Author Archives: admin

How will you run the Hybrid Configuration Wizard?

We can download the HCW tool from the ECP console or from the Microsoft website https://aka.ms/HybridWizard. We need Exchange Org Admin credentials and an Office 365 Global Admin account to run the Hybrid Configuration Wizard.

What are the Exchange Hybrid Configuration features?

Below are the Hybrid Configuration features:

  • Free/Busy Sharing: Free/busy sharing enables calendar sharing between on-premises and Exchange Online users.
  • MailTips: Both on-premises and Exchange Online senders can adjust the messages they are composing to avoid NDRs between the organizations.
  • Online Archiving: The Exchange Online organization hosts archive mailboxes for both on-premises and Exchange Online users.
  • Outlook on the web redirection: Outlook on the web redirection provides a single, common URL to access both on-premises and Exchange Online mailboxes.
  • Exchange ActiveSync Redirection: Exchange ActiveSync clients are automatically reconfigured when a mailbox is moved to Exchange Online.
  • Secure Mail: Secure mail enables secure message delivery between the on-premises and Exchange Online organizations over TLS. On-premises Exchange and Exchange Online mutually authenticate using digital certificate subjects and email headers.
  • Message Tracking, to understand the mail flow across both organizations.
  • Mailbox onboarding to Office 365 and offboarding to on-premises Exchange.
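Each feature in the list above maps to a setting HCW writes on-premises, and a hybrid that "works" can still have the secure mail connector left at a weaker TLS level than intended. The following is an added example (not code from the original post) that reads those settings back in the on-premises Exchange Management Shell and flags deviations. The connector names are the HCW defaults, the tenant domain is a placeholder, and the expected free/busy access level is an assumed baseline.

```powershell
# Added example: read back what the Hybrid Configuration Wizard configured and
# flag settings that do not match the feature list. Run in the on-premises
# Exchange Management Shell. Connector names are HCW defaults; the tenant
# domain is a placeholder to replace with your own.
$TenantDomain = 'contoso.mail.onmicrosoft.com'   # placeholder

$findings = @()

# 1. Hybrid configuration object: which features HCW was asked to enable
$hybrid = Get-HybridConfiguration
"Hybrid features enabled: $($hybrid.Features -join ', ')"
"TLS certificate used for secure mail: $($hybrid.TlsCertificateName)"

# 2. Organization relationship: free/busy, MailTips, archive and OWA redirection
$rel = Get-OrganizationRelationship |
       Where-Object { $_.DomainNames -match [regex]::Escape($TenantDomain) }
if (-not $rel) {
    $findings += "No organization relationship for $TenantDomain (free/busy will fail)"
} else {
    if (-not $rel.FreeBusyAccessEnabled) { $findings += 'Free/busy access is disabled' }
    # LimitedDetails is the level HCW normally sets (assumed baseline)
    if ($rel.FreeBusyAccessLevel -ne 'LimitedDetails') { $findings += "Free/busy level is $($rel.FreeBusyAccessLevel), expected LimitedDetails" }
    if (-not $rel.MailTipsAccessEnabled) { $findings += 'MailTips access is disabled' }
    if (-not $rel.ArchiveAccessEnabled)  { $findings += 'Online archive access is disabled' }
    if (-not $rel.TargetOwaURL)          { $findings += 'No TargetOwaURL: OWA redirection will not work' }
}

# 3. Secure mail: the send connector to Exchange Online must require TLS and
#    validate the remote certificate subject (DomainValidation + TlsDomain)
$send = Get-SendConnector -Identity 'Outbound to Office 365' -ErrorAction SilentlyContinue
if (-not $send) {
    $findings += 'Send connector "Outbound to Office 365" not found'
} else {
    if (-not $send.RequireTLS)                     { $findings += 'Send connector does not require TLS' }
    if ($send.TlsAuthLevel -ne 'DomainValidation') { $findings += "Send connector TlsAuthLevel is $($send.TlsAuthLevel), expected DomainValidation" }
    if (-not $send.TlsDomain)                      { $findings += 'Send connector has no TlsDomain, so the remote certificate subject is not checked' }
    if (-not $send.CloudServicesMailEnabled)       { $findings += 'CloudServicesMailEnabled is off: cross-premises headers will be stripped' }
}

# 4. Receive side: a connector must advertise TLS domain capabilities for Exchange Online
$recv = Get-ReceiveConnector |
        Where-Object { $_.TlsDomainCapabilities -match 'outlook\.com' -or $_.Name -like '*Office 365*' }
if (-not $recv) { $findings += 'No receive connector advertises TLS domain capabilities for Exchange Online' }

if ($findings.Count -eq 0) { 'Hybrid feature configuration is consistent with HCW defaults' }
else { $findings | ForEach-Object { "CHECK: $_" } }
```

Running this after every HCW re-run is a cheap way to catch the case where someone edited the connector by hand and dropped the certificate subject check, which silently turns "secure mail" into opportunistic TLS.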

Where will you find the Hybrid Configuration Wizard logs?

The Hybrid Configuration Wizard writes detailed information about the existing on-premises Exchange configuration and the changes it makes to implement the hybrid deployment. You can find the logs at %UserProfile%\AppData\Roaming\Microsoft\Exchange Hybrid Configuration on the server from which the Hybrid Configuration Wizard was run.
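The log folder above is large and verbose; what a practitioner usually wants is the newest log, its error lines, and the list of cmdlets the wizard executed. Here is an added example (not from the original post) that does that. The folder path is the one named in the answer; the regular expression for error lines is an assumption about the log format.

```powershell
# Added example: find the newest Hybrid Configuration Wizard log on this
# server, pull out error lines, and list the cmdlets the wizard ran.
# %UserProfile%\AppData\Roaming is $env:APPDATA.
$LogDir = Join-Path $env:APPDATA 'Microsoft\Exchange Hybrid Configuration'

if (-not (Test-Path $LogDir)) {
    throw "No HCW logs under $LogDir; run this as the account that ran the wizard, on the same server"
}

$latest = Get-ChildItem -Path $LogDir -Filter '*.log' -File |
          Sort-Object LastWriteTime -Descending |
          Select-Object -First 1

"Newest HCW log: $($latest.FullName) ($($latest.LastWriteTime))"

# Error lines with two lines of trailing context, which usually connects a
# failed cmdlet to the exception text that follows it. Pattern is an assumption.
$errors = Select-String -Path $latest.FullName -Pattern '\*ERROR\*|Exception|failed' -Context 0,2
if ($errors) {
    "$($errors.Count) error line(s):"
    $errors | ForEach-Object { "  line $($_.LineNumber): $($_.Line.Trim())" }
} else {
    'No error lines found in the newest log'
}

# The wizard logs every cmdlet it executes; listing the Set-/New-/Enable- calls
# shows exactly which on-premises settings HCW changed in this run.
Select-String -Path $latest.FullName -Pattern '\b(Set|New|Enable)-[A-Za-z]+' |
    ForEach-Object { $_.Matches.Value } |
    Sort-Object -Unique
```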

What are the benefits of Hybrid Configuration?

  • Exchange on-premises and Exchange Online users can share free/busy information.
  • Secure mail flow using Hybrid Configuration, where email routes via Exchange Online Protection.

You can also answer with all the points under the question – What are the Exchange Hybrid Configuration features?

What is a Hybrid Exchange Environment?

A Hybrid Exchange environment is a cross-forest Exchange deployment with mailboxes both in the on-premises Exchange infrastructure and in Office 365, where users in both appear to share the same email domain alias and other Exchange functionality.

What is the use of OAuth authentication between Exchange and Exchange Online?

OAuth is an authentication protocol that enables MRM, Exchange In-Place eDiscovery and Exchange In-Place Archiving across Exchange forests, such as an Exchange Hybrid environment. The Hybrid Configuration Wizard configures OAuth only when the environment has Exchange 2013 alone. In a mixed environment, HCW will not prompt for OAuth configuration, but we can follow a series of steps to implement it manually.
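Whether OAuth came from HCW or from the manual steps, the result is the same set of objects on-premises and can be tested the same way. The following is an added example (not from the original post) that lists those objects and runs Microsoft's Test-OAuthConnectivity cmdlet against the Exchange Online EWS and Autodiscover endpoints. The test mailbox is a placeholder; the two URIs are the public Office 365 endpoints.

```powershell
# Added example: inspect and test the OAuth trust between on-premises
# Exchange and Exchange Online. Run in the on-premises Exchange Management
# Shell. The mailbox is a placeholder.
$TestMailbox = 'alice@contoso.com'   # placeholder on-premises mailbox

# 1. Trust objects HCW (or the manual procedure) should have created
"Auth servers (the Azure authorization server on-premises Exchange trusts):"
Get-AuthServer | Format-Table Name, Type, Enabled, IssuerIdentifier -AutoSize

"Partner applications (Exchange Online should be listed and enabled):"
Get-PartnerApplication | Format-Table Name, Enabled, ApplicationIdentifier -AutoSize

"Intra-organization connector (discovery endpoint used for cross-premises features):"
Get-IntraOrganizationConnector | Format-Table Name, Enabled, TargetAddressDomains, DiscoveryEndpoint -AutoSize

# 2. Live tests: on-premises Exchange obtains a token and calls the cloud EWS
#    and Autodiscover endpoints as the test mailbox. A failure here is what
#    users experience as broken cross-premises MRM, eDiscovery or archive access.
$tests = @(
    @{ Service = 'EWS';   TargetUri = 'https://outlook.office365.com/ews/exchange.asmx' },
    @{ Service = 'AutoD'; TargetUri = 'https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc' }
)

foreach ($t in $tests) {
    $result = Test-OAuthConnectivity -Service $t.Service -TargetUri $t.TargetUri -Mailbox $TestMailbox
    if ($result.ResultType -eq 'Success') {
        "OAuth $($t.Service) to $($t.TargetUri): OK"
    } else {
        "OAuth $($t.Service) to $($t.TargetUri): FAILED"
        $result.Detail   # full token exchange and HTTP detail for troubleshooting
    }
}
```

The Detail output on a failure is where the actual cause lives: a clock skew, a partner application pointing at the wrong application identifier, or an auth server whose metadata URL is unreachable from the Exchange server.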

How does free/busy sharing work between Exchange On-Premises and Exchange Online?

Implementing federated sharing allows users in on-premises Exchange to see free/busy information for users in Exchange Online. Running the Hybrid Configuration Wizard configures the Organization Relationship with Exchange Online, which is what makes free/busy sharing work between on-premises Exchange and Office 365.

What is federated sharing and federated delegation? – Low Priority

Federated Sharing (Organization Relationship) in Exchange 2013 allows users in an Exchange 2013 or later organization to share free/busy information with another Exchange organization. It provides granular control over calendar sharing.

Federated Delegation is the Exchange 2010 name for what Exchange 2013 calls Federated Sharing. Federated delegation uses the Microsoft Federation Gateway, a cloud-based service offered by Microsoft, as the trust broker between your on-premises Exchange 2010 organization and other federated Exchange 2010 organizations.

How do you configure Federated Sharing and Federated Delegation? – Low Priority

If we want to enable free/busy sharing between Exchange 2013 organizations, configuring Federated Sharing achieves it:

  1. Create a Federation Trust (between a Microsoft Exchange 2013 organization and the Azure Active Directory authentication system)
  2. Create an Organization Relationship
  3. Create a Sharing Policy
  4. Create the Autodiscover public DNS record

If we want to enable free/busy sharing between an Exchange 2013 and an Exchange 2010 organization, Federated Sharing is enabled on the Exchange 2013 organization and Federated Delegation is configured on the Exchange 2010 SP2 side. Below are the Federated Delegation steps done on the Exchange 2010 organization:

  1. Create a Federation Trust (between a Microsoft Exchange 2010 organization and the Microsoft Federation Gateway)
  2. Create TXT records for Federated Delegation
  3. Configure the domain for Federated Delegation
  4. Create a CNAME record for Autodiscover
  5. Create an Organization Relationship
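The two procedures above are the same cmdlets in different orders, and the Exchange 2010 steps (TXT record, configure the domain) are the domain-proof part of what the 2013 list folds into step 1. Here is an added example (not from the original post) that carries the Exchange 2013 steps through in the Exchange Management Shell and finishes with the two tests that prove the trust and the relationship work. Domain names, the partner organization, the certificate thumbprint and the test mailbox are placeholders; that the Exchange 2010 SP2 side uses the same cmdlet names is an assumption.

```powershell
# Added example: the Exchange 2013 federated sharing steps as cmdlets, then
# verification. Run in the Exchange Management Shell of the organization
# that shares its free/busy data. All names below are placeholders.
$AccountNamespace = 'contoso.com'                  # placeholder: your primary SMTP domain
$PartnerDomain    = 'fabrikam.com'                 # placeholder: the other Exchange organization
$CertThumbprint   = '0000000000000000000000000000000000000000'   # placeholder: trust certificate
$TestUser         = 'alice@contoso.com'            # placeholder mailbox for the tests

# Step 1: federation trust with the Azure AD authentication system
New-FederationTrust -Name 'Microsoft Federation Gateway' -Thumbprint $CertThumbprint

# Domain ownership is proven with a TXT record (the explicit step 2 of the
# Exchange 2010 list); publish the proof value before enabling the namespace.
$proof = Get-FederatedDomainProof -DomainName $AccountNamespace
"Publish this TXT record at $AccountNamespace : $($proof.Proof)"
Read-Host 'Press Enter once the TXT record is published and resolvable'

Set-FederatedOrganizationIdentifier -DelegationFederationTrust 'Microsoft Federation Gateway' `
    -AccountNamespace $AccountNamespace -Enabled $true

# Step 2: organization relationship that lets the partner read free/busy.
# LimitedDetails exposes subject and location; AvailabilityOnly exposes only
# busy/free blocks, which is the least-privilege choice for an external partner.
New-OrganizationRelationship -Name $PartnerDomain -DomainNames $PartnerDomain `
    -FreeBusyAccessEnabled $true -FreeBusyAccessLevel AvailabilityOnly -Enabled $true

# Step 3: sharing policy that bounds what individual users may share with the partner
New-SharingPolicy -Name "Calendar sharing with $PartnerDomain" `
    -Domains "$($PartnerDomain): CalendarSharingFreeBusySimple" -Enabled $true

# Step 4: the Autodiscover DNS record is created at the DNS provider; confirm it resolves
Resolve-DnsName -Name "autodiscover.$AccountNamespace" -Type CNAME -ErrorAction SilentlyContinue |
    Format-Table Name, Type, NameHost -AutoSize

# Verification: does the trust issue delegation tokens, and does the partner's
# Autodiscover/EWS path answer a free/busy request for the test user?
Test-FederationTrust -UserIdentity $TestUser -Verbose
Test-OrganizationRelationship -Identity $PartnerDomain -UserIdentity $TestUser -Verbose
```

In a hybrid deployment HCW runs the equivalent of these steps against the Exchange Online tenant domain, which is why the organization relationship it creates is the first thing to inspect when cross-premises free/busy stops working.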

How does Azure AD Connect work?

Azure AD Connect is by default a one-way sync that synchronizes on-premises AD objects to Azure AD.

Management Agents (a question can be asked like: what is a Management Agent in AD Connect?)

Management Agents in Azure AD Connect control the data flow between a connected data source and the metadirectory. DirSync or Azure AD Connect uses two management agents:

  • Active Directory Connector management agent
  • Microsoft Azure Active Directory management agent

DirSync or Azure AD Connect stores the information in two places (a question can be asked like: what are the Connector Space and the Metaverse?):

  1. Connector Space

The Connector Space holds a replica of the managed objects in AD DS, and each management agent or connector has its own connector space.

  2. Metaverse

The Metaverse aggregates information about a managed object (that is, a user, group, etc.).

Azure AD Connect synchronization data flow:

  1. The user object is imported from on-premises AD into the Active Directory connector space
  2. The user object is projected to the Metaverse
  3. The user object is provisioned to the Microsoft Azure Active Directory connector space
  4. The user object is exported to the Office 365 Admin Web Service
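The four-step flow above can be followed for a single object on the Azure AD Connect server, which is how a "user is missing in the cloud" ticket is normally traced to the stage where the object stopped. The following is an added example (not from the original post) using the ADSync module. The user DN and the connector name are placeholders, and the property names read from the connector-space and metaverse objects (ConnectedMVObjectId, HasSyncError, Lineage) are assumptions about the module's output.

```powershell
# Added example: trace one user through the Azure AD Connect pipeline:
# AD connector space -> metaverse -> Azure AD connector space -> export.
# Run on the Azure AD Connect server. Names below are placeholders.
Import-Module ADSync

$UserDn          = 'CN=Alice Example,OU=Users,DC=contoso,DC=com'   # placeholder
$AdConnectorName = 'contoso.com'                                    # placeholder: AD connector name

# The two management agents (connectors) described above
Get-ADSyncConnector | Format-Table Name, ConnectorTypeName -AutoSize

# Scheduler state: is the sync cycle enabled and when is the next one?
Get-ADSyncScheduler | Format-List SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC

# Step 1: the object as imported into the AD connector space
$cs = Get-ADSyncCSObject -ConnectorName $AdConnectorName -DistinguishedName $UserDn
"CS object: $($cs.DistinguishedName)"
if ($cs.HasSyncError) { '  connector space object carries a synchronization error' }   # assumed property

# Step 2: the metaverse entry this connector space object was projected or joined to
if ($cs.ConnectedMVObjectId) {                                                        # assumed property
    $mv = Get-ADSyncMVObject -Identifier $cs.ConnectedMVObjectId
    "MV object: $($mv.ObjectId) ($($mv.ObjectType))"

    # Step 3: every connector joined to this MV entry; the Azure AD connector
    # appearing here means the object was provisioned to its connector space
    $mv.Lineage | Format-Table ConnectorName, ConnectedCsObjectId -AutoSize          # assumed property names
} else {
    'Imported but not projected: check the OU/attribute filtering and the inbound sync rules'
}

# Step 4: export to Azure AD happens in the next cycle; show run status and,
# if nothing is running, kick off a delta cycle rather than waiting.
$running = Get-ADSyncConnectorRunStatus
if ($running) { $running | Format-Table -AutoSize } else { Start-ADSyncSyncCycle -PolicyType Delta }
```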

What is Azure Active Directory, and what can we do with Azure AD?

Azure AD is a multi-tenant service that provides enterprise-level identity and access management for the Microsoft cloud. It is built to support global scale, reliability and availability. Azure AD is backed by a 99.99% SLA for Azure AD Premium or Basic.

It is used to manage users and their access to cloud resources. On-premises AD is extended to the cloud using Azure AD. It provides SSO across your cloud applications. MFA and Conditional Access in Azure AD can be enabled to reduce risk.

What is Active Directory Federation Services?

Active Directory Federation Services provides access control and single sign-on across a wide variety of applications, including Office 365, cloud-based SaaS applications, and applications on the corporate network.

For the IT organization, it enables you to provide sign-on and access control to both modern and legacy applications based on the same set of credentials and policies.

For the user, it provides seamless sign-on using the same credentials.

For the developer, it provides an easy way to authenticate users whose identities live in the organizational directory so that you can focus your efforts on your application, not authentication or identity.

What is new in ADFS in Windows Server 2016?

  • Eliminate passwords from the extranet – three new options for sign-on without passwords, enabling organizations to avoid the risk of network compromise from phished, leaked or stolen passwords.
  • Sign-in with Azure MFA
  • Password-less access from compliant devices
  • Moving from AD FS in Windows Server 2012 R2 to AD FS in Windows Server 2016 is easier
  • Streamlined auditing for easier administrative management
  • Customized sign-in experience for AD FS applications
  • Sign-on with non-AD LDAP directories
  • Configure access control policies without having to know the claim rules language

What are the requirements to deploy ADFS 2016?

  • AD FS requires domain controllers running Windows Server 2008 or later
  • The domain functional level has to be Windows 2003 or later
  • If client certificate authentication is planned, then the Windows 2008 functional level or higher is required
  • If it is a new ADFS 2016 deployment, the AD 2016 schema is required
  • Any standard account can be used as a service account
  • Group Managed Service Accounts require Windows 2012 or higher
  • For Kerberos authentication, a service principal name must be registered on the ADFS service account
  • SSL certificate for ADFS and Web Application Proxy from a third-party certificate provider
  • Token-signing and token-encrypting/decrypting certificates can be self-signed
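Most of the requirements above can be verified from the AD FS server before or after installation. Here is an added example (not from the original post) that checks them with the ActiveDirectory module and the AD FS cmdlets; the service account name is a placeholder, and the Windows Server 2016 schema version it compares against (objectVersion 87) is a known value rather than something the post states.

```powershell
# Added example: check the AD FS 2016 requirements on the AD FS server.
# Needs RSAT (ActiveDirectory module) and the AD FS role for the
# certificate checks. The service account is a placeholder.
$AdfsServiceAccount = 'CONTOSO\svc_adfs$'   # placeholder (gMSA names end with $)
$findings = @()

# Domain controllers must run Windows Server 2008 or later
$oldDcs = Get-ADDomainController -Filter * | Where-Object { $_.OperatingSystem -match '2000|2003' }
if ($oldDcs) { $findings += "Domain controllers below Windows Server 2008: $($oldDcs.HostName -join ', ')" }

# Functional level: 2003 or later in general, 2008 or later for client certificate authentication
$domain = Get-ADDomain
if ($domain.DomainMode -match '2000')     { $findings += "Domain functional level $($domain.DomainMode) is too low" }
elseif ($domain.DomainMode -match '2003') { $findings += 'Domain functional level 2003: client certificate authentication will not be available' }

# New deployment: Windows Server 2016 schema (objectVersion 87)
$schema = Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
if ($schema.objectVersion -lt 87) { $findings += "AD schema version $($schema.objectVersion) is below the Windows Server 2016 level (87)" }

# gMSA: needs the KDS root key (and a Windows Server 2012 or later DC)
$samName = $AdfsServiceAccount.Split('\')[-1]
if ($samName.EndsWith('$') -and -not (Get-KdsRootKey)) {
    $findings += 'No KDS root key: group Managed Service Accounts cannot be used'
}

# Kerberos: the HTTP SPN for the federation service name must be on the service account
$svcName = (Get-AdfsProperties).HostName
$acct    = Get-ADObject -Filter "sAMAccountName -eq '$samName'" -Properties servicePrincipalName
if ($acct.servicePrincipalName -notcontains "HTTP/$svcName") { $findings += "SPN HTTP/$svcName is not registered on $AdfsServiceAccount" }

# Certificates: the SSL certificate should come from a public CA; token-signing
# and token-decrypting certificates may be self-signed but must not be near expiry
$ssl     = Get-AdfsSslCertificate | Select-Object -First 1
$sslCert = Get-Item "Cert:\LocalMachine\My\$($ssl.CertificateHash)"
if ($sslCert.Subject -eq $sslCert.Issuer) { $findings += 'AD FS SSL certificate is self-signed; clients and the Web Application Proxy will not trust it' }
foreach ($c in Get-AdfsCertificate) {
    if ($c.Certificate.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "$($c.CertificateType) certificate expires $($c.Certificate.NotAfter)" }
}

if ($findings.Count -eq 0) { 'AD FS 2016 requirement checks passed' }
else { $findings | ForEach-Object { "CHECK: $_" } }
```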

What are the mailbox migration options available for Office 365 migration?

Cutover Migration – Migrate all mailboxes at once. We can use this type of migration if your customer is running Exchange 2003, Exchange 2007, Exchange 2010 or Exchange 2013.

Staged Migration – Migrate mailboxes in batches. Staged migration can be used with Exchange 2003 or Exchange 2007 customers.

Hybrid Migration – Migrate mailboxes using an integrated Exchange Server and Office 365 environment. Hybrid migration is used when you need to maintain both on-premises and online mailboxes for your customer while you gradually migrate users and email to Office 365.

IMAP Migration – IMAP migration is used to migrate email from Gmail, Exchange and other email systems that support IMAP. When you migrate users' email by using IMAP migration, only the items in the users' inbox or other mail folders are migrated. Contacts, calendar items and tasks can't be migrated with IMAP, but they can be migrated by the user.

IMAP migration also doesn't create mailboxes in Office 365. We need to create a mailbox for each user before migrating their email.

What is the difference between Staged Migration and Hybrid Migration?

Staged migration is used with Exchange 2007 or Exchange 2010. We will not get the full hybrid experience with a staged migration; for example, an Out of Office setting on a mailbox will not carry forward to Office 365 after migration. Outlook Anywhere is used to migrate mailboxes from on-premises Exchange to Office 365.

Hybrid migration provides the full hybrid experience. It uses MRS Proxy migration endpoints (EWS) for migration.
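The protocol difference between the migration types (Outlook Anywhere for staged and cutover, the MRS Proxy over EWS for hybrid, plain IMAP for the rest) is exactly what Exchange Online's endpoint test exercises. Here is an added example (not from the original post) that probes all three from a remote PowerShell session to Exchange Online, so a blocked MRS Proxy or an unreachable IMAP host is found before a batch is created. Hostnames and the admin mailbox are placeholders.

```powershell
# Added example: test the three kinds of migration endpoint from the Exchange
# Online side. Run in a remote PowerShell session connected to Exchange Online.
# Hostnames and the admin mailbox are placeholders.
$OnPremCred = Get-Credential -Message 'On-premises admin (DOMAIN\user)'   # prompts; no secret in the script

$endpoints = @(
    # Hybrid: the Mailbox Replication Service proxy published at /EWS/mrsproxy.svc
    @{ Kind = 'Hybrid (MRS Proxy over EWS)'; Test = {
        Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer 'mail.contoso.com' -Credentials $OnPremCred } },

    # Staged/cutover: Outlook Anywhere, with the endpoint discovered through Autodiscover
    @{ Kind = 'Staged (Outlook Anywhere)'; Test = {
        Test-MigrationServerAvailability -ExchangeOutlookAnywhere -Autodiscover -EmailAddress 'admin@contoso.com' -Credentials $OnPremCred } },

    # IMAP: mail folders only, no contacts/calendar/tasks, and target mailboxes must already exist
    @{ Kind = 'IMAP'; Test = {
        Test-MigrationServerAvailability -Imap -RemoteServer 'imap.contoso.com' -Port 993 -Security Ssl } }
)

foreach ($e in $endpoints) {
    $r = & $e.Test
    if ($r.Result -eq 'Success') {
        "$($e.Kind): reachable"
    } else {
        "$($e.Kind): $($r.Result)"
        "  $($r.Message)"   # names the missing piece: MRS Proxy disabled, certificate, firewall, auth
    }
}
```

The Outlook Anywhere probe is also a useful reminder of why the staged path cannot carry settings such as Out of Office: it moves mailbox content through a client protocol, whereas the MRS Proxy path moves the mailbox itself.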

What is a Hybrid Configuration?

A hybrid deployment offers organizations the ability to extend the on-premises Exchange experience and administrative control they have with their existing on-premises Exchange organization to the cloud. A hybrid deployment provides the seamless look and feel of a single Exchange organization between an on-premises Exchange organization and Exchange Online in Office 365. A hybrid configuration can also serve as an intermediate step to moving completely to an Exchange Online organization.

You are an IT administrator for a company with an on-premises Exchange deployment. Your manager has asked you to implement a Hybrid Exchange infrastructure, and you need to keep half the mailboxes in Exchange Online. What are the prerequisites for a Hybrid Exchange deployment, and in which order do you deploy them? – Important Question.

  • Prepare the on-premises Exchange organization so that we have a supported version of Exchange Server for Hybrid Configuration. If we have Exchange 2007, then we need to run the Hybrid Configuration Wizard from an Exchange 2013 server, though it is also supported on Exchange 2010. The latest Cumulative Update, or N-1 (the update before the latest), must be installed on the Exchange server.
  • All the default roles must be available in the Exchange organization: for example, Mailbox, Hub Transport and Client Access for Exchange 2010, and for Exchange 2013 the Mailbox and Client Access roles installed on the same server.
  • An Office 365 subscription that supports directory synchronization is required.
  • All the custom domains used on-premises are added and verified in Office 365.
  • Install and configure Azure AD Connect and enable directory synchronization. In parallel, configure ADFS and ADFS Proxy servers to provide a single sign-on experience.
  • Validate that the Autodiscover record points to the on-premises Exchange 2013 Client Access server.
  • Add the Office 365 organization in the on-premises Exchange Admin Center.
  • Install a valid digital certificate from a third-party provider and assign the Exchange services to it.
  • Deploy an Edge server for hybrid secure mail flow and configure EdgeSync, which is necessary.
  • Run the Hybrid Configuration Wizard.
  • Do a pilot mailbox move and validate that all the functionality is working before the mass rollout.

You have UM-enabled mailboxes in your Exchange environment and want to migrate them to Office 365. What will you do to move UM-enabled mailboxes to Office 365?

In addition to the Exchange Hybrid deployment, Lync 2013 or Skype for Business Server 2015 integrated with the on-premises telephony system, Skype for Business Online integrated with your on-premises telephony system, or a traditional on-premises PBX or IP-PBX solution is required. The UM mailbox policy created in Exchange Online should mirror the on-premises Exchange UM mailbox policy.
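The prerequisites list for the hybrid deployment question above is long enough that it is worth checking mechanically before HCW is started. Here is an added example (not from the original post) that tests the items that can be read from the on-premises Exchange Management Shell and the MSOnline module: Exchange version and roles, verified domains, directory sync state, Autodiscover, the certificate, and EdgeSync. Domain names are placeholders, and the 30-day certificate expiry window is an assumed threshold.

```powershell
# Added example: pre-flight checks for the hybrid prerequisites. Run in the
# on-premises Exchange Management Shell after Connect-MsolService (MSOnline
# module). Accepted domains below are placeholders.
$SmtpDomains = @('contoso.com', 'contoso.co.uk')   # placeholder
$findings = @()

# 1. Supported Exchange version: Major 8 = 2007, 14 = 2010, 15 = 2013 and later
$servers = Get-ExchangeServer
$servers | Format-Table Name, ServerRole, AdminDisplayVersion -AutoSize
$legacy = $servers | Where-Object { $_.AdminDisplayVersion.Major -lt 14 }
if ($legacy) { $findings += "Exchange 2007 or older present ($($legacy.Name -join ', ')): run HCW from an Exchange 2013 server" }

# 2. Exchange 2013 needs Mailbox and Client Access on the same server
foreach ($s in ($servers | Where-Object { $_.AdminDisplayVersion.Major -eq 15 })) {
    if (-not ($s.ServerRole -match 'Mailbox' -and $s.ServerRole -match 'ClientAccess')) {
        $findings += "$($s.Name) is Exchange 2013 without both Mailbox and ClientAccess roles"
    }
}

# 3. Custom domains added and verified in Office 365
$verified = (Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }).Name
foreach ($d in $SmtpDomains) { if ($verified -notcontains $d) { $findings += "Domain $d is not verified in Office 365" } }

# 4. Directory synchronization enabled and recently run
$company = Get-MsolCompanyInformation
if (-not $company.DirectorySynchronizationEnabled) { $findings += 'Directory synchronization is not enabled' }
else { "Last directory sync: $($company.LastDirSyncTime)" }

# 5. Autodiscover must resolve and point at on-premises Exchange, not at Office 365
foreach ($d in $SmtpDomains) {
    $a = Resolve-DnsName "autodiscover.$d" -ErrorAction SilentlyContinue
    if (-not $a) { $findings += "autodiscover.$d does not resolve" }
    elseif ($a.NameHost -match 'outlook\.com') { $findings += "autodiscover.$d points to Office 365; HCW expects on-premises" }
}

# 6. A third-party certificate bound to IIS and SMTP, not expiring soon (30 days assumed)
$certs = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' -and $_.Services -match 'SMTP' }
if (-not $certs) { $findings += 'No certificate assigned to both IIS and SMTP' }
foreach ($c in $certs) {
    if ($c.IsSelfSigned) { $findings += "Certificate $($c.Thumbprint) is self-signed" }
    if ($c.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "Certificate $($c.Thumbprint) expires $($c.NotAfter)" }
}

# 7. Edge servers, when deployed, must be subscribed through EdgeSync
$edge = $servers | Where-Object { $_.ServerRole -match 'Edge' }
if ($edge -and -not (Get-EdgeSubscription -ErrorAction SilentlyContinue)) { $findings += 'Edge server present but no EdgeSync subscription' }

if ($findings.Count -eq 0) { 'Hybrid prerequisites look satisfied' }
else { $findings | ForEach-Object { "CHECK: $_" } }
```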

What are the identity models available in Office 365?

Office 365 uses the cloud-based user authentication service Azure Active Directory to manage user accounts. There are three identity models for setting up and managing user accounts:

  • Cloud Identity: User management is done only in Office 365 (Azure AD). No on-premises servers are required to manage users; all user management, such as account creation, is done only in the cloud.
  • Synchronized Identity: Identities are synchronized from the on-premises directory to Office 365 (Azure AD), and user management is done in on-premises AD. Passwords can be synced so that users have the same password on-premises and in the cloud. Users have to sign in to both on-premises and Office 365; there is no single sign-on experience.
  • Federated Identity: Identities are synchronized from the on-premises directory to Office 365 (Azure AD), and user management is done in on-premises AD. Users have the same password on-premises and in the cloud and do not need to sign in again to use Office 365. Also known as single sign-on.

How do you integrate the on-premises environment with Office 365?

To integrate on-premises services like Exchange, Skype for Business and SharePoint with Office 365:

  1. Synchronize the on-premises directory with Office 365 (Azure Active Directory) using DirSync, Azure AD Sync or Azure AD Connect.
  2. Once the directory sync is completed, SSO implementation is required so that users can log on to both environments with their on-premises credentials. It can be implemented using an ADFS / ADFS Proxy combination, or we can use Azure AD Connect.
  3. Create a hybrid environment to migrate users from on-premises to the cloud by running the Hybrid Configuration Wizard on the Exchange server. You can keep a few of the users in the cloud and others on-premises based on your requirements.

What kind of identity model are you using in your company?

If your environment is purely in Office 365 and you don't have an on-premises AD, then you can inform the interviewer that it is Cloud Identity and you manage every object creation in Azure AD.

If you are using AD Connect and ADFS, then you are using Federated Identity. Object management is done in on-premises Active Directory.
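The three identity models described earlier, and the "which one are you using" question just above, can both be answered from the tenant side rather than from memory: a domain's authentication type plus the directory sync and password sync flags determine the model. Here is an added example (not from the original post) that classifies every verified domain with the MSOnline module. The classification rules are an assumption drawn from the definitions on this page, and nothing in it is tenant-specific.

```powershell
# Added example: determine the identity model in use per verified domain.
# Needs the MSOnline module. Classification rules follow the definitions
# above and are an assumption, not a Microsoft-published mapping.
Connect-MsolService   # prompts for a tenant admin sign-in

$company = Get-MsolCompanyInformation
$dirSync = $company.DirectorySynchronizationEnabled
$pwdSync = (Get-MsolDirSyncFeatures | Where-Object { $_.DirSyncFeature -eq 'PasswordSync' }).Enabled

function Get-IdentityModel {
    param([Parameter(Mandatory)] $Domain)   # an object returned by Get-MsolDomain

    if ($Domain.Authentication -eq 'Federated') { return 'Federated Identity (AD FS)' }
    if (-not $dirSync)                           { return 'Cloud Identity' }
    if ($pwdSync)                                { return 'Synchronized Identity with password sync' }
    return 'Synchronized Identity (no password sync)'
}

"Directory sync enabled: $dirSync (last sync $($company.LastDirSyncTime))"
"Password sync:          $pwdSync"

Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } | ForEach-Object {
    $model = Get-IdentityModel -Domain $_
    $line  = '{0,-35} {1,-10} {2}' -f $_.Name, $_.Authentication, $model
    if ($_.Authentication -eq 'Federated') {
        # For federated domains, show the AD FS endpoint sign-in is redirected to;
        # this is the trust boundary that deserves review in a federated tenant.
        $fed = Get-MsolDomainFederationSettings -DomainName $_.Name
        $line += "  -> $($fed.PassiveLogOnUri)"
    }
    $line
}
```

A tenant can mix models: the default onmicrosoft.com domain is always managed, and only the domains converted with Convert-MsolDomainToFederated show as federated, so the per-domain view is the one to trust.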

What identity model do you prefer, and why do companies prefer to use the Federated Identity model?

Though it is complex to set up the Federated Identity model, I prefer Federated Identity. With the Federated Identity model, object creation and authentication happen in on-premises AD for the services enabled for a user in Office 365.

Companies prefer to manage their objects in their on-premises AD, and also the authentication, via the ADFS infrastructure.

What are DirSync, Azure AD Sync and Azure AD Connect?

DirSync, Azure AD Sync and Azure AD Connect are used to synchronize on-premises AD objects to Office 365 (Azure Active Directory), which is required for Federated Identity.

DirSync is the commonly known product for synchronizing an on-premises directory to Azure Active Directory. DirSync does not support multi-forest directory synchronization.

Azure AD Sync is the next version of DirSync; it supports multi-forest directory synchronization and password write-back.

Azure AD Connect is the latest version of the directory synchronization software from Microsoft. Azure AD Connect is recommended for larger organizations with a large number of objects, and it has additional features like SSO and group write-back.

Why do we need to sync AD objects to Azure AD?

To have a single sign-on experience and to enable services like Exchange Online \ SharePoint Online by assigning a license to an account, we need an object in Azure AD. Once the objects are synced, a license is assigned to the respective user account to enable the Office 365 services. When the user accesses Office 365 services like Exchange Online \ SharePoint Online, the user account is validated for a license, authentication is validated based on the identity model used, and the services are then allowed.

How will you ensure that the on-premises Active Directory objects can be synced to Azure AD?

Before the AD objects sync to Azure AD, it is better to validate whether the objects are ready to be synced with Azure AD. We can run the IdFix tool before the AD Connect installation to validate whether the AD objects are good to synchronize from on-premises to Azure.

The IdFix tool helps to validate whether there are any duplicate object entries, duplicate SIP addresses, etc.
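IdFix is a GUI tool, so it is worth seeing what its checks actually are. The following is an added example (not from the original post, and not IdFix's own code) that reproduces the core of them against the ActiveDirectory module: duplicate UPNs, mail and proxy/SIP addresses across users, UPN suffixes that are not verified in the tenant, and characters Azure AD rejects. It goes beyond the duplicates the answer names; the search base and the verified-suffix list are placeholders, and the character rules are a subset of the full IdFix rule set.

```powershell
# Added example: IdFix-style pre-sync checks with the ActiveDirectory module.
# Search base and verified suffixes are placeholders. Rules are a subset of
# what IdFix enforces (duplicates, unverified UPN suffix, invalid characters).
Import-Module ActiveDirectory

$SearchBase     = 'OU=Users,DC=contoso,DC=com'       # placeholder
$VerifiedSuffix = @('contoso.com', 'contoso.co.uk')  # placeholder: domains verified in Office 365

$props = 'userPrincipalName', 'mail', 'proxyAddresses', 'sAMAccountName'
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $props
$findings = New-Object System.Collections.Generic.List[string]

# --- duplicates: UPN, mail and every proxy address (smtp:, sip:, x500: ...) share one namespace ---
$addressOwners = @{}
function Add-Address([string]$Value, [string]$Owner) {
    if ([string]::IsNullOrEmpty($Value)) { return }
    $key = $Value.ToLowerInvariant()
    if ($addressOwners.ContainsKey($key) -and $addressOwners[$key] -ne $Owner) {
        $findings.Add("DUPLICATE $Value on $Owner and $($addressOwners[$key])")
    } else {
        $addressOwners[$key] = $Owner
    }
}
foreach ($u in $users) {
    Add-Address $u.userPrincipalName $u.sAMAccountName
    if ($u.mail) { Add-Address "smtp:$($u.mail)" $u.sAMAccountName }   # mail collides with smtp: proxies
    foreach ($pa in $u.proxyAddresses) { Add-Address $pa $u.sAMAccountName }
}

# --- format rules ---
foreach ($u in $users) {
    $upn = $u.userPrincipalName
    if (-not $upn) { $findings.Add("BLANK UPN on $($u.sAMAccountName)"); continue }

    $local, $suffix = $upn.Split('@')
    if ($VerifiedSuffix -notcontains $suffix) {
        $findings.Add("UNVERIFIED UPN suffix '$suffix' on $($u.sAMAccountName) (would sync as @tenant.onmicrosoft.com)")
    }
    # local part: letters, digits and . - _ ! # ^ ~ only, no leading or trailing dot
    if ($local -notmatch '^[A-Za-z0-9!#^~_-]([A-Za-z0-9.!#^~_-]*[A-Za-z0-9!#^~_-])?$') {
        $findings.Add("INVALID CHARACTER in UPN $upn")
    }
    foreach ($pa in ($u.proxyAddresses | Where-Object { $_ -match '^(smtp|sip):' })) {
        $addr = $pa -replace '^[A-Za-z0-9]+:', ''
        if ($addr -match '[\s,;"<>()\[\]]' -or $addr -notmatch '^[^@]+@[^@]+\.[^@]+$') {
            $findings.Add("MALFORMED address $pa on $($u.sAMAccountName)")
        }
    }
}

if ($findings.Count -eq 0) { "$($users.Count) users checked, no IdFix-style issues found" }
else { $findings | Sort-Object }
```

Duplicate proxy addresses are the finding that matters most for security as well as for sync: two on-premises objects claiming the same SMTP address means mail and, after migration, mailbox access can land on the wrong account.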

What are the prerequisites to deploy Azure AD Connect? Or, what are the prerequisites for integrating the on-premises Exchange environment with Office 365?

To integrate on-premises Exchange, we need to sync the on-premises objects to Azure AD so that licenses can be enabled on the accounts, which allows the users to access the required services. Once the AD Connect configuration is completed and the sync has started, we need to deploy ADFS for authentication.

Below are the prerequisites to consider before the Azure AD Connect installation, which synchronizes the on-premises directory to Office 365 (Azure Active Directory):

  • An Azure subscription is required; if you register for an Office 365 subscription, then in the backend you have Azure AD for directory services.
  • Add and verify the domain yourcompany.com from which you are going to synchronize the objects to Azure AD. With Office 365, yourcompany.onmicrosoft.com is the default domain when you get the Office 365 subscription; along with that, your on-premises AD domain name must be added and verified.
  • We can run the IdFix tool to find errors like duplicates and formatting problems in your directory. Errors highlighted by IdFix must be fixed so that the objects can synchronize with Azure AD.
  • The AD schema version and forest functional level must be Windows Server 2003 or later. Password write-back is supported on Windows Server 2008 Service Pack or later with KB2386717 applied. A writable DC is required; an RODC is not supported. Enable the AD Recycle Bin.
  • Group Managed Service Accounts are supported on Windows 2012 or later.
  • If the ADFS feature is going to be enabled in Azure AD Connect, then ADFS and Web Application Proxy must be installed on Windows 2012 R2 or later.
  • Azure AD Connect requires a SQL Server database to store identity data. The default installation of SQL Express supports only 10 GB and a maximum of 100K objects. Select a SQL Server edition based on your requirements.
  • A Global Admin account from Azure AD and an Enterprise Administrator account from on-premises are required to set up Azure AD Connect.
  • .NET Framework 4.5.1 and Windows Management Framework 4.0 are required for the Azure AD Connect installation.
  • Internet access is required from the Azure AD Connect server to on-premises AD and Azure AD.

What is the limit of objects that can be synced to Azure AD?

The default limit is 50K when we get the Office 365 subscription. In addition, 300K objects can be synchronized to Azure AD. If there is a requirement to sync more than 300K objects, we can contact Microsoft to increase the limit. I know a company that is allowed to sync 1500K objects to Azure AD.

Why do we need to add and verify the domains in Office 365?

The on-premises Active Directory domain must be added and verified in Azure AD for directory synchronization to occur, and adding the domain increases the default limit of 50K objects to 300K objects.

On-premises Exchange will have email addresses like xyz.com; we need to add the domain in Office 365 to get the same email addresses for Exchange Online users. If we want to add additional external email addresses in on-premises Exchange, we need to add and verify those domains so that Office 365 creates them as accepted domains in Exchange Online.