Join this Study Group to prepare for the exam Managing Identity and Services Exam Code MS-100.

This page is designed to help you prepare for the MS-100 Managing Identity and Services exam. This is equal to referring to MS-100 Exam Dumps.

I have consolidated the important information on each topic, posted it on my blog and added the respective links for easy navigation. If you have a question on an MS-100 exam topic or want to add any information, please post your comments on that topic.

Design and Implement Microsoft 365 Services (25-30%)

      Below are the Topics under Design and Implement Microsoft 365 Services

      Manage Domains

      You should have a complete understanding of managing domains in Office 365, which includes planning and configuring domains, identity and authentication methods. Microsoft highlights the sub-topics below under Manage domains.

      Add and configure additional domains

      When you sign up for Office 365, it includes a default domain name. Adding a domain in Office 365 lets you use your own domain name in your email addresses instead of the default domain. You need to prove that you are the owner of your domain.

      To add a domain, log in to the O365 Admin Portal -> Setup -> Domains -> Add a Domain -> enter your domain name -> verify the domain by creating a TXT record -> Setup Online Services -> update the DNS records.

      • To verify the domain, Office 365 shows an option: if the domain is registered with GoDaddy, Office 365 can verify the domain on your behalf, or you can create a TXT record.
      • If you choose to create a record, either a TXT record or an MX record can be created as proof of domain ownership.
      • If you create an MX record, make sure you are OK with receiving email through Office 365 as your email gateway.

      Configure user identities for new domain name

      You need to know the identity models available.

      Cloud Identity: User identity management happens only in Office 365 (Azure AD). No on-premises servers are required to manage users. All object management is done only in the cloud.

      Synchronized Identity: Identities are synchronized from the on-premises directory to Office 365 (Azure AD) and user management is done in the on-premises AD. Passwords can be synced so that users have the same password on-premises and in the cloud. On-premises and Office 365 will have the same identity, but users have to sign in every time when accessing on-premises and Office 365 applications; there is no single sign-on experience.

      Federated Identity: Identities are synchronized from the on-premises directory to Office 365 (Azure AD) and user management is done in the on-premises AD. Identities synced to Azure AD are used to enable the Office 365 services. Users are authenticated against the on-premises AD to access a cloud application, using federated authentication via ADFS for single sign-on.

      Tips: The authentication method can be changed from the Azure AD Connect configuration, and the current authentication method can be seen at Azure AD Portal -> Azure AD Connect.

      Configure workloads for new domain name

      When we add and verify the domain, Office 365 gives an option after verification to enable workloads such as Exchange, Skype for Business, Teams, SharePoint\OneDrive and Mobile Device Management for Office 365. We need to plan the services that we are going to enable, and it will show the DNS records required for those services, which will point to Office 365.

      • Office 365 can register TXT records on your behalf or you can manually create the TXT records required for the enabled services.
      • Based on the workload selection, Office 365 will prompt you to create the below records. Other Office 365 workloads like Planner and Forms do not require a DNS record.

      In addition to the above, we need to know how to enable the services and do the initial configuration for the below Microsoft 365 workloads:

      • Windows 10 Enterprise
      • Office 365 (EXO, SPO, OD4B, Teams)
      • Enterprise Mobility + Security

      Design domain name configuration

      Designing the domain name configuration includes adding a custom domain, a sub domain and multiple domains to your Office 365 subscription.

      We can add up to 900 domains in the Office 365 domain settings, but you need to verify proof of ownership for each domain.

      • If you are using Cloud Identity, a sub domain addition is verified automatically, but the DNS records required for the enabled services have to be created by you.
      • If you have a requirement to add a sub domain, do not set up Microsoft to manage your DNS by creating NS records.
      • If the parent domain uses federated identity, sub domains can be added only from the ADFS servers. You need to enable the services once the sub domain has been added from the ADFS server.

      PowerShell: New-MsolFederatedDomain -DomainName

      Set primary domain name

      If we add multiple domains in Office 365, we have the option to set one domain as the primary domain.

      To set the primary domain, log in to the O365 Admin Portal -> Setup -> Domains -> select the domain -> Set as Default.

      • If we create user objects in Azure AD, the UPN or the email address is stamped with the default domain name. This applies to Cloud Identity only, or when the objects are created directly in Office 365.
      • Deploying Windows 10 Enterprise and the Intune setup have a prerequisite to validate the primary domain.

      Verify custom domain

      We need to verify the custom domains (in other words, prove to Microsoft that you are the owner of that domain) and create the DNS records for each Office 365 workload. A custom domain is nothing but the domain name that you want on the email addresses.

      To set the custom domain, log in to the O365 Admin Portal -> Setup -> Domains -> add the domain -> verify the domain by creating the TXT record provided by Microsoft.

      Please post your comment if you want to add any information which can help others in clearing their exam.

      Plan a Microsoft 365 implementation

      This covers preparing the On-Premise Infrastructure for Microsoft 365 workloads

      Plan for Microsoft 365 on-premises Infrastructure

      This is an important topic; note that the title says Planning Microsoft 365 for On-Premise Infrastructure. Planning should include:

      • Networking
      • Identity
      • Windows 10 enterprise
      • Office 365 Pro Plus
      • Office 365 workloads like EXO, SPO, OD4B, Teams
      • Mobile Device Management
      • Information Protection.

      Networking: Before enabling Office 365 services, you need to do a network validation to avoid latency.

      • You are going to allow users to access the Office 365 services, so ensure they have enough Internet bandwidth to access them, to avoid connectivity and performance issues caused by network limitations.
      • Check the connectivity from each office; use the Ping, TraceRT, PSPING and Telnet commands to check connectivity and network performance.
      • Ensure users are connecting to the Office 365 egress endpoints in their region. A Ping to the respective service URLs can help you identify this. For example – Ping for Exchange Online.
      • Ensure the network service provider has a direct peering relationship with the Microsoft Global Network in close proximity to that location. Also, validate that there is no latency caused by a network hairpin through a Cloud Access Broker solution etc.
      • Validate whether a proxy is required for Office 365 services and see whether Office 365 traffic can bypass the proxy.
      • Tune client-side settings such as TCP Window Scaling, Idle Time, Maximum Send Size and Selective Acknowledgement to increase client-side performance when accessing Office 365 services.

      Identity: Planning identity is required to provide secure access to Office 365 services. This includes synchronizing user accounts to Office 365, designating admin roles, protecting Global Admin accounts, enabling MFA for users, monitoring identity synchronization health, licensing, and monitoring tenant, license and sign-in activity logs. We will see this in detail under Plan identity and authentication solution.

      Windows 10 Enterprise: Deploying Windows 10 Enterprise to endpoints

      To prepare for Windows 10 Enterprise, Microsoft recommends adding and verifying the domain that your users are going to use to access Office 365 services, which could be the UPN or primary email address domain. Adding users to Office 365 and assigning licenses is optional at this time and install Office 365 Pro Plus.

      Do an in-place upgrade for Windows 7 and 8.1 using SCCM, and for new devices use Windows Autopilot deployment.

      Monitor device health and ensure devices are secure by having Windows Defender.

      Office 365 Pro Plus: Office 365 Pro Plus deployment can be done either via SCCM or the Office Deployment Tool; we need to consider the Office update channels and their frequency.

      Deployment can be through SCCM, ODT from the cloud, ODT from a local source or directly from the Office Portal.

      Mobile Device Management:

      Mobile device management is required to secure organization resources by using Microsoft Intune.

      1. Planning – Plan how to control mobile devices using MDM and the application management on the managed devices using MAM.

      MDM: When users enroll their devices, they become managed devices and can receive any policies, rules and settings used by your organization.

      MAM: MAM policies control the application on a non-managed device by forcing the user to enter a PIN, so that the application is accessed only by an authorized user.

      2. Prerequisites – An Intune subscription, an Office 365 subscription, Azure AD Premium and an MDM Push certificate for iOS are required.
      3. Setup Intune – Check whether the devices are supported -> ensure the domain verification is completed -> sign in to Intune -> enable Device Management -> add users.
      4. Enroll Devices – Users have to enroll their devices to make them Intune managed. Set up enrollment restrictions and policies for users and devices.
      5. Deploy the apps
      6. Create Compliance Policies and Conditional Access Policies, for example that only managed devices can access the Office 365 services.

      Tips: Allowing only Intune managed devices adds additional security to the organization’s data.

      Information Protection: Information protection is a set of policies and technologies that define how you transmit, store, and process sensitive information.

      Information protection includes Data Loss Prevention, Office 365 Labels and Azure Information Protection labelling and classification, Threat Management Policies, Sharing Policies in SharePoint, Office 365 Secure Score, Office 365 Cloud App Security and PAIM for just-in-time access for task-based activities.

      Plan identity and authentication solution

      Planning Identity: Planning identity is required to provide secure access to Office 365 services. This includes synchronizing user accounts to Office 365, designating admin roles, protecting Global Admin accounts, enabling MFA for users, monitoring identity synchronization health, licensing, and monitoring tenant, license and sign-in activity logs.

      Planning Steps: Keep security in mind while doing the identity planning.

      1. Ensure users are created or synchronized from on-premises AD using AD Connect

      Learn how to install and configure AD Connect to synchronize objects to Azure AD. It can be downloaded from the Microsoft Download Center.

      2. Verify that only the designated administrators are members of the Global Admin role

      Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Company Administrator" } | Get-AzureADDirectoryRoleMember | Format-Table DisplayName

      3. Enable multi-factor authentication for users

      We can enable MFA at the user level so that MFA is prompted whenever Office 365 is accessed, or we can trigger MFA when a certain application is accessed by creating Conditional Access policies.

      4. Identity synchronization monitoring using Azure AD Health Agents

      We can download the Azure AD Health Agent from the Azure AD Portal and install it on the AD Connect servers to monitor the health of AD object synchronization to Azure.

      5. Enable group-based licensing if planned

      We can automate license enablement and disablement by assigning the license to a group. If a user is removed, the license is removed. If a user is a member of many groups with the same license enabled, the license is used only once.

      Azure AD Portal -> License -> select the license and click on Assign to a User or group.

      6. Enable Azure AD Identity Protection, which lets you:
      • Get a consolidated view of flagged users and risk events detected using machine learning algorithms
      • Set risk-based Conditional Access policies to automatically protect your users
      • Improve security posture by acting on vulnerabilities

      We can search for Azure AD Identity Protection in the Azure Portal and click on Create to configure it.

      7. Configure Privileged Identity Management to support on-demand assignment of the global administrator role

      8. Simplify user sign-in by configuring Azure Active Directory Seamless Single Sign-On

      We can continue to use federated authentication if we are already using federation with ADFS authentication.

      9. Dynamic group membership rules for a group in Azure AD

      You can create a dynamic group for devices or for users, but you can’t create a rule that contains both users and devices.

      You can’t create a device group based on the device owners’ attributes. Device membership rules can only reference device attributes.

      10. Self-service group management and password resets
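
      For the step above on verifying that only designated administrators hold the Global Admin role, the role members can be compared against an approved list instead of being read by eye. This is an added example, not part of the original post; the function name, the designated list and the sample members are constructed, and the property names assume objects shaped like those returned by Get-AzureADDirectoryRoleMember.

```powershell
# Added example: audit Global Admin role membership against a designated list.
# Live input (AzureAD module, after Connect-AzureAD):
#   $members = Get-AzureADDirectoryRole |
#       Where-Object { $_.DisplayName -eq 'Company Administrator' } |
#       Get-AzureADDirectoryRoleMember

function Get-GlobalAdminFinding {
    [CmdletBinding()]
    param(
        # Role members: objects with DisplayName, UserPrincipalName, ObjectType, UserType, ObjectId
        [Parameter(Mandatory)] [object[]] $Member,
        # UPNs of the administrators designated to hold the role (hypothetical allow-list)
        [Parameter(Mandatory)] [string[]] $Designated
    )

    foreach ($m in $Member) {
        $issues = @()
        if ($m.ObjectType -ne 'User') {
            # Service principals or groups in the role have no UPN to compare
            $issues += "non-user member ($($m.ObjectType))"
        }
        elseif ($m.UserPrincipalName -notin $Designated) {
            # -notin compares case-insensitively
            $issues += 'not on the designated list'
        }
        if ($m.UserType -eq 'Guest') {
            $issues += 'guest account'
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                DisplayName = $m.DisplayName
                Identity    = if ($m.UserPrincipalName) { $m.UserPrincipalName } else { $m.ObjectId }
                Finding     = $issues -join '; '
            }
        }
    }

    # Designated administrators who do not currently hold the role (stale list entries)
    $held = @($Member | ForEach-Object { $_.UserPrincipalName })
    foreach ($upn in $Designated) {
        if ($upn -notin $held) {
            [pscustomobject]@{ DisplayName = $null; Identity = $upn; Finding = 'designated but not a member' }
        }
    }
}

# Constructed sample data so the function can be tried without a tenant connection
$sampleMembers = @(
    [pscustomobject]@{ DisplayName = 'Alice Admin'; UserPrincipalName = 'alice@contoso.example'
                       ObjectType = 'User'; UserType = 'Member'; ObjectId = 'sample-0001' }
    [pscustomobject]@{ DisplayName = 'Bob Helpdesk'; UserPrincipalName = 'bob@contoso.example'
                       ObjectType = 'User'; UserType = 'Member'; ObjectId = 'sample-0002' }
    [pscustomobject]@{ DisplayName = 'Vendor Contact'; UserPrincipalName = 'vendor_partner.example#EXT#@contoso.example'
                       ObjectType = 'User'; UserType = 'Guest'; ObjectId = 'sample-0003' }
    [pscustomobject]@{ DisplayName = 'Sync App'; UserPrincipalName = $null
                       ObjectType = 'ServicePrincipal'; UserType = $null; ObjectId = 'sample-0004' }
)
$designated = 'alice@contoso.example', 'breakglass@contoso.example'

Get-GlobalAdminFinding -Member $sampleMembers -Designated $designated | Format-Table -AutoSize
```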

      Planning Authentication:

      Below are the authentication options available. Microsoft will focus on Seamless SSO.

      Federation Authentication with ADFS

      Most companies prefer to use federated authentication. When the federation sign-in option is enabled, the domain used for authentication is configured as a federated domain in Azure AD. The authentication flow for federation sign-in is described below.

      How it works

      To explain the federation sign-in flow: when you access any claims-aware application that trusts Azure AD as the STS, the application redirects you to authenticate with Azure AD. Azure AD prompts you to log in with the user name only, and when you enter the user name, the domain is checked to see whether it is a federated domain. Since it is a federated domain, you are redirected to the on-premises ADFS infrastructure (to the WAP server if you are on the Internet, and to the ADFS server if you sign in from the intranet). ADFS prompts you to enter the user name and password and authenticates them against Active Directory. On successful authentication with AD, ADFS sends a security token to the user, which is sent back to Azure AD for successful authentication.

      Note: You need to maintain an ADFS infrastructure to have this federation sign-in option, and it has additional benefits, such as using an on-premises MFA server for multi-factor authentication.

      Password Hash Synchronization Authentication

      Do not be confused by the Password Synchronization option: we are not directly synchronizing the password from on-premises to Azure AD. Only a hash of the password hash is synchronized to Azure AD using Azure AD Connect.

      How it works

      When Password Hash Synchronization authentication is enabled for the tenant, a hash of the password hash is available in Azure AD after synchronization. If a user accesses an Azure-integrated application, the user is redirected to authenticate with Azure AD. Azure AD prompts the user to enter the credentials; both the user name and the password are entered in the Azure AD authentication dialogue window and validated against the hash synced to Azure. If successful, the user is provided with a security token to authenticate to the service\application. Switching from one application to another prompts the user to validate the credentials when this sign-in option is used.

      Pass-through Authentication

      If we use Pass-through Authentication, the user name and password are gathered in Azure AD but the password is validated in the on-premises AD. An AuthN Agent configured on the AD Connect server or any member server supports Pass-through Authentication. The pass-through authentication flow is described below.

      How it works

      When a user accesses any Office 365 application, the application redirects the user to Azure AD for authentication. Azure AD prompts the user to enter both the user name and password, and these are sent to the on-premises AuthN Agent server using a secure tunnel established when the AuthN Agent was configured. The AuthN Agent component validates the user name and password against Active Directory using a Win32 API call, and the successful authentication is sent back to Azure AD. Azure AD completes the authentication and sends a security token to access the application, and the user gains access to the application.

      Azure AD Seamless SSO (enabled when choosing PHS or PTA)

      Azure AD Seamless SSO allows users to sign in to services that use Azure AD user accounts without having to type in their passwords, and in many cases only their user names are required.

      Seamless SSO works with Password Hash Synchronization and Pass-through Authentication. For Seamless SSO to work, the machine has to be domain joined and should have access to AD. The machine authenticates with Azure AD using a Kerberos token.

      How it works?

      When Seamless SSO is enabled and the additional configurations are deployed, a new computer object is created in AD that holds 2 SPNs for authentication with Azure AD. Let us assume a user accesses a claims-aware application: the user is redirected to Azure AD for authentication, Azure AD instructs the client to do an authentication test to find out whether the client is SSO capable, and it sends an unauthorized response telling the client to get a token from AD. The client requests a Kerberos ticket from AD and sends it to Azure AD. Azure AD returns a security token, which is sent to the application, and the authentication is successful.

      Tips: To configure a sign-in method, go to Azure AD Connect -> User Sign-In and select the preferred authentication.

      If Seamless SSO fails, the other enabled option (PTA or PHS) is used for authentication. If Seamless SSO is configured, it is recommended that you periodically roll over the Kerberos decryption keys, at least once every 30 days.

      Azure AD Domain Join is not required when using Seamless SSO, but Azure AD Domain Join and Seamless SSO can be combined; if combined, Azure AD Domain Join takes precedence.
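
      The 30-day rollover recommendation above can be checked from the computer object that Seamless SSO creates in AD. This is an added example, not part of the original post; it assumes the key age is read from PasswordLastSet on the Seamless SSO computer account (AZUREADSSOACC), and the function name, sample accounts and SPN placeholders are constructed.

```powershell
# Added example: report whether the Seamless SSO Kerberos decryption key is overdue
# for rollover. Live input, once per forest (ActiveDirectory module):
#   Get-ADComputer -Identity AZUREADSSOACC -Properties PasswordLastSet, ServicePrincipalName

function Test-SeamlessSsoKeyAge {
    [CmdletBinding()]
    param(
        # Object with DistinguishedName, PasswordLastSet and ServicePrincipalName
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Account,
        [int] $MaxAgeDays = 30,        # from the post: roll over at least once every 30 days
        [int] $ExpectedSpnCount = 2,   # from the post: the computer object holds 2 SPNs
        [datetime] $Now = (Get-Date)
    )
    process {
        $findings = @()
        $ageDays  = $null

        if ($null -eq $Account.PasswordLastSet) {
            $findings += 'PasswordLastSet is empty; key age unknown'
        }
        else {
            $ageDays = [int][math]::Floor(($Now - [datetime]$Account.PasswordLastSet).TotalDays)
            if ($ageDays -gt $MaxAgeDays) {
                $findings += "key is $ageDays days old; roll it over"
            }
        }

        # Filter out empty values so a missing attribute counts as zero SPNs
        $spnCount = @($Account.ServicePrincipalName | Where-Object { $_ }).Count
        if ($spnCount -lt $ExpectedSpnCount) {
            $findings += "only $spnCount SPN(s) registered"
        }

        [pscustomobject]@{
            Account  = $Account.DistinguishedName
            AgeDays  = $ageDays
            SpnCount = $spnCount
            Status   = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Constructed sample accounts for two forests; SPN values are placeholders
$now = [datetime]'2019-06-30'
$sampleAccounts = @(
    [pscustomobject]@{
        DistinguishedName    = 'CN=AZUREADSSOACC,CN=Computers,DC=corp,DC=example'
        PasswordLastSet      = [datetime]'2019-06-15'
        ServicePrincipalName = @('HOST/placeholder-one.example', 'HOST/placeholder-two.example')
    }
    [pscustomobject]@{
        DistinguishedName    = 'CN=AZUREADSSOACC,CN=Computers,DC=branch,DC=example'
        PasswordLastSet      = [datetime]'2019-03-01'
        ServicePrincipalName = @('HOST/placeholder-one.example')
    }
)

$sampleAccounts | Test-SeamlessSsoKeyAge -Now $now | Format-Table -AutoSize
```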

      Please add your comments if you want to highlight something.

      Setup Microsoft 365 tenancy and subscription

      If you are already using Windows 10 Enterprise, Office 365 E3 and Enterprise Mobility + Security E3 / E5 then you can skip this as you are already using the M365 workloads.

      This topic is all about setting up the Office 365 tenant and Azure Subscriptions.

      Configure subscription and tenant roles and workload settings

      • Configuring subscription and tenant roles includes the process of signing up for Microsoft 365 Enterprise and managing the roles for the Microsoft 365 tenant.
      • A Microsoft 365 Enterprise tenant is nothing but having Windows 10 Enterprise, Office 365 and Enterprise Mobility + Security.
      • You can be an existing customer who already has the above M365 workloads enabled in different forms. If you are a new organization migrating to Office 365, you can approach Microsoft / a partner to subscribe to a Microsoft 365 Enterprise tenant.
      • An M365 subscription is like signing up for the E3 or E5 trial and enabling the services that are required for your tenant.
      • Tenant role management is required, where you designate the respective users as Global Administrator and others as designated administrators like Exchange Online admin / SharePoint administrator.
      • M365 workload setting is enabling \ deploying services like Windows 10 Enterprise, Office 365 (EXO, SPO \ OD4B and Teams) and Enterprise Mobility + Security to end users.

      Below Azure AD Tenant Roles are available and we can designate respective admins for each service associated with the roles.

      Tips: For existing Office 365 customers, if you are already using Windows 10 Enterprise, Office 365 and Enterprise Mobility + Security, then you are an M365 customer.

      Evaluate Microsoft 365 for organization

      If you’re new to Microsoft 365 Enterprise or to a specific product or feature, one of the best ways to gain understanding is to build it out yourself.

      Reference –

      Existing customers may have already set up those workloads and know how to set up the services.

      Plan and create tenant

      Understand the Office 365 and Microsoft 365 Enterprise workloads, plan for the services that are required for your organization and approach Microsoft to get the subscription.

      • Start by registering the tenant with an Office 365 trial and add the other workloads that are under Microsoft 365.
      • Creating a tenant is the same process as signing up for the Office 365 trial, and Microsoft will assist you in adding the subscription to your tenant.

      Upgrade existing subscriptions to Microsoft 365

      • Customers already using Office 365 services like EXO and SPO can approach Microsoft / partners to upgrade their existing services to Microsoft 365.
      • Approaching Microsoft or a Microsoft partner is the only available option to upgrade an existing Office 365 subscription to Microsoft 365.

      Monitor license allocations

      • Licenses are assigned on the individual account, and we have the option to use group-based licensing, where assigning the license to a group assigns the enabled license to all members of the group.
      • The group can be a security group or an Azure AD dynamic group. Dynamic groups run rules against user object attributes to automatically add and remove users from groups.
      • Azure AD audit logs can be used to monitor who changed the license on a group enabled with a license.

      Manage Microsoft 365 subscription and tenant health

      As a Microsoft 365 administrator, you need to know how to monitor and manage service health alerts, create service requests and view the reports to understand license / service usage.

      Manage service health alerts

      We can use the Office 365 Admin App / Office 365 Management Pack / Office 365 Service Communication API to view the service status.

      Office 365 Service Health can be viewed from Office 365 Admin Portal -> Health -> Service health.

      Tips: A minimum of the User Management role permission is required to view Service Health Alerts.

      Create & manage service requests

      We can raise a service request to get assistance from Microsoft support on the issues that users are facing in your organization.

      • Support requests can be raised from Office 365 Admin Portal -> Support -> New Service Request.
      • A minimum of the Service Administrator permission is required to raise a support request.

      Create internal service health response plan

      This is an internal process to monitor announcements of planned outages in the Office 365 Message Center; the respective team has to inform management and coordinate with the TAM for additional details.

      Office 365 Admin Portal -> Health -> Message Center

      If it is a service incident, the team has to raise a service request to follow up with Microsoft support on the existing issues.

      Monitor service health

      Office 365 Service Health can be viewed from Office 365 Admin Portal -> Health -> Service health.

      Configure and review reports, including BI, OMS, and Microsoft 365 reporting

      To view the Office 365 reports:

      Office 365 reports can be viewed from Office 365 Admin Portal -> Reports -> drill down into the available reports for additional information.

      Reports are also available in the Security and Compliance Portal -> Reports -> view the available security and compliance based reports.

      Office 365 reports can be viewed from Power BI content packs (Office 365 Adoption Content Pack).

      OMS – Operation Management Suite / Solution for Office 365 is used to monitor user / admin activities, and it also helps to detect and investigate unwanted user behavior. We can also configure alerts; for example, if a user deletes more than 100 files, an alert can be sent to the administrator.
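
      The alert condition described above (a user deleting more than 100 files) can be expressed as detection logic over audit records. This is an added example, not part of the original post and not an OMS query; the one-hour window, the function name and the sample records are assumptions, and the record fields (CreationTime, Operation, UserId, Workload) follow the Office 365 audit data shape.

```powershell
# Added example: flag users whose file deletions exceed a threshold inside a time window.

function Find-MassFileDeletion {
    [CmdletBinding()]
    param(
        # Audit records: objects with CreationTime, Operation and UserId
        [Parameter(Mandatory)] [object[]] $Record,
        [int] $Threshold = 100,                          # from the post: more than 100 files
        [timespan] $Window = (New-TimeSpan -Hours 1)     # assumption: the post gives no window
    )

    $deletes = $Record | Where-Object { $_.Operation -eq 'FileDeleted' }

    foreach ($group in ($deletes | Group-Object -Property UserId)) {
        # Sorted event times for this user
        $times = @($group.Group | ForEach-Object { [datetime]$_.CreationTime } | Sort-Object)

        # Sliding window: $start trails $end so that both events fit inside $Window
        $start = 0
        $best = 0
        $bestStart = $null
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end] - $times[$start]) -gt $Window) { $start++ }
            $count = $end - $start + 1
            if ($count -gt $best) {
                $best = $count
                $bestStart = $times[$start]
            }
        }

        if ($best -gt $Threshold) {
            [pscustomobject]@{
                UserId      = $group.Name
                Deletions   = $best
                WindowStart = $bestStart
                WindowHours = $Window.TotalHours
            }
        }
    }
}

# Constructed sample: one user deletes 120 files in ten minutes, another deletes 5,
# and unrelated operations are mixed in
$t0 = [datetime]'2019-05-01T09:00:00'
$sample = @(
    0..119 | ForEach-Object {
        [pscustomobject]@{ CreationTime = $t0.AddSeconds(5 * $_); Operation = 'FileDeleted'
                           UserId = 'user1@contoso.example'; Workload = 'SharePoint' }
    }
    0..4 | ForEach-Object {
        [pscustomobject]@{ CreationTime = $t0.AddMinutes(10 * $_); Operation = 'FileDeleted'
                           UserId = 'user2@contoso.example'; Workload = 'OneDrive' }
    }
    0..9 | ForEach-Object {
        [pscustomobject]@{ CreationTime = $t0.AddMinutes($_); Operation = 'FileAccessed'
                           UserId = 'user2@contoso.example'; Workload = 'SharePoint' }
    }
)

Find-MassFileDeletion -Record $sample | Format-Table -AutoSize
```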

      Schedule and review security and compliance reports

      Reports related to security and compliance can be viewed at -> Reports. We can configure \ manage the schedules for these reports.

      Schedule and review usage metrics

      Available reports can be scheduled, and we need to review the data to ensure the usage is allowed. In addition, usage reports such as license and service usage can be viewed from the Microsoft 365 usage analytics portal in Power BI. This needs to be enabled from Microsoft Power BI by a Global Admin account or any other Service Administrator role like EXO Admin / SPO Admin.

      To enable Microsoft 365 usage analytics – Office 365 Admin Portal -> Reports -> Usage -> navigate to Microsoft 365 usage analytics and turn ON the option -> log in to the Power BI portal -> Get Data, then under More ways to create your own content choose Service Content Packs and select Microsoft 365 usage analytics.

      Plan migration of users and data

      We need to plan the user and data migration options to Microsoft 365. User migration means migrating Skype for Business users to Skype for Business Online, and data migration includes mailbox migration and file migration by setting up a hybrid infrastructure for the respective service.

      Identify data to be migrated and method

      We need to understand from where the data is going to be migrated to Microsoft 365. Below are the data migration options available.

      If Exchange On-Premise – the administrator can set up a Hybrid Exchange infrastructure for seamless mailbox migration to Exchange Online.

      • Mailbox Move Request
      • PST Import Tool

      If SharePoint / OneDrive for Business -> the administrator can move the files to SharePoint Online by

      • SharePoint Migration Tool
      • Users can manually move the data once they get access to the SharePoint Online site.
      • The OneDrive Sync client can be used to move the data

      Identify users and mailboxes to be migrated and method

      User identification means finding out which email system the user is on. For example, if it is Exchange On-Premise, we can set up a Hybrid Exchange infrastructure and migrate the mailbox. If it is a Gmail system, we have the option to migrate the email from Gmail to Office 365. We need to identify the existing email system and plan with the available data migration options.

      Plan migration of on-premise users and groups

      User migration, in other words synchronizing the users to Azure AD / Office 365, can be done via Azure AD Connect. In addition, we need to plan the identity model that we are going to use and the authentication method.

      Import PST Files

      We can use the Import service to move email (PST files) from your organization’s servers to Office 365. We can ship the files to Microsoft, or upload the files over the Internet by creating an Import Job that uploads the PSTs to Azure blob storage, and then map (using a mapping file) each PST file to the respective user’s primary or archive mailbox.

      Navigate to -> Data Governance -> Import -> Create a New Import Job to import the PST into a mailbox.

      Other Topics are on my E-Book.

      Reach me for an E-Book (for a low fee) on MS-100 exam questions and answers.
