We need to plan user and data migration options to Microsoft 365. User migration means migrating Skype for Business users to Skype for Business Online, and data migration includes mailbox migration and file migration by setting up a hybrid infrastructure for the respective service.

Identify data to be migrated and method

We need to understand where the data is going to be migrated from into Microsoft 365. Below are the available data migration options.

If Exchange On-Premise – the administrator can set up a Hybrid Exchange infrastructure for seamless mailbox migration to Exchange Online:

  • Mailbox Move Request
  • PST Import Tool

If SharePoint / OneDrive for Business -> the administrator can move the files to SharePoint Online by:

  • SharePoint Migration Tool
  • Users can manually move the data once they get access to the SharePoint Online site.
  • The OneDrive sync client can be used to move the data.

Identify users and mailboxes to be migrated and method

User identification means finding out which email system the users are currently on. For example, if it is Exchange On-Premise, we can set up a Hybrid Exchange infrastructure and migrate the mailboxes. If it is a Gmail system, we have the option to migrate the email from Gmail to Office 365. We need to identify the existing email system and plan with the available data migration options.

Plan migration of on-premise users and groups

User migration, in other words synchronizing the users to Azure AD / Office 365, can be done via Azure AD Connect. In addition, we need to plan the identity model that we are going to use and the authentication method.

Import PST Files

We can use the Import service to move email (PST files) from your organization's servers to Office 365. We can ship the files to Microsoft, or upload the files over the internet by creating an Import Job that uploads the PSTs to Azure blob storage and maps (via a User Mapping File) each PST file to the respective user's primary or archive mailbox.

Navigate to protection.office.com -> Data Governance -> Import -> Create a New Import Job to import the PST into a mailbox.

As a Microsoft 365 administrator, you need to know how to monitor and manage service health alerts, create service requests, and view the reports to understand license / service usage.

Manage service health alerts

We can use the Office 365 Admin App / Office 365 Management Pack / Office 365 Service Communications API to view the service status.

Office 365 Service Health can be viewed from Office 365 Admin Portal -> Health -> Service health.

Tips: A minimum of the User Management role permission is required to view Service Health alerts.

Create & manage service requests

We can raise a service request to get assistance from Microsoft Support on the issues that users are facing in your organization.

Tips: Support Requests can be raised from Office 365 Admin Portal -> Support -> New Service Request.

A minimum of the Service Administrator permission is required to raise a support request.

Create internal service health response plan

This is an internal process to monitor the announcements of planned outages in the Office 365 Message Center; the respective team has to inform management and coordinate with your Microsoft Technical Account Manager for additional details.

Office 365 Admin Portal -> Health -> Message Center

If it is a service incident, the team has to raise a service request to follow up with Microsoft Support on the existing issue.

Monitor service health

Office 365 Service Health can be viewed from Office 365 Admin Portal -> Health -> Service health.

Configure and review reports, including BI, OMS, and Microsoft 365 reporting

To view the Office 365 reports:

Office 365 reports can be viewed from Office 365 Admin Portal -> Reports -> you can drill down into the available reports for additional information.

Reports are also available in the Security and Compliance portal: protection.office.com -> Reports -> view the available security and compliance reports.

Office 365 reports can also be viewed from Power BI content packs (Office 365 Adoption Content Pack). Log in to Power BI using a Global Admin account and open the Office 365 Adoption content pack.

OMS – Operations Management Suite / the Office 365 solution for OMS is used to monitor user / admin activities, and it helps to detect and investigate unwanted user behavior. We can also configure alerts; for example, if a user deletes more than 100 files, an alert can be sent to the administrator.

Schedule and review security and compliance reports

Reports related to security and compliance can be viewed at protection.office.com -> Reports. We can configure \ manage the schedules for these reports.

Schedule and review usage metrics

Available reports can be scheduled, and it is a best practice to periodically review the reports to ensure security and that you are using only the purchased licenses. In addition, usage reports like license and service usage can be viewed from the Microsoft 365 usage analytics portal in Power BI. We need to enable this from Microsoft Power BI with a Global Admin account or any other service administrator role like EXO Admin / SPO Admin.

To enable Microsoft 365 usage analytics – Office 365 Admin Portal -> Reports -> Usage -> navigate to Microsoft 365 usage analytics and turn ON the option -> log in to the Power BI portal -> Get Data, then under "more ways to create your own content" choose Service Content Packs and select Microsoft 365 usage analytics.

We will see how to set up a Microsoft 365 tenant. Office 365 is a cloud-based service from Microsoft that offers access to Office applications like Word and Excel and other productivity tools like Skype Online, Exchange Online and OneDrive for Business. Office 365 includes plans for use at home and in business. The services available or enabled for you depend on the subscription plan that you choose from Microsoft.

If you are already using Windows 10 Enterprise, Office 365 E3 and Enterprise Mobility + Security E3 / E5, then you can skip this, as you are already using the M365 workloads.

This topic is all about setting up the Office 365 tenant and subscriptions.

Configure subscription and tenant roles and workload settings

  • Configuring subscription and tenant roles includes the process of signing up for Microsoft 365 Enterprise and managing the roles for the Microsoft 365 tenant.
  • A Microsoft 365 Enterprise tenant is nothing but having Windows 10 Enterprise, Office 365 & Enterprise Mobility + Security.
  • You may be an existing customer already having the above M365 workloads enabled in different forms. If you are a new organization migrating to Office 365, you can approach Microsoft / a Partner to subscribe to a Microsoft 365 Enterprise tenant.
  • An M365 subscription is like signing up for the E3 or E5 trial and enabling the services that are required for your tenant.
  • Tenant role management is required, where you designate the respective users as Global Administrator and others as designated administrators like Exchange Online Admin / SharePoint Administrator.
  • M365 workload settings means enabling \ deploying the services like Windows 10 Enterprise, Office 365 (EXO, SPO \ OD4B & Teams) & Enterprise Mobility + Security to end users.

Microsoft 365 Subscription:

For home, there are three products: Office 365 Home, Office 365 Personal and Office Home & Student 2016 for PC.

For business, Microsoft has three products: Office 365 Business, Office 365 Business Premium and Office 365 Business Essentials.

For enterprise, Microsoft has four products: Office 365 ProPlus, Office 365 Enterprise E1, Office 365 Enterprise E3 and Office 365 Enterprise E5.

Microsoft 365 Enterprise E3 Subscription:

Most companies normally prefer the Office 365 Enterprise E3 plan because it has the services required to operate an enterprise organization. The below services are included in the Office 365 Enterprise E3 plan.

You can run the below command (MSOnline module) to check the service status of each plan in the E3 SKU; replace TenantName with your tenant name:

(Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq 'TenantName:ENTERPRISEPACK' }).ServiceStatus

Microsoft 365 Enterprise E5 Subscription:

Office 365 Enterprise E5 plans include all the services available in the Enterprise E3 plans, plus:

Customer Lockbox, Advanced Data Governance and Security, Office 365 Cloud App Security, Power BI Pro, Audio/Video Conferencing and FastTrack deployment support.

Enterprise Mobility and Security Subscriptions:

Enterprise Mobility and Security E3 Subscription:

  • Azure Active Directory Premium P1 – AAD Premium P1 provides secure single sign-on to cloud and on-premise apps, MFA, Conditional Access and advanced security reporting.
  • Microsoft Intune: Intune provides mobile device and app management to protect corporate apps and data on any device.
  • Azure Information Protection Premium P1: AIP Premium P1 provides encryption for all files and emails across cloud and on-premises storage locations. Cloud-based file tracking can also be achieved.
  • Microsoft Advanced Threat Analytics: ATA provides protection from advanced targeted attacks by using user behavioral analytics.

Enterprise Mobility and Security E5 Subscription:

  • Azure Active Directory Premium P2: AAD Premium P2 provides the AAD Premium P1 features + identity and access management with advanced protection for users and privileged identities.
  • Azure Information Protection Premium P2: AIP Premium P2 provides the AIP Premium P1 features + intelligent classification and encryption for files and emails shared inside and outside the organization.
  • Microsoft Cloud App Security: CAS provides enterprise-grade visibility, control and protection for your cloud applications.

Microsoft 365 Tenant Roles:

The Azure AD tenant roles below are available, and we can designate the respective admin role for each service.

Tips: For existing Office 365 customers: if you are already using Windows 10 Enterprise, Office 365 & Enterprise Mobility + Security, then you are already using a Microsoft 365 subscription.

Evaluate Microsoft 365 for organization

If you are new to Microsoft 365 Enterprise or to a specific product or feature, one of the best ways to gain understanding is to build it out yourself.

Existing customers may already have set up those workloads and know how to set up the services. The Microsoft 365 services evaluation is available free for 30 days. You can approach Microsoft to extend the trial to a maximum of 6 months.

Plan and create tenant

Understand the Microsoft 365 Enterprise workloads and plan to enable the services required for your organization. Approach Microsoft or a Partner to get the required subscriptions.

Start by registering the tenant with an Office 365 trial and add the other workloads that are under Microsoft 365.

Creating a tenant is the same process as signing up for the Office 365 trial, and Microsoft will assist you in adding the subscription to your tenant when you subscribe to a trial or purchase the subscription.

Upgrade existing subscriptions to Microsoft 365

Customers already using Office 365 services like EXO and SPO can approach Microsoft / Partners to upgrade their existing services to Microsoft 365.

Approaching Microsoft or a Microsoft Partner is the only available option to upgrade an existing Office 365 subscription to Microsoft 365.

Monitor license allocations

Licenses are assigned to individual accounts, and we also have the option to use group-based licensing, where assigning a license to a group assigns the license to all members of the group.

The group can be a security group or an Azure AD dynamic group. Dynamic groups in Azure AD run rules against user object attributes to automatically add and remove users from groups.

Azure AD audit logs can be used to monitor who changed the license on a group that is enabled for licensing.

To assign a license using PowerShell (AzureAD module; $licenses is an AssignedLicenses object built beforehand):

Set-AzureADUserLicense -ObjectId "Raj@superhybridcloud.onmicrosoft.com" -AssignedLicenses $licenses

Tips: Azure AD PIM requires an Azure AD P2 license / EMS E5 license, which includes Azure AD P2.

Conditional Access policies are included in Azure AD P1 / EMS E3, which includes Azure AD P1.
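The following is an added example (not code from the original post) showing how the $licenses object used by Set-AzureADUserLicense is built with the AzureAD module, with the free-unit and usage-location checks a practitioner would want before assigning. It assumes Connect-AzureAD has already been run; the UPN, country code and disabled plan name are placeholders.

```powershell
# Added example: assign the Office 365 E3 SKU (ENTERPRISEPACK) to one user and verify it.
# Assumes an existing Connect-AzureAD session. UPN, usage location and plan name are placeholders.
$userUpn = "user@contoso.onmicrosoft.com"   # placeholder user
$skuPart = "ENTERPRISEPACK"                  # SKU part number of Office 365 E3

# 1. Locate the SKU in the tenant and make sure unused units remain before assigning.
$sku = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq $skuPart }
if (-not $sku) { throw "SKU $skuPart is not present in this tenant" }
$free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
if ($free -le 0) {
    throw "No free $skuPart licenses: $($sku.ConsumedUnits) of $($sku.PrepaidUnits.Enabled) consumed"
}

# 2. Azure AD refuses license assignment until the user has a usage location.
$user = Get-AzureADUser -ObjectId $userUpn
if (-not $user.UsageLocation) {
    Set-AzureADUser -ObjectId $user.ObjectId -UsageLocation "US"   # placeholder ISO country code
}

# 3. Build the AssignedLicenses object that Set-AzureADUserLicense expects.
$license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$license.SkuId = $sku.SkuId
# Optionally switch off an individual service plan inside the SKU (here Yammer, as an example).
$yammer = $sku.ServicePlans | Where-Object { $_.ServicePlanName -eq "YAMMER_ENTERPRISE" }
if ($yammer) { $license.DisabledPlans = @($yammer.ServicePlanId) }

$licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$licenses.AddLicenses    = $license
$licenses.RemoveLicenses = @()

Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses

# 4. Verify: list each assigned SKU and the provisioning state of its service plans.
Get-AzureADUserLicenseDetail -ObjectId $user.ObjectId | ForEach-Object {
    $skuName = $_.SkuPartNumber
    $_.ServicePlans | Select-Object @{ n = "Sku"; e = { $skuName } }, ServicePlanName, ProvisioningStatus
}
```

For group-based licensing the same SkuId and DisabledPlans values are set on the group in the portal, and the per-user cmdlet above is only needed for exceptions.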

Planning a Microsoft 365 implementation covers preparing the on-premise and Microsoft 365 infrastructure for enabling the Microsoft 365 workloads.

  • Plan for Microsoft 365 on-premises Infrastructure
  • Plan identity and authentication solution

Plan for Microsoft 365 on-premises Infrastructure

This is an important topic; note that the title says Planning Microsoft 365 for On-Premise Infrastructure. Planning should include:

  • Networking
  • Identity
  • Windows 10 enterprise
  • Office 365 Pro Plus
  • Office 365 Workloads like EXO, SPO, OD4BO, Teams
  • Mobile Device Management
  • Information Protection.

Networking: Before enabling Microsoft 365 services, you need to do a network validation to avoid latency when accessing the Microsoft 365 services.

  • We need to ensure users have enough internet bandwidth to access the services, so that there are no connectivity or performance issues due to network limitations.
  • Check the connectivity from each office; use the Ping, TraceRT, PsPing & Telnet commands to check connectivity and validate the network performance.
  • Ensure users are connecting to the Office 365 egress endpoints in their region. A ping to the respective service URL can help you identify this. For example – ping Outlook.Office365.com for Exchange Online.
  • Ensure the network service provider has a direct peering relationship with the Microsoft Global Network in close proximity to that location. Also, validate there is no latency because of a network hairpin caused by a Cloud Access Broker solution, etc.
  • Validate whether a proxy is required for Office 365 services, and see whether Office 365 traffic can bypass the proxy, or configure the proxy servers to support Microsoft 365.
  • Tweak the client side, like TCP window scaling, idle time, Maximum Send Size and Selective Acknowledgement, to increase client-side performance.
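Added example (not from the original post): a per-office connectivity check for the service endpoints discussed above, combining the DNS answer (which regional front door the client lands on), a TCP test on the service port and whether the client's system proxy would intercept the URL. It assumes Windows PowerShell 5.1+ with the built-in DnsClient and NetTCPIP modules; the endpoint list is constructed for the example.

```powershell
# Added example: validate reachability of Office 365 endpoints from a client in a branch office.
# Assumes Windows PowerShell 5.1+ (Resolve-DnsName, Test-NetConnection). Endpoint list is constructed.
$endpoints = @(
    @{ Host = "outlook.office365.com";     Port = 443; Service = "Exchange Online" },
    @{ Host = "login.microsoftonline.com"; Port = 443; Service = "Azure AD sign-in" },
    @{ Host = "smtp.office365.com";        Port = 587; Service = "SMTP client submission" }
)
# System (WinINET) proxy settings: tells us whether the OS would send this URL through the proxy.
$proxy = [System.Net.WebRequest]::GetSystemWebProxy()

function Test-O365Endpoint {
    param([hashtable]$Endpoint)

    # A records only (the answer usually comes via a CNAME chain to a regional front door)
    $addrs = Resolve-DnsName -Name $Endpoint.Host -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq "A" } | ForEach-Object { $_.IPAddress }

    # TCP handshake on the service port plus ICMP round-trip if the network allows ping
    $tnc = Test-NetConnection -ComputerName $Endpoint.Host -Port $Endpoint.Port -WarningAction SilentlyContinue

    [pscustomobject]@{
        Service  = $Endpoint.Service
        Endpoint = "$($Endpoint.Host):$($Endpoint.Port)"
        Resolves = ($addrs -join ", ")
        TcpOpen  = $tnc.TcpTestSucceeded
        PingMs   = if ($tnc.PingSucceeded) { $tnc.PingReplyDetails.RoundtripTime } else { $null }
        ViaProxy = -not $proxy.IsBypassed([uri]"https://$($Endpoint.Host)")
    }
}

$results = foreach ($e in $endpoints) { Test-O365Endpoint -Endpoint $e }
$results | Format-Table -AutoSize

# Anything that fails the TCP test, or is unexpectedly proxied, needs a firewall/proxy review.
$results | Where-Object { -not $_.TcpOpen -or $_.ViaProxy } |
    ForEach-Object { Write-Warning "$($_.Service): TcpOpen=$($_.TcpOpen) ViaProxy=$($_.ViaProxy)" }
```

Run it from each office and compare the Resolves column and PingMs across sites; a distant front door or a large round-trip is the hairpin or peering problem the planning bullet warns about, and tracert to the same host shows the path.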

Identity: Planning the identity is required to provide secure access to Office 365 services. This includes:

  • Synchronizing user accounts to Office 365
  • Designating admin roles
  • Protecting Global Admin accounts and enabling MFA for users
  • Monitoring identity synchronization health
  • Licensing
  • Monitoring tenant licenses
  • Sign-in activity logs.

We will see the above items in detail under Plan identity and authentication solution.

Windows 10 Enterprise: Deploying Windows 10 Enterprise to endpoints

To prepare for Windows 10 Enterprise, Microsoft recommends adding and verifying the domain that your users are going to use to access Office 365 services; it could be the UPN or the primary email address domain. Adding users to Office 365 & assigning licenses is optional at this time; then install Office 365 ProPlus.

Do an in-place upgrade for Windows 7 and 8.1 using SCCM, and for new devices use Windows Autopilot deployment.

Monitor device health and ensure it is secure by having Windows Defender.

Office 365 ProPlus: Office 365 ProPlus deployment can be done via SCCM or the Office Deployment Tool; we need to consider the Office update channels and the update frequency.

Deployment can be through SCCM, ODT from the cloud, ODT from a local source, or directly from the Office portal.

The Office 365 ProPlus update channel needs to be planned. Below are the details of the available update channels.

If we deploy Office 365 ProPlus using the Office Deployment Tool, it requires the setup file and a configuration XML like the one below to control what needs to be installed on the computers.


Tips:

  • Channel="Monthly" – Monthly update channel
  • Channel="Broad" – Semi-Annual (January & July)
  • Channel="Targeted" – Semi-Annual Targeted (March and September)

AllowCdnFallback set to true will fall back to Office 365 (the Office CDN) as the installation source instead of the local share when the specified language pack is not available.
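Added example (not the page's own XML, which is not reproduced here): a script that writes an ODT configuration.xml using the Channel and AllowCdnFallback settings from the tips above, validates it, and runs setup.exe. It assumes the ODT setup.exe is in $odtPath; the share path and language list are placeholders.

```powershell
# Added example: generate and apply an Office Deployment Tool configuration for Office 365 ProPlus.
# Assumptions: setup.exe from the ODT is in $odtPath; $share is a placeholder local source.
$odtPath = "C:\ODT"                       # placeholder: folder containing the ODT setup.exe
$share   = "\\fileserver\OfficeSource"    # placeholder: local installation source (SourcePath)
$channel = "Broad"                        # Monthly | Broad | Targeted, as listed in the tips above

# 64-bit ProPlus from the local share; AllowCdnFallback pulls a missing language pack from the CDN.
$configXml = @"
<Configuration>
  <Add OfficeClientEdition="64" Channel="$channel" SourcePath="$share" AllowCdnFallback="TRUE">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <Language ID="de-de" />
      <ExcludeApp ID="Groove" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" Channel="$channel" />
  <RemoveMSI />
  <Display Level="None" AcceptEULA="TRUE" />
  <Logging Level="Standard" Path="%temp%" />
</Configuration>
"@

$configFile = Join-Path $odtPath "configuration.xml"
Set-Content -Path $configFile -Value $configXml -Encoding UTF8

# Sanity check before touching any client: the XML must parse and name a channel we planned for.
$xml = [xml](Get-Content -Path $configFile -Raw)
if ($xml.Configuration.Add.Channel -notin @("Monthly", "Broad", "Targeted")) {
    throw "Unexpected Channel value in $configFile"
}
if ($xml.Configuration.Add.Channel -ne $xml.Configuration.Updates.Channel) {
    throw "Install channel and update channel differ; clients would switch channel at first update"
}

# /download stages the build on the share once; /configure is what each client runs.
& (Join-Path $odtPath "setup.exe") /download $configFile
& (Join-Path $odtPath "setup.exe") /configure $configFile
```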

Mobile Device Management:

Mobile device management is required to secure organization resources, using Microsoft Intune.

Plan how to control mobile devices using MDM & the application management on those devices using MAM.

MDM: When users enroll their devices, they become managed devices and can receive any policies, rules, and settings used by the organization.

MAM: MAM policies control the application on a non-managed device, for example by forcing the user to enter a PIN so that only an authorized user can access the application.

To set up Microsoft Intune:

  1. Prerequisites – an Intune subscription, Office 365 subscription, Azure AD Premium and an MDM push certificate for iOS are required.
  2. Set up Intune – check whether the devices are supported -> ensure the domain verification is completed -> sign in to Intune -> enable device management -> add users.
  3. Device enrollment -> users have to enroll their devices to make them Intune managed. As part of device enrollment, configure device enrollment restrictions and policies for users and devices.
  4. Deploy the apps required on the managed mobile devices.
  5. Create compliance policies and Conditional Access policies, for example so that only managed devices can access the Office 365 services.

Tips: Allowing only Intune-managed devices to access Microsoft 365 services by configuring Conditional Access adds additional security to the organization's data.

Information Protection: Information protection is a set of policies and technologies that define how you transmit, store, and process sensitive information.

Information protection includes Data Loss Prevention, Office 365 labels and Azure Information Protection labelling and classification, threat management policies, sharing policies in SharePoint, Office 365 Secure Score, Office 365 Cloud App Security, and PIM for just-in-time access for task-based activities.

Plan identity and authentication solution

Planning Identity: Planning the identity is required to provide secure access to Office 365 services. This includes synchronizing user accounts to Office 365, designating admin roles, protecting Global Admin accounts, enabling MFA for users, monitoring identity synchronization health, licensing, monitoring tenant licenses, and sign-in activity logs.

Planning steps: keep security in mind while doing the identity planning.

  1. Ensure users are created in or synchronized from on-premise AD using AD Connect.

Learn how to install and configure AD Connect to synchronize objects to Azure AD. Download Azure AD Connect from the Microsoft Download Center.

  2. Verify that only the designated administrators are members of the Global Admin role.

Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Company Administrator" } | Get-AzureADDirectoryRoleMember | Format-Table DisplayName

(Company Administrator is the directory role name under which the Global Administrator role is listed by the AzureAD module.)

  3. Enable multi-factor authentication for users.

We can enable MFA at the user level so that it prompts for MFA whenever Office 365 is accessed, or we can trigger MFA when certain applications are accessed by creating Conditional Access policies.

  4. Monitor identity synchronization using the Azure AD Health agents.

We can download the Azure AD Health agent from the Azure AD portal and install it on the AD Connect servers to monitor the health of AD object synchronization to Azure.

  5. Enable group-based licensing if planned.

We can automate license enablement and disablement by assigning the license to a group. If a user is removed from the group, the license is removed. If a user is a member of many groups with the same license enabled, the license is used only once.

Azure AD Portal -> Licenses -> select the license and click Assign to a user or group.

  6. Enabling Azure AD Identity Protection provides:
  • A consolidated view of flagged users and risk events detected using machine learning algorithms
  • Risk-based Conditional Access policies to automatically protect your users
  • Improved security by acting on vulnerabilities

To enable Identity Protection:

Search for Azure AD Identity Protection in the Azure portal and click Create to configure Azure AD Identity Protection.

Azure AD Identity Protection allows you to configure:

MFA Registration Policy – This is an option to enforce users to register for MFA for a secure sign-in experience.

Sign-In Risk Policy – Azure AD analyzes each sign-in of a user to detect suspicious actions, like a sign-in from an unfamiliar location. We can block access if the sign-in is from an unfamiliar location.

User Risk Policy – Azure AD analyzes each sign-in of a user to detect suspicious actions, like impossible travel.

  7. Configure Privileged Identity Management to support on-demand assignment of the Global Administrator role.
  8. We can continue to use federated authentication if we are already using federation with ADFS authentication.
  9. You can create a dynamic group for devices or for users, but you cannot create a rule that contains both users and devices. You cannot create a device group based on the device owners' attributes. Device membership rules can only reference device attributes.
  10. Self-service group management and password reset. Configuring the group management and password reset options reduces administrator effort.
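Added example (not from the original post) for steps 2 and 3 above: an audit of Global Administrator membership with the MSOnline module that compares the members against the designated list and flags admins with no MFA method registered. It assumes Connect-MsolService has been run; the designated-admin UPNs are placeholders.

```powershell
# Added example: audit Global Administrator members and their per-user MFA registration state.
# Assumes an existing Connect-MsolService session. $expectedAdmins holds placeholder UPNs.
$expectedAdmins = @("admin1@contoso.onmicrosoft.com", "breakglass@contoso.onmicrosoft.com")

# "Company Administrator" is the directory role name of Global Administrator in MSOnline.
$role    = Get-MsolRole -RoleName "Company Administrator"
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId

$report = foreach ($m in $members) {
    if ($m.RoleMemberType -ne "User") {
        # Groups or service principals holding the role cannot register MFA; review them separately.
        [pscustomobject]@{ Member = $m.DisplayName; Type = $m.RoleMemberType; Expected = $false
                           MfaState = "n/a"; Methods = "" }
        continue
    }
    $u = Get-MsolUser -ObjectId $m.ObjectId
    # StrongAuthenticationRequirements reflects per-user MFA (Enabled/Enforced); empty when MFA
    # is driven only by Conditional Access. StrongAuthenticationMethods lists registered methods.
    $state = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
        $u.StrongAuthenticationRequirements[0].State
    } else { "Not configured" }
    [pscustomobject]@{
        Member   = $u.UserPrincipalName
        Type     = "User"
        Expected = ($expectedAdmins -contains $u.UserPrincipalName)
        MfaState = $state
        Methods  = (($u.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ",")
    }
}

$report | Format-Table -AutoSize

# Findings that need follow-up: members outside the designated list, and admins with nothing
# registered for MFA (an empty Methods column means no second factor exists for that account).
$unexpected = @($report | Where-Object { -not $_.Expected })
$noMfa      = @($report | Where-Object { $_.Type -eq "User" -and -not $_.Methods })
if ($unexpected.Count -gt 0) { Write-Warning "$($unexpected.Count) Global Admin member(s) not in the designated list" }
if ($noMfa.Count -gt 0)      { Write-Warning "$($noMfa.Count) Global Admin(s) have no MFA method registered" }
```

Scheduling this against the Azure AD audit log review gives the periodic check on admin role membership that the planning step asks for.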

Planning Authentication:

Below are the available authentication options. Microsoft focuses on Seamless SSO.

Federated Authentication with ADFS

Large organizations prefer to use federated authentication. When the federated sign-in option is enabled, the domain used for authentication is configured as a federated domain in Azure AD. Below is the authentication flow for federated sign-in.

Note: You need to maintain an ADFS infrastructure to have this federated sign-in option, and it has the additional benefit that you can use the on-premise MFA Server or Azure MFA for multi-factor authentication.

Authentication Flow:

When a Microsoft 365 application like Exchange is accessed, it redirects the user to authenticate with Azure AD. Azure AD does home realm discovery from the user name, and if the domain is federated, the user is redirected to the ADFS servers to obtain a token. The ADFS server asks for the user name and password and validates the credentials against on-premise AD. If on-premise AD confirms the credentials are valid, ADFS issues a security token containing the user's claims to the user. The user presents the security token to Azure AD; Azure AD is configured to accept tokens from ADFS and returns an access token and a refresh token to the user. The user sends the access token to Exchange and access is granted.

Password Hash Synchronization Authentication

Don't be confused by the password synchronization option: we are not directly synchronizing the password from on-premise to Azure AD. Only a hash of the password hash is synchronized with Azure AD using Azure AD Connect.

Pass-through Authentication

If we use pass-through authentication, the user name and password are collected by Azure AD, but the password is validated in on-premise AD. An authentication agent configured on the AD Connect server or on any member server supports pass-through authentication. Below is the pass-through authentication flow.

Azure AD Seamless SSO (enabled when choosing PHS or PTA)

Azure AD Seamless SSO allows users to sign in to services that use Azure AD user accounts without having to type in their passwords, and in many cases without typing their usernames either.

Seamless SSO works with password hash synchronization and pass-through authentication. For Seamless SSO to work, the machine has to be domain-joined and have access to AD. The machine authenticates with Azure AD using a Kerberos ticket.

Tips: To configure a sign-in method, go to Azure AD Connect -> User Sign-In and select the preferred authentication.

If Seamless SSO fails, the other enabled option, PTA or PHS, is used for authentication. If Seamless SSO is configured, it is recommended that you periodically roll over the Kerberos decryption keys – at least once every 30 days.

Azure AD domain join is not required when using Seamless SSO, but Azure AD domain join and Seamless SSO can be combined. If combined, Azure AD domain join takes preference.

In Design and Implement Microsoft 365 Services, we need to know how and why to manage domains in Microsoft 365, and this section covers the below topics:

  • Add and configure additional domains
  • Configure user identities for new domain name
  • Configure workloads for new domain name
  • Design domain name configuration
  • Set primary domain name
  • Verify Custom Domain

Add and configure additional domains

When you sign up for Office 365, it includes a default domain name like domainname.onmicrosoft.com. Adding a domain in Office 365 lets you use your own domain name in your email addresses instead of that default domain. You need to prove domain ownership by adding a TXT record in your DNS to add the domain in Microsoft 365.

To add a domain:

Log in to the O365 Admin Portal https://portal.office.com/adminportal/home -> Setup -> Domains -> Add a Domain -> enter your domain name -> verify the domain by creating the TXT record that is shown -> set up the online services that you want to use -> update the DNS records -> complete the steps.

Tips: To verify the domain, Office 365 shows an option where, if the domain is registered with GoDaddy, Office 365 verifies the domain on your behalf when you log in to your GoDaddy account; otherwise you can create the TXT record shown on the domain addition page.

The TXT record verification method prompts for a TXT record, or an MX record can be created to show proof of domain ownership.

If you create an MX record, make sure you are OK to receive emails through Microsoft 365 Exchange Online Protection as your email gateway. If you have an existing email gateway on-premise and continue to receive internet email through the existing system, then do not verify the domain using an MX record. Always prefer the TXT record to verify the domain.

Configure user identities for new domain name

Microsoft 365 has different identity models available that you can choose based on your requirements.

Cloud Identity: User identity management is only in Office 365 (Azure AD). No on-premise servers are required to manage users. All object management, authentication and authorization is done only in the cloud (Microsoft 365 Azure AD).

Synchronized Identity: Identities are synchronized from the on-premises directory to Office 365 (Azure AD), and object management is done in on-premise AD. Password hashes can be synced so that users have the same password in on-premises AD and in the cloud Azure AD. On-premise and Office 365 have the same identity after synchronization, but users have to sign in every time they access on-premise and Office 365 applications; there is no single sign-on experience.

Federated Identity: Identities are synchronized from the on-premises directory to Office 365 (Azure AD), and user management is done in on-premise AD. The identities synced to Azure AD are used to enable Office 365 services by assigning a license. Users always authenticate against on-premise AD to access Microsoft 365 cloud applications via federated authentication (an ADFS and ADFS Proxy combination). Federated authentication provides a single sign-on experience.

Tips: We can see the current authentication method at Azure AD Portal -> Azure AD Connect.

If you want to change the authentication method, change it from the Azure AD Connect configuration.

Configure workloads for new domain name

When you verify the custom domain, it provides an option to configure the records required for enabling the workloads\services like Exchange, Skype for Business, Teams, SharePoint\OneDrive and Mobile Device Management for Office 365. We need to plan the services that we are going to enable for the organization, and when enabling them, it shows the DNS records that are required for those services. Once the records are created in your (internet) DNS, the services enabled for that domain are verified and licensed users can access the service.

Tips: Office 365 can register the TXT records on your behalf if you sign in to your GoDaddy account, or you can manually create the TXT records required for the enabled services.

Based on the workload selection, Office 365 prompts you to create the required records. Other Office 365 workloads like Planner, Forms and PowerApps do not require a DNS record.

In addition to the above, we need to know how to enable the services and do the initial configuration for the below Microsoft 365 workloads:

  • Windows 10 Enterprise
  • Office 365 (EXO, SPO, OD4B, Teams)
  • Enterprise Mobility + Security

Design domain name configuration

Designing the domain name configuration includes adding a custom domain like superhybridcloud.com, a sub-domain like support.superhybridcloud.com, and multiple domains like learnexchangeserver.com and learnHybridCloud.com to your Office 365 subscription.

We can add up to 900 domains in Microsoft 365 domain settings. However, you need to verify proof of ownership for each domain.

Tips: If you are using cloud identity, sub-domain additions are automatically verified. However, the DNS records should still be created for the services enabled for that domain.

If you have a requirement to add a sub-domain, do not set up Microsoft to manage your DNS by creating NS records.

If the parent domain is a federated domain, sub-domains can be added only from the ADFS servers. You need to enable the services once the sub-domain has been added from the ADFS server.

PowerShell (MSOnline module, run on the ADFS server): New-MsolFederatedDomain -DomainName support.superhybridcloud.com

Set primary domain name

If we add multiple domains in Office 365, we have the option to set one domain as the primary domain.

To set the primary domain:

Log in to the O365 Admin Portal https://portal.office.com/adminportal/home -> Setup -> Domains -> select the domain -> Set as Default.

Tips: If we create user objects in Azure AD, the UPN or email address is stamped with the default domain name – domainname.onmicrosoft.com. This applies to cloud identity only, or when the objects are created directly in Office 365.

Deploying Windows 10 Enterprise and the Intune setup have a prerequisite to validate the primary domain.

Verify custom domain

If we add an additional domain, it is referred to as a custom domain (you need to prove to Microsoft that you are the owner of that domain) and you create the DNS records for each Office 365 workload. A custom domain is nothing but the domain name that you want in the email addresses of the mailboxes in Microsoft 365.

To set the custom domain, log in to the O365 Admin Portal https://portal.office.com/adminportal/home -> Setup -> Domains -> add the domain -> verify the domain by creating the TXT record provided.

Microsoft Exchange Online allows you to create a maximum of 300 transport rules. If for any reason you exceed the 300 transport rule limit, you will get the below error message when you create the 301st transport rule.

What next?

If you approach Microsoft, even if you are an enterprise organization, they will say no to increasing the transport rule limit. Microsoft will ask you to consolidate the transport rules, and later they may consider your request.

So, how to consolidate?

  • Delete the transport rules which are not in enabled status.
  • Do a cleanup by removing unwanted transport rules, validating whether a transport rule is really in use by viewing its rule hits:

(Get-MailDetailTransportRuleReport -TransportRule "Rule Name" -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)).Count

If the count shows 0 for the above command, you can consider that the rule is not in use and delete the rule.

  • Validate the rules and see if any rules can be combined to reduce the number of transport rules.

If the numbers are still not reducing, then show the consolidation details to Microsoft Support and they may consider your request.
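Added example (not from the original post) that applies the consolidation steps above to the whole rule set at once: it inventories every transport rule, counts hits per rule over a window, separates disabled and zero-hit rules, and groups rules with identical actions as merge candidates. It assumes an Exchange Online PowerShell session is already connected; the 30-day window and the CSV path are choices for the example.

```powershell
# Added example: transport rule usage inventory to support consolidation under the 300-rule limit.
# Assumes an existing Exchange Online PowerShell session. Window length and output path are choices.
$start = (Get-Date).AddDays(-30)
$end   = Get-Date

$rules = Get-TransportRule -ResultSize Unlimited
$usage = foreach ($r in $rules) {
    # Same report cmdlet as the single-rule check above, run per rule over the window.
    $hits = @(Get-MailDetailTransportRuleReport -TransportRule $r.Name -StartDate $start -EndDate $end).Count
    [pscustomobject]@{
        Name     = $r.Name
        Priority = $r.Priority
        State    = $r.State               # Enabled / Disabled
        Hits30d  = $hits
        Actions  = ($r.Actions -join ";")  # action list, used below to find merge candidates
    }
}

# Removal candidates: disabled rules first, then enabled rules that matched nothing in the window.
$disabled = @($usage | Where-Object { $_.State -eq "Disabled" })
$unused   = @($usage | Where-Object { $_.State -eq "Enabled" -and $_.Hits30d -eq 0 })

"Total rules : $($usage.Count) of 300"
"Disabled    : $($disabled.Count)"
"Zero hits   : $($unused.Count)"

# Rules that perform exactly the same actions are the ones whose conditions can be merged into one rule.
$usage | Group-Object -Property Actions | Where-Object { $_.Count -gt 1 } |
    Select-Object @{ n = "Actions"; e = { $_.Name } }, Count, @{ n = "Rules"; e = { ($_.Group.Name -join ", ") } }

# Keep the evidence: this is what to show Microsoft Support when asking for the limit to be reconsidered.
$usage | Sort-Object Hits30d, Priority | Export-Csv -Path ".\TransportRuleUsage.csv" -NoTypeInformation
```

Review the zero-hit list against the business owners before removing anything; a rule that fires only for rare events (for example a quarterly notification) will legitimately show no hits in a 30-day window.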

Mid-size to enterprise-level organizations use federated authentication for Office 365 / Azure. Many organizations deploy ADFS in a farm with high availability, and a few have gone ahead and deployed ADFS farms in 2 datacenters. I know a few companies that deployed ADFS in 2 of their own datacenters for high availability and, in addition, a 3rd instance of an ADFS Proxy and ADFS server combination (ADFS service name sts.superhybridcloud.com) with geo load balancing in the Azure cloud (with a writable DC in Azure as well).

An ADFS deployment like the above is fully business continuity plan compliant: users will still be able to access Office 365 applications if both ADFS farms in the on-premise datacenters are down.

ADFS federated sign-in authentication with Password Hash Synchronization to Azure AD is a good-to-have option for large enterprises as additional DR. You may ask why Password Hash Sync is required when ADFS is deployed in 3 datacenters, and the name says Password Hash Sync to Azure AD, which is a SaaS service.

Why should you not worry about Password Hash Sync?

  • On-premise, AD stores passwords in the form of a hash value which represents the actual user password.
  • A hash value is the result of a one-way mathematical function. There is no method to revert the result of a one-way function to the plain text version of a password.
  • The synchronized password hash cannot be used to sign in to the on-premises network.
  • When Password Hash Synchronization is enabled, AD has the password stored as an MD4 hash, and the DC encrypts the MD4 hash with an MD5 hash plus an additional key and sends it to the AD Connect PHS agent. The PHS agent receives the password in the form of the MD5-encrypted hash plus the additional key, and decrypts it using MD5CryptoServiceProvider and the additional key. After decrypting the MD5 layer, the PHS agent holds the password as an MD4 hash.
  • Although the AD Connect PHS agent decrypts the MD5 layer and now has the password as an MD4 hash, there is no way for the PHS agent to see the clear text password. The MD5 encryption done in AD is only for replicating the MD4 hash to the AD Connect server.
  • The PHS agent then does many further conversions, and the resulting secured hash (a combination of MD4 + salt + PBKDF2 + HMAC + SHA256) is synchronized to Azure AD over SSL.

Note: The original MD4 hash is not transmitted to Azure AD. Instead, the SHA256 hash of the original MD4 hash is synchronized. As a result, if the hash stored in Azure AD is obtained, it cannot be used in an on-premises pass-the-hash attack.
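A simplified model of the hardening step described above, as an added example (not the post's own code and not Microsoft's implementation): the 16-byte MD4 hash is expanded to 64 bytes by re-encoding its hex string as UTF-16, a 10-byte per-user salt is added, and PBKDF2-HMAC-SHA256 with 1000 iterations produces the 32-byte value that is synchronized. The expansion, salt length and iteration count follow Microsoft's public description as I recall it and should be treated as assumptions; the input hash is a constructed sample, and the Rfc2898DeriveBytes overload used requires .NET Framework 4.7.2+ or PowerShell 7.

```powershell
# Added example: derive the synced value from an NT (MD4) hash the way the post describes.
function Protect-NtHashForSync {
    param(
        [Parameter(Mandatory)][byte[]]$NtHash,   # 16 bytes; the clear text is never involved
        [byte[]]$Salt                            # omit to generate a fresh per-user salt
    )
    if ($NtHash.Length -ne 16) { throw 'MD4 (NT) hash must be 16 bytes' }
    if (-not $Salt) {
        $Salt = New-Object byte[] 10             # assumed 10-byte per-user salt
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Salt)
    }
    # Expand 16 bytes -> 32 hex chars -> 64 bytes (UTF-16LE), as assumed above
    $hex      = -join ($NtHash | ForEach-Object { $_.ToString('x2') })
    $expanded = [System.Text.Encoding]::Unicode.GetBytes($hex)
    # PBKDF2 with HMAC-SHA256, 1000 iterations, 32-byte output: one-way, salted, slow
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $expanded, $Salt, 1000, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    $derived = $kdf.GetBytes(32)
    $kdf.Dispose()
    [pscustomobject]@{
        Salt       = $Salt
        SyncedHash = ([System.BitConverter]::ToString($derived) -replace '-')
    }
}

# Constructed sample NT hash (not a real user's hash)
$sample = [byte[]](0..15 | ForEach-Object { ($_ * 17) -band 0xFF })
$first  = Protect-NtHashForSync -NtHash $sample
$again  = Protect-NtHashForSync -NtHash $sample -Salt $first.Salt

# The synced value is not the NT hash, so it cannot be replayed on-premises;
# only the same hash with the same salt reproduces it, which is what verification relies on.
'NT hash (never synced): ' + ([System.BitConverter]::ToString($sample) -replace '-')
'Synced value          : ' + $first.SyncedHash
'Same salt reproduces  : ' + ($first.SyncedHash -eq $again.SyncedHash)
```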

Enabling Password Hash Sync:

Change the configuration in AD Connect to enable Password Hash Sync as an authentication option. The Password Hash Sync agent synchronizes the SHA256 value once every 2 minutes. We can confirm that Password Hash Sync is enabled by checking the Azure AD Connect option in the Azure AD portal.

In addition, you can use the below command to check the password hash sync status.

Hopefully you are enabling Password Hash Sync as an additional option that you can fall back on in case of any issue with your ADFS infrastructure.

Before looking at how to handle a terminated employee's login and restrict access to company data in Office 365, we need to understand the details of authentication, the refresh token and the access token.

Authentication: when a user accesses any service integrated with Azure AD, such as Office 365 (EXO) -> EXO redirects the user to Azure AD -> Azure AD does realm discovery -> if the domain is federated, the user is redirected to the federation service, such as ADFS -> ADFS authenticates the user against Active Directory and returns a token -> the user presents the token to Azure AD -> Azure AD validates the claims and authentication succeeds -> Azure AD issues a refresh token and an access token to the user -> the user sends the access token to EXO and gets access to the EXO service.

Access Token: once Azure AD determines that authentication succeeded, it issues an access token and refresh token pair to the user. The user sends the access token to the respective service, such as EXO, to get access to the service. By default it has a time-to-live of 1 hour, and it cannot be revoked or expired by an admin.

Refresh Token: when the access token is about to expire after an hour, behind the scenes the refresh token is sent to Azure AD to get a new access token, and a new access token / refresh token pair is issued to the user. The user presents the new access token to EXO to retain access. Refresh tokens are valid for 90 days and can be revoked by admins.

Note: once authentication succeeds, the user is re-prompted to authenticate only after a maximum of 90 days. The refresh and access token combination can be reused in the background to access Office 365 services without re-authentication for 90 days. Password expiry / account lockout is detected at the access token refresh/renewal interval, and only then is the user prompted to authenticate.

Okay, let's jump into the options to control a terminated employee's sign-in access to Office 365 services.

  • Disabling and resetting the user password – Disabling the account in on-premise AD and resetting the password is the first step you will take to stop the user from using corporate credentials to access Office 365 services. These changes have to replicate to Azure AD so that Azure AD blocks the user from signing in with the existing credentials, or from accessing company resources because the account is disabled. So ensure you keep the Azure AD Connect sync cycle running once every 30 minutes.
  • Revoke the tokens using PowerShell – Revoke-AzureADUserAllRefreshToken -ObjectId "ID"

This command revokes all the tokens, including the password-based cookie we use on OWA.

Optionally / additionally, we can make the below changes.

  • Disabling Exchange protocols: Exchange Online automatically prompts the user to re-authenticate when the password changes for access over MAPI, OWA, EWS and POP/IMAP. In addition to that, disable those protocols immediately once the user is terminated.

  • Block the sign-in in Azure AD: the user account can be blocked from signing in to Azure using the below command

  • Remote wipe the user's mobile device:

Important thing to note: the user will still have access to the Outlook cached mode data on the desktop, and if it is a personal desktop there is no way to prevent the user from exporting the data to PST.

So, what option is available for this scenario? Ensure you allow access to company data only from company-managed (Azure AD domain-joined) machines. On the other side, enable litigation hold to retain the data forever.
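The offboarding steps above applied in one pass, as an added example (not the post's own script). It assumes it runs on the AD Connect server (for Start-ADSyncSyncCycle) with the RSAT ActiveDirectory module, an AzureAD session (Connect-AzureAD) and an Exchange Online session (Connect-ExchangeOnline) already established; the UPN at the end is a constructed sample.

```powershell
# Added example: cut off a terminated user on-premises and in the cloud in the right order.
function Invoke-UserOffboarding {
    param([Parameter(Mandatory)][string]$Upn)

    # 1. On-premises first: replace the password with a random value, then disable the account
    $rnd = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rnd)
    $newPwd = ConvertTo-SecureString ([Convert]::ToBase64String($rnd)) -AsPlainText -Force
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'"
    Set-ADAccountPassword -Identity $adUser -Reset -NewPassword $newPwd
    Disable-ADAccount -Identity $adUser

    # 2. Do not wait up to 30 minutes for the scheduled cycle: push a delta sync now
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

    # 3. Cloud side, independent of the sync: block sign-in and revoke every refresh token.
    #    Without the revoke, cached access/refresh token pairs keep working for up to 90 days.
    $aadUser = Get-AzureADUser -ObjectId $Upn
    Set-AzureADUser -ObjectId $aadUser.ObjectId -AccountEnabled $false
    Revoke-AzureADUserAllRefreshToken -ObjectId $aadUser.ObjectId

    # 4. Exchange Online: close the client protocols, hold the data, and remove the Exchange
    #    account from mobile devices (-AccountOnly leaves personal device data alone)
    Set-CASMailbox -Identity $Upn -OWAEnabled $false -ActiveSyncEnabled $false -PopEnabled $false `
        -ImapEnabled $false -MAPIEnabled $false -EwsEnabled $false
    Set-Mailbox -Identity $Upn -LitigationHoldEnabled $true
    Get-MobileDevice -Mailbox $Upn | ForEach-Object {
        Clear-MobileDevice -Identity $_.Identity -AccountOnly -Confirm:$false
    }
}

# Constructed sample UPN
Invoke-UserOffboarding -Upn 'terminated.user@superhybridcloud.com'
```

The cloud-side block and revoke in step 3 close the window between the on-premises change and its arrival in Azure AD; the cached Outlook data on an unmanaged desktop remains outside what this script can reach.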

You may want to have a Hybrid Exchange LAB environment to prepare for your Microsoft 365 certification exam. If needed, you can follow the instructions below to get your LAB ready in a few hours. By the way, it is not free, but it won't cost you much to prepare for your exam.

Below are details of my LAB in Azure that I used to prepare for my Microsoft 365 exam. I'm now a Microsoft 365 Certified Enterprise Administrator Expert certification holder.

LAB Requirements:

Azure Trial Subscription: You can easily sign up for an Azure Free Trial with $200 in credits.

Office 365 E3 Trial Subscription: You can try a Microsoft 365 Trial as well – 30 days free.

Certificate: A *.DomainName.com certificate purchased from a 3rd party vendor is required. You can get a wildcard certificate for $40 per year.

Azure Virtual Machines: 4 Virtual Machines (Domain Controller, Exchange 2016, AD Connect Server (installed on the DC), ADFS & ADFS Proxy)

Azure Load Balancer: 2 Load Balancers, one for Exchange (mail.superhybridcloud.com) & another for STS (sts.superhybridcloud.com)

Azure Storage Account: Create a storage account with LRS replication type to keep your virtual disks.

Azure Virtual Network: Create a VNet with address space 10.0.0.0/16 & 2 subnets (Internal – 10.0.0.0/24) & (DMZ – 10.0.1.0/24). Set the DNS server as 10.0.0.4.

Azure Network Security Group: You can place all the Virtual Machines under this NSG and create the below Inbound Rules to have proper communication between servers.
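The NSG for this LAB topology built with the Az PowerShell module, as an added example (not the post's own rules). It assumes a resource group named rg-shc-lab, the eastus region, a VNet named vnet-shc-lab with subnets Internal and DMZ as above, and an admin public IP of 203.0.113.10, all of which are placeholders; only 443 and 25 are opened from the Internet, and traffic between the two subnets relies on the default VirtualNetwork rule.

```powershell
# Added example: least-privilege inbound rules for the Internal (10.0.0.0/24) and DMZ (10.0.1.0/24) subnets
$rg       = 'rg-shc-lab'        # placeholder
$location = 'eastus'            # placeholder
$internal = '10.0.0.0/24'       # DC, Exchange, AD Connect, ADFS
$dmz      = '10.0.1.0/24'       # ADFS Proxy

$rules = @(
    # OWA / Autodiscover behind the mail.superhybridcloud.com load balancer
    New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-Exchange' -Priority 100 -Direction Inbound `
        -Access Allow -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange '*' `
        -DestinationAddressPrefix $internal -DestinationPortRange 443
    # Hybrid mail flow from Exchange Online Protection
    New-AzNetworkSecurityRuleConfig -Name 'Allow-SMTP-Exchange' -Priority 110 -Direction Inbound `
        -Access Allow -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange '*' `
        -DestinationAddressPrefix $internal -DestinationPortRange 25
    # Federated sign-in behind the sts.superhybridcloud.com load balancer
    New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-ADFSProxy' -Priority 120 -Direction Inbound `
        -Access Allow -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange '*' `
        -DestinationAddressPrefix $dmz -DestinationPortRange 443
    # Management: RDP only from the admin's own public IP (placeholder), never from 'Internet'
    New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-Admin' -Priority 200 -Direction Inbound `
        -Access Allow -Protocol Tcp -SourceAddressPrefix '203.0.113.10/32' -SourcePortRange '*' `
        -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3389
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
          -Name 'nsg-shc-lab' -SecurityRules $rules

# Attach the NSG to both subnets of the 10.0.0.0/16 VNet
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-shc-lab'
foreach ($subnetName in 'Internal', 'DMZ') {
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
    Set-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet `
        -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
}
$vnet | Set-AzVirtualNetwork | Out-Null
```

The Azure load balancer is pass-through, so the rules are written against the VM subnets rather than the load balancer's public IP; health probes are already permitted by the default AzureLoadBalancer rule.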

Step by Step details:

Step 1: Sign up for the Office 365 E3 Trial – To have clean domain naming options, choose the required Azure default domain name, for example superhybridcloud.onmicrosoft.com as the default domain if your external email domain is superhybridcloud.com. During the trial sign-up, choose the default global admin as admin@superhybridcloud.onmicrosoft.com

Step 2: Login to Portal.azure.com admin@superhybridcloud.onmicrosoft.com and sign up for a Trial Azure Subscription. It will ask for a credit card to verify the proof of Identity.

Step 3: Create an Azure Virtual Network with address space 10.0.0.0/16 and 2 subnets: Internal – 10.0.0.0/24 & DMZ – 10.0.1.0/24

Step 3: Create Network Security Group and apply it the Subnets

Step 4: Create Azure Storage, with LRS as replication type to minimize the cost

Step 5: Create the Domain Controller VM – Promote the machine as DC with the domain name SHC.com and log in to the DC. Add the domain superhybridcloud.com as a UPN suffix in AD Domains and Trusts.

Step 6: Create the Exchange Server VM – Join the machine to the domain, install Exchange 2016, configure the certificate and change the external URL to mail.superhybridcloud.com. On DC -> DNS, create a new zone for superhybridcloud.com and create the A records for mail.superhybridcloud.com and Autodiscover.superhybridcloud.com that point to the Exchange server IP.

Step 7: Create an Azure LB Instance -> Configure Exchange Server as the back end node, set up monitoring probe for Port 443, Load balancing Rule that points to Exchange Virtual IP

Step 8: Create NSG Rule – Create Inbound allow rule in NSG for mail.superhybridcloud.com

Step 9: Create the external DNS record for mail.superhybridcloud.com that points to the Azure LB public IP, for OWA mail access.

Step 10: Add and verify superhybridcloud.com as additional\custom domain in Office 365

Step 11: AD Connect Setup – Download and Install AD connect in Domain Controller. Do not setup ADFS related configuration. Choose Exchange Hybrid feature only.

Step 12: Create ADFS VM – Install ADFS role and configure it. Adfs service name as sts.superhybridcloud.com

Step 13: Create the ADFS Proxy VM – Create the VM in the DMZ subnet. Install the ADFS Proxy role and configure it. Create a host entry for sts.superhybridcloud.com that points to the ADFS server IP.

Step 14: Create an Azure LB Instance -> Configure STS load balancing. Set the ADFS Proxy as the back end node, set up a monitoring probe for port 443, and a load balancing rule that points to the ADFS Proxy virtual IP.

Step 15: Configure ADFS sign-in – Install the MSOnline module on the ADFS server and follow the steps as shown below.
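Converting the custom domain to federated sign-in with the MSOnline module, as an added example (not the post's own steps), run on the ADFS server. It assumes the ADFS server's FQDN is ADFS01.shc.com (a placeholder) and that superhybridcloud.com was already verified in Office 365 in Step 10.

```powershell
# Added example: federate superhybridcloud.com with the LAB ADFS farm (sts.superhybridcloud.com)
Install-Module -Name MSOnline -Scope CurrentUser     # once, on the ADFS server
Import-Module MSOnline
Connect-MsolService                                   # sign in as the global admin

# Point the federation cmdlets at the local ADFS farm (placeholder computer name)
Set-MsolADFSContext -Computer 'ADFS01.shc.com'

# Sanity check before converting: the domain must be Verified and still Managed
$domainName = 'superhybridcloud.com'
$domain = Get-MsolDomain -DomainName $domainName
if ($domain.Status -ne 'Verified' -or $domain.Authentication -ne 'Managed') {
    throw "Domain is $($domain.Status)/$($domain.Authentication); expected Verified/Managed"
}

# Creates the Office 365 relying party trust in ADFS and writes the federation settings
# (issuer URI, logon URLs, signing certificate) into Azure AD for this domain
Convert-MsolDomainToFederated -DomainName $domainName

# Verify what Azure AD now holds; users of this domain are redirected here at sign-in
Get-MsolDomainFederationSettings -DomainName $domainName |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri

# Roll back to managed sign-in (password hash sync) if the ADFS farm is ever unavailable:
#   Convert-MsolDomainToStandard -DomainName $domainName -SkipUserConversion $true -PasswordFile C:\temp\pw.txt
```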

Leave your comment for any additional information about the Exchange LAB setup in Azure. All the best for your exam preparation.

New components\features introduced in Office 365\Exchange Online Protection, like Advanced Threat Protection and anti-phishing capabilities, etc., change the mail flow architecture. We will discuss the updated Office 365 mail flow architecture here.

Below is the updated mail flow architecture reference diagram.

Mail Flow Explanation:

Inbound Mail Flow:

When the MX record points to Exchange Online Protection, emails sent to that domain are routed to EOP. The Edge Blocking component does the connection filtering -> anti-virus & anti-malware scanning is done by Malware Protection -> transport rules are applied to the emails -> the Advanced Threat Protection Safe Attachments feature scans the attachments -> the email is checked for phishing -> Anti-Spam does the spam checking -> spoof detection is done -> Zero-hour Auto Purge protection happens -> ATP Safe Links URL wrapping happens, and then the mail is delivered to the Office 365 mailbox.

Outbound Mail Flow:

If an Office 365 user sends an email to the Internet, the mail is scanned for malicious content; normal emails are delivered to the Outbound Pool and then to the Internet recipient. Any email detected as bulk or suspicious is routed to the High Risk Delivery Pool or Bulk Mail Pool, and there is no guarantee that such email will be delivered to the respective recipient.

Detailed Explanation:

Below architecture shows the complete details of the Exchange Online Protection mail flow architecture

All the components are self-explanatory; leave your comments for any additional information.