dd
https://technet.microsoft.com/library/office-365-user-account-management.aspx
Implement and manage DirSync
- DirSync
- DirSync is older, AAD Connect should be used instead but DirSync still valid
- Replicates changes from on-prem AD to O365, matching objects on email address
- Single forest deployment
- Licenses are not assigned automatically; disabled users still reserve licenses
- Most but not all AD attributes are synced
- On-prem AD is authoritative over AAD
- Setup
- Create Azure VM for sync tool
- Setup 365
- Install DirSync
- Add license to 365
- AAD Sync
- Follow-up for DirSync, supports multi-forest deployment
- Selective replication
- AAD Connect
- Replacement for DirSync and AAD Sync
- Can automatically configure federation/SSO between AAD and on-prem AD
- Supports Exchange hybrid, writebacks, etc.
- Preparation for syncing
- Cleanup AD objects (invalid characters, UPN, etc)
- IdFix tool for preparation work!
- ADModify.NET for applying attribute changes to multiple objects
- .internal / .local cannot be used in UPN
- Plan possible sync filters (Domain, OU, attribute)
- extensionAttribute15 to NoSync (for user-attribute filter)
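An added example (not from the original notes) that finds the object problems IdFix would flag before the first sync, and tags on-prem-only service accounts with the extensionAttribute15 filter value above. It assumes the ActiveDirectory module, a single verified UPN suffix and a "svc-" naming convention, all placeholders:

```powershell
# Pre-sync AD hygiene checks. Added example, not from the notes.
Import-Module ActiveDirectory
$VerifiedSuffix = "example.com"   # placeholder: the UPN suffix verified in O365

$users = Get-ADUser -Filter * -Properties mail, proxyAddresses, extensionAttribute15

# UPN prefix characters O365 accepts: letters, digits and . - _ ! # ^ ~ '
$badUpn = $users | Where-Object {
    $_.UserPrincipalName -and
    ($_.UserPrincipalName.Split("@")[0] -notmatch '^[A-Za-z0-9._!#^~''-]+$')
}

# UPN suffix not routable (.local, .internal, ...) or no UPN at all
$badSuffix = $users | Where-Object {
    -not $_.UserPrincipalName -or $_.UserPrincipalName -notlike "*@$VerifiedSuffix"
}

# Duplicate SMTP addresses across proxyAddresses block the sync of both objects
$dupSmtp = $users | ForEach-Object {
    $u = $_
    ($u.proxyAddresses | Where-Object { $_ -like "smtp:*" }) | ForEach-Object {
        [pscustomobject]@{ Address = $_.Substring(5).ToLower(); Sam = $u.SamAccountName }
    }
} | Group-Object Address | Where-Object Count -gt 1

"--- invalid UPN prefix ---";  $badUpn    | Select-Object SamAccountName, UserPrincipalName
"--- wrong UPN suffix ---";    $badSuffix | Select-Object SamAccountName, UserPrincipalName
"--- duplicate SMTP ---";      $dupSmtp   | ForEach-Object { "{0}: {1}" -f $_.Name, ($_.Group.Sam -join ", ") }

# Exclude on-prem-only service accounts from sync via the attribute filter (value from the notes)
Get-ADUser -Filter 'Name -like "svc-*"' | Set-ADUser -Replace @{ extensionAttribute15 = "NoSync" }
```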
- Installation requirements
- Win Server 2003 forest functional level or higher
- Windows Server 2003 SP1 or newer
- .Net 3.5 & 4.0
- AAD module for Win PS
- Ports 53, 88, 135, 389, 443, 445
- Number of AD objects defines what kind of HW should be used
- 10k, 50k, 100k, 300k, 600k
- O365 initial limit 50k, for verified domain 300k
- Synchronization Service Manager / Identity Manager
- %ProgramFiles%\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell folder
- Used for configuring filtering
- Password sync
- Not same as SSO
- Overrides AAD complexity policies from on-premise AD
- AAD password is set to never expire
- Users
- Newly created users from sync are not automatically assigned with a license
- Licenses can be assigned manually or with PS
- Assign licenses for new users in bulk
$Sku = Get-MsolAccountSku   # assumes one SKU in the tenant and UsageLocation already set on the users
Get-MsolUser -UnlicensedUsersOnly | Set-MsolUserLicense -AddLicenses $Sku.AccountSkuId
- User account modifications are replicated from on-prem AD and overwrite AAD info
- Sync every 3 hours by default or manually with Identity Manager (default can be modified from Microsoft.Online.DirSync.Scheduler.exe.Config)
- Deleting users
- Deletion from on-prem reflected to AAD through sync
- Recycle bin 30 days
- If the on-prem AD recycle bin is not in use, restoring the account means creating it again with a new GUID -> the O365 account is not restored, a new one is created
Resources
https://technet.microsoft.com/en-us/library/dn635310.aspx
https://msdn.microsoft.com/library/azure/dn757582.aspx
https://msdn.microsoft.com/en-us/library/azure/jj710171.aspx
https://technet.microsoft.com/en-us/library/dn635310%28v=office.15%29.aspx
https://msdn.microsoft.com/en-us/library/azure/dn246918.aspx
Implement and manage federated identities (SSO)
- AD FS proxy
- Called “AD FS proxy” on Windows Server 2008 (R2) & 2012
- Called “Web Application Proxy” on Server 2012 R2
- Server number
- < 1000 – 1 server
- 1000 to 15k – 2 servers with load balancer
- 15k – 60k – 3 to 5 servers
- SSL Certificate
- Service communication certificate
- 2012 R2
- Needs to be 3rd party issued
- Subject Name adfs.domain.com
- Alternative Name enterpriseregistration.domain.com
- Cannot be a wildcard cert
- <= 2012
- Subject Name needs to be shortname
- Needs to be 3rd party issued
- Cannot be wildcard cert
- Needs to be stored on local Personal Certificate Store
- 2012 R2
- Service communication certificate
- AD FS needs to be resolvable from external DNS
- Multi-factor authentication possible by installing Azure MFA Server
- Phone, TXT, Mobile app, OATH Token
- Access filtering with Claim Rules
- AD FS requires dedicated service account
- Password never expires
- Log on as a Service
- Log on as a Batch Job
- setspn.exe
- AD FS needs to be added as a role to server(s) through Add Roles and Features
- Install-WindowsFeature -IncludeManagementTools ADFS-Federation
- Certificate needs to be in place at Personal Certificate store
- Additional servers added with wizard (install cert, configure service account)
- Converting from standard to federated domain
- Set-MsolADFSContext -Computer SYD-ADFS.domain.com
- Convert-MsolDomainToFederated -DomainName domain.com
- Verify federation with Get-MsolDomain
- Configuring AD FS to manage token-signing certificate is recommended
- Manual cert update through Server Manager -> Certificates
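An added example (not from the original notes) that runs the conversion above, verifies the result with Get-MsolDomain, and then checks the token-signing certificate and the rollover setting on the AD FS server. It assumes the MSOnline and ADFS modules on the AD FS server; server and domain names are placeholders:

```powershell
# Convert a domain to federated and verify AD FS certificate handling. Added example, not from the notes.
Connect-MsolService
Set-MsolADFSContext -Computer adfs.example.com          # placeholder AD FS server
Convert-MsolDomainToFederated -DomainName example.com   # placeholder domain

# Authentication must now read "Federated"
$d = Get-MsolDomain -DomainName example.com
if ($d.Authentication -ne "Federated") { throw "example.com is still $($d.Authentication)" }
Get-MsolFederationProperty -DomainName example.com |
    Select-Object Source, FederationServiceDisplayName, PassiveLogOnUri, TokenSigningCertificate

# Token-signing cert: AD FS should be rolling it over itself (AutoCertificateRollover)
Import-Module ADFS
$props = Get-AdfsProperties
$ts = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$daysLeft = ($ts.Certificate.NotAfter - (Get-Date)).Days
"AutoCertificateRollover={0}, primary token-signing cert expires in {1} days" -f $props.AutoCertificateRollover, $daysLeft

if (-not $props.AutoCertificateRollover) {
    # With manual management, O365 only learns about a new cert when the trust is updated
    Write-Warning "Rollover is manual: after renewing the cert, run Update-MsolFederatedDomain -DomainName example.com"
}
```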
- An A record should be mapped for the Web Application Proxy (AD FS proxy) for external name resolution
- Web Application Proxy needs to be able to resolve AD FS server(s)
- ADFS may be internal as long as proxy can resolve the server(s)
- Proxy is part of the Remote Access role
- Customizing ADFS pages
- HomeRealmDiscovery.aspx – Presents a selection UI for the user to select the organization to which he or she belongs.
- FormsSignIn.aspx – Handles Form-based authentication with user name and password.
- SignOut.aspx – Handles Sign-Out requests.
- IdpInitiatedSignOn.aspx – Presents a selection UI for the user to select an RP application to sign in to. This page only works for RP applications that use the SAML protocol.
- Error.aspx – Displays authentication errors to the user.
- MasterPages/MasterPage.master – A master page template for all the pages.
Resources
https://technet.microsoft.com/en-au/library/dn151311.aspx
https://technet.microsoft.com/en-us/library/e340cf8f-acf3-4cba-8135-a9353b85e714
https://msdn.microsoft.com/en-us/library/ee895359.aspx
Monitor and troubleshoot O365
- Mail reports
- Active and inactive mailboxes
- Inactive = user not connected in last 30 days
- New and deleted mailboxes & groups
- Mailbox usage
- # of boxes
- boxes exceeding quota or using <25% quota
- Types of mailbox connections (MAPI, OWA, ActiveSync, EWS, IMAP, POP3)
- Usage reports
- Browsers, OSes, licenses vs. usage
- Skype4B reports (active, # of conferences, Audio&Video minutes, clients, sessions)
- OneDrive4B (sites deployed & storage)
- SharePoint reports (Audit site collections, Storage, team sites deployed/storage)
- Auditing reports
- Mailbox access by non-owners (admins)
- Role group changes (changes in admin groups)
- Mailbox content search and hold (eDiscovery)
- AAD reports (requires paid AAD subscription, Basic/Premium)
- Protection reports
- Top senders and recipients
- Malware & spam reports
- Sent and received (good, malware, spam, rules)
- DLP reports (Only for Exchange Online and Exchange Online Protection)
- Service Health Dashboard shows health of all O365 services
- Service restore = incident was active in last 24h
- RSS feed available for notifications
- O365 Management Pack
- Allows monitoring O365 from on-prem System Center Operations Manager
- Requires own account with global admin rights
- Can be used to monitor multiple subscriptions
- There’s a set of PowerShell cmdlets to view and manage admin and mailbox audit logs
- Search-, Write-AdminAuditLog
- Get-AdminAuditLogConfig
- New-AdminAuditLogSearch
- Get-, Set-MailboxAuditBypassAssociation
- Search-MailboxAuditLog
- New-MailboxAuditLogSearch
- Get-, Search-MessageTrackingReport
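An added example (not from the original notes) that connects to Exchange Online remote PowerShell and uses the cmdlets above for the two audit views mentioned earlier: non-owner mailbox access and admin role group changes. It assumes a global admin credential; the mailbox and recipient addresses are placeholders:

```powershell
# Mailbox and admin audit log searches in Exchange Online. Added example, not from the notes.
$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Mailbox auditing is per mailbox; nothing is logged where it is off
Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.AuditEnabled } |
    Set-Mailbox -AuditEnabled $true

# Who other than the owner (admins, delegates) touched this mailbox in the last 7 days
Search-MailboxAuditLog -Identity alice@example.com -LogonTypes Admin,Delegate `
    -StartDate $start -EndDate $end -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, FolderPathName, ClientInfoString |
    Format-Table -AutoSize

# Admin audit log: who changed admin role groups, and from where
Search-AdminAuditLog -Cmdlets Add-RoleGroupMember,Remove-RoleGroupMember,New-RoleGroup `
    -StartDate $start -EndDate $end |
    Select-Object RunDate, Caller, CmdletName, ObjectModified |
    Format-Table -AutoSize

# Longer ranges: an async search whose results are mailed as an attachment
New-AdminAuditLogSearch -Name "RoleGroupChanges" -StartDate $start.AddDays(-83) -EndDate $end `
    -Cmdlets Add-RoleGroupMember,Remove-RoleGroupMember -StatusMailRecipients admin@example.com

Remove-PSSession $session
```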
- Service Requests to Microsoft can be created through Support – Service Requests in O365 admin
- Select affected service, provide issue description (system suggests possible solutions), submit
- Fields vary depending on the service and issue
- Remote Connectivity Analyzer
- Run from Internet
- on-prem reports
- Exchange ActiveSync checks connection from internet to on-prem
- Exchange ActiveSync Autodiscover checks automatic configuration working
- Service Account Access checks that service accounts can access on-prem service and Exchange impersonation functionality
- Outlook Connectivity / Autodiscover checks that Outlook can connect on-prem and configure automatically
- O365 reports
- O365 Exchange DNS connectivity test checks DNS settings and for issues in mail delivery or client connectivity
- O365 Lync DNS connectivity test checks for Skype4B external domain access
- O365 SSO test verifies it is possible to sign in with on-prem credentials and validates ADFS config
- Free/Busy test checks that O365 mailbox is able to see free/busy from on-prem mailbox, also checks vice versa
- Similar Exchange, Outlook, mail, etc. reports as in on-prem but against O365
- Diagnose connectivity issues with O365, Exchange (on-prem), Skype4B and Outlook
- Connectivity Analyzer
- Run locally, similar to remote tool
- Reports
- “I can’t log on with Office Outlook” checks Outlook Anywhere functionality
- “I can’t send or receive email on my mobile device” checks ActiveSync
- “I can’t log on to Lync XXX” verifies DNS records in on-prem and autodiscover web service for proper authentication and certs
- “I can’t send or receive from outlook” verifies incoming/outgoing SMTP and DNS
- “I can’t view the free/busy…” checks if O365 mailbox can access on-prem or vice versa
- “I’m experiencing other problems with Outlook” checks configuration problems from Outlook
- “I can’t set up federation with O365, azure or other service using AAD” checks for prerequisites for setting up federation
- Transport Reliability IP Probe (TRIPP)
- Validates paths, ports and routing between services
- Evaluates Voice over IP and network speed quality
- Firewall ports TCP 443 & 5061 and UDP 3478 & 50000-59999
- Skype4B
- Audio TCP/UDP 50000-50019
- Video TCP/UDP 50020-50039
- Screensharing TCP/UDP 50040-50059
- Hybrid Free/Busy Troubleshooter
- For troubleshooting issues in O365 hybrid configuration
- Requires Exchange 2003 or newer and O365 tenant admin privileges
- Options in the tool point to the Remote Connectivity Analyzer and give advice
- My cloud user cannot see free/busy for an on-prem user
- My on-prem user cannot see free/busy for a cloud user
- I want to see some common tools for troubleshooting free/busy issues
Resources
https://technet.microsoft.com/en-US/library/ff701693%28v=exchg.150%29.aspx