MS-100 Plan a Microsoft 365 implementation

May 25th, 2019 | Posted by admin in Exchange

Planning a Microsoft 365 implementation covers preparing the on-premises and Microsoft 365 infrastructure for enabling Microsoft 365 workloads.

  • Plan for Microsoft 365 on-premises Infrastructure
  • Plan identity and authentication solution

Plan for Microsoft 365 on-premises Infrastructure

This is an important topic; note that the title says Planning Microsoft 365 for On-Premise Infrastructure. Planning should include:

  • Networking
  • Identity
  • Windows 10 enterprise
  • Office 365 Pro Plus
  • Office 365 Workloads like EXO, SPO, OD4BO, Teams
  • Mobile Device Management
  • Information Protection.

Networking: Before enabling Microsoft 365 Services, you need to do a Network Validation to avoid latencies when accessing the Microsoft 365 services.

  • Ensure users have enough Internet bandwidth to access the services, so that network limitations do not cause connectivity or performance issues.
  • Check the connectivity from each office: use the Ping, TraceRT, PSPING and Telnet commands to check connectivity and validate network performance.
  • Ensure users are connecting to Office 365 egress endpoints in their region. Running the Ping command against the respective service URLs can help you identify this. For example – Ping for Exchange Online.
  • Ensure the Network Service Provider has a direct peering relationship with the Microsoft Global Network in close proximity to that location. Also validate that no latency is introduced by network hairpinning through a Cloud Access Broker solution etc.
  • Validate whether a proxy is required for Office 365 services, and either bypass the proxy for Office 365 traffic or configure the proxy servers to support Microsoft 365.
  • Tune client-side settings such as TCP Window Scaling, Idle Time, Maximum Send Size and Selective Acknowledgement to increase client-side performance.

Identity: Identity planning is required to provide secure access to Office 365 services. This includes:

  • Synchronizing User accounts to Office 365
  • Designating Admin Roles
  • Protecting Global Admin Accounts
  • Enabling MFA for Users
  • Monitoring Identity Synchronizing Health
  • Licensing
  • Monitoring Tenant license
  • Sign-In Activity logs.

These items are covered in detail under Plan identity and authentication solution.

Windows 10 Enterprise: Deploying Windows 10 Enterprise to endpoints

To prepare for Windows 10 Enterprise, Microsoft recommends adding and verifying the domain that your users are going to use to access Office 365 services; this could be the UPN or primary email address domain. Adding users to Office 365 and assigning licenses is optional at this time, followed by installing Office 365 Pro Plus.

Do an in-place upgrade of Windows 7 and 8.1 devices using SCCM, and use Windows Autopilot deployment for new devices.

Monitor device health and keep devices secure with Windows Defender.

Office 365 Pro Plus: Office 365 Pro Plus can be deployed via SCCM or the Office Deployment Tool (ODT). We need to consider the Office update channels and the update frequency.

Deployment can be through SCCM, ODT from the cloud, ODT from a local source, or directly from the Office portal.

The Office 365 Pro Plus update channel needs to be planned. Below are the details of the available update channels.

If we deploy Office 365 Pro Plus using the Office Deployment Tool, it requires the Setup file and a configuration XML like below to control what is installed on the computers.


  • Channel="Monthly" – Monthly update channel
  • Channel="Broad" – Semi Annual (Jan & July)
  • Channel="Targeted" – Semi Annual Targeted (March and September)

Setting AllowCdnFallback to true makes the installer fall back to Office 365 as the installation source, instead of the local share, when the specified language pack is not available.
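
An added example (not from the original post): a PowerShell check that reads an ODT configuration and reports the update channel and CDN fallback setting described above. The XML is a constructed sample, and the share path and the function name Get-OdtChannelSummary are assumptions.

```powershell
# Constructed sample configuration.xml; \\fileserver\office is a placeholder share.
$sampleConfig = @'
<Configuration>
  <Add SourcePath="\\fileserver\office" OfficeClientEdition="64"
       Channel="Broad" AllowCdnFallback="TRUE">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" />
</Configuration>
'@

# Channel values and cadence as listed in this post.
$channelCadence = @{
    'Monthly'  = 'Monthly update channel'
    'Broad'    = 'Semi Annual (Jan & July)'
    'Targeted' = 'Semi Annual Targeted (March and September)'
}

function Get-OdtChannelSummary {   # hypothetical helper, not part of ODT
    param([Parameter(Mandatory)][string]$ConfigXml)
    $add = ([xml]$ConfigXml).Configuration.Add
    if (-not $add) { throw 'No <Add> element found in configuration.' }
    $channel  = $add.Channel
    $fallback = $add.AllowCdnFallback -eq 'TRUE'   # string -eq is case-insensitive
    $warnings = @()
    if (-not $channel) {
        $warnings += 'Channel not set: the update cadence has not been planned.'
    } elseif (-not $channelCadence.ContainsKey($channel)) {
        $warnings += "Channel '$channel' is not one of the values listed in this post."
    }
    if ($add.SourcePath -and -not $fallback) {
        $warnings += 'Local SourcePath with no CDN fallback if a language pack is missing.'
    }
    [pscustomobject]@{
        Channel          = $channel
        Cadence          = if ($channel) { $channelCadence[$channel] }
        SourcePath       = $add.SourcePath
        AllowCdnFallback = $fallback
        Warnings         = $warnings
    }
}

Get-OdtChannelSummary -ConfigXml $sampleConfig | Format-List
```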

Mobile Device Management:

Mobile device management is required to secure organization resources, using Microsoft Intune.

Plan how to control mobile devices using MDM, and how to manage applications on those devices using MAM.

MDM: When users enroll their devices, the devices become managed devices and can receive any policies, rules, and settings used by the organization.

MAM: MAM policies control the application on a non-managed device by forcing the user to enter a PIN, so that the application is accessed only by an authorized user.

To set up Microsoft Intune:

  1. Prerequisites – Intune Subscription, Office 365 Subscription, Azure AD Premium, and an MDM Push certificate for iOS are required.
  2. Setup Intune – Check whether the devices are supported -> Ensure the domain verification is completed -> Sign in to Intune -> Enable Device Management -> Add Users.
  3. Device Enrollment – Users have to enroll their devices to make them Intune managed. As part of device enrollment, configure device enrollment restrictions and policies for users and devices.
  4. Deploy the apps required on the managed mobile devices.
  5. Create Compliance Policies and Conditional Access Policies, for example so that only managed devices can access the Office 365 services.

Tips: Configuring Conditional Access so that only Intune managed devices can access the Microsoft 365 services adds additional security to the organization’s data.

Information Protection: Information protection is a set of policies and technologies that define how you transmit, store, and process sensitive information.

Information Protection Includes Data Loss Prevention, Office 365 Labels and Azure Information Protection labelling and classification, Threat Management Policies, Sharing Policies in SharePoint, Office 365 Secure Score, Office 365 Cloud App Security and PIM for just-in-time access for task-based activities.

Plan identity and authentication solution

Planning Identity: Identity planning is required to provide secure access to Office 365 services. This includes synchronizing user accounts to Office 365, designating admin roles, protecting Global Admin accounts, enabling MFA for users, monitoring identity synchronization health, licensing, monitoring tenant, license and sign-in activity logs.

Planning Steps: Keep security in mind while doing the identity planning.

  1. Ensure Users are created or Synchronized from On-Premise AD using AD Connect

Learn How to install and configure AD Connect to Synchronize objects to Azure AD. Download Azure AD Connect from Microsoft Download center.

  2. Verify that only the designated administrators are members of the Global Admin role

# Requires the AzureAD module and an active Connect-AzureAD session
Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Company Administrator" } | Get-AzureADDirectoryRoleMember | Format-Table DisplayName
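
An added example (not from the original post): one way to turn that listing into an actual check against an approved list of Global Admins. The UPNs, the sample member objects and the function name Compare-GlobalAdminMembership are constructed assumptions; against a tenant, pass in the output of Get-AzureADDirectoryRoleMember instead.

```powershell
# Designated Global Admins (constructed sample UPNs; replace with your approved list).
$designatedAdmins = @('admin1@contoso.example', 'breakglass@contoso.example')

function Compare-GlobalAdminMembership {   # hypothetical helper
    param(
        [Parameter(Mandatory)][object[]]$Members,     # objects with UserPrincipalName
        [Parameter(Mandatory)][string[]]$Designated
    )
    $current = @($Members | ForEach-Object { $_.UserPrincipalName } | Where-Object { $_ })
    [pscustomobject]@{
        # In the role but not on the approved list: investigate and remove.
        Unexpected = @($current | Where-Object { $_ -notin $Designated })
        # Approved but not in the role: stale list or removed assignment.
        Missing    = @($Designated | Where-Object { $_ -notin $current })
        # Members without a UPN (e.g. service principals) need manual review.
        NoUpn      = @($Members | Where-Object { -not $_.UserPrincipalName } |
                         ForEach-Object { $_.DisplayName })
    }
}

# Constructed sample standing in for live role members, so the check runs offline.
$sampleMembers = @(
    [pscustomobject]@{ DisplayName = 'Admin One';   UserPrincipalName = 'admin1@contoso.example' }
    [pscustomobject]@{ DisplayName = 'Temp Helper'; UserPrincipalName = 'temp.helper@contoso.example' }
    [pscustomobject]@{ DisplayName = 'Sync App';    UserPrincipalName = $null }
)

# Against a tenant, build the member list with the AzureAD module instead:
#   $members = Get-AzureADDirectoryRole |
#       Where-Object { $_.DisplayName -eq 'Company Administrator' } |
#       Get-AzureADDirectoryRoleMember
$result = Compare-GlobalAdminMembership -Members $sampleMembers -Designated $designatedAdmins
$result | Format-List
if ($result.Unexpected.Count -gt 0) {
    Write-Warning "Undesignated Global Admins: $($result.Unexpected -join ', ')"
}
```

With the sample data, temp.helper@contoso.example is reported as unexpected, breakglass@contoso.example as missing, and Sync App is listed for manual review.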

  3. Enable multi-factor authentication for users

We can enable MFA at the user level, so that MFA is prompted whenever Office 365 is accessed, or we can trigger MFA when certain applications are accessed by creating Conditional Access Policies.

  4. Monitor Identity Synchronization using Azure AD Health Agents

We can download the Azure AD Health Agent from the Azure AD Portal and install it on the AD Connect servers to monitor the health of AD object synchronization to Azure.

  5. Enable Group based licensing if planned

We can automate license enablement and disablement by assigning the license to a group. If a user is removed from the group, the license is removed. If a user is a member of many groups with the same license enabled, the license is used only once.

Azure AD Portal -> License -> Select the license and Click on Assign to a User or group.

  6. Enabling Azure AD Identity Protection provides
  • Consolidated view of flagged users and risk events detected using machine learning algorithms
  • Set risk-based Conditional Access policies to automatically protect your users
  • Improve security by acting on vulnerabilities

To enable Identity Protection:

Search for Azure AD Identity Protection in Azure Portal and click on Create to configure the Azure AD Identity protection.

Azure AD Identity Protection allows you to configure

MFA Registration Policy – This is an option to force users to configure MFA for a secure sign-in experience.

Sign-In Risk Policy – Azure AD analyzes each sign-in of a user to detect suspicious actions, such as a sign-in from an unfamiliar location. We can block access if the sign-in is from an unfamiliar location.

User Risk Policy – Azure AD analyzes each sign-in of a user to detect suspicious actions, such as a sign-in involving impossible travel.

  7. Configure Privileged Identity Management to support on-demand assignment of the global administrator role.
  8. We can continue to use federated authentication if we are already using federation with ADFS authentication.
  9. You can create a dynamic group for devices or for users, but you cannot create a rule that contains both users and devices. You cannot create a device group based on the device owners’ attributes. Device membership rules can only reference device attributes.
  10. Self-service group management and password resets: configure the group management and password reset options to reduce administrator effort.

Planning Authentication:

Below are the authentication options available. Microsoft will focus on Seamless SSO.

Federation Authentication with ADFS

Large organizations prefer to use federated authentication. When the federation sign-in option is enabled, the domain used for authentication is configured as a federated domain in Azure AD. Below shows the authentication flow for federation sign-in.

Note: You need to maintain an ADFS infrastructure to have this federation sign-in option. It has the additional benefit that you can use an On-Premise MFA server or Azure MFA for multifactor authentication.

Authentication Flow:

  1. When a Microsoft 365 application like Exchange is accessed, it redirects the user to authenticate with Azure AD.
  2. Azure AD does a home realm discovery from the user name and, if the domain is federated, the user is redirected to get an access token from the ADFS servers.
  3. The ADFS server asks for the user name and password and validates the credentials with On-Premise AD.
  4. On-Premise AD validates the credentials and, if they are valid, sends a Security Token along with the user claims, and ADFS passes these details to the user.
  5. The user presents the security token to Azure AD, which is configured to accept tokens from ADFS, and Azure AD provides an Access Token and a Refresh Token to the user.
  6. The user sends the Access Token to Exchange and access is provided to the user.

Password Hash Synchronization Authentication

Do not be confused by the Password Synchronization option: we are not directly synchronizing the password from On-Premise to Azure AD. Only the hash of the password hash is synchronized with Azure AD, using Azure AD Connect.

Pass-through Authentication

If we use Pass-through Authentication, the user name and password are gathered in Azure AD, but the password is validated in On-Premise AD. An AuthN Agent configured on the AD Connect server or any member server supports this pass-through authentication. Below shows the pass-through authentication flow.

Azure AD Seamless SSO (enabled when choosing PHS or PTA)

Azure AD Seamless SSO allows users to sign in to services that use Azure AD user accounts without having to type in their passwords, and in many cases only their usernames are required.

Seamless SSO works with Password Hash Synchronization and Pass-through Authentication. For Seamless SSO to work, the machine has to be domain joined and should have access to AD. The machine authenticates with Azure AD using a Kerberos token.

Tips: To configure a sign-in method, go to Azure AD Connect -> User Sign-In and select the preferred authentication.

If Seamless SSO fails, the other enabled option (PTA or PHS) is used for authentication. If Seamless SSO is configured, it is recommended that you periodically roll over the Kerberos decryption keys, at least once every 30 days.

Azure AD Domain Join is not required when using Seamless SSO, but Azure AD Domain Join and Seamless SSO can be combined. If combined, Azure AD Domain Join takes precedence.
