Author Archives: admin

MS-100 Manage Authentication

May 31st, 2019 | Posted by admin in Exchange - (0 Comments)

Manage Authentication

To manage the authentication options, we need to know the Authentication Methods available and how that works.

Understanding Authentication Methods:

Below are the authentication options or Sign-In options available for Office 365 / Azure AD.

  • Federation Authentication
  • Password Hash Synchronization Authentication
  • Pass-through Authentication
  • Seamless SSO (enabled when choosing PHS or PTA)

Federated Authentication

Most of the Companies preferred to use federated authentication. When the federation sign in option enabled, the domain used for authentication will be configured as federated domain in Azure AD. Below shows the authentication flow for federation sign-in

How it works

To explain the Federation Sign-in flow, when you access any claims aware application that trusts Azure AD as the STS, the application will redirect you to authenticate with Azure AD, Azure AD prompts you to login with the user name option only and when you enter the user name, the domain validated whether it is a federated domain. Since it is a federated domain, you are redirected to On-Premise ADFS infrastructure with a Token Request from On-Premise AD, (to WAP server if you are in Internet and to ADFS server if you sign-in from Intranet). ADFS receive the SAML request and prompts you to enter the user name and password passed and it authenticates with Active Directory. On successful authentication with AD, ADFS send a Security token with claims to User that will be send back to Azure AD. Azure AD evaluates the token response and if valid response, Azure AD confirms the successful authentication and user will be allowed to access the application.

Note: You need to maintain a ADFS infrastructure to have this federation sign-in option and it is having additional benefits like you use On-Premise MFA server for multifactor authentication.

Password Hash Synchronization Authentication

No need to confuse about the Password Synchronization option, we are not directly synchronizing the password from On-Premise to Azure AD. Only the Hash of the Password hash synchronized with Azure AD using Azure AD connect.

How it works

When Password Hash Synchronization authentication enabled for the tenant, Hash of the password hash is available in Azure AD after Synchronization. If a user access a Azure Integrated application, user redirected to authenticate with Azure AD, Azure AD prompt the user to enter the credential, both user name and the password will be entered in Azure AD authentication dialogue window and it will be validated against the hash Synced in Azure. If successful, user provided with security token to authenticate the service\application. Switching from one application to other prompts the user to validate the credential when this sign-in option used.

Pass-through Authentication

If we use the Pass-through authentication, user name the password gathered in Azure AD but Passwords validated in On-Premise AD. AuthN Agent configured in AD Connect or any member server supports this Pass through Authentication. Below shows the pass-through authentication flow.

How it works

When user access any office 365 application, it will redirect the user to Azure AD for authentication, Azure AD prompt the user to enter both the user and password and it will be sent to AuthN agent server in On-Premise using a securing tunnel established when configuring the AuthN agent. AuthN agent component validate the user name and password with Active Directory using a Win32 API call to Active Directory and the successful authentication will be sent back to Azure AD. Azure AD authentication successful and send a security token to access the application, the user will gain access to Application.

Seamless Single Sign-On Authentication

Seamless SSO works with Password Hash Synchronization and Pass-through authentication. For the seamless SSO to work, the machine has to be domain joined and should have access to AD. Machine authenticates with Azure AD using Kerberos token.

How it works

When Seamless SSO enabled, new computer object created in AD that holds 2 SPN for authentication with Azure AD. Let us take User access a claims aware application, user will be redirected to Azure AD for authentication, Azure AD instructs the client to do an authentication test to find the client is SSO capable and it will send an unauthorized response and to get a token a token from AD. Client requests a Kerberos token ticket from AD and the same will be send it to Azure AD, Azure AD returns a security token which will sent to application and the authentication will be successful.

If Seamless SSO fails, the other enabled option PTA or PHS used for authentication.

Design Authentication Method:

You can choose from below Authentication methods and design your Azure Authentication

  • Cloud Authentication.
  • Federated Authentication
  • Federated Authentication with Password Hash Sync
  • Federated Authentication with Pass-Through Authentication
  • Seamless SSO with Password Hash Sync
  • Seamless SSO with Pass-Through Authentication

Configure Authentication

Enterprise Customers will deploy ADFS for authentication and we will see how to configure Microsoft 365 Authentication using ADFS

ADFS configuration requires

  • Domain Admin Account
  • Publically Trusted Certificate for SSL server authentication
  • ADFS Prerequisites like ADFS Service Name, Service Account, and SQL Database etc.
  • DNS A records for ADFS Service Name in Internal and External DNS
  • Domain going to be federated to added and verified in Azure

Once any of the above authentication method selected, we have the option to Configure Multi factor Authentication for end users.

MFA can be enabled at the account level or it can be enabled per application by using Conditional Access.

ADFS Supports certificate based authentication (smart card certificates)

Implement Authentication Method

Below are the two options available for configuring authentication for Office 365.

Configuring Office 365 / Azure AD Authentication via ADFS

Once the ADFS infrastructure deployed, we need to convert the required domain as federated domain using the below 2 commands

Set-MsolADFSContext -Computer ADFS_Server_FQDN

Convert-MsolDomainToFederated –DomainName

Above command will convert the domain as federated domain and it will create a relying party trust for Office 365 services with default claims required for Authentication.

To covert a domain to standard (Managed) or federated, we can use any of the below PowerShell Commands

  • Set-MsolDomainAuthentication
  • Convert-MsolDomainToStandard or Convert-MsolDomainToFederated

Configuring Office 365 / Azure AD Authentication via Azure AD Connect

While configuring the AD Connect, we will have an option to select the sign in option also the ADFS configuration which will convert the domain and create the relying party trust during the Azure AD Connect configuration.

Make a note, Password Hash Sync and Pass through authentication can be done only from Azure AD Connect.

Manage Authentication

To change the authentication method,

On the AD Connect Configuration Wizard -> Configure -> Configure Sign in Options and select the authentication method required for your organization.

To view the configured authentication method,

MFA can be enabled or disabled from the properties of the User Account or via Conditional Access Policy.

Monitor authentication

Azure AD Sign-In Logs are available for 30 days for review; we can navigate to Azure AD portal to view the Sign-In logs. It requires Azure AD P1 or P2

To view the Sign-In logs: Azure AD -> Sign-Ins

MS-100 Manage User Roles

May 31st, 2019 | Posted by admin in Exchange - (0 Comments)

Plan User Roles

Below are the admin roles available in Azure AD. We can plan to designate the roles to user who manage the Microsoft 365 Services.

To manage User Settings

From the Azure AD Portal, navigate to Azure Portal -> Azure AD -> User Settings to manage the below options

Plan the Enterprise Application settings required for your organization

Are you going to restrict access to Azure AD Administration Portal?

Allow \ Restrict users to register an application on their own

Manage external Collaboration Setting

Allocate Roles in workloads

By default, Tenant admin \ Global Admin will have full access to all the Microsoft 365 workloads. In addition, Global Admin can designate other users as administrators on specific Microsoft 365 workloads like EXO and SPO

Exchange Online

Below are Roles Available in Exchange Online, we have the RBAC option to define granular permission based on our requirement.

Skype for Business and Microsoft Teams

Below are the default admin roles available for Skype for Business and Microsoft Teams

SharePoint and OneDrive

SharePoint Online and OneDrive for Business Administrator has only one default admin role – SharePoint Administrator. To give granular control we can assign the particular users are Site Collection Administrators.

Configure Administrative Accounts:

We know the below administrative accounts in Azure AD and this can be delegated to respective service administrator.

We can configure below steps to monitor administrative accounts.

  • Configure MFA to protect those accounts
  • Configure Conditional Access Policy to allow the administrator account usage only from Corporate Network
  • Configure Access Reviews for the Administrative Role Groups
  • Configure Identity Protection for Administrative Accounts
  • Use PIM to elevate the permission temporary

Configure RBAC within Azure AD

Delegate admin rights

Manage admin roles

To assign an Azure AD Role,

Open the User properties and assign the above admin roles based on the service that he is managing.

To view the sign in logs, user has to be member of Security Administrator, User Administrator and Compliance Management Role.

Manage role allocations by using Azure AD

Plan security and compliance roles for Microsoft 365

Security and Compliance

We have the below Default Roles Groups available in Security and Compliance. We can customize this based on our requirement with 29 Roles.

  • Reviewer: Use a limited set of the analysis features in Office 365 Advanced eDiscovery. Members of this group can see only the documents that are assigned to them
  • Records Management: Members of this management role group have permissions to manage and dispose record content.
  • Security Administrator: Members has permission like Security Reader + DLP Compliance Management, Device Management and Audit Logs
  • Organization Management: Members of this management role group have permissions to manage Exchange objects and their properties in the Exchange organization. Members can also delegate role groups and management roles in the organization. This role group should not be deleted.
  • Supervisory Review: Members can Control policies and permissions for reviewing employee communications.
  • Compliance Administrator: Members can manage settings for device management, data loss prevention, reports, and preservation.
  • Security Reader: Members can View the Alerts, View DLP Compliance Management, View Device Management and Security Reader
  • eDiscovery Manager: Members can Perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations
  • Service Assurance User: Members can review documents related to security, privacy, and compliance in Office 365 to perform risk and assurance reviews for their own organization
  • Mail Flow Administrator: View Only Recipient Role Assigned

MS-100 Manage Azure AD identities

May 31st, 2019 | Posted by admin in Exchange - (0 Comments)

Plan Azure AD identities

We have the Identity options like Cloud Identity and Federated Identity when deploying Microsoft 365. Planning Azure AD Identity includes

  • Plan to enable SSO for the cloud applications.
  • You may have federated Identity, see if you can move from Federated Identity to Cloud Identity by implementing Password Hash Sync and Seamless SSO.
  • Plan for Self Service Password Reset when you have cloud identity
  • Plan for On-Premise application authentication via cloud using Application Proxy.
  • Plan for providing access to all the cloud application via Access Panel

Implement and manage Azure AD self-service password reset

If we use cloud identity, then we can enable Azure AD Self Service Password Reset so that end users can reset their passwords on their own which helps to reduce the help desk cost.

To Implement and Manage Azure AD SSPR:

  1. Enable SSPR

Azure AD Portal -> Azure AD -> Password Reset -> Select All or based on your requirement -> Select the allowed authentication methods

  1. Enabled Password Writeback

Step 1: On the AD Connect Configuration Wizard -> Configure -> Customize Synchronization Options -> enabled password writeback

Step 2: Azure Portal -> Azure AD -> Password Reset -> On-Premise Integration -> Enabled Writeback passwords to On-Premise Organization

Manage access reviews

Azure AD Access Reviews enable organizations to manage group memberships, access to enterprise applications, and role assignments. User’s access reviewed on a regular basis to make sure only the right people have continued access.

To Onboard or Enable Access Reviews in Azure AD:

Azure Portal -> All Services -> Search for Access Reviews -> Onboard -> Create -> New Access Review based on your requirement like reviewing a group membership or role membership or an application access -> set the reviewers for the selected option.

Tips: Azure AD P2 or EMS E5 license required to use this feature.

Reviewers has the complete the reviews from Azure AD PIM portal. We can manage the reviews from Azure AD PIM Portal

Manage groups

Two type of groups Security and Office 365 created in Azure AD. To create a Group, Azure Portal -> Azure AD -> Groups -> Create a New Group.

Group Types: Security and Office 365 created in Azure AD

Security: Used to manage member and computer access to shared resources for a group of users

Office 365: Provides collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site. Users from external organization can be member of Office groups.

Membership type specified in Azure AD groups as

Assigned: To have unique permission for the members of the group

Dynamic User: Uses dynamic group rules to automatically add and remove members based on user attributes.

Dynamic Device: Uses dynamic group rules to automatically add and remove devices based on device attributes.

Group Owners will have access to manage the members of the group, if a group owner is not specified, the resource owner (administrator) will have owner permission by default.

Tips: Groups Management like New Group creation, deletion, adding / removing members, assigning / removing an owner can be done from the Azure AD Portal -> Group.

Groups either Security group or Dynamic Distribution Group Synchronized from On-Premise AD will be managed from On-Premise AD only.

Manage Passwords

Controlling Passwords:

Organizations using pure Cloud Identity can use the Azure AD Password Protection to restrict the use of users using Global Banned password list or Custom banned password list.

Organization using Hybrid Identity can use the Azure AD Password Protection agent installed in On-Premise AD to validate Global Banned password list or Custom banned password list usage in On-Premise AD.

Managing Password Resets:

Password Reset Policies defined for administrator roles and user accounts based on the controls that we want to implement like, Password Complexity, password reset duration etc.

If SSPR enabled on Hybrid Identity with Password Hash Sync, then set the authentication methods and inform the users to register the method for easier password reset when required.

Require user to register the password reset option when sign in will force the users to register the method selected by administrator.

Tips: Azure AD Premium P1 or P2 is required to use Password Protection feature in Hybrid Identity Method.

To set a custom banned password list, Azure Portal -> Azure AD -> Authentication Methods -> Password Protection -> Create a New Custom list

Manage product licenses

Microsoft 365 includes Windows 10 Enterprise, Office 365 Services E3 / E5 and EMS E3 / E5. You need to have those subscriptions. To view the services status on the subscription

(Get-MsolAccountSku | where {$_.AccountSkuId -eq SuperHybridCloud:ENTERPRISEPACK”}).ServiceStatus

Manage users

You know how to manage Users

Perform bulk user management

No additional information required I believe as this is familiar to you all.

Monitor Azure AD Connect Health

Azure AD Connect health monitoring involves the monitoring for Azure AD Connect Sync, On-Premise AD and ADFS.

View health of the configured services like Sync, ADFS & ADDS on the Azure AD in Azure AD health monitoring portal.

Azure AD Connect Health Sync agents on the AD Connect Server monitors the objects Sync from On-Premise to Azure AD. It will highlight the error\status results for

  • Duplicate Attributes
  • Data Mismatch
  • Data Validation Failure
  • Large Attribute
  • Federate Domain Change
  • Existing Admin Role Conflict and few others

Monitoring & Alerting: To get the health alerts or Sync errors as email, configure the notification settings.

We can navigate to the below path to install the Azure AD Connect Health Agent

To verify the AD Connect Health Agent status, we can run the below command from administrative PowerShell.

Test-AzureADConnectHealthConnectivity -Role ADFS | ADDS | Sync

Go through all the available settings in your environment

Manage Azure AD Connect synchronization

Running the Azure AD Connect Configuration wizard helps to manage below task in AD Connect. You need to know what we can do with the below tasks.

We need to know the Sync Scheduler option to manage the Synchronization Type, Sync Interval etc.

Below management task can be done based on requirement.

  • Enabling Device Write back: If we want to manage any application on boarded through ADFS by configuring a Relying Party Trues and if we have a requirement to allow the application only from managed devices (Conditional Access), then we can enable Device Write Back.

Navigate to Azure AD Connect Configuration -> Device Options

  • Enabling Group Write back: enabling this option will write the Office 365 groups back to On-Premise AD and On-Premise Exchange mailbox can see those group in GAL to send and receive emails.

Navigate to Azure AD Connect Configuration -> Group Writeback

  • Preventing Accidental Deletions: By default, AD Connect will stop the deletion if the count is more than 500. We can get the current configuration using Get-ADSyncExportDeletionThreshold and configure the threshold using Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500


  • Configuring Run Profiles: Run profiles actually do the Synchronization, we need to run profiles involved in the Synchronization
    • Full Import
    • Full Synchronization
    • Delta Import
    • Delta Synchronization
    • Export

Configure object filters

Filtering helps to control which objects appear in Azure Active Directory (Azure AD) from your on-premises directory.

We can select the properties of the connector to change the Group based / Domain based / OU based filters.

Filtering can be applied based on Group, Domain, OU and Attributes.

Attribute filtering based on attributes to require to Synchronize. Apply inbound filtering from Active Directory to the metaverse, and outbound filtering from the metaverse to Azure AD. Microsoft recommend that you apply inbound filtering because that is the easiest to maintain. You should only use outbound filtering if it is required to join objects from more than one forest

Configure password sync

Azure AD Connect synchronizes a hash, of the hash, of a user’s password from an on-premise Active Directory instance to a cloud-based Azure AD instance.

To use password hash synchronization

  • Open Azure AD Connect.
  • Configure directory synchronization
  • Enable password hash synchronization.

We can configure federated SSO and change the authentication method as Cloud authentication if any outage with ADFS infrastructure.

Implement multi-forest AD Connect scenarios

If an organization is having multi forest, then they can use Azure AD Connect to synchronize the objects from different forest to Azure AD.

Azure AD Connect installation wizard offers several options to consolidate users who are represented in multiple forests. The goal is that a user is represented only once in Azure AD

The default configuration in Azure AD Connect sync assumes:

  • Each user has only one enabled account, and the forest where this account is located is used to authenticate the user. This assumption is for password hash sync, pass-through authentication and federation. UserPrincipalName and sourceAnchor/immutableID come from this forest.
  • Each user has only one mailbox.
  • The forest that hosts the mailbox for a user has the best data quality for attributes visible in the Exchange Global Address List (GAL). If there is no mailbox for the user, any forest can be used to contribute these attribute values.
  • If you have a linked mailbox, there is also an account in a different forest used for sign-in.

Tips: Multi forest with Multi AD connect deployment to synchronize the objects to single Azure AD tenant not supported.

MS-100 Plan Identity Sync using AD Connect

May 25th, 2019 | Posted by admin in Exchange - (0 Comments)

Design directory synchronization

Understand your current Infrastructure and Plan for Synchronizing Identities to Azure AD using AD Connect. If you have more than 5000 employees and an On-Premise AD, then go for Azure AD connect with ADFS servers.

Things like Attribute Filtering, AD Connect Staging Server for High Availability, HA for ADFS and WAP server and the Writeback options considered based on your requirement.

If you have multi forest environment, then deploy one AD Connect Server and Synchronize the Object from all the forest and have the settings like below

Implement directory synchronization with directory services, federation services, and Azure endpoints

Prerequisites for Implementing Directory Synchronization:

  • Azure AD Subscription
  • Enterprise Admin in On-Premise AD & Global Admin in Azure AD
  • Outbound Connectivity to Azure IP addresses
  • Windows 2008 R2 or later for Password Hash Sync and Password writeback
  • SQL Server Instance
  • Certificate that has the federation service name
  • DNS Record for ADFS federation service name – both for internal and public.
  • Add the federation service name in intranet zone for Windows Integrated Authentication to work for browser application from Intranet.
  • Add the Federated Domain UPN Suffix

Tips: For the intranet DNS record, ensure that you use A records and not CNAME records. This is required for windows authentication to work correctly from your domain joined machine.

The minimum requirements for computers running AD FS or Web Application Servers is the following:

  • CPU: Dual core 1.6 GHz or higher
  • MEMORY: 2 GB or higher

Implementing ADFS / Federated Identity

  • Install the ADFS Server Role
  • Configure the ADFS server Role
    • Certification should match the ADFS Federation Service Name
    • WID / SQL can be used based on your requirement
    • ADFS service account
  • Install and Configure the WAP Proxy
    • Configure the SSL certification
    • Make sure WAP server is able to resolve the ADFS service name –
    • Public DNS record of ADFS service name to be point to WAP server
  • Configure Federation Trust with Office 365
    • Connect to Microsoft Online Service connect-msolservice
    • Set the MSOL ADFS context server Set-MsolADFSContext –Computer ADFSServerName.SuperHybridCloud.Com
    • Convert the domain to Federated Domain – Convert-MsolDomainToFederated –DomainName
    • Verify the federation – Get-MsolFederationProperty –DomainName
    • Enable the idpinitatedSignOn Page for further verification – Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

MS-100 Design Identity Strategy

May 25th, 2019 | Posted by admin in Exchange - (0 Comments)

Evaluate requirements and solution for synchronization

Directory synchronization is the Identity provisioning choice for enterprise customers moving to Office 365. Directory synchronization allows identities managed in the on-premises AD and all updates to that identity synchronized to Office 365.

Azure AD connect is solution to Synchronize the On-Premise Objects to Azure AD.

As part of Directory preparation, you need to know how to configure these parameters.

Attribute updates – Know the attributes that are going to Sync to Azure AD. It is recommended to leave the default selection when configuring the Azure AD Connect for Directory Synchronization with Azure AD. You should know how to stop a Sync of an attribute or an object to Azure AD.

Domain controller placement – It is obvious to keep the Directory Sync server on the site, which has the DC.

Determining the permissions required – Azure AD Connect requirement the below accounts

For Synchronization:

  • AD DS Connector account: used to read/write information to Windows Server Active Directory
  • ADSync service account: used to run the synchronization service and access the SQL database
  • Azure AD Connector account: used to write information to Azure AD

For Installation and Configuration:

  • Local Administrator Permission
  • AD Enterprise Administrator
  • Azure AD Global Administrator
  • SQL delegation to configure the DB

Planning for multi-forest/directory scenarios – Microsoft recommends to consolidate the multi forest into single forest before migrating o Office 365.

Capacity planning for Directory Sync – We need a server with decent configuration for directory Synchronization and normal hardware for SQL installation.

Two-way synchronization – You to understand the write back options available and required for your organization.

By default, Hybrid exchange will write back below attributes from Azure AD to On-Premise AD.

In addition, AD connect has an option of Group Write Back, Device write back and Password write back options.

Evaluate requirements and solution for identity management

Two identity models are available as Cloud Identity & Federated Identity.

Cloud Identity: Identities created directly in Azure AD and Authentication and Authorization done at Azure AD only. We can create objects using PowerShell or from Office 365 Admin Portal.


Federated Identity: Source of Authority will be in On-Premise AD and the On-Premise AD objects Synced to Azure AD using Azure AD Connect to enable the Microsoft 365 services by assigning a license. When a user tries to access Microsoft 365 service, Azure AD redirects the user to get an authentication token from On-Premise AD through web application proxy and ADFS server and with the valid token from On-Premise AD to Azure AD, the services allowed for user.

We need to Plan and understand the requirements for Azure AD connect deployment and ADFS servers

Evaluate requirements and solution for authentication

When it comes to Authentication, like Identity methods we have cloud Authentication and Federated Authentication methods.

Cloud Authentication: Identity will be in On-Premise or Azure AD but the authentication happens at Azure AD.


Cloud Authentication: Users created in Azure AD and the Authentication and Authorization will happen at Azure AD itself.


Password Hash Sync with Seamless SSO: User management will be in On-Premise and you Synchronize objects and Password Hash to Azure AD.


Pass through authentication with Seamless SSO: User management will be in On-Premise and you Synchronize objects. Authentication done by Azure AD Authentication Services by running a small agent in On-Premise to validate the User identity with On-Premise AD. A max of 12 Pass-Through Authentication agents installed, 1 Primary and 11 standalones.


Federated Authentication:

On-premises directory objects synchronized with Office 365 and users accounts are managed on-premises. When a user access an Office 365 services, he will be redirected to On-Premise AD via ADFS servers. Below are the options available for planning based on your requirement.

MS-100 Plan Migration of Users and Data

May 25th, 2019 | Posted by admin in Exchange - (0 Comments)

We need to plan users and data migration options to Microsoft 365. User migration means migration of Skype for Business users to Skype for Business online and Data Migration includes mailbox migration and files migration by setting up a hybrid infrastructure for respective service.

Identify data to be migrated and method

We need to understand from where the data is going to be migrated to Microsoft 365. Below are the data migration options available

If Exchange On-Premise – Administrator can setup Hybrid Exchange infrastructure for seamless mailbox migration to Exchange Online.

  • Mailbox Move Request
  • PST Import Tool

If SharePoint / OneDrive for Business -> Administrator can move the files to SharePoint online by

  • SharePoint Migration Tool
  • Users can manually move the data once they get access to SharePoint Online site.
  • OneDrive Sync client can be used to move the data

Identify users and mailboxes to be migrated and method

User identification is to find which email systems user is using for example, if exchange On-Premise, we can setup Hybrid Exchange Infrastructure and can migrate the mailbox. If it is a Gmail system, we have the option to migrate the email from Gmail to Office 365. We need to identify the existing email system and do a planning with the available data migration options.

Plan migration of on-premise users and groups

User migration, in other words synchronizing the users to Azure AD / Office 365 can be done via Azure AD Connect. In addition, we need plan the identity model that we are going to use and the authentication method to be planned.

Import PST Files

We can use the Import service to move email (PST files) from your organization’s servers to Office 365. We can ship the files to Microsoft or can upload the file over internet by creating an Import Job to upload PST to Azure blob storage and can map (User Mapping File) each PST file to respective user’s Primary or Archive mailbox.

Navigate to -> Data Governance -> Import -> Create a New Import Job to import the PST into a mailbox.

As a Microsoft 365 administrator, you need to know how to monitor and manage service health alerts, creating service requests, view the reports to understand the license / service usage.

Manage service health alerts

We can use Office 365 Admin App / Office 365 Management Pack / Office 365 Service Communication API to view the service statues.

Office 365 Service Health can be viewed from Office 365 Admin Portal -> Health -> Service health.

Tips: Minimum of User Management Role permission is required to view Service Health Alerts.

Create & manage service requests

We can raise a Service request to get assistance from Microsoft support on the issues that users facing in your organization.

Tips: Support Requests can be raised from Office 365 Admin Portal -> Support -> New Service Request.

Minimum of Service Administrator Permission is required to raise Support Request.

Create internal service health response plan

This is an internal process to monitor the announcement of Planned Outages in Office 365 Message Center, respective team has to announce the management and coordinate with your Microsoft Technical Account Manager for additional details.

Office 365 Admin Portal -> Health -> Message Center

If it is a Service Incident, Team has to raise service request to follow up from Microsoft support on the existing issues.

Monitor service health

Office 365 Service Health can be viewed from Office 365 Admin Portal -> Health -> Service health.

Configure and review reports, including BI, OMS, and Microsoft 365 reporting

To view the Office 365 Reports

Office 365 report can be viewed from Office 365 Admin Portal -> Reports -> You can drill down to the available reports for additional information.

Reports also available in Security and Compliance Portal -> Reports -> view the available Security and Compliance based reports

Office 365 reports can be viewed from Power BI content packs (Office 365 Adoption Content Pack). Login to PowerBI using Global Admin account and open the Office 365 Adoption content pack.

OMS – Operation Management Suite / Solution for Office 365 used to monitor User/ Admin activities and it helps to detect and investigate unwanted user behavior. We can also configure alerts like if a user deleted more than 100 files an alert can be send to administrator.

Schedule and review security and compliance reports

Reports related to security and compliance can be viewed at -> Reports. We can configure \ manage the schedules for these reports.

Schedule and review usage metrics

Available Reports can be scheduled and have a best practice to periodically review the reports to ensure the security and you are using only the purchased license. In addition, the usage reports like license, services usage can be viewed from Microsoft 365 usage analytics portal from Power BI. We need to enable this from Microsoft Power BI by a Global Admin account or any other Service Administrator Role like EXO Admin / SPO admin.

To enable Microsoft 365 usage analytics – Office 365 Admin Portal -> Reports -> Usage -> navigate to Microsoft 365 usage analytics and turn ON the option. -> Login to Power BI portal -> Get Data, then under more ways to create your own content choose Service Content Packs and select Microsoft 365 usage analytics

We will see how to setup Microsoft 365 Tenant. Office 365 is a cloud-based service from Microsoft that offers access to Office applications like word excel and other productivity tools like Skype Online, Exchange Online and One Drive for Business online. Office 365 includes plans for use at home and business. Services available or enabled to you based on the subscription plan that you are choosing from Microsoft.

If you are already using Windows 10 Enterprise, Office 365 E3 and Enterprise Mobility + Security E3 / E5 then you can skip this as you are already using the M365 workloads.

This topic is all about setting up the Office 365 tenant and Subscriptions.

Configure subscription and tenant roles and workload settings

  • Configure subscription and tenant roles includes the process of Sign up for Microsoft 365 Enterprise and managing the Roles for the Microsoft 365 Tenant Roles.
  • Microsoft 365 Enterprise Tenant is nothing but having Windows 10 Enterprise, Office 365 & Enterprise Mobile + Security.
  • You can be an existing customer already having the above M365 workload enabled in different forms. If you are new organization migrating to Office 365, you can approach Microsoft / Partner to subscribe for Microsoft 365 Enterprise tenant.
  • M365 subscription is like Signing up for the E3 or E5 trial and enable the services that is required for your tenant.
  • Tenant Roles management is required where you designate respective users are Global Administrator and others as designated administrator like Exchange Online Admin / SharePoint administrator.
  • M365 workload setting is enabling \ deploying the services like Windows 10 Enterprise, Office 365 (EXO, SPO \ OD4B & Teams) & Enterprise Mobile + Security to end users.

Microsoft 365 Subscription:

For home, we have three products as Office 365 home, Office 365 Personal and Office Home & Student 2016 for PC

For Business, Microsoft has three products as Office 365 Business, Office 365 Business Premium and Office 365 Business Essentials

For Enterprise, Microsoft has four products as Office 365 Pro Plus, Office 365 Enterprise E1, Office 365 Enterprise E3 and Office 365 Enterprise E5.

Microsoft 365 Enterprise E3 Subscription:

Most of the companies normally prefer Office 365 Enterprise E3 Plan because that has the required services that can operate an enterprise Organizations. Below services are included in Office 365 Enterprise E3 Plan

You can run the below command to check the service status.

(Get-MsolAccountSku | where {$_.AccountSkuId -eq ‘TenantName:ENTERPRISEPACK’}).ServiceStatus

Microsoft 365 Enterprise E5 Subscription:

Office 365 Enterprise E5 Plans includes all the servers available in Enterprise E3 Plans plus

Customer Lockbox, Advanced Data Governance and Security, Office 365 Cloud App Security, Power Bi Pro, Audio Video Conferencing and Fast Track deployment support.

Enterprise Mobility and Security Subscriptions:

Enterprise Mobility and Security E3 Subscription:

  • Azure Active Directory Premium P1 – AAD Premium P1 provides a secure single sign on to cloud and on-premise apps. MFA, Conditional access and advanced security reporting.
  • Microsoft Intune: Intune provides mobile device and app management to protect corporate apps and data on any device.
  • Azure Information Protection Premium P1: AIP Premium P1 provide encryption for all files and emails across cloud and on premises storage location. Cloud based files tracking can be achieved.
  • Microsoft Advanced Threat Analytics: ATA provides protection from advanced targeted attacks by using user behavioral analytics

Enterprise Mobility and Security E5 Subscription:

  • Azure Active Directory Premium P2: AAD Premium P2 provides AAD Premium P1 features + Identity and Access Management with advanced protection for users and privileged identities.
  • Azure information Protection Premium P2: AIP Premium P2 provides AIP Premium P1 features + intelligent classification and encryption for files and emails shared inside and outside organization.
  • Microsoft Cloud App Security: CAS provides enterprise grade visibility, control and protection for your cloud applications.

Microsoft 365 Tenant Roles:

Below Azure AD Tenant Roles available and we can designate respective admins roles for each service.

Tips: For existing Office 365 customers, if you are already using Windows 10 Enterprise, Office 365 & Enterprise Mobile + Security then you are already using Microsoft 365 Subscription.

Evaluate Microsoft 365 for organization

If you are new to Microsoft 365 Enterprise or to a specific product or feature, one of the best ways to gain understanding is to build it out yourself.

Existing customers may already setup those workloads and you know how to setup services. Microsoft 365 Services evaluation available for 30 days free retail. You can approach Microsoft to extend the trial to a max of 6 months.

Plan and create tenant

Understand the Microsoft 365 enterprise workloads and plan to enable the services required for your organization. Approach Microsoft or Partner to get the required subscriptions.

Start by registering the tenant with Office 365 Trial and add other workloads that is under Microsoft 365.

Creating Tenant is the same process that you sign up for the Office 365 Trial and Microsoft will assist you on adding the subscription to your tenant when you subscribe for a trail or purchase the subscription.

Upgrade existing subscriptions to Microsoft 365

Customer already using Office 365 like EXO and SPO can approach Microsoft / Partners to upgrade their existing services to Microsoft 365.

Approaching Microsoft or Microsoft Partner is the only available option to upgrade existing Office 365 subscription to Microsoft 365.

Monitor license allocations

License will be assigned on the individual account and we have an option to use group based licensing where assigning the license on a Group will assign the license to all the members of the group.

Group can be Security group or an Azure AD Dynamic Group. Dynamic Groups in Azure AD run rules against user object attributes to automatically add and remove users from groups

Azure AD Audit logs can be used to monitor who changed the license on the Group enabled with license.

To assign license using PowerShell

Set-AzureADUserLicense -ObjectId “” -AssignedLicenses $licenses

Tips: Azure AD PIM required Azure AD P2 License / EMS E5 license, which includes Azure AD P2

Conditional Access Policies included in Azure AD P1 / EMS E3, which includes Azure AD P1

MS-100 Plan a Microsoft 365 implementation

May 25th, 2019 | Posted by admin in Exchange - (0 Comments)

Planning a Microsoft 365 Implement covers preparing the On-Premise and Microsoft 365 Infrastructure for enabling Microsoft 365 workloads.

  • Plan for Microsoft 365 on-premises Infrastructure
  • Plan identity and authentication solution

Plan for Microsoft 365 on-premises Infrastructure

This is an important topic; make a note that the title says Planning Microsoft 365 for On-Premise Infrastructure. Planning should include

  • Networking
  • Identity
  • Windows 10 enterprise
  • Office 365 Pro Plus
  • Office 365 Workloads like EXO, SPO, OD4BO, Teams
  • Mobile Device Management
  • Information Protection.

Networking: Before enabling Microsoft 365 Services, you need to do a Network Validation to avoid latencies when accessing the Microsoft 365 services.

  • We need to ensure users are having Internet Bandwidth to access the services. To ensure no issues with connectivity and performance issues due to network limitation
  • Check the connectivity from each office, use Ping, TraceRT, PSPING & Telnet command to check the connectivity and validate the network performance
  • Ensure users are connecting to Office 365 egress endpoints on their region. Ping command to respective service urls can help you identify it. For example – Ping for Exchange Online.
  • Ensure the Network Service Provider has a direct peering relationship with the Microsoft Global Network in close proximity to that location. Also, validate there is no latency because of network hairpin by having Cloud Access Broker solution etc.
  • Validate whether proxy is required for Office 365 services and see the Office 365 traffic can be bypassed from proxy or configure the proxy servers to support Microsoft 365.
  • Do a tweak at Client side like TCP Windows Scaling, Idle Time, Maximum Send Size and Selectivity Acknowledgement to increase the client side performance.

Identity: Planning an Identity is required provide secure access to Office 365 Services. This includes,

  • Synchronizing User accounts to Office 365
  • Designating Admin Roles
  • Protecting Global Admin Accounts enabling MFA to Users
  • Monitoring Identity Synchronizing Health
  • Licensing
  • Monitoring Tenant license
  • Sign-In Activity logs.

We will see above items in detail under Plan identity and authentication solution

Windows 10 Enterprise: Deploying Windows 10 Enterprise to endpoints

To prepare Windows 10 Enterprise, Microsoft recommends adding and verifying the domain that your users going to use to access Office 365 service could be UPN or primary email address domain. User addition to Office 365 & assigning license is optional at this time and install Office 365 Pro Plus.

Do an in place upgrade for Windows 7 and 8.1 using SCCM and for the new devices use Windows Auto Pilot Deployment.

Monitor the device health and ensure it is secure by having Windows Defender.

Office 365 Pro Plus: Office 365 Pro plus deployment can be done via SCCM or Office Deployment Tool, we need to consider office updates channels and the frequency.

Deployment can be through SCCM, ODT from Cloud, ODT from local Source or directly from Office Portal.

Office 365 Pro Plus Update channel to be planned. Below are the details of available update channels

If we deploy Office 365 Pro Plus using Office Deployment Tools, it requires Setup file and the configuration information xml like below to control what needs to be installed on the computers.


  • Channel=”Monthly” – Monthly update channel
  • Channel=”Broad” – Semi Annual (Jan & July)
  • Channel=”Targeted” – Semi Annual Targeted (March and September)

AllowCdnFallback set as true will fall back to refer Office 365 as the installation source instead of local share when the specified language pack is not available.

Mobile Device Management:

Mobile device manage is required to secure Organization resources by Using Microsoft Intune.

Plan how to control mobile devices using MDM & the application management on the managed devices using MAM.

MDM: When user enroll their device, they are managed devices, and can receive any policies, rules, and settings used by the organization.

MAM: MAM policies will control the application from a non-managed device by forcing the user to enter a PIN to secure the application access by an authorized user.

To setup Microsoft Intune

  1. Prerequisites – Intune Subscription, Office 365 Subscription, Azure AD Premium, MDM Push certificate for IOS are required.
  2. Setup Intune – Check whether the devices are Supported -> Ensure the domain verification completed -> Sign in to Intune -> enable Device Management -> Add Users.
  3. Device Enrollment-> Users have to enroll their devices to make it Intune Managed. As part of device enrollment, configure device enrollment restrictions and policies for users and devices.
  4. Deploy the apps required on the management mobile devices
  5. Create Compliance Policies and Conditional Access Policies like only managed devices can access the office 365 services.

Tips: Allowing only the Intune managed devices to access the Microsoft 365 services by configuring the Conditional Access will add additional security to organization’s data.

Information Protection: Information protection is a set of policies and technologies that define how you transmit, store, and process sensitive information.

Information Protection Includes Data Loss Prevention, Office 365 Labels and Azure Information Protection labelling and classification, Threat Management Policies, Sharing Policies in SharePoint, Office 365 Secure Score, Office 365 Cloud App Security and PIM for just-in-time access for task-based activities.

Plan identity and authentication solution

Planning Identity: Planning an Identity is required to provide secure access to Office 365 Services. This includes, Synchronizing User accounts to Office 365, Designating Admin Roles, Protecting Global Admin Accounts, enabling MFA to Users, Monitoring Identity Synchronizing Health, licensing, Monitoring Tenant, license and Sign-In Activity logs.

Planning Steps: Consider Security in mind and do the Identity Planning.

  1. Ensure Users are created or Synchronized from On-Premise AD using AD Connect

Learn How to install and configure AD Connect to Synchronize objects to Azure AD. Download Azure AD Connect from Microsoft Download center.

  1. Verify only the designated administrators are member of Global Admin Role

Get-AzureADDirectoryRole | where { $_.DisplayName -eq “Company Administrator” } | Get-AzureADDirectoryRoleMember | Ft DisplayName

  1. Enable Multi factor Authentication for users

We can enable MFA at the user level so that it will prompt MFA whenever an Office 365 accessed or we can trigger MFA when certain application accessed by creating Conditional Access Policies.

  1. Monitor Identity Synchronization using Azure AD Health Agents

We can download Azure AD Health Agent from Azure AD Portal and Install in AD Connect servers to monitor the health of AD objects Synchronization to Azure.

  1. Enable Group based licensing if planned

We can automate the license enablement and disablement by assigning the license to a Group. If a user removed from the group, then the license will be removed. If user is member of many groups with the same license enabled, then the license will be used once.

Azure AD Portal -> License -> Select the license and Click on Assign to a User or group.

  1. Enabling Azure AD Identity Protection provides
  • Consolidated view of flagged users and risk events detected using machine learning algorithms
  • Set risk-based Conditional Access policies to automatically protect your users
  • Improve security by acting on vulnerabilities

To enable Identity Protection:

Search for Azure AD Identity Protection in Azure Portal and click on Create to configure the Azure AD Identity protection.

Azure AD Identity Protection allows you to configure

MFA Registration Policy – This is an option to enforce user to configure MFA for a secure sign in experience.

Sign-In Risk Policy – Azure AD analyzes each sign-in of a user to detect suspicious actions. Like, sign in from an un-familiar location. We can block the access if the sign in is from un-familiar location.

User Risk Policy – Azure AD analyzes each sign-in of a user to detect suspicious actions. Like, sign in from an un-impossible travel.

  1. Configure Privileged Identity Management to support on-demand assignment of the global administrator role
  2. We can continue to use federated authentication If we are already using Federation with ADFS authentication,
  3. You can create a dynamic group for devices or for users, but you cannot create a rule that contains both users and devices. You cannot create a device group based on the device owners’ attributes. Device membership rules can only reference device attributes.
  4. Self Service Group Management and Password resets. Configuring the Group Management and the Password Reset options to reduce the administrator efforts.

Planning Authentication:

Below are the authentication options Available. Microsoft will focus on Seamless SSO.

Federation Authentication with ADFS

Large organizations preferred to use federated authentication. When the federation sign in option enabled, the domain used for authentication configured as federated domain in Azure AD. Below shows the authentication flow for federation sign-in

Note: You need to maintain an ADFS infrastructure to have this federation sign-in option and it is having additional benefits where, you use On-Premise MFA server or Azure MFA for multifactor authentication.

Authentication Flow:

When a Microsoft 365 application like Exchange accessed, it will redirect the user to authenticate with Azure AD, Azure AD do a home realm discovery from the user name and if the domain is federated, users will be redirected to get an access token from ADFS servers. ADFS server asks for User Name and Password and it validate the credential with On-Premise AD. On-Premise AD validates the credentials and if credentials are valid, it will send a Security Token along with user claims and ADFS share the details to Users. User shares the security token with Azure AD and Azure AD configured to accept tokens from ADFS and Azure AD provides and Access Token and a Refresh Token to User. User sends the Access Token to Exchange and the access provided to User.

Password Hash Synchronization Authentication

No need to confuse about the Password Synchronization option, we are not directly synchronizing the password from On-Premise to Azure AD. Only the Hash of the Password hash synchronized with Azure AD using Azure AD connect.

Pass-through Authentication

If we use the Pass-through authentication, user name the password gathered in Azure AD but Passwords validated in On-Premise AD. AuthN Agent configured in AD Connect or any member server supports this Pass through Authentication. Below shows the pass-through authentication flow.

Azure AD Seamless SSO (enabled when choosing PHS or PTA)

Azure AD Seamless SSO allow users to sign in to services that use Azure AD user accounts without having to type in their passwords, and in many cases their usernames alone required.

Seamless SSO works with Password Hash Synchronization and Pass-through authentication. For the seamless SSO to work, the machine has to be domain joined and should have access to AD. Machine authenticates with Azure AD using Kerberos token.

Tips: To configure a Sign in method, Azure AD Connect -> User Sign-In to select the preferred authentication.

If Seamless SSO fails, the other enabled option PTA or PHS will be used for authentication and If Seamless SSO configured, it is recommended that you periodically roll over these Kerberos decryption keys – at least once every 30 days.

Azure AD Domain Join is not required when using Seamless SSO, but Azure AD Domain Join and Seamless SSO can be combined. If combined, Azure AD Domain join takes preference.