What are Conditional Access policies in Office 365 / Azure AD?
Azure AD Conditional Access adds a layer of security on top of authentication. We can set conditions such as: when a particular cloud application like Exchange Online is accessed, allow the access only from Azure AD domain-joined machines, or block the access altogether. Conditional Access policies are enforced after the first-factor authentication has been completed. We can enable second-factor authentication (MFA) only for certain users, only for a particular application, or only when the application is accessed from a web browser. Many such conditions can be combined in Azure Conditional Access policies based on our requirements. It requires an EMS E3 license.
You have a requirement to enable MFA for on-premises Exchange OWA and ECP. How will you achieve this?
ADFS 2016 supports configuring Azure MFA as an additional authentication option. We can configure the Exchange Server ECP and OWA virtual directories to use ADFS authentication, create a relying party trust for ECP and OWA in ADFS, and add a claim rule that requires MFA, which enables MFA for on-premises Exchange.
You have configured MFA for on-premises Exchange. Explain how the MFA authentication flow works.
Once all the configuration to enable MFA for on-premises Exchange is done, the authentication flow works as below:
User accesses the OWA / ECP URL -> the request hits the Exchange virtual directory, whose authentication option is set to ADFS -> the user is redirected to the ADFS login page and logs in with AD credentials -> once authentication is successful, the user is redirected to Azure AD for MFA setup -> once MFA setup is done -> the user is challenged for MFA and then access is granted.
How do you troubleshoot Outlook slowness for an Office 365 mailbox?
What is the use of a migration endpoint / MRS Proxy endpoint?
Migrating a mailbox from on-premises Exchange Server to Exchange Online, or off-boarding a mailbox from Exchange Online back to on-premises, requires a migration endpoint that we specify during the migration. The migration endpoint contains the connection settings for an on-premises Exchange server that is running the MRS Proxy service, which is required to perform remote move migrations to and from Exchange Online.
It is also called the MRS Proxy endpoint: the Mailbox Replication Service proxy endpoint is required for mailbox moves and is enabled in the EWS virtual directory settings.
How do you check retention policy tags on emails (not at the mailbox level)?
We can use the MFCMapi tool to check the retention policy settings on an email.
We can verify whether a retention policy was applied to an email using the MFCMapi tool: after logging on to the user's mailbox, right-click a folder such as Inbox -> Open associated contents table -> Message class: IPM_Configuration_MRM -> PR_ROAMING_XMLSTREAM, and look for the associated policy applied.
A mailbox in Office 365 has a 30-day retention policy applied to archive emails, but mails are not moving to the archive mailbox. How will you troubleshoot?
First I will check the mailbox settings to validate that the policy is assigned properly, then I will check whether the retention policy is stamped on the mailbox using the MFCMapi tool. If the policy is assigned, I will run Start-ManagedFolderAssistant against the mailbox and wait some time for the retention action to take place.
If nothing works, I will raise a support case with Microsoft.
You have initiated a migration batch with 100 mailboxes to Office 365, but half of the mailbox migrations failed. How will you check it?
The Get-MigrationBatch command gives us the below status information:
- Status of the migration batch
- Total number of mailboxes being migrated
- Number of successfully completed migrations
- Migration errors
- Date and time when the migration was started
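As an added example (not from the original page), the following Exchange Online PowerShell function pulls the batch counters listed above and then lists only the failed mailboxes with their error text. It assumes an already connected Exchange Online session; 'Batch01' is a placeholder batch name.

```powershell
# Added example, not part of the original page. Assumes an Exchange Online
# PowerShell session is already connected. 'Batch01' is a placeholder name.
function Get-MigrationBatchFailures {
    param([Parameter(Mandatory)][string]$BatchName)

    # Batch-level view: the status and counters listed above
    $batch = Get-MigrationBatch -Identity $BatchName
    [pscustomobject]@{
        Batch   = $batch.Identity
        Status  = $batch.Status
        Total   = $batch.TotalCount
        Synced  = $batch.SyncedCount
        Failed  = $batch.FailedCount
        Started = $batch.StartDateTime
    } | Format-List

    # Per-mailbox view: only the users whose move failed, with the last
    # report entry so each failure can be triaged without opening it by hand
    Get-MigrationUser -BatchId $BatchName -Status Failed |
        ForEach-Object {
            $stats = Get-MigrationUserStatistics -Identity $_.Identity -IncludeReport
            [pscustomobject]@{
                Mailbox     = $_.Identity
                PercentDone = $stats.PercentageComplete
                BadItems    = $stats.BadItemsEncountered
                Error       = $stats.ErrorSummary
                LastReport  = ($stats.Report.Entries | Select-Object -Last 1).Message
            }
        } | Sort-Object Mailbox | Format-Table -AutoSize
}

Get-MigrationBatchFailures -BatchName 'Batch01'
```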
You are assigned a task to add Full Access permission for a senior user in your company on a common mailbox. The user already has Full Access but is unable to expand the additional mailbox in Outlook. How will you troubleshoot further?
To make sure the Full Access permission is present on the common mailbox, I will run the Get-MailboxPermission command and check for the Full Access entry.
I will validate the access by opening the additional mailbox in OWA. If that is successful, then
I will use Outlook's Test E-mail AutoConfiguration tool to validate that the XML result lists the common mailbox under the AlternateMailbox results.
If it is not showing up, I will wait for some time so that Autodiscover picks up the mailbox permission.
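The permission check from the first step, as an added example that is not part of the original page: it distinguishes an explicit Allow entry from inherited or Deny entries, because only an explicit Allow with automapping makes Outlook add the mailbox on its own. It assumes an Exchange Online session; the two addresses are placeholders.

```powershell
# Added example, not part of the original page. Assumes an Exchange Online
# session; 'shared@contoso.com' and 'senior@contoso.com' are placeholders.
function Test-FullAccessGrant {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string]$User
    )

    # Only an explicit (non-inherited) Allow entry makes Outlook auto-map the
    # mailbox; inherited or Deny entries do not count for that purpose
    $entries = Get-MailboxPermission -Identity $Mailbox -User $User
    $explicitAllow = $entries | Where-Object {
        $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and -not $_.Deny
    }
    $denied = $entries | Where-Object {
        $_.AccessRights -contains 'FullAccess' -and $_.Deny
    }

    if ($denied) {
        $nextStep = 'Remove the Deny entry first; it overrides the Allow'
    } elseif (-not $explicitAllow) {
        # AutoMapping is what drives the Autodiscover AlternateMailbox entry
        $nextStep = "Grant it: Add-MailboxPermission -Identity $Mailbox -User $User " +
                    '-AccessRights FullAccess -AutoMapping $true'
    } else {
        $nextStep = 'Permission is fine; test in OWA, then check Autodiscover (AlternateMailbox)'
    }

    [pscustomobject]@{
        Mailbox            = $Mailbox
        User               = $User
        ExplicitFullAccess = [bool]$explicitAllow
        DenyEntryPresent   = [bool]$denied
        NextStep           = $nextStep
    }
}

Test-FullAccessGrant -Mailbox 'shared@contoso.com' -User 'senior@contoso.com'
```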
A user's mailbox is in Office 365 and he is trying to access it from the Internet. Explain the authentication flow for the mailbox access.
User accesses an Office 365 service like EXO at outlook.office365.com -> EXO redirects the client to authenticate with Azure AD -> the client reaches Azure AD, which prompts for the user name; the Azure AD authentication endpoint detects that the UPN's domain is federated and redirects the user to the STS, which is the ADFS proxy -> the ADFS proxy forwards the request to ADFS and ADFS asks the client to authenticate (if the client is internal to the network, it uses Windows Integrated Authentication to authenticate with AD) -> once authentication succeeds in AD, the user's claims are sent to ADFS -> ADFS sends a SAML token containing the user claims to the client -> the client sends the token to Azure AD, which validates and trusts the token received from ADFS, and the authentication succeeds -> on successful authentication, Azure AD issues an access token and a refresh token to the client -> the client sends the access token to EXO and the user is allowed to access the service. Every hour, the refresh token is presented to EXO to get a new access token.
What happens to on-premises objects when a mailbox is migrated to Office 365, and how do on-premises mailboxes look in Office 365 / Exchange Online?
In a hybrid Exchange environment:
In on-premises Exchange, a user with a mailbox on-premises appears as a Mailbox, and a mailbox migrated from on-premises to Office 365 is converted to a Remote Mailbox object with a remote routing address such as firstname.lastname@example.org.
In Office 365 / Exchange Online, a mailbox migrated from on-premises to Office 365 appears as a Mailbox object, and a user whose mailbox is in on-premises Exchange appears as a Mail User object once directory synchronization has completed using Azure AD Connect.
A user on-premises is trying to see the free/busy information of a mailbox in Office 365 and can see it. Explain how free/busy lookup works in both directions.
On-premises mailbox looking up free/busy information of an Office 365 mailbox (Remote Mailbox object):
The on-premises user starts the free/busy query for the remote mailbox -> Exchange checks whether an intra-organization connector exists that connects to the Azure cloud for the remote mailbox's remote routing address domain (domainname.mail.onmicrosoft.com) -> Exchange gets a delegation token from Azure -> Exchange initiates a request to the target domain's Autodiscover service -> on successful discovery, it initiates a request to EWS -> if the EWS request succeeds, on-premises Exchange sends the token to EXO to get the user's free/busy information.
Office 365 mailbox looking up free/busy information of an on-premises mailbox (Mail User object):
The Office 365 user starts the free/busy query for the on-premises mailbox, which exists in Office 365 as a Mail User object -> Office 365 understands that the mailbox is not available locally but has an email domain like an Office 365 mailbox, so it knows it is on-premises, and the EXO Availability service checks whether an intra-organization connector exists for that domain -> the connector points to Azure and EXO connects to the Azure authentication system -> Office 365 / Exchange Online gets a delegation token from Azure that will be accepted by on-premises Exchange -> Office 365 / EXO initiates a request to the on-premises Exchange Autodiscover service -> on successful discovery, it initiates a request to EWS -> if the EWS request succeeds, EXO presents the token to on-premises Exchange to get the free/busy information.
What is Advanced Threat Protection?
Office 365 Advanced Threat Protection helps protect the organization from malicious attacks with features such as ATP Safe Links and ATP Safe Attachments scanning.
ATP Safe Links helps protect the organization by providing time-of-click verification of web addresses (URLs) in email messages. All URLs in the email are rewritten to point to the Microsoft ATP URL. When the user clicks a link, it is validated as safe before access to the link is allowed.
The ATP Safe Attachments feature checks whether email attachments are malicious and then takes action to protect the organization while the mail is in transit. All emails with attachments are validated for malicious content, and if the attachment is not malicious the mail is delivered to the user. There can be a 5 to 30 minute delay while an email with attachments is scanned for malicious content.
What is Dynamic Delivery in ATP?
There is an email delay while emails with attachments are scanned for malicious content. Dynamic Delivery eliminates that delay by sending the body of the email message through to the recipient with a placeholder for each attachment. The placeholder remains until a copy of the attachment has been scanned and determined to be safe, at which point it is replaced with the attachment. If the attachment is malicious, the placeholder is updated to say so.
Give a short explanation of SPF, DKIM and DMARC.
SPF, DKIM and DMARC are industry-standard email authentication protocols used to combat email spoofing.
SPF (Sender Policy Framework) is a DNS text entry (TXT record) that lists the servers allowed to send mail for the domain name.
DKIM (DomainKeys Identified Mail) is a method to verify that a message's content is trustworthy, meaning it was not changed from the moment the message left the initial mail server. This additional layer of trust is achieved by an implementation of the standard public/private key signing process.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication system that helps determine, by setting a policy, what to do when messages fail SPF or DKIM checks.
What are the tags available in an SPF record?
We have the below three tags (qualifiers on the all mechanism) to control what happens to mail from servers that are not listed as authorized senders.
-all Fail: servers that aren't listed in the SPF record are not authorized to send email (non-compliant emails will be rejected).
~all Softfail: if the email is received from a server that isn't listed, the email will be marked as a soft fail (emails will be accepted but marked as SPF failed).
+all Not recommended: this tag allows any server to send email from your domain.
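An added example (not from the original page) that parses an SPF TXT record and reports the sending sources it authorizes plus the policy its all term sets; it goes beyond the three tags above by also recognising ?all. The record string is constructed for the demo, and the Resolve-DnsName line in the comment is how you would fetch a live one.

```powershell
# Added example, not part of the original page: parse an SPF TXT record and
# report the sending sources it authorizes plus the policy its 'all' term sets.
# The record string below is constructed for the demo; for a live lookup use
# (Resolve-DnsName -Name contoso.com -Type TXT).Strings instead.
function Get-SpfPolicy {
    param([Parameter(Mandatory)][string]$Record)

    if ($Record -notmatch '^v=spf1(\s|$)') { throw "Not an SPF record: '$Record'" }

    $sources   = @()
    $allPolicy = 'Neutral (no all term; unlisted servers are neither passed nor failed)'

    foreach ($term in ($Record -split '\s+' | Select-Object -Skip 1)) {
        # redirect= and exp= are modifiers, not mechanisms; keep them as-is
        if ($term -match '^(redirect|exp)=') { $sources += $term; continue }

        # Each mechanism may carry one qualifier: + (default), -, ~ or ?
        if ($term -match '^([+\-~?]?)(all|ip4|ip6|a|mx|include|exists|ptr)([:/].*)?$') {
            $qualifier = if ($Matches[1]) { $Matches[1] } else { '+' }
            if ($Matches[2] -eq 'all') {
                # The page's three tags, plus ?all which also occurs in the wild
                $allPolicy = switch ($qualifier) {
                    '-' { 'Fail: unlisted servers are rejected' }
                    '~' { 'SoftFail: accepted but marked as SPF failed' }
                    '?' { 'Neutral: no assertion about unlisted servers' }
                    '+' { 'Pass: any server may send as this domain (not recommended)' }
                }
            } else {
                $sources += "$qualifier$($Matches[2])$($Matches[3])"
            }
        } else {
            Write-Warning "Unrecognised SPF term '$term'"
        }
    }

    [pscustomobject]@{ AuthorizedSources = $sources; AllPolicy = $allPolicy }
}

# Constructed sample: one IP range plus the Office 365 include, hard fail
Get-SpfPolicy -Record 'v=spf1 ip4:192.0.2.0/24 include:spf.protection.outlook.com -all'
```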
What email protection options are available, or which ones have you implemented in your organization?
- Anti-Spam and Anti-Malware Protection
- Advanced Threat Protection (Safe Links and Safe Attachments)
- Anti-Phishing protection to prevent User and Domain Impersonation attacks
- Anti-Spoof Protection
Share your experience or things you did during the Office 365 migration.
Note: You can share your own experience or something similar to below.
We started the migration after doing a POC; everything was normal and we started to migrate the mailboxes in batches. We were comfortable with the migration and started to increase the mailbox count per migration, and we started to see that migrations were taking a long time to reach the Suspend When Ready to Complete stage. We reviewed the EWS throttling policy on the remote moves and increased the concurrent moves to 50, the server performance was analyzed, and later we increased it to 100 simultaneous moves (MaxConcurrentMigrations on the migration endpoint, which is 20 by default) and we were OK with it. Similar to this, we made many analyses to improve the performance of the migration as well as to make it error-free.
You are assigned the task of migrating 500 mailboxes to Office 365. Tell me the command you use to migrate a mailbox to Office 365.
I will check whether the Office 365 email domain address (Username@domainname.mail.onmicrosoft.com) is added to the on-premises Exchange mailboxes that are to be migrated, and run the below command to migrate the mailbox.
New-MoveRequest <UserID> -Remote -RemoteHostName "usmail.cognizant.com" -RemoteCredential $Cred -BadItemLimit 20 -TargetDeliveryDomain "domainname.mail.onmicrosoft.com"
$Cred holds the credentials of an account that has permission to move the mailbox to Office 365; the Recipient Management role in on-premises Exchange can move the mailbox.
How will you get to know the migration status, and what will you do if a mailbox migration status shows CompletedWithWarning?
The Get-MoveRequest command can be used to check the migration status, and Get-MoveRequestStatistics provides complete details on the migration, such as the percentage completed.
If a mailbox migration shows the status "CompletedWithWarning", we need to clear the attributes homeMDB, homeMTA and msExchHomeServerName in AD, and also replace the targetAddress attribute with Usersprimarysmtpaddress@domainname.mail.onmicrosoft.com.
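As an added example (not from the original page), the function below lists remote moves that finished with warnings and, for each, checks the on-premises AD attributes named above, previewing the cleanup with -WhatIf rather than applying it. It assumes an Exchange Online session plus the on-premises ActiveDirectory module on the same machine; 'contoso.mail.onmicrosoft.com' is a placeholder target delivery domain.

```powershell
# Added example, not part of the original page. Assumes an Exchange Online
# session plus the on-premises ActiveDirectory module on the same machine.
# 'contoso.mail.onmicrosoft.com' is a placeholder target delivery domain.
function Get-MoveWarningCleanup {
    param([Parameter(Mandatory)][string]$TargetDeliveryDomain)

    Get-MoveRequest -MoveStatus CompletedWithWarning | ForEach-Object {
        $stats = Get-MoveRequestStatistics -Identity $_.Identity
        $alias = $_.Alias

        # Locate the matching on-premises user and read the attributes that
        # must be cleared or rewritten after such a move
        $adUser = Get-ADUser -Filter "mailNickname -eq '$alias'" `
            -Properties mail, homeMDB, homeMTA, msExchHomeServerName, targetAddress
        if (-not $adUser) { Write-Warning "No on-premises user for alias '$alias'"; return }

        # Expected targetAddress: primary SMTP local part at the .mail.onmicrosoft.com domain
        $expectedTarget = 'SMTP:' + $adUser.mail.Split('@')[0] + '@' + $TargetDeliveryDomain
        $stale = @('homeMDB', 'homeMTA', 'msExchHomeServerName') |
            Where-Object { $adUser.$_ }

        [pscustomobject]@{
            Mailbox         = $_.Identity
            PercentComplete = $stats.PercentComplete
            Warning         = $stats.Message
            StaleAttributes = $stale -join ','
            TargetAddressOk = ($adUser.targetAddress -eq $expectedTarget)
            ExpectedTarget  = $expectedTarget
        }

        # Preview the cleanup only; drop WhatIf once the report looks right
        if ($stale -or $adUser.targetAddress -ne $expectedTarget) {
            $params = @{
                Identity = $adUser
                Replace  = @{ targetAddress = $expectedTarget }
                WhatIf   = $true
            }
            if ($stale) { $params.Clear = $stale }
            Set-ADUser @params
        }
    }
}

Get-MoveWarningCleanup -TargetDeliveryDomain 'contoso.mail.onmicrosoft.com'
```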
How will you validate the ADFS health and the directory sync status?
Directory sync status can be validated by logging in to the AD Connect server and checking the Synchronization Service tool, or by logging in to portal.azure.com -> Azure AD -> Azure AD Connect -> Azure AD Connect Health.
ADFS health can be validated by checking the IdP-initiated sign-on page: https://<ServerName>/adfs/ls/IdpInitiatedSignOn.aspx
Explain a few limitations in Office 365.
- ActiveSync (OMA), BlackBerry Internet Service (BIS) and BlackBerry Enterprise Server (BES) are not available
- Office 365 users cannot manage group membership from Outlook or Outlook Web App
- A mailbox on-premises cannot be accessed from Office 365 Outlook Web App
- Mailbox folder/calendar level permissions cannot be granted to Office 365 users
- Send-As permission has to be assigned manually once the migration has completed.
How will you assign Send-As permission on an Office 365 mailbox?
By default, only the Full Access mailbox permission is migrated when a mailbox is migrated from on-premises to Office 365.
Send-As permission is not migrated automatically, and we need to assign the permission once the mailbox migration has completed by running the below command:
Add-RecipientPermission <Identity> -Trustee <UserID> -AccessRights SendAs
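Because Send-As is not carried over, a practitioner usually reconciles it rather than re-typing each grant. The added example below (not from the original page) reads the explicit Send-As grants from the on-premises object and adds any that are missing in Exchange Online, reporting only unless -Apply is passed. It assumes an on-premises Exchange Management Shell (Get-ADPermission, Get-ADUser) and a connected Exchange Online session in the same window; 'shared@contoso.com' is a placeholder.

```powershell
# Added example, not part of the original page. Assumes an on-premises
# Exchange Management Shell session (Get-ADPermission, Get-ADUser) and a
# connected Exchange Online session (Get/Add-RecipientPermission).
function Sync-SendAsToExchangeOnline {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [switch]$Apply   # report only unless -Apply is given
    )

    # Explicit, non-inherited Send-As grants on the on-premises object,
    # skipping the SELF entry that every mailbox carries
    $grants = Get-ADPermission -Identity $Mailbox | Where-Object {
        $_.ExtendedRights -like '*Send-As*' -and
        -not $_.IsInherited -and -not $_.Deny -and
        $_.User -notlike 'NT AUTHORITY\SELF'
    }

    foreach ($grant in $grants) {
        # Get-ADPermission reports DOMAIN\sam; resolve it to the UPN that
        # Exchange Online knows the trustee by
        $sam     = $grant.User.ToString().Split('\')[-1]
        $trustee = (Get-ADUser -Identity $sam).UserPrincipalName

        $existing = Get-RecipientPermission -Identity $Mailbox -Trustee $trustee `
            -AccessRights SendAs -ErrorAction SilentlyContinue

        if ($existing) {
            [pscustomobject]@{ Mailbox = $Mailbox; Trustee = $trustee; Action = 'already present' }
        } elseif ($Apply) {
            Add-RecipientPermission -Identity $Mailbox -Trustee $trustee `
                -AccessRights SendAs -Confirm:$false | Out-Null
            [pscustomobject]@{ Mailbox = $Mailbox; Trustee = $trustee; Action = 'added' }
        } else {
            [pscustomobject]@{ Mailbox = $Mailbox; Trustee = $trustee; Action = 'missing (run with -Apply)' }
        }
    }
}

# Placeholder mailbox: the first call only reports, the second applies
Sync-SendAsToExchangeOnline -Mailbox 'shared@contoso.com'
Sync-SendAsToExchangeOnline -Mailbox 'shared@contoso.com' -Apply
```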
What is the Shared SIP Address Space functionality?
Shared SIP Address Space, or split domain, in Skype for Business means having one domain name such as xyz.com as the SIP address space in both Skype for Business on-premises and Skype for Business Online.
- Azure Active Directory Connect is used to synchronize on-premises objects to Office 365.
- Users homed on premises interact with on-premises Skype for Business servers.
- Users homed online may interact with Skype for Business Online.
- Users from both environments can communicate with each other.
- On-premises Active Directory is authoritative. All users should be created in the on-premises Active Directory first, and then synchronized to Azure AD.
You are assigned a task to validate whether a user accessed his mailbox yesterday. What will you do?
Azure AD sign-in logs hold the sign-in information for the last 30 days, so checking the log will show the required information. In the Azure AD portal, select the user and then navigate to Sign-in logs.
What do you know about Azure AD Self-Service Password Reset?
Azure AD SSPR allows users in a hybrid Exchange environment to reset their password from the Azure AD login page; the password is changed in Azure AD and, using the AD Connect Password Writeback feature, the changed password is written back to on-premises AD.
What is multi-factor authentication and passwordless authentication?
Multi-factor authentication (MFA) is a great way to secure your organization by revalidating the authenticating credential using an SMS code or a call. With MFA, users get frustrated with the additional layer on top of having to remember their passwords.
Passwordless authentication methods are more convenient because the password is removed and replaced with something you have (a phone or security key) plus something you are or something you know (biometrics or a PIN).