Microsoft 365 workloads:

Microsoft 365 workloads include services such as Exchange Online, SharePoint Online \ OneDrive for Business and Microsoft Teams, plus a few other services such as Planner and PowerApps. A Microsoft 365 E3 or E5 license allows the use of these Microsoft 365 workloads.

Microsoft Exchange Online

The On-Premise version of Exchange Server is available as a cloud service from Microsoft, Exchange Online (EXO). EXO provides a secure email infrastructure covering email, meetings, tasks and resource booking.

As part of digital transformation, organizations are migrating their data to the cloud. Exchange On-Premise infrastructure is being migrated to Exchange Online, and enterprises are maintaining a Hybrid Exchange infrastructure by keeping a few mailboxes in On-Premise Exchange and most mailboxes in Microsoft 365 Exchange Online, to minimize the total cost of ownership.

Exchange Online Migration Options:

Migrating mailboxes to Exchange Online must be planned, and the IT team should know the migration strategies available to move their data to Office 365. We should have full details about the existing Exchange infrastructure.

Note: The migration approach is decided based on three things: the current email system, the number of email systems and the co-existence requirement.

Below are the Office 365 migration approaches available now.

Cutover Exchange Migration: Organizations using Exchange 2003 and above with fewer than 2000 users can prefer the Cutover Migration. Only mailboxes are migrated to Exchange Online; the admin has to create the groups manually in EXO.

Cutover Migration Steps:

  1. Admin verifies the email domain in Microsoft 365
  2. Create a migration endpoint of type Outlook Anywhere in EXO
  3. Assign Full Access permission and Receive As permission on all mailboxes to the migration account
  4. Migrate the mailboxes to Office 365
  5. Route emails via EXO by modifying the MX record. Create the groups manually in EXO
  6. Assign licenses once the mailboxes are migrated to Office 365.

Staged Migration: Organizations using Exchange 2003 or Exchange 2007 with more than 2000 mailboxes can use staged migration. The EXO migration happens through RPC over HTTP, which must be properly configured with a third-party certificate. Directory Sync is required to synchronize objects from On-Premise accounts to Microsoft 365.

Staged Migration Steps:

  1. Verify the On-Premise email domain in Microsoft 365
  2. Sync the Objects to Microsoft 365 Azure AD using AD Connect
  3. Create a CSV (emailaddress,password,changepassword) with mailboxes selected for migration
  4. Create a migration endpoint type as Outlook Anywhere
  5. Migrate the mailbox to Office 365
  6. Migrated users will have two mailboxes; convert the On-Premise mailbox to a mail-enabled user
  7. Change the MX record to receive the email through Microsoft 365 and assign the license

Hybrid Configuration: Organizations using Exchange 2010 and above with more than 2000 mailboxes that prefer to keep mailboxes both in Exchange On-Premise and Exchange Online can use the Hybrid Configuration. There are two types of Hybrid Configuration:

Minimal Hybrid, to migrate the mailboxes within a few weeks and keep all mailboxes in Office 365.

Full Hybrid, to migrate the required mailboxes to Office 365 and stay in coexistence between Exchange On-Premise and Office 365.

Full Hybrid Configuration Migration Steps:

  1. Verify the email domain in Microsoft 365
  2. Synchronize the On-Premise mailbox objects to Microsoft 365
  3. Create an Exchange Remote Migration endpoint in Exchange Online
  4. Enable the MRS Proxy in EWS virtual directory
  5. Migrate the mailbox to Exchange Online from Exchange Online Portal / PowerShell.
  6. Route the emails to Microsoft 365 when required
  7. Assign the license to migrated mailbox accounts

IMAP Migration: If you have an environment that supports IMAP, such as Gmail, or an organization using Exchange 2000 or earlier, and want to migrate mailboxes to Office 365, we can use IMAP migration. Only email is migrated as part of IMAP migration. Contacts, tasks and calendar items are not migrated, and the user has to move those manually if required.

Note: Before doing an IMAP migration, the mailbox must be created in Exchange Online; then the IMAP system mailbox can be migrated into it.

IMAP Migration Steps:

  1. Create the Users accounts in Microsoft 365
  2. Prepare the IMAP Email System for Office 365 Migration
  3. Verify the email domain in Microsoft 365
  4. Configure the admin credential used for Migration
  5. Create a CSV (emailaddress,password,changepassword) with mailboxes selected for migration
  6. Create a Migration endpoint type as IMAP migration
  7. Migrate the mailbox to Microsoft 365
  8. Route the email to Microsoft 365 by modifying the MX record
  9. Assign the license to migrated mailboxes
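The four procedures above (cutover, staged, full hybrid and IMAP) all follow the same pattern in Exchange Online PowerShell: create a migration endpoint of the matching type, then create a migration batch from it. The following is an added example, not code from the original post; it assumes an open Exchange Online session (Connect-ExchangeOnline), a migration account already granted the permissions described in the steps, and placeholder server names, domains and CSV paths.

```powershell
# Added example (not from the original post). Assumes Connect-ExchangeOnline has
# been run and the migration account holds the permissions from the steps above.
# Server names, domains and file paths are placeholders.

$migCred = Get-Credential -Message 'On-premises migration account'

# Cutover and Staged: an Outlook Anywhere endpoint located through Autodiscover.
$oaEndpoint = New-MigrationEndpoint -ExchangeOutlookAnywhere -Name 'OnPrem-OutlookAnywhere' `
    -Autodiscover -EmailAddress 'migration@contoso.com' -Credentials $migCred

# Full Hybrid: a remote-move endpoint against the on-premises EWS/MRS Proxy URL.
$rmEndpoint = New-MigrationEndpoint -ExchangeRemoteMove -Name 'OnPrem-RemoteMove' `
    -RemoteServer 'mail.contoso.com' -Credentials $migCred

# IMAP: the legacy mail system, IMAP over TLS on 993.
$imapEndpoint = New-MigrationEndpoint -IMAP -Name 'Legacy-IMAP' `
    -RemoteServer 'imap.contoso.com' -Port 993 -Security Ssl

# Cutover batch: no CSV, every on-premises mailbox is in scope.
New-MigrationBatch -Name 'Cutover-All' -SourceEndpoint $oaEndpoint.Identity -AutoStart

# Staged batch: CSV columns EmailAddress,Password,ForceChangePassword (the
# "emailaddress,password,changepassword" file from the steps).
$stagedCsv = [System.IO.File]::ReadAllBytes('C:\Migration\StagedBatch1.csv')
New-MigrationBatch -Name 'Staged-Batch1' -SourceEndpoint $oaEndpoint.Identity `
    -CSVData $stagedCsv -AutoStart

# Hybrid remote move: CSV with an EmailAddress column; TargetDeliveryDomain is the
# tenant routing domain the moved mailbox receives as target address.
$hybridCsv = [System.IO.File]::ReadAllBytes('C:\Migration\HybridBatch1.csv')
New-MigrationBatch -Name 'Hybrid-Batch1' -SourceEndpoint $rmEndpoint.Identity `
    -TargetDeliveryDomain 'contoso.mail.onmicrosoft.com' -CSVData $hybridCsv -AutoStart

# IMAP batch: CSV columns EmailAddress,UserName,Password; target mailboxes must
# already exist in Exchange Online (see the note above).
$imapCsv = [System.IO.File]::ReadAllBytes('C:\Migration\ImapBatch1.csv')
New-MigrationBatch -Name 'IMAP-Batch1' -SourceEndpoint $imapEndpoint.Identity `
    -CSVData $imapCsv -AutoStart

# Progress per batch, then the per-mailbox detail for anything that failed.
Get-MigrationBatch | Format-Table Identity, Status, TotalCount, SyncedCount, FailedCount
Get-MigrationUser -BatchId 'Staged-Batch1' |
    Where-Object { $_.Status -eq 'Failed' } |
    Get-MigrationUserStatistics | Format-List Identity, Status, Error
```

The batches are created with AutoStart but without AutoComplete, so the initial sync runs while the MX record still points at the old system; completing the batch is the step to pair with the MX record change.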

PST Migration: Once the user is migrated to Exchange Online and they have old PST files, the user can copy the PST contents directly and paste them into the EXO mailbox or the EXO archive mailbox. Administrators can also assist end users by copying the PSTs to a central location and using the PST Import Service to copy each PST into the respective user's mailbox\archive.

Third-Party Migration (IBM Domino, Novell GroupWise etc.): We can migrate data from IBM Domino and Novell GroupWise to Microsoft 365.

Managing Recipients in Exchange Online

The recipient types available in the On-Premise version of Exchange Server are also available in Microsoft 365:

User Mailboxes: A mailbox associated with a user account. It requires an Office 365 license; the user mailbox can have 100 GB for the primary mailbox and an unlimited archive mailbox.

Shared mailboxes: Shared mailboxes are common mailboxes used by a group of users in the organization. A shared mailbox does not require a license.

Room mailboxes: A room mailbox is a special type of mailbox used to book conference rooms and is allocated 50 GB of mailbox size. No license is required for room mailboxes that you create in or migrate to Office 365.

Equipment mailboxes: An equipment mailbox is a special type of mailbox used to book equipment such as whiteboards and projectors in the company. 50 GB is allocated and no license is required.

Distribution groups: Distribution groups are used to send email to the users who are members of the group.

Security groups: Security groups can be mail-enabled to receive email, and are used to assign permissions on certain resources to the members of that security group.

Dynamic distribution groups: A dynamic distribution group's members can be users or devices. Dynamic distribution groups are built from a query rather than a static member list.

Office 365 groups: A new type of modern group created directly in Microsoft 365. Office 365 Groups have a Group Expiration Policy. If the policy is configured for 365 days, it prompts the owner of the group to recertify whether the group is still required or should be deleted. If the owner does not certify the group, it is deleted after 30 days.

Mail contacts and Mail users: We can create mail contacts for external email users in Office 365 so that they appear in the organization's global address list.

Mail-enabled Public Folders: Public folders that are mail-enabled so that content can be posted into them by email.

As part of managing recipients in Exchange Online, mailbox permissions are assigned with PowerShell:

Assign Full Access permission to UserA on UserB's mailbox:

Add-MailboxPermission -Identity UserB -AccessRights FullAccess -User UserA

Assign Send As permission to UserA on UserB's mailbox:

Add-RecipientPermission -Identity UserB -AccessRights SendAs -Trustee UserA
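Delegated Full Access and Send As rights are the ones most often left behind after a project or a leaver, so the grant commands above are usually paired with a periodic review. The following is an added example, not code from the original post; it assumes an Exchange Online session (Connect-ExchangeOnline), and the names UserA, UserB and the report path are placeholders.

```powershell
# Added example (not from the original post). Assumes Connect-ExchangeOnline.
# 'UserA', 'UserB' and the report path are placeholders.

# The two grants from the text. AutoMapping $false stops the mailbox from being
# auto-added to UserA's Outlook profile, which is usually what you want for
# temporary delegation.
Add-MailboxPermission -Identity 'UserB' -User 'UserA' -AccessRights FullAccess `
    -InheritanceType All -AutoMapping $false
Add-RecipientPermission -Identity 'UserB' -Trustee 'UserA' -AccessRights SendAs -Confirm:$false

# Audit: every explicit (non-inherited) Full Access and Send As delegate in the
# tenant, excluding the mailbox owner (NT AUTHORITY\SELF) and orphaned SIDs.
function Get-MailboxDelegationReport {
    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object {
                -not $_.IsInherited -and
                $_.User -notlike 'NT AUTHORITY\*' -and
                $_.User -notlike 'S-1-5-*'
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Trustee = $_.User
                    Right   = ($_.AccessRights -join ',')
                    Source  = 'MailboxPermission'
                }
            }
        Get-RecipientPermission -Identity $mbx.Identity |
            Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' -and $_.AccessRights -contains 'SendAs' } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Trustee = $_.Trustee
                    Right   = 'SendAs'
                    Source  = 'RecipientPermission'
                }
            }
    }
}

Get-MailboxDelegationReport |
    Sort-Object Mailbox, Trustee |
    Export-Csv -Path 'C:\Reports\MailboxDelegations.csv' -NoTypeInformation

# Revoking a delegation that is no longer justified.
Remove-MailboxPermission -Identity 'UserB' -User 'UserA' -AccessRights FullAccess -Confirm:$false
Remove-RecipientPermission -Identity 'UserB' -Trustee 'UserA' -AccessRights SendAs -Confirm:$false
```

Send As is deliberately reported separately from Full Access: a trustee with Send As can send mail that is indistinguishable from the owner's, which is the right most worth reviewing.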

Mail Flow Architecture in Exchange Online

The diagram below shows the Exchange Online Protection components and illustrates how mail flow occurs in Exchange Online.

Exchange Online Mail Flow Planning and Configuration:

When you verify the email domain that will be used as the email address for the migrated mailboxes, the Microsoft 365 service asks you to create an MX record so that emails to your primary email domain are routed via the Microsoft 365 Exchange Online Protection (EOP) email gateway. In addition, it provides an SPF record that needs to be created to prevent email spoofing of your email domain.

We need to know the options available for mail flow configuration once the data is migrated to Exchange Online.

Hybrid Mail Flow – Route 1: MX record and SPF record created pointing to Microsoft 365.

Inbound mail from the Internet to a mailbox in Exchange Online is sent to EOP and then delivered to the EXO mailbox. If the inbound email is addressed to an On-Premise mailbox, it reaches EOP and is then sent to On-Premise Exchange via the outbound connector in Exchange Online.

Outbound email from an Exchange Online user to the Internet is sent through EOP. If an On-Premise user sends email to the Internet, the mail is sent to Exchange Online via the Hybrid Edge servers in your organization, through the inbound connector in Exchange Online, and from there to the Internet through EOP.

Hybrid Mail Flow – Route 2: MX record and SPF record created pointing to Microsoft 365, and Centralized Mail Transport enabled.

In a Hybrid Exchange environment, organizations that have a requirement to do filtering only On-Premise can enable Centralized Mail Transport. When the MX record points to EOP and Centralized Mail Transport is enabled, mail flow occurs as below.

Inbound email from the Internet to an Office 365 mailbox reaches EOP; EOP routes the email to the Edge server in the On-Premise environment via the outbound connector in Exchange Online, and the Edge server sends the email to the Transport server. The Transport server looks up the recipient and sends the email back to Exchange Online, since the recipient mailbox is in Exchange Online.

Similarly, email from an EXO mailbox to the Internet is sent to the On-Premise Transport server and then routed to the Internet based on the on-premises Internet email routing configuration.

Hybrid Mail Flow – Route 3: MX record points to the On-Premise email gateway.

Inbound emails for both On-Premise and Office 365 mailboxes are sent to the On-Premise email gateway as per the MX record, and the email gateway routes the email to the On-Premise Transport server. If the recipient is an On-Premise mailbox, the mail is delivered locally; if the recipient is an Office 365 mailbox, the email is sent to Office 365 and delivered there.

Hybrid Mail Flow – Route 4: MX record points to the On-Premise email gateway, and outbound emails to the Internet are configured to be sent through Office 365 Exchange Online Protection.

Inbound emails for both On-Premise and Office 365 mailboxes are sent to the On-Premise email gateway as per the MX record, and the email gateway routes the email to the On-Premise Transport server. If the recipient is an On-Premise mailbox, the mail is delivered locally; if the recipient is an Office 365 mailbox, the email is sent to Office 365 and delivered there.

Outbound emails from On-Premise users and Office 365 users to the Internet are routed to the Internet using Office 365 Exchange Online Protection.
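Which of the four routes is actually in effect is determined by two DNS records and the hybrid connectors, so it pays to check them rather than assume. The following is an added example, not code from the original post; it assumes Resolve-DnsName (the DnsClient module on Windows) and an Exchange Online session for the connector part, and the domain contoso.com and smart host mail.contoso.com are placeholders.

```powershell
# Added example (not from the original post). Needs Resolve-DnsName (Windows
# DnsClient module) and Connect-ExchangeOnline for the connector commands.
# 'contoso.com' and 'mail.contoso.com' are placeholders.

$domain = 'contoso.com'

# 1. Where does the MX point: EOP (Routes 1 and 2) or the on-premises gateway (Routes 3 and 4)?
$mx = Resolve-DnsName -Name $domain -Type MX |
      Where-Object { $_.Type -eq 'MX' } |
      Sort-Object Preference | Select-Object -First 1
$mxIsEop = $mx.NameExchange -like '*.mail.protection.outlook.com'
"MX for $domain -> $($mx.NameExchange) (points to EOP: $mxIsEop)"

# 2. SPF: exactly one TXT record starting with v=spf1. Whenever mail leaves through
#    EOP (Routes 1, 2 and 4) it must include EOP, and it should end in -all (or ~all).
$spfRecords = Resolve-DnsName -Name $domain -Type TXT |
              Where-Object { ($_.Strings -join '') -like 'v=spf1*' }
if (@($spfRecords).Count -ne 1) {
    Write-Warning "Expected exactly one SPF record for $domain, found $(@($spfRecords).Count)"
}
$spf = (@($spfRecords) | Select-Object -First 1).Strings -join ''
"SPF: $spf"
"  includes EOP : $($spf -like '*include:spf.protection.outlook.com*')"
"  hard fail    : $($spf -like '*-all')"

# 3. The hybrid connectors. The outbound connector carries EOP -> on-premises mail for
#    recipients still on-premises; RouteAllMessagesViaOnPremises is what the text
#    calls Centralized Mail Transport (Route 2). TLS with certificate validation
#    keeps the on-premises hop from being downgraded.
New-OutboundConnector -Name 'Outbound to on-premises' -ConnectorType OnPremises `
    -RecipientDomains $domain -SmartHosts 'mail.contoso.com' -UseMXRecord $false `
    -TlsSettings CertificateValidation -RouteAllMessagesViaOnPremises $false

New-InboundConnector -Name 'Inbound from on-premises' -ConnectorType OnPremises `
    -SenderDomains '*' -RequireTls $true `
    -TlsSenderCertificateName 'mail.contoso.com' -CloudServicesMailEnabled $true

# 4. Review what is in place; RouteAllMessagesViaOnPremises $true means Route 2.
Get-OutboundConnector |
    Format-Table Name, Enabled, RecipientDomains, SmartHosts, TlsSettings, RouteAllMessagesViaOnPremises
Get-InboundConnector |
    Format-Table Name, Enabled, ConnectorType, SenderDomains, RequireTls, TlsSenderCertificateName
```

The inbound connector pins the on-premises sender by certificate name rather than by IP alone; with CloudServicesMailEnabled the hybrid headers survive the hop, which is what lets EOP treat the message as internal rather than as anonymous Internet mail.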

Anti-Malware and Anti-Spam Policies in Exchange Online

Exchange Online has several anti-spam protection capabilities to protect the email environment. The Exchange Online Protection component in Microsoft 365 is the email gateway that performs the email filtering. Below are the filters available in Exchange Online Protection.

Connection Filtering: EOP validates IP reputation and allows email from valid IP addresses only. Connection filtering has additional options: an allowed IP address list to mark IP addresses as safe, and a blocked IP address list to reject emails from those addresses.

Directory Based Edge Blocking Filtering: DBEB only accepts email for valid recipients in the organization. Configuring the domain as an Accepted Domain automatically enables this feature. In a Hybrid Exchange environment, before enabling DBEB, we need to ensure that all On-Premise email recipients are synchronized to Microsoft 365.

Malware Filtering: Configure the malware filter policy to perform an action on emails identified as malware, i.e. whether to quarantine or delete them. A malware filter rule can be configured to apply the malware policy to a specific set of users.

Spam Filtering: The anti-spam agent processes the email once transport rule processing is completed. It checks for malicious emails and attachments. Based on the SCL value, we can configure an action to send the email to the Junk Email folder or to quarantine it.
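Each of the four filters above maps to its own policy object in Exchange Online PowerShell, and the malware and spam filters pair a policy (what to do) with a rule (whom it applies to). The following is an added example, not code from the original post; it assumes an Exchange Online session, and the IP ranges, domain, group and notification address are placeholders.

```powershell
# Added example (not from the original post). Assumes Connect-ExchangeOnline.
# IP ranges, 'contoso.com', the Finance group and the notification address are placeholders.

# Connection filtering: the allow list marks senders as safe, the block list rejects
# them at the connection. Keep both short; they bypass or pre-empt reputation checks.
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPAllowList @{Add = '203.0.113.0/24'} `
    -IPBlockList @{Add = '198.51.100.17'} `
    -EnableSafeList $true

# Directory Based Edge Blocking follows from the domain type: Authoritative means
# EOP rejects recipients it cannot find, so in hybrid every on-premises recipient
# must already be synchronised (the caveat in the text).
Set-AcceptedDomain -Identity 'contoso.com' -DomainType Authoritative

# Malware filtering: a policy that deletes the whole message, with ZAP so mail
# already delivered is removed when a later signature matches; then a rule that
# scopes the policy to one set of users (members of a distribution group).
New-MalwareFilterPolicy -Name 'Finance-Malware' -Action DeleteMessage `
    -ZapEnabled $true -EnableFileFilter $true `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress 'secops@contoso.com'
New-MalwareFilterRule -Name 'Finance-Malware' -MalwareFilterPolicy 'Finance-Malware' `
    -SentToMemberOf 'Finance-DL@contoso.com' -Priority 0

# Spam filtering: actions per SCL band on the default content filter policy.
# Ordinary spam goes to Junk Email (user can self-serve); high-confidence spam and
# phish are quarantined so the message body never reaches the mailbox.
Set-HostedContentFilterPolicy -Identity Default `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine `
    -PhishSpamAction Quarantine `
    -HighConfidencePhishAction Quarantine `
    -BulkThreshold 6 `
    -QuarantineRetentionPeriod 30

# Verify the effective configuration.
Get-HostedConnectionFilterPolicy Default | Format-List IPAllowList, IPBlockList, EnableSafeList
Get-MalwareFilterRule | Format-Table Name, MalwareFilterPolicy, SentToMemberOf, Priority, State
Get-HostedContentFilterPolicy Default |
    Format-List SpamAction, HighConfidenceSpamAction, PhishSpamAction, HighConfidencePhishAction, BulkThreshold
```

Rule priority matters when several malware or spam rules overlap: the lowest priority number wins for a given recipient, so a group-scoped rule at priority 0 takes precedence over a broader rule beneath it.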

Exchange Online Admin Roles

Admin role groups are created from predefined roles (groups of commands that an admin can execute), and role groups are assigned to a user or a group to grant the permissions.

Role Based Access Control, available in the On-Premise version of Exchange, is also supported in Exchange Online to customize roles, and the customized roles are assigned to user accounts or groups.

Below are the default admin role groups available in Exchange Online.
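The practical use of RBAC in Exchange Online is to build a role group that carries only the management roles a team needs, instead of adding people to Organization Management. The following is an added example, not code from the original post; it assumes an Exchange Online session, and the group name, description and member address are placeholders.

```powershell
# Added example (not from the original post). Assumes Connect-ExchangeOnline.
# Group name, description and member address are placeholders.

# The built-in role groups and the management roles each one carries.
Get-RoleGroup | Sort-Object Name | Format-Table Name, Roles -AutoSize

# Least privilege: a custom role group for tier-1 helpdesk that can create and
# change recipients and distribution groups, and nothing else.
New-RoleGroup -Name 'Helpdesk Recipient Admins' `
    -Roles 'Mail Recipients', 'Mail Recipient Creation', 'Distribution Groups' `
    -Members 'helpdesk@contoso.com' `
    -Description 'Tier-1 helpdesk: recipient and DL changes only'

# Periodic review: who is in the role groups that matter most.
function Get-PrivilegedRoleGroupMembers {
    $sensitive = 'Organization Management', 'Recipient Management',
                 'Discovery Management', 'Security Administrator', 'Hygiene Management'
    foreach ($rg in $sensitive) {
        Get-RoleGroupMember -Identity $rg -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                RoleGroup     = $rg
                Member        = $_.Name
                RecipientType = $_.RecipientType
            }
        }
    }
}
Get-PrivilegedRoleGroupMembers | Sort-Object RoleGroup, Member | Format-Table -AutoSize

# What a given role actually allows: the cmdlets behind 'Mail Recipients'.
Get-ManagementRoleEntry 'Mail Recipients\*' | Select-Object Name -First 15
```

Discovery Management is listed with the others because its members can run content searches across mailboxes, which is a read right over everyone's mail even though it grants no administrative change rights.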

SharePoint Online

SharePoint Online is a collaboration tool, which helps organizations to manage the contents and to allow users to collaborate effectively with monitoring and auditing capabilities.

SharePoint Online provides the capabilities below:

  • Hybrid SharePoint Environment
  • Local Site Management
  • Data Encryption
  • Data Loss Prevention
  • Anti-Malware Protection

Hybrid SharePoint Environment

Like the Hybrid Exchange environment for Exchange Online, SharePoint Online supports a Hybrid SharePoint environment. Organizations that want to migrate their On-Premise SharePoint data to SharePoint Online can use a Hybrid SharePoint environment, which provides a staged migration path.

Once the hybrid configuration is done, users can access SharePoint content from both environments in a single place. We can also configure integrated functionality for features such as SharePoint Search and User Profiles.

SharePoint 2013 and above supports the SharePoint Online Hybrid Configuration.

Additional features provided in the hybrid scenario include:

Hybrid OneDrive: Hybrid OneDrive for Business migrates On-Premise OneDrive accounts to Online, and users are automatically redirected to OneDrive for Business in SharePoint Online.

Hybrid Sites Features: When hybrid team sites are enabled, users can follow both On-Premise and Online sites. Followed team sites are shown together in the SharePoint Online site.

Hybrid App Launcher: This enables users to access both online and on-premises applications from a single menu.

Business-to-business (B2B) extranet sites: We can allow external access on required site collections.

Hybrid Auditing: Audit results in SharePoint Online show results for both On-Premise SharePoint sites and Online SharePoint sites.

Hybrid Search: Users can perform a search and see relevant content from both environments.

SharePoint Online Local Site Management

SharePoint Online allows for its own independent, intranet site collections

Some of the different styles of sites include:

  • Personal blogs
  • Community
  • Company Feed
  • Site Feed
  • Wikis
  • Team Sites

Permission levels play a major role in creating separate sites, and segregating and restricting access to content.

SharePoint Online Encryption

SharePoint provides encryption for customer data at rest or in-transit based on Rights Management Services

Encryption at rest

  • Encryption at rest provides BitLocker encryption by default
  • Per-file encryption

Encryption of data in-transit

  • Client communication with the server
  • Data movement between datacenters

Sharepoint Online Data Loss Prevention

SharePoint Online has several options to maintain and recover content that has been deleted \ misplaced

Common way to recover deleted content is through the Recycle Bin

There are two types of Recycle Bins in Sharepoint:

  • Local Recycle Bin
  • Site Collection Recycle Bin

You can use versioning to:

  • Track history of a version
  • Restore a previous version
  • View a previous version

Point-in-time recovery is a last resort when trying to restore an item

SharePoint Online Anti-Malware Protection

SharePoint Online provides anti-malware protection for files uploaded and saved to document libraries

The following options help provide anti-malware protection:

  • Layered Defenses Against Malware
  • Real-time Threat Response
  • Fast Anti-Malware Definition Deployment

Microsoft Teams

Make a note: No questions related to Microsoft Teams are asked in the MS-100 exam.

Microsoft Teams is the replacement for Microsoft Skype for Business with additional features. Teams provides chat conversations, meetings, files and third-party integrations: a single solution that helps organizations form teams for collaboration.

When a Microsoft Team is created, it can have different channels to organize specific topics or projects. An IT admin, or any user who has the permission, can create a Team. Teams have two roles, Team Owner and Team Member.

Inside a channel, we can create bots and tabs, configure connectors to different apps and store files.

Planning Microsoft Teams

We need to understand the options below for Microsoft Teams planning and implementation.

Microsoft Teams Architecture

Microsoft Teams is the next-generation collaboration tool for organizations. Services offered in Office 365 are combined to provide a better collaboration experience.

When a Microsoft Team is created, in parallel it creates an Office 365 Group, a shared mailbox, a SharePoint site and a OneDrive site. The Office 365 Group manages the Team owners and members. Channel messages are stored in the shared mailbox and files are stored in the SharePoint site. Chat messages are stored in the personal mailboxes of the users. Files shared over chat conversations are saved in the OneDrive site.

Microsoft Teams data that was stored in Azure Storage has been moved to Cosmos DB for reliability and performance improvements. With this move, chat messages continue to be stored in Exchange.

Teams provides a meeting experience built on the next generation, cloud-based infrastructure used by Skype for Business.

To bring external contents and Intelligent Interactions in Microsoft Teams, we can use Connectors, Tabs & Bots available as Apps.

Users Authentication and the Access to Microsoft Teams:

Microsoft Teams supports all the available authentication methods: Cloud Identity, Synchronized Identity and Federated Identity.

Access to Microsoft Teams requires a Microsoft 365 E3 or E5 license. Once the license is enabled, the user is able to access Microsoft Teams.

Make a note: Microsoft Teams creation is enabled by default; users can create Private Teams or Public Teams. If an admin disables the option to create Office 365 Groups in the organization, end users cannot create Teams.

Guest Access & External Access in Microsoft Teams

Guest Access allows Teams users to collaborate with external partners. Guest Access is allowed on all subscriptions, and no additional license is required to enable it.

Organizations using Teams can provide external access to teams, documents in channels, resources, chats, and applications to their partners, while maintaining complete control over their own corporate data

Guest Access grants an individual user access to a Microsoft Team. External Access grants an entire domain access to Microsoft Teams.

Guest Access by default allows access to the channel discussions and files of a specific Team. Guest Access does not allow the guest to access OneDrive for Business, perform a People search outside of Teams, access the calendar, scheduled meetings or meeting details, use PSTN, view the organization chart, create or revise a team, browse for a team, or upload files to a person-to-person chat.

Note: You can add 5 guests per licensed user on Microsoft Teams.

Microsoft Teams Guest Access should be granted from Azure AD; the diagram below shows the flow for controlling Guest Access.

External Access is equivalent to configuring federation in Skype for Business. External Access does not allow users to access any channel discussions or files in a Team; it allows users to chat with users in the domains allowed for external access.

Create B2B accounts

Azure AD B2B collaboration lets you securely share your company’s applications and services with guest users from any other organization, while maintaining control over your own corporate data.

Administrators can create B2B guest accounts in Azure AD and send an invitation link for guest users to accept the privacy statement.

Non-administrator users can also create B2B accounts by sending an invitation to an external user and adding them to a group or sharing an application with guest users. To make this work, a Global Administrator has to enable self-service management for the group, assign the user as owner of the group, and add the group to the application.

Conditional Access can be used to control access to the organization's data.

To create a B2B account:

Azure Portal -> Azure AD -> Users -> New Guest User -> email address and the personal message and click on Send Invite.

The guest can accept the invitation, and the external user account is added as a Guest User in the Azure AD tenant.

Create guest accounts

Guest account creation is the same as B2B account creation.

Design solutions for external access

We can plan the external access restrictions with the settings below.

Navigate to Azure Portal -> Azure AD -> User Settings -> Manage External Collaboration Settings

Guest Users Permissions are Limited

Admins and Users in the guest inviter role can invite

Members can Invite

Guest can Invite

In addition to the above external access settings, we can configure the collaboration restrictions below.
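The B2B invitation (L318-322) and the external collaboration settings (L332-340) can both be driven from the AzureAD PowerShell module, which also makes it easy to review which guests exist and whether invitations were ever redeemed. The following is an added example, not code from the original post; it assumes Connect-AzureAD with a Global Administrator, and the guest address, display name and redirect URL are placeholders. The GuestUserRoleId value is the published role ID for the "Guest user access is restricted to properties and memberships of their own directory objects" setting.

```powershell
# Added example (not from the original post). Assumes Connect-AzureAD.
# Guest address, display name and redirect URL are placeholders.

# 1. Invite one B2B guest, the PowerShell equivalent of "New guest user" in the portal.
$invite = New-AzureADMSInvitation -InvitedUserEmailAddress 'partner@fabrikam.example' `
    -InvitedUserDisplayName 'Partner (Fabrikam)' `
    -InviteRedirectUrl 'https://myapps.microsoft.com' `
    -SendInvitationMessage $true
$invite.Status            # PendingAcceptance until the guest redeems the link
$invite.InvitedUser.Id    # the guest object that now exists in the tenant

# 2. The external collaboration settings from the text, at tenant level:
#    - "Guest users permissions are limited" = GuestUserRoleId for the limited guest role
#    - "Admins and users in the guest inviter role can invite" = AllowInvitesFrom
Set-AzureADMSAuthorizationPolicy `
    -GuestUserRoleId '10dae51f-b6af-4016-8d66-8c2a99b929b3' `
    -AllowInvitesFrom 'adminsAndGuestInviters'

# 3. Review the policy and the guest population.
Get-AzureADMSAuthorizationPolicy | Format-List AllowInvitesFrom, GuestUserRoleId

function Get-GuestReview {
    # Guests whose invitation was never accepted are accounts nobody is using;
    # they are the first candidates for clean-up.
    Get-AzureADUser -Filter "userType eq 'Guest'" -All $true | ForEach-Object {
        [pscustomobject]@{
            DisplayName  = $_.DisplayName
            Mail         = $_.Mail
            CreationType = $_.CreationType
            UserState    = $_.UserState           # Accepted or PendingAcceptance
            StateChanged = $_.UserStateChangedOn
        }
    }
}
Get-GuestReview | Where-Object { $_.UserState -ne 'Accepted' } | Format-Table -AutoSize
```

AllowInvitesFrom also accepts none, adminsGuestInvitersAndAllMembers and everyone, which correspond to the four invitation radio buttons in the portal; the example picks the middle setting so that inviting stays a deliberate, role-gated action.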

MS-100 Configure Application Access

May 31st, 2019 | Posted by admin in Exchange - (0 Comments)

Configure Application Registration in Azure AD

Registering the application means that your developers can use Azure AD to authenticate users and request access to user resources such as email, calendar, and documents.

Registering an application allows any user to do the following:

  • Get an identity for their application that Azure AD recognizes
  • Get one or more secrets/keys that the application can use to authenticate itself to AD
  • Brand the application in the Azure portal with a custom name, logo, etc.
  • Apply Azure AD authorization features to their app, including:
    • Role-Based Access Control (RBAC)
    • Azure Active Directory as OAuth authorization server (secure an API exposed by the application)

  • Declare required permissions necessary for the application to function as expected, including:
    • App permissions (global administrators only). For example: Role membership in another Azure AD application or role membership relative to an Azure Resource, Resource Group, or Subscription
    • Delegated permissions (any user). For example: Azure AD, Sign-in, and Read Profile

Users can register applications by default. We can control application registration by users by disabling the App registrations option:

Azure Portal -> Azure AD -> User Settings -> App Registrations -> Select No and Save.

In addition to the above, we have the application settings below to manage for Enterprise Applications. Choose the required option for your organization.

Configure the app to require user assignment and assign users

By default, users can access applications without being assigned. However, if the application exposes roles or if you want the application to appear on a user’s access panel, you should require user assignment.

Suppress user consent

By default, each user goes through a consent experience to sign in. The consent experience, asking users to grant permissions to an application, can be disconcerting for users who are unfamiliar with making such decisions.

If we disable the application registration option for end users, only a Global Administrator can perform application registration. To delegate the permission, we have two Azure AD roles:

Application Administrator: Users in this role can add, manage and configure enterprise applications and app registrations, and manage on-premises components such as Application Proxy.

Application Developer: Users in this role will continue to be able to register app registrations even if the Global Admin has turned off the tenant level switch for “Users can register apps”.
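The three controls described above (turning off user app registration, requiring user assignment on an enterprise app, and delegating through the Application Developer role instead of Global Administrator) can all be set from the AzureAD PowerShell module. The following is an added example, not code from the original post; it assumes Connect-AzureAD with sufficient rights, and the user, application and group display names are placeholders.

```powershell
# Added example (not from the original post). Assumes Connect-AzureAD.
# 'dev1@contoso.com', 'Contoso HR Portal' and 'HR Staff' are placeholders.

# 1. "Users can register apps" = No (Azure AD -> User settings -> App registrations).
Set-AzureADMSAuthorizationPolicy -DefaultUserRolePermissions @{AllowedToCreateApps = $false}

# 2. Delegate registration to the Application Developer role rather than handing
#    out Global Administrator. Directory roles are templates until first used.
$roleName = 'Application Developer'
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}
$dev = Get-AzureADUser -ObjectId 'dev1@contoso.com'
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $dev.ObjectId

# 3. Enterprise app: require user assignment, then assign a group to the app's
#    default access role (Guid.Empty) so only its members can sign in.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq 'Contoso HR Portal'"
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true
$group = Get-AzureADGroup -Filter "displayName eq 'HR Staff'"
New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
    -ResourceId $sp.ObjectId -Id ([Guid]::Empty)

# 4. Review: which apps have accumulated per-user consent grants (the consent
#    experience described above), ranked by how many users consented.
function Get-UserConsentSummary {
    Get-AzureADOAuth2PermissionGrant -All $true |
        Where-Object { $_.ConsentType -eq 'Principal' } |
        Group-Object ClientId |
        Sort-Object Count -Descending |
        ForEach-Object {
            $client = Get-AzureADServicePrincipal -ObjectId $_.Name
            [pscustomobject]@{
                App    = $client.DisplayName
                Users  = $_.Count
                Scopes = ($_.Group.Scope | Sort-Object -Unique) -join ' '
            }
        }
}
Get-UserConsentSummary | Format-Table -AutoSize
```

The consent summary is worth running before suppressing user consent: it shows which applications users have already granted scopes to, and the Scopes column distinguishes harmless profile reads from grants such as mail or files access that deserve an administrator's review.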


Configure Azure AD application proxy

Using the Azure AD Application Proxy service helps to integrate On-Premise applications with Azure AD. Refer to the link below for additional information.


You need to understand the additional settings available when adding an Enterprise Application, and the cookie settings. You can expect one question on this.


Publish Enterprise Apps in Azure AD

Published Enterprise Applications are available in the Access Panel for end users. We can search for applications in the gallery and publish them for users. Below are the default published applications.

Azure Portal -> Azure AD -> Enterprise Application

Publish an Enterprise Application

Click on New Application, search for the application in the gallery and add it to your organization.

We can modify the settings of an app, such as SSO / user provisioning, once it is added.

MS-100 Implement MFA


Design an MFA solution

Azure AD P1, Azure AD P2, EMS E3 and EMS E5 include the option to enable Azure Multi-Factor Authentication. As a Microsoft 365 Enterprise customer, you need to design MFA to protect access to your organization's data by authenticated users.

Design a solution like below:

  • Implement Conditional Access to enable MFA for the required applications.
  • If required, set an MFA exception when the application is accessed from a compliant / Hybrid Azure AD joined device or from a corporate trusted location
  • Irrespective of the application, force users with admin roles to complete an MFA challenge
  • In addition, keep the questions below in mind when designing your MFA solution:
  • Does your company need to protect privileged accounts with MFA?
  • Does your company need to enable MFA for certain applications for compliance reasons?
  • Does your company need to enable MFA for all eligible users of these applications or only administrators?
  • Do you need MFA always enabled, or only when users log in from outside your corporate network?

Configure MFA for Apps or Users

Configure MFA for Apps

Use Azure AD Conditional Access policies to enable MFA for Azure-onboarded applications.

To create a Conditional Access policy:

Azure Portal -> Azure AD -> Conditional Access -> New CA Policy -> select the users -> select the application -> review the other settings -> require MFA in the Grant section and save

Configure MFA for Users

We can enable MFA at the user level so that whenever the user accesses an Office 365 service or an Azure AD integrated application, the user is prompted for an MFA challenge as the second factor.

Azure Portal -> Azure AD -> Users -> open Multi-Factor Authentication -> search for the user -> Enable MFA
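The design bullets above (MFA for applications, an exception for compliant or hybrid-joined devices and trusted locations, and MFA for admin roles regardless of application) translate into two Conditional Access policies, and the portal steps for creating one map onto New-AzureADMSConditionalAccessPolicy. The following is an added example, not code from the original post; it assumes Connect-AzureAD as a Conditional Access Administrator, the break-glass group object ID is a placeholder, and the role ID shown is the published template ID for Global Administrator.

```powershell
# Added example (not from the original post). Assumes Connect-AzureAD.
# The break-glass group object ID is a placeholder; 62e90394-... is the
# published role template ID for Global Administrator.

$breakGlassGroup = '11111111-2222-3333-4444-555555555555'   # placeholder: excluded from both policies

# ---- Policy 1: all users, all cloud apps, MFA unless on a managed device ----
$users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$users.IncludeUsers  = 'All'
$users.ExcludeGroups = $breakGlassGroup

$apps = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$apps.IncludeApplications = 'All'          # replace with app IDs for "required applications" only

# "Corporate trusted location" exception: trusted named locations are excluded.
$locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
$locations.IncludeLocations = 'All'
$locations.ExcludeLocations = 'AllTrusted'

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Users        = $users
$conditions.Applications = $apps
$conditions.Locations    = $locations

# Grant: MFA OR compliant device OR hybrid Azure AD joined device.
$grant = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$grant._Operator       = 'OR'
$grant.BuiltInControls = @('mfa', 'compliantDevice', 'domainJoinedDevice')

# Report-only first: sign-in logs show what would have been blocked before enforcing.
New-AzureADMSConditionalAccessPolicy -DisplayName 'CA01 Require MFA or managed device (all users)' `
    -State 'enabledForReportingButNotEnforced' -Conditions $conditions -GrantControls $grant

# ---- Policy 2: admin roles, every app, every location, MFA with no device exception ----
$adminUsers = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$adminUsers.IncludeRoles  = @('62e90394-69f5-4237-9190-012177145e10')   # Global Administrator; add further role IDs as needed
$adminUsers.ExcludeGroups = $breakGlassGroup

$adminConditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$adminConditions.Users        = $adminUsers
$adminConditions.Applications = $apps

$adminGrant = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$adminGrant._Operator       = 'OR'
$adminGrant.BuiltInControls = @('mfa')

New-AzureADMSConditionalAccessPolicy -DisplayName 'CA02 Require MFA for admin roles' `
    -State 'enabledForReportingButNotEnforced' -Conditions $adminConditions -GrantControls $adminGrant

# Review what exists and its state before switching to 'enabled'.
Get-AzureADMSConditionalAccessPolicy | Format-Table DisplayName, State
```

Keeping one break-glass group excluded from every policy, and protecting that group's accounts by other means, is what prevents a mistaken policy from locking every administrator out of the tenant at once.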

Administer MFA Users

Manage MFA Service Settings:

As an administrator, we can configure the MFA service settings below for the organization.

App Passwords: Users can use app passwords to sign in to non-browser apps. We have the option to allow or restrict them.

Verification Options:

If MFA is enabled, which verification options are allowed for users? We can control the options here.

Remember Multi-Factor Authentication: If a user has passed MFA validation, it is annoying to be prompted every time they access the service. We can control how long the MFA authentication is remembered on that device. By default, this is not enabled.

Azure Portal -> Azure AD -> Users -> Open the Multi-Factor Authentication -> Service Settings

And, from Azure AD Portal -> Security -> MFA -> MFA Server -> Activity Report

Manage User Settings

If MFA is enabled on an account, we have the options below to administer the account.

The above 3 options are self-explanatory. Please know the available options.

Report MFA utilization

MFA activity reports are available for administrator review.

Navigate to Azure Portal -> Azure AD -> Security -> MFA -> Manage MFA Server -> Reports -> Activity Reports

Identify users who have registered for MFA with the PowerShell that follows.

Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName

Identify users who have not registered for MFA with the PowerShell that follows.

Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName
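The two one-liners above answer "registered or not"; an administrator reviewing MFA usually also wants the per-user MFA state, the default method, and above all which privileged accounts are still unregistered. The following is an added example, not code from the original post; it uses the same MSOnline module as the commands above (Connect-MsolService), and the report path and the sample user principal name are placeholders. It also shows the PowerShell equivalent of the per-user "Enable MFA" portal action.

```powershell
# Added example (not from the original post). MSOnline module, Connect-MsolService.
# Report path and 'user1@contoso.com' are placeholders.

function Get-MfaRegistrationReport {
    # One row per enabled user: per-user MFA state, whether any method is registered,
    # and which method is the default.
    Get-MsolUser -All | Where-Object { -not $_.BlockCredential } | ForEach-Object {
        $methods = @($_.StrongAuthenticationMethods)
        $state   = if ($_.StrongAuthenticationRequirements) {
                       $_.StrongAuthenticationRequirements[0].State   # Enabled or Enforced
                   } else { 'Disabled' }
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            PerUserMfaState   = $state
            Registered        = ($methods.Count -gt 0)
            DefaultMethod     = ($methods | Where-Object { $_.IsDefault } | ForEach-Object { $_.MethodType })
            Methods           = (($methods | ForEach-Object { $_.MethodType }) -join ',')
        }
    }
}

function Get-AdminsWithoutMfa {
    # Global Administrator is called "Company Administrator" in the MSOnline module.
    $role   = Get-MsolRole -RoleName 'Company Administrator'
    $admins = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
              Where-Object { $_.RoleMemberType -eq 'User' }
    Get-MfaRegistrationReport |
        Where-Object { $_.UserPrincipalName -in $admins.EmailAddress -and -not $_.Registered }
}

Get-MfaRegistrationReport | Export-Csv -Path 'C:\Reports\MfaRegistration.csv' -NoTypeInformation
Get-AdminsWithoutMfa | Format-Table UserPrincipalName, PerUserMfaState -AutoSize

# Per-user MFA "Enable" (the portal action in the text) for a single account.
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = '*'
$requirement.State        = 'Enabled'
Set-MsolUser -UserPrincipalName 'user1@contoso.com' -StrongAuthenticationRequirements @($requirement)
```

A Global Administrator that appears in Get-AdminsWithoutMfa has no second factor at all, so that list is the one to clear first; the per-user state of Enabled versus Enforced only matters once a method exists.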

MS-100 Manage Authentication


Manage Authentication

To manage the authentication options, we need to know the Authentication Methods available and how that works.

Understanding Authentication Methods:

Below are the authentication options or Sign-In options available for Office 365 / Azure AD.

  • Federation Authentication
  • Password Hash Synchronization Authentication
  • Pass-through Authentication
  • Seamless SSO (enabled when choosing PHS or PTA)

Federated Authentication

Most companies prefer to use federated authentication. When the federated sign-in option is enabled, the domain used for authentication is configured as a federated domain in Azure AD. Below is the authentication flow for federated sign-in.

How it works

When you access a claims-aware application that trusts Azure AD as the STS, the application redirects you to authenticate with Azure AD. Azure AD prompts for the user name only; when you enter it, the domain is checked to see whether it is a federated domain. Since it is, you are redirected to the On-Premise ADFS infrastructure with a token request (to the WAP server if you are on the Internet, to the ADFS server if you sign in from the intranet). ADFS receives the SAML request, prompts you for user name and password, and authenticates them against Active Directory. On successful authentication with AD, ADFS sends a security token with claims to the user, which is sent back to Azure AD. Azure AD evaluates the token response and, if it is valid, confirms the successful authentication and the user is allowed to access the application.

Note: You need to maintain an ADFS infrastructure for the federated sign-in option. It has additional benefits, such as using an On-Premise MFA Server for multi-factor authentication.

Password Hash Synchronization Authentication

Do not be confused by the Password Synchronization option: we are not directly synchronizing the password from On-Premise to Azure AD. Only a hash of the password hash is synchronized to Azure AD using Azure AD Connect.

How it works

When Password Hash Synchronization authentication is enabled for the tenant, the hash of the password hash is available in Azure AD after synchronization. When a user accesses an Azure-integrated application, the user is redirected to authenticate with Azure AD; Azure AD prompts for credentials, both user name and password are entered in the Azure AD authentication dialog, and they are validated against the hash synced to Azure. If successful, the user is given a security token to authenticate to the service\application. Switching from one application to another prompts the user to validate credentials again when this sign-in option is used.

Pass-through Authentication

With Pass-through Authentication, the user name and password are gathered in Azure AD but the password is validated in On-Premise AD. An Authentication Agent configured on the AD Connect server, or on any member server, supports Pass-through Authentication. Below is the pass-through authentication flow.

How it works

When a user accesses any Office 365 application, it redirects the user to Azure AD for authentication. Azure AD prompts the user for both the user name and password, which are sent to the Authentication Agent server on-premises over a secure tunnel established when the agent was configured. The agent validates the user name and password against Active Directory using a Win32 API call, and the result of the authentication is sent back to Azure AD. On a successful result, Azure AD issues a security token for the application and the user gains access to it.

Seamless Single Sign-On Authentication

Seamless SSO works with Password Hash Synchronization and Pass-through Authentication. For Seamless SSO to work, the machine has to be domain joined and must have access to AD. The machine authenticates with Azure AD using a Kerberos ticket.

How it works

When Seamless SSO is enabled, a new computer object is created in AD that holds 2 SPNs for authentication with Azure AD. Suppose a user accesses a claims-aware application: the user is redirected to Azure AD for authentication, and Azure AD instructs the client to perform a test to find out whether the client is SSO capable, returning an unauthorized response that asks the client to obtain a ticket from AD. The client requests a Kerberos ticket from AD and sends it to Azure AD; Azure AD returns a security token, which is sent to the application, and the authentication succeeds.

If Seamless SSO fails, whichever other option is enabled (PTA or PHS) is used for authentication.

Design Authentication Method:

You can choose from the authentication methods below and design your Azure AD authentication:

  • Cloud Authentication
  • Federated Authentication
  • Federated Authentication with Password Hash Sync
  • Federated Authentication with Pass-Through Authentication
  • Seamless SSO with Password Hash Sync
  • Seamless SSO with Pass-Through Authentication

Configure Authentication

Enterprise customers deploy ADFS for authentication, and we will see how to configure Microsoft 365 authentication using ADFS.

ADFS configuration requires:

  • Domain Admin account
  • Publicly trusted certificate for SSL server authentication
  • ADFS prerequisites like the ADFS service name, service account, SQL database, etc.
  • DNS A records for the ADFS service name in internal and external DNS
  • The domain to be federated added and verified in Azure AD

Once any of the above authentication methods is selected, we have the option to configure Multi-Factor Authentication for end users.

MFA can be enabled at the account level or it can be enabled per application by using Conditional Access.

ADFS supports certificate-based authentication (smart card certificates).

Implement Authentication Method

Below are the two options available for configuring authentication for Office 365.

Configuring Office 365 / Azure AD Authentication via ADFS

Once the ADFS infrastructure is deployed, we need to convert the required domain to a federated domain using the 2 commands below:

Set-MsolADFSContext -Computer ADFS_Server_FQDN

Convert-MsolDomainToFederated -DomainName

The above commands convert the domain to a federated domain and create a relying party trust for the Office 365 services with the default claims required for authentication.

To convert a domain to standard (managed) or federated, we can use any of the PowerShell commands below:

  • Set-MsolDomainAuthentication
  • Convert-MsolDomainToStandard or Convert-MsolDomainToFederated

Configuring Office 365 / Azure AD Authentication via Azure AD Connect

While configuring Azure AD Connect, we have an option to select the sign-in option, including the ADFS configuration, which will convert the domain and create the relying party trust during the Azure AD Connect configuration.

Note that Password Hash Sync and Pass-through Authentication can be configured only from Azure AD Connect.

Manage Authentication

To change the authentication method,

On the AD Connect Configuration Wizard -> Configure -> Configure Sign-in Options, select the authentication method required for your organization.

To view the configured authentication method,

MFA can be enabled or disabled from the properties of the User Account or via Conditional Access Policy.

Monitor authentication

Azure AD Sign-in logs are available for 30 days for review; we can navigate to the Azure AD portal to view the Sign-in logs. This requires Azure AD P1 or P2.

To view the Sign-In logs: Azure AD -> Sign-Ins
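As an added example (not part of the original post), the Python below runs two checks a reviewer of the Sign-in logs would want: a password-spray indicator (many distinct accounts failing with bad credentials from one source address within a short window) and successful single-factor sign-ins by privileged accounts. Field names follow the Microsoft Graph signIn schema; the records, addresses and UPNs are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Azure AD sign-in error code for "invalid username or password".
ERR_INVALID_CREDENTIALS = 50126

# Constructed sample records shaped like Microsoft Graph signIn objects.
# IPs are from documentation ranges; UPNs and times are made up.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2019-05-31T08:00:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": ERR_INVALID_CREDENTIALS},
     "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2019-05-31T08:02:00Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "203.0.113.10", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": ERR_INVALID_CREDENTIALS},
     "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2019-05-31T08:05:00Z", "userPrincipalName": "carol@contoso.example",
     "ipAddress": "203.0.113.10", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": ERR_INVALID_CREDENTIALS},
     "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2019-05-31T08:06:00Z", "userPrincipalName": "dave@contoso.example",
     "ipAddress": "203.0.113.10", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": ERR_INVALID_CREDENTIALS},
     "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2019-05-31T08:10:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.5", "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 0},
     "authenticationRequirement": "multiFactorAuthentication", "conditionalAccessStatus": "success"},
    {"createdDateTime": "2019-05-31T08:20:00Z", "userPrincipalName": "admin-eve@contoso.example",
     "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal",
     "status": {"errorCode": 0},
     "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2019-05-31T09:30:00Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "192.0.2.44", "appDisplayName": "Office 365 SharePoint Online",
     "status": {"errorCode": ERR_INVALID_CREDENTIALS},
     "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2019-05-31T11:00:00Z", "userPrincipalName": "frank@contoso.example",
     "ipAddress": "203.0.113.10", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": ERR_INVALID_CREDENTIALS},
     "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied"},
]


def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def spray_sources(records, min_users=3, window=timedelta(minutes=30)):
    """Map source IP -> largest number of distinct accounts that failed with
    bad credentials from that IP inside any span of `window`; IPs below
    `min_users` are dropped. Many accounts, one source, short time is the
    classic password-spray shape (one bad password per account)."""
    failures = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == ERR_INVALID_CREDENTIALS:
            failures[r["ipAddress"]].append((_ts(r), r["userPrincipalName"].lower()))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            best = max(best, len(users))
        if best >= min_users:
            flagged[ip] = best
    return flagged


def single_factor_admin_signins(records, admin_upns):
    """Successful sign-ins by privileged accounts that satisfied only a single
    factor, i.e. MFA was neither enforced per account nor by Conditional Access."""
    admins = {u.lower() for u in admin_upns}
    return [r for r in records
            if r["userPrincipalName"].lower() in admins
            and r["status"]["errorCode"] == 0
            and r["authenticationRequirement"] == "singleFactorAuthentication"]


if __name__ == "__main__":
    print("possible spray sources:", spray_sources(SAMPLE_SIGNINS))
    for r in single_factor_admin_signins(SAMPLE_SIGNINS, ["admin-eve@contoso.example"]):
        print("admin without MFA:", r["userPrincipalName"], r["ipAddress"], r["appDisplayName"])
```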

MS-100 Manage User Roles

May 31st, 2019 | Posted by admin in Exchange - (0 Comments)

Plan User Roles

Below are the admin roles available in Azure AD. We can plan to assign these roles to the users who manage the Microsoft 365 services.

To manage User Settings

From the Azure Portal, navigate to Azure AD -> User Settings to manage the options below:

  • Plan the Enterprise Application settings required for your organization
  • Decide whether to restrict access to the Azure AD administration portal
  • Allow or restrict users from registering applications on their own
  • Manage the external collaboration settings

Allocate Roles in workloads

By default, the Tenant Admin (Global Admin) has full access to all the Microsoft 365 workloads. In addition, the Global Admin can designate other users as administrators of specific Microsoft 365 workloads like EXO and SPO.

Exchange Online

Below are the roles available in Exchange Online; with RBAC we have the option to define granular permissions based on our requirements.

Skype for Business and Microsoft Teams

Below are the default admin roles available for Skype for Business and Microsoft Teams

SharePoint and OneDrive

SharePoint Online and OneDrive for Business have only one default admin role, SharePoint Administrator. For more granular control, we can assign particular users as Site Collection Administrators.

Configure Administrative Accounts:

We know the administrative accounts in Azure AD listed below; these can be delegated to the respective service administrators.

We can take the steps below to secure and monitor administrative accounts:

  • Configure MFA to protect those accounts
  • Configure a Conditional Access policy to allow administrator account usage only from the corporate network
  • Configure Access Reviews for the administrative role groups
  • Configure Identity Protection for administrative accounts
  • Use PIM to elevate permissions temporarily

Configure RBAC within Azure AD

Delegate admin rights

Manage admin roles

To assign an Azure AD Role,

Open the user's properties and assign the admin roles above based on the service that the user manages.

To view the sign-in logs, the user has to be a member of the Security Administrator, User Administrator and Compliance Management roles.

Manage role allocations by using Azure AD

Plan security and compliance roles for Microsoft 365

Security and Compliance

We have the default role groups below available in Security and Compliance. We can customize these based on our requirements using the 29 available roles.

  • Reviewer: Use a limited set of the analysis features in Office 365 Advanced eDiscovery. Members of this group can see only the documents that are assigned to them.
  • Records Management: Members of this management role group have permissions to manage and dispose of record content.
  • Security Administrator: Members have the Security Reader permissions plus DLP Compliance Management, Device Management and Audit Logs.
  • Organization Management: Members of this management role group have permissions to manage Exchange objects and their properties in the Exchange organization. Members can also delegate role groups and management roles in the organization. This role group should not be deleted.
  • Supervisory Review: Members can control policies and permissions for reviewing employee communications.
  • Compliance Administrator: Members can manage settings for device management, data loss prevention, reports, and preservation.
  • Security Reader: Members can view the alerts, view DLP Compliance Management, view Device Management, and hold the Security Reader role.
  • eDiscovery Manager: Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations.
  • Service Assurance User: Members can review documents related to security, privacy, and compliance in Office 365 to perform risk and assurance reviews for their own organization.
  • Mail Flow Administrator: View-Only Recipient role assigned.

MS-100 Manage Azure AD identities

May 31st, 2019 | Posted by admin in Exchange - (0 Comments)

Plan Azure AD identities

We have identity options like Cloud Identity and Federated Identity when deploying Microsoft 365. Planning Azure AD identity includes:

  • Plan to enable SSO for the cloud applications.
  • If you have Federated Identity, see whether you can move from Federated Identity to Cloud Identity by implementing Password Hash Sync and Seamless SSO.
  • Plan for Self-Service Password Reset when you have cloud identity.
  • Plan for on-premises application authentication via the cloud using Application Proxy.
  • Plan for providing access to all the cloud applications via the Access Panel.

Implement and manage Azure AD self-service password reset

If we use cloud identity, we can enable Azure AD Self-Service Password Reset so that end users can reset their passwords on their own, which helps reduce help desk cost.

To Implement and Manage Azure AD SSPR:

  1. Enable SSPR

Azure Portal -> Azure AD -> Password Reset -> select All, or a specific group based on your requirement -> select the allowed authentication methods

  2. Enable Password Writeback

Step 1: On the AD Connect Configuration Wizard -> Configure -> Customize Synchronization Options -> enable password writeback

Step 2: Azure Portal -> Azure AD -> Password Reset -> On-premises Integration -> enable writing back passwords to the on-premises organization

Manage access reviews

Azure AD Access Reviews enable organizations to manage group memberships, access to enterprise applications, and role assignments. Users' access is reviewed on a regular basis to make sure only the right people have continued access.

To Onboard or Enable Access Reviews in Azure AD:

Azure Portal -> All Services -> search for Access Reviews -> Onboard -> Create -> New Access Review based on your requirement (reviewing a group membership, a role membership or application access) -> set the reviewers for the selected option.

Tips: An Azure AD P2 or EMS E5 license is required to use this feature.

Reviewers have to complete the reviews from the Azure AD PIM portal, and we can manage the reviews from the Azure AD PIM portal as well.

Manage groups

Two types of groups, Security and Office 365, can be created in Azure AD. To create a group: Azure Portal -> Azure AD -> Groups -> New Group.

Group types:

Security: Used to manage member and computer access to shared resources for a group of users.

Office 365: Provides collaboration opportunities by giving members access to a shared mailbox, calendar, files and SharePoint site. Users from external organizations can be members of Office 365 groups.

Membership type is specified in Azure AD groups as:

Assigned: Members are added explicitly, giving the members of the group unique permissions.

Dynamic User: Uses dynamic group rules to automatically add and remove members based on user attributes.

Dynamic Device: Uses dynamic group rules to automatically add and remove devices based on device attributes.

Group owners have access to manage the members of the group; if a group owner is not specified, the resource owner (administrator) has owner permission by default.

Tips: Group management tasks like creating or deleting a group, adding or removing members, and assigning or removing an owner can be done from Azure AD Portal -> Groups.

Groups synchronized from on-premises AD, whether security groups or dynamic distribution groups, are managed from on-premises AD only.

Manage Passwords

Controlling Passwords:

Organizations using pure Cloud Identity can use Azure AD Password Protection to block the use of passwords on the global banned password list or a custom banned password list.

Organizations using Hybrid Identity can install the Azure AD Password Protection agent in on-premises AD to validate password changes against the global banned password list and the custom banned password list in on-premises AD.

Managing Password Resets:

Password reset policies are defined for administrator roles and user accounts based on the controls we want to implement, like password complexity, password reset duration, etc.

If SSPR is enabled on Hybrid Identity with Password Hash Sync, set the authentication methods and inform the users to register those methods so that password reset is easier when required.

Requiring users to register the password reset options when they sign in forces them to register the methods selected by the administrator.

Tips: Azure AD Premium P1 or P2 is required to use the Password Protection feature with the Hybrid Identity method.

To set a custom banned password list, Azure Portal -> Azure AD -> Authentication Methods -> Password Protection -> Create a New Custom list

Manage product licenses

Microsoft 365 includes Windows 10 Enterprise, Office 365 E3 / E5 and EMS E3 / E5; you need to have those subscriptions. To view the status of the services in a subscription:

(Get-MsolAccountSku | Where-Object {$_.AccountSkuId -eq "SuperHybridCloud:ENTERPRISEPACK"}).ServiceStatus

Manage users

You know how to manage Users

Perform bulk user management

No additional information is required, I believe, as this is familiar to you all.

Monitor Azure AD Connect Health

Azure AD Connect Health monitoring covers Azure AD Connect Sync, on-premises AD DS and ADFS.

View the health of the configured services (Sync, ADFS and AD DS) in the Azure AD Connect Health portal.

The Azure AD Connect Health Sync agent on the AD Connect server monitors the objects synced from on-premises AD to Azure AD. It highlights errors and status for:

  • Duplicate Attributes
  • Data Mismatch
  • Data Validation Failure
  • Large Attribute
  • Federated Domain Change
  • Existing Admin Role Conflict, and a few others

Monitoring & Alerting: To get the health alerts or Sync errors as email, configure the notification settings.

We can navigate to the below path to install the Azure AD Connect Health Agent

To verify the AD Connect Health Agent status, we can run the below command from administrative PowerShell.

Test-AzureADConnectHealthConnectivity -Role ADFS | ADDS | Sync

Go through all the available settings in your environment

Manage Azure AD Connect synchronization

Running the Azure AD Connect Configuration Wizard helps manage the tasks below in AD Connect. You need to know what can be done with these tasks.

We need to know the Sync Scheduler options to manage the synchronization type, sync interval, etc.

The management tasks below can be done based on requirements.

  • Enabling Device Writeback: If we want to manage an application on-boarded through ADFS by configuring a Relying Party Trust, and we have a requirement to allow the application only from managed devices (Conditional Access), then we can enable Device Writeback.

Navigate to Azure AD Connect Configuration -> Device Options

  • Enabling Group Writeback: Enabling this option writes the Office 365 groups back to on-premises AD, so on-premises Exchange mailboxes can see those groups in the GAL to send and receive emails.

Navigate to Azure AD Connect Configuration -> Group Writeback

  • Preventing Accidental Deletions: By default, AD Connect stops the export if the number of deletions is more than 500. We can get the current configuration using Get-ADSyncExportDeletionThreshold and configure the threshold using Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500

  • Configuring Run Profiles: Run profiles do the actual synchronization; the run profiles involved in synchronization are:
    • Full Import
    • Full Synchronization
    • Delta Import
    • Delta Synchronization
    • Export

Configure object filters

Filtering helps to control which objects appear in Azure Active Directory (Azure AD) from your on-premises directory.

We can open the properties of the connector to change the group-based, domain-based or OU-based filters.

Filtering can be applied based on Group, Domain, OU and Attributes.

Attribute filtering is based on the attributes that need to be synchronized. Inbound filtering is applied from Active Directory to the metaverse, and outbound filtering from the metaverse to Azure AD. Microsoft recommends applying inbound filtering because it is the easiest to maintain; use outbound filtering only if it is required to join objects from more than one forest.

Configure password sync

Azure AD Connect synchronizes a hash of the hash of a user's password from the on-premises Active Directory instance to the cloud-based Azure AD instance.

To use password hash synchronization

  • Open Azure AD Connect.
  • Configure directory synchronization
  • Enable password hash synchronization.

We can configure federated SSO and, if there is an outage in the ADFS infrastructure, change the authentication method to cloud authentication.

Implement multi-forest AD Connect scenarios

If an organization has multiple forests, it can use Azure AD Connect to synchronize the objects from the different forests to Azure AD.

The Azure AD Connect installation wizard offers several options to consolidate users who are represented in multiple forests. The goal is that a user is represented only once in Azure AD.

The default configuration in Azure AD Connect sync assumes:

  • Each user has only one enabled account, and the forest where this account is located is used to authenticate the user. This assumption is for password hash sync, pass-through authentication and federation. UserPrincipalName and sourceAnchor/immutableID come from this forest.
  • Each user has only one mailbox.
  • The forest that hosts the mailbox for a user has the best data quality for attributes visible in the Exchange Global Address List (GAL). If there is no mailbox for the user, any forest can be used to contribute these attribute values.
  • If you have a linked mailbox, there is also an account in a different forest used for sign-in.

Tips: Deploying multiple AD Connect servers in a multi-forest environment to synchronize objects to a single Azure AD tenant is not supported.

Design directory synchronization

Understand your current infrastructure and plan for synchronizing identities to Azure AD using AD Connect. If you have more than 5000 employees and an on-premises AD, then go for Azure AD Connect with ADFS servers.

Things like attribute filtering, an AD Connect staging server for high availability, HA for the ADFS and WAP servers, and the writeback options are considered based on your requirements.

If you have a multi-forest environment, deploy one AD Connect server to synchronize the objects from all the forests, with settings like those below.

Implement directory synchronization with directory services, federation services, and Azure endpoints

Prerequisites for Implementing Directory Synchronization:

  • Azure AD Subscription
  • Enterprise Admin in on-premises AD and Global Admin in Azure AD
  • Outbound Connectivity to Azure IP addresses
  • Windows 2008 R2 or later for Password Hash Sync and Password writeback
  • SQL Server Instance
  • Certificate that has the federation service name
  • DNS record for the ADFS federation service name, both internal and public.
  • Add the federation service name to the intranet zone for Windows Integrated Authentication to work for browser applications from the intranet.
  • Add the federated domain UPN suffix.

Tips: For the intranet DNS record, ensure that you use A records and not CNAME records. This is required for Windows authentication to work correctly from your domain-joined machine.

The minimum requirements for computers running AD FS or Web Application Proxy servers are the following:

  • CPU: Dual core 1.6 GHz or higher
  • MEMORY: 2 GB or higher

Implementing ADFS / Federated Identity

  • Install the ADFS server role
  • Configure the ADFS server role
    • The certificate should match the ADFS federation service name
    • WID or SQL can be used based on your requirement
    • ADFS service account
  • Install and configure the WAP proxy
    • Configure the SSL certificate
    • Make sure the WAP server is able to resolve the ADFS service name
    • The public DNS record of the ADFS service name should point to the WAP server
  • Configure the federation trust with Office 365
    • Connect to Microsoft Online Service: Connect-MsolService
    • Set the MSOL ADFS context server: Set-MsolADFSContext -Computer ADFSServerName.SuperHybridCloud.Com
    • Convert the domain to a federated domain: Convert-MsolDomainToFederated -DomainName
    • Verify the federation: Get-MsolFederationProperty -DomainName
    • Enable the IdP-initiated sign-on page for further verification: Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

MS-100 Design Identity Strategy

May 25th, 2019 | Posted by admin in Exchange - (0 Comments)

Evaluate requirements and solution for synchronization

Directory synchronization is the identity provisioning choice for enterprise customers moving to Office 365. Directory synchronization allows identities to be managed in on-premises AD, with all updates to those identities synchronized to Office 365.

Azure AD Connect is the solution to synchronize on-premises objects to Azure AD.

As part of Directory preparation, you need to know how to configure these parameters.

Attribute updates – Know the attributes that are going to sync to Azure AD. It is recommended to leave the default selection when configuring Azure AD Connect for directory synchronization with Azure AD. You should know how to stop the sync of an attribute or an object to Azure AD.

Domain controller placement – It is obvious to keep the directory sync server on the site which has the DC.

Determining the permissions required – Azure AD Connect requires the accounts below.

For Synchronization:

  • AD DS Connector account: used to read/write information to Windows Server Active Directory
  • ADSync service account: used to run the synchronization service and access the SQL database
  • Azure AD Connector account: used to write information to Azure AD

For Installation and Configuration:

  • Local Administrator Permission
  • AD Enterprise Administrator
  • Azure AD Global Administrator
  • SQL delegation to configure the DB

Planning for multi-forest/directory scenarios – Microsoft recommends consolidating multiple forests into a single forest before migrating to Office 365.

Capacity planning for Directory Sync – We need a server with a decent configuration for directory synchronization and normal hardware for the SQL installation.

Two-way synchronization – You need to understand the writeback options available and which are required for your organization.

By default, Hybrid Exchange writes back the attributes below from Azure AD to on-premises AD.

In addition, AD Connect has Group Writeback, Device Writeback and Password Writeback options.

Evaluate requirements and solution for identity management

Two identity models are available: Cloud Identity and Federated Identity.

Cloud Identity: Identities are created directly in Azure AD, and authentication and authorization are done in Azure AD only. We can create objects using PowerShell or from the Office 365 Admin Portal.

Federated Identity: The source of authority is on-premises AD, and the on-premises AD objects are synced to Azure AD using Azure AD Connect; the Microsoft 365 services are enabled by assigning a license. When a user tries to access a Microsoft 365 service, Azure AD redirects the user to obtain an authentication token from on-premises AD through the Web Application Proxy and ADFS server; once the valid token from on-premises AD is presented to Azure AD, the services are allowed for the user.

We need to plan and understand the requirements for the Azure AD Connect deployment and ADFS servers.

Evaluate requirements and solution for authentication

When it comes to authentication, as with identity methods, we have Cloud Authentication and Federated Authentication.

Cloud Authentication: The identity can be on-premises or in Azure AD, but the authentication happens in Azure AD.

Cloud Authentication: Users are created in Azure AD, and authentication and authorization happen in Azure AD itself.

Password Hash Sync with Seamless SSO: User management is on-premises, and you synchronize objects and password hashes to Azure AD.

Pass-through Authentication with Seamless SSO: User management is on-premises, and you synchronize objects. Authentication is done by the Azure AD authentication service by running a small agent on-premises to validate the user identity against on-premises AD. A maximum of 12 Pass-through Authentication agents can be installed: 1 primary and 11 standalone.


Federated Authentication:

On-premises directory objects are synchronized with Office 365, and user accounts are managed on-premises. When a user accesses an Office 365 service, they are redirected to on-premises AD via the ADFS servers. Below are the options available for planning based on your requirements.