What are the identity models available in Office 365?

Office 365 uses the cloud-based authentication service Azure Active Directory (Azure AD) to manage user accounts. There are three identity models for setting up and managing user accounts.

  • Cloud Identity: user management is done only in Office 365 (Azure AD). No on-premises servers are required to manage users; all user management, such as account creation, is done in the cloud.
  • Synchronized Identity: identities are synchronized from the on-premises directory to Office 365 (Azure AD), and user management is done in the on-premises AD. Passwords can be synchronized so that users have the same password on-premises and in the cloud. Users still have to sign in separately to on-premises resources and to Office 365; there is no single sign-on experience.
  • Federated Identity: identities are synchronized from the on-premises directory to Office 365 (Azure AD), and user management is done in the on-premises AD. Users have the same password on-premises and in the cloud and do not need to sign in again to use Office 365. This is also known as single sign-on.

How to integrate On-Premise environment with Office 365?

To integrate on-premises services like Exchange, Skype for Business and SharePoint with Office 365:

  1. Synchronize the on-premises directory with Office 365 (Azure Active Directory) using DirSync, Azure AD Sync or Azure AD Connect.
  2. Once directory synchronization is complete, implement SSO so that users can log on to both environments with their on-premises credentials. It can be implemented with an ADFS / ADFS Proxy combination, or with Azure AD Connect.
  3. Create a hybrid environment to migrate users from on-premises to the cloud by running the Hybrid Configuration Wizard in Exchange Server. You can keep some users in the cloud and others on-premises based on your requirements.

What kind of identity model are you using in your company?

If your environment is purely in Office 365 and you don't have an on-premises AD, then you can tell the interviewer that it is Cloud Identity and that you manage every object creation in Azure AD.

If you are using AD Connect and ADFS, then you are using Federated Identity. Object management is done in the on-premises Active Directory.

Which identity model do you prefer, and why do companies prefer the Federated Identity model?

Though the Federated Identity model is complex to set up, I prefer Federated Identity. With the Federated Identity model, object creation and authentication happen in the on-premises AD for the services enabled for a user in Office 365.

Companies prefer to manage their objects in their on-premises AD, and also to handle authentication via their ADFS infrastructure.

What are DirSync, Azure AD Sync and Azure AD Connect?

DirSync, Azure AD Sync and Azure AD Connect are used to synchronize on-premises AD objects to Office 365 (Azure Active Directory), which is required for Federated Identity.

DirSync is the commonly known product for synchronizing an on-premises directory to Azure Active Directory. DirSync does not support multi-forest directory synchronization.

Azure AD Sync is the next version of DirSync; it supports multi-forest directory synchronization and password write-back.

Azure AD Connect is the latest version of Microsoft's directory synchronization software. Azure AD Connect is recommended for larger organizations with a large number of objects, and it has additional features such as SSO and group write-back.

Why do we need to sync AD objects to Azure AD?

To have a single sign-on experience and to enable services like Exchange Online or SharePoint Online by assigning a license to an account, we need an object in Azure AD. Once the objects are synced, a license is assigned to the respective user account to enable the Office 365 services. When a user accesses Office 365 services like Exchange Online or SharePoint Online, the user account is checked for a license, authentication is validated according to the identity model in use, and the services are then allowed.

How will you ensure that on-premises Active Directory objects can be synced to Azure AD?

Before AD objects are synced to Azure AD, it is better to validate whether the objects are ready to be synchronized. We can run the IdFix tool before the AD Connect installation to validate whether the AD objects are in a state that can be synchronized from on-premises to Azure.

The IdFix tool helps to find problems such as duplicate object entries, duplicate SIP addresses and similar attribute errors.
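The checks IdFix performs can also be scripted for a quick read-only pass before the tool is run. The script below is an added example, not part of the original post and not Microsoft's IdFix tool; it assumes the ActiveDirectory module (RSAT) on a domain-joined machine, and the `$VerifiedDomains` list is a placeholder for the domains you have actually verified in Office 365.

```powershell
# Added example: read-only pre-sync check for the kinds of problems IdFix reports
# (duplicate addresses, bad UPNs, malformed mail attributes). Not Microsoft's IdFix.
# Assumes: RSAT ActiveDirectory module; $VerifiedDomains holds placeholder values.
Import-Module ActiveDirectory

$VerifiedDomains = @('yourcompany.com', 'yourcompany.onmicrosoft.com')   # placeholder values

# Characters allowed in the UPN prefix for Azure AD: letters, digits and ' . - _ ! # ^ ~
$InvalidUpnPrefixChars = "[^A-Za-z0-9'.\-_!#^~]"

$users    = Get-ADUser -Filter * -Properties mail, proxyAddresses, userPrincipalName
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($obj, $attribute, $problem) {
    $findings.Add([pscustomobject]@{
        Object    = $obj.SamAccountName
        Attribute = $attribute
        Problem   = $problem
    })
}

# 1. Duplicate SMTP/SIP addresses: the same address on two objects blocks both from syncing.
#    Keys are lower-cased so "SMTP:" (primary) and "smtp:" (secondary) collide as they should.
$addressOwners = @{}
foreach ($u in $users) {
    $addrs = @()
    if ($u.mail)           { $addrs += "SMTP:$($u.mail)" }
    if ($u.proxyAddresses) { $addrs += $u.proxyAddresses }
    foreach ($a in $addrs) {
        $key = $a.ToLowerInvariant()
        if ($addressOwners.ContainsKey($key) -and $addressOwners[$key] -ne $u.SamAccountName) {
            Add-Finding $u 'proxyAddresses' "Duplicate address $a, also on $($addressOwners[$key])"
        } else {
            $addressOwners[$key] = $u.SamAccountName
        }
    }
}

# 2. UPN format: blank, no suffix, unverified suffix, disallowed characters, too long (113 max)
foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    if (-not $upn) { Add-Finding $u 'userPrincipalName' 'UPN is blank'; continue }
    $prefix, $suffix = $upn -split '@', 2
    if (-not $suffix) { Add-Finding $u 'userPrincipalName' 'UPN has no @suffix'; continue }
    if ($VerifiedDomains -notcontains $suffix.ToLowerInvariant()) {
        Add-Finding $u 'userPrincipalName' "Suffix $suffix is not a verified Office 365 domain"
    }
    if ($prefix -match $InvalidUpnPrefixChars -or $prefix.EndsWith('.')) {
        Add-Finding $u 'userPrincipalName' 'Prefix contains characters Azure AD does not accept'
    }
    if ($upn.Length -gt 113) { Add-Finding $u 'userPrincipalName' 'UPN exceeds 113 characters' }
}

# 3. The mail attribute must be a single well-formed address
foreach ($u in $users) {
    if ($u.mail -and $u.mail -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        Add-Finding $u 'mail' "Malformed address '$($u.mail)'"
    }
}

$findings | Sort-Object Object, Attribute | Format-Table -AutoSize
"$($findings.Count) finding(s) across $($users.Count) user objects"
```

The script changes nothing in AD; it only reports. An object whose UPN suffix is not a verified domain is the most common reason a synced user ends up with an onmicrosoft.com UPN in Azure AD, so that finding is worth clearing before the first sync rather than after.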

What are the prerequisites to deploy Azure AD Connect? Or: what are the prerequisites for integrating an on-premises Exchange environment with Office 365?

To integrate on-premises Exchange, we need to sync the on-premises objects to Azure AD so that licenses can be enabled on the accounts, which allows users to access the required services. Once the AD Connect configuration is complete and the sync has started, we need to deploy ADFS for authentication.

Below are the prerequisites to consider before installing Azure AD Connect, which synchronizes the on-premises directory to Office 365 (Azure Active Directory):

  • An Azure subscription is required; if you register for an Office 365 subscription, you get Azure AD for directory services in the backend.
  • Add and verify the domain (yourcompany.com) from which you are going to synchronize objects to Azure AD. In Office 365, yourcompany.onmicrosoft.com is the default domain when you get the subscription; along with that, your on-premises AD domain name has to be added and verified.
  • We can run the IdFix tool to find errors like duplicates and formatting problems in the directory. Errors highlighted by IdFix must be fixed so that the objects can synchronize with Azure AD.
  • The AD schema version and forest functional level must be Windows Server 2003 or later. Password write-back is supported on Windows Server 2008 with its service pack or later, with KB2386717 applied. A writable DC is required; an RODC is not supported. Enable the AD Recycle Bin.
  • A group Managed Service Account is supported on Windows Server 2012 or later.
  • If the ADFS feature is going to be enabled in Azure AD Connect, then ADFS and the Web Application Proxy must be installed on Windows Server 2012 R2 or later.
  • Azure AD Connect requires a SQL Server database to store identity data. The default installation of SQL Server Express supports only 10 GB and a maximum of 100K objects. Select a SQL Server edition based on your requirements.
  • A Global Admin account in Azure AD and an Enterprise Administrator account on-premises are required to set up Azure AD Connect.
  • .NET Framework 4.5.1 and Windows Management Framework 4.0 are required for the Azure AD Connect installation.
  • The Azure AD Connect server needs connectivity to the on-premises AD and internet access to Azure AD.
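Several of the items in that list can be verified on the intended Azure AD Connect server before the installer is run. The pre-flight script below is an added example, not part of the original post or of the Azure AD Connect product; it assumes it runs on the server that will host Azure AD Connect, joined to the forest, with the RSAT ActiveDirectory module available, and it covers the forest level, schema version, Recycle Bin, writable DC, .NET/WMF versions and outbound HTTPS to Azure AD.

```powershell
# Added example: pre-flight check of Azure AD Connect prerequisites on the target server.
# Assumes: domain-joined server, RSAT ActiveDirectory module, PowerShell 3.0+ for -notin.
Import-Module ActiveDirectory

$results = New-Object System.Collections.Generic.List[object]
function Add-Check($name, $ok, $detail) {
    $results.Add([pscustomobject]@{ Check = $name; Pass = [bool]$ok; Detail = "$detail" })
}

# Forest functional level must be Windows Server 2003 or later
$forest = Get-ADForest
Add-Check 'Forest functional level >= 2003' ($forest.ForestMode -notin 'Windows2000Forest', 'Windows2003InterimForest') $forest.ForestMode

# Schema version: objectVersion on the schema naming context; 30 is Windows Server 2003
$schema = Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
Add-Check 'Schema version >= 30 (Windows Server 2003)' ($schema.objectVersion -ge 30) $schema.objectVersion

# AD Recycle Bin must be enabled in at least one scope
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
Add-Check 'AD Recycle Bin enabled' ($rb.EnabledScopes.Count -gt 0) "$($rb.EnabledScopes.Count) scope(s)"

# A writable DC must be reachable (RODCs are not supported)
$dc = Get-ADDomainController -Discover -Writable -ErrorAction SilentlyContinue
Add-Check 'Writable DC discovered' ($null -ne $dc) $dc.HostName

# .NET Framework 4.5.1 or later (registry Release value 378675 = 4.5.1)
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
Add-Check '.NET Framework >= 4.5.1' ($release -ge 378675) $release

# Windows Management Framework 4.0 or later, i.e. PowerShell 4.0+
Add-Check 'PowerShell >= 4.0 (WMF 4.0)' ($PSVersionTable.PSVersion.Major -ge 4) $PSVersionTable.PSVersion

# Outbound HTTPS to the Azure AD endpoints the connector talks to
foreach ($h in 'login.microsoftonline.com', 'graph.windows.net') {
    $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    Add-Check "HTTPS to $h" $t.TcpTestSucceeded $t.RemoteAddress
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { Write-Warning 'One or more Azure AD Connect prerequisites are not met.' }
```

The SQL sizing, licensing and admin-account items from the list are decisions rather than machine-checkable facts, so they are deliberately left out; everything the script does check is read-only.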

What is the limit on the number of objects that can be synced to Azure AD?

The default limit is 50K objects when we get the Office 365 subscription. Beyond that, 300K objects can be synchronized to Azure AD. If there is a requirement to sync more than 300K objects, we can contact Microsoft to increase the limit. I know a company that is allowed to sync 1500K objects to Azure AD.

Why do we need to add and verify domains in Office 365?

The on-premises Active Directory domain has to be added and verified in Azure AD for directory synchronization to occur, and adding the domain increases the default limit of 50K objects to 300K objects.

On-premises Exchange will have email addresses on a domain like xyz.com; we need to add that domain in Office 365 so that Exchange Online users get the same email addresses. If we want to add additional external email addresses in on-premises Exchange, the domain has to be added and verified so that Office 365 creates it as an accepted domain in Exchange Online.

Give a short introduction about yourself.

I'm "YourName", with X years of experience in Messaging and Collaboration Support. I have been working at such-and-such company for the last 5 years, handling the on-premises Exchange and Office 365 environment for X number of users. We are currently migrating mailboxes to Office 365, and almost half of the mailboxes have been migrated. I have been working on the Office 365 migration project from the beginning and have been involved in the planning and execution. I have learned many things during the Office 365 migration project and have good troubleshooting skills related to Office 365. I'm very interested in working on messaging services and would love to explore new things related to messaging and collaboration services.

Give a short explanation of the infrastructure that you are supporting.

I'm supporting a single-forest domain with a hybrid Exchange environment for X number of users, with AD Connect, ADFS and Enterprise Pack E3 licenses assigned to all Office 365 users. In addition, we use the EMS E3 license for mobility and security requirements. We are currently in the migration stage, migrating mailboxes in phases. We plan to migrate almost all users and will retain a few mailboxes on-premises for the company's compliance and security requirements. In parallel, we are enabling services like SharePoint Online and other Office 365 services for users.

What are the day-to-day activities that you do as an Office 365 admin?

I schedule the mailboxes for migration; we are migrating 500 users to Office 365 on a daily basis. In addition, service health checks and monitoring the Message Center alerts are the main tasks we do daily. We have a checklist to ensure the service is healthy and users are able to access Office 365 services without any issues. We have 24/7 operations support that takes care of reported issues. I am assigned tickets to work on, and we follow a strict SLA to ensure tickets are closed on time. There are migration schedules; I work on them and address any issues that come up during the migration.

How did you start the Office 365 migration?

Our IT leaders approved the on-premises Exchange to Office 365 migration. Different teams were involved in the planning, and Corporate Security was involved to do the security assessment.

  1. We did a network performance analysis from different locations, using the psping and tracert tools, to see whether any bandwidth increase was needed. Internet proxy exceptions were configured on all client machines to route Office 365 related traffic via the firewall.
  2. The security controls defined by Corporate Security were validated against the options available in Office 365 / Azure to implement them.
  3. We started the planning: the domain name in Office 365, capacity planning for directory synchronization and ADFS for federated authentication, etc.
  4. Once finalized, we bought the Office 365 subscription (Enterprise E3 & EMS E3) and deployed the services in order: deploying AD Connect, then ADFS, running the hybrid configuration, etc.
  5. We did a pilot move, performed complete use-case validation and showcased the results to the leadership team and the Corporate Security team.
  6. After their approval, we started migrating the mailboxes to Office 365.

What tools did you use to do the network assessment for Office 365?

Ping tests, PsPing and tracert against Office 365 URLs. We used these tools to check network latency and to ensure that our requests resolve to the IP addresses of the nearest Office 365 datacenter.

What security controls are implemented in your environment?

Tell the interviewer that it is a big list. For example, Office 365 services are fully functional from Azure AD managed computers, while on personal devices users have read-only access. We achieved this via Azure conditional access policies.

What do you know about Office 365?

Office 365 is a cloud-based service from Microsoft that offers access to Office applications like Word and Excel and to other productivity tools like Skype Online, Exchange Online and OneDrive for Business. Office 365 includes plans for home and business use. The services available to you depend on the subscription plan you choose from Microsoft.

What subscriptions are available for purchase in Office 365?

  • For home, there are three products: Office 365 Home, Office 365 Personal and Office Home & Student 2016 for PC.
  • For business, Microsoft has three products: Office 365 Business, Office 365 Business Premium and Office 365 Business Essentials.
  • For enterprise, Microsoft has four products: Office 365 ProPlus, Office 365 Enterprise E1, Office 365 Enterprise E3 and Office 365 Enterprise E5.

Apart from the above, many add-on services like Azure AD Premium P2 and Azure Information Protection plans are available, which can be purchased as stand-alone services based on business requirements.

What are the services included in Enterprise E3 Plan?

Most companies prefer the Office 365 Enterprise E3 plan because it has the services required to operate an enterprise organization. The following services are included in the Office 365 Enterprise E3 plan:

You can run the command below to check the service status of the E3 SKU (ENTERPRISEPACK); replace TenantName with your own tenant name.

(Get-MsolAccountSku | Where-Object {$_.AccountSkuId -eq 'TenantName:ENTERPRISEPACK'}).ServiceStatus
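The one-liner shows the tenant-level status of each service plan. In day-to-day support the more common question is why a particular user cannot reach a service, which comes down to whether that user holds the SKU at all and which plans are disabled on their copy of it. The script below is an added example, not from the original post; it assumes the MSOnline module and an existing Connect-MsolService session, and `TenantName` and the UPN are placeholders.

```powershell
# Added example: tenant-level service plans in the E3 SKU, then a per-user view of
# which plans are disabled on that user's license. Assumes MSOnline module and an
# existing Connect-MsolService session; $SkuId and $Upn are placeholders.
Import-Module MSOnline

$SkuId = 'TenantName:ENTERPRISEPACK'   # placeholder tenant name
$Upn   = 'user@yourcompany.com'        # placeholder user

# Tenant view: plans bundled in the SKU and their provisioning status
$sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $SkuId }
if (-not $sku) { throw "SKU $SkuId not found in this tenant" }

"Tenant SKU $SkuId : $($sku.ConsumedUnits) of $($sku.ActiveUnits) licenses assigned"
$sku.ServiceStatus |
    Select-Object @{ n = 'Service'; e = { $_.ServicePlan.ServiceName } }, ProvisioningStatus |
    Format-Table -AutoSize

# User view: does the user hold this SKU, and which of its plans are disabled for them?
$user = Get-MsolUser -UserPrincipalName $Upn
$lic  = $user.Licenses | Where-Object { $_.AccountSkuId -eq $SkuId }
if (-not $lic) {
    Write-Warning "$Upn does not hold $SkuId; services in this SKU are not available to the user"
} else {
    $disabled = @($lic.ServiceStatus | Where-Object { $_.ProvisioningStatus -eq 'Disabled' })
    "$Upn holds $SkuId with $($disabled.Count) plan(s) disabled:"
    $disabled | ForEach-Object { "  - $($_.ServicePlan.ServiceName)" }
}
```

A plan that shows as Success at the tenant level but Disabled on the user is a license-option issue, not a service outage, which is the distinction the Service Health check alone will not give you.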

What are the additional services available in Office 365 Enterprise E5 Plan?

Office 365 Enterprise E5 plans include all the services available in the Enterprise E3 plan plus:

Customer Lockbox, Advanced Data Governance and Security, Office 365 Cloud App Security, Power BI Pro, audio and video conferencing, and FastTrack deployment support.

What is the Enterprise Mobility and Security service in Office 365?

Enterprise Mobility + Security (EMS) provides a security solution for the challenges of a mobile-first, cloud-first world. EMS not only protects the organization's identities; it also identifies security breaches before they cause damage.

Microsoft offers two Enterprise Mobility + Security plans with Office 365:

  • Enterprise Mobility + Security E3 includes Azure Active Directory Premium P1, Microsoft Intune, Azure Information Protection Premium P1 and Microsoft Advanced Threat Analytics.
  • Enterprise Mobility + Security E5 includes Azure Active Directory Premium P2, Azure Information Protection Premium P2 and Microsoft Cloud App Security.

Explain the Enterprise Mobility + Security services.

Below are the Enterprise Mobility + Security E3 services:

  • Azure Active Directory Premium P1: AAD Premium P1 provides secure single sign-on to cloud and on-premises apps, MFA, conditional access and advanced security reporting.
  • Microsoft Intune: Intune provides mobile device and app management to protect corporate apps and data on any device.
  • Azure Information Protection Premium P1: AIP Premium P1 provides encryption for files and emails across cloud and on-premises storage locations. Cloud-based file tracking can be achieved.
  • Microsoft Advanced Threat Analytics: ATA provides protection from advanced targeted attacks by using user behavioral analytics.

Below are the Enterprise Mobility + Security E5 services:

  • Azure Active Directory Premium P2: AAD Premium P2 provides the AAD Premium P1 features plus identity and access management with advanced protection for users and privileged identities.
  • Azure Information Protection Premium P2: AIP Premium P2 provides the AIP Premium P1 features plus intelligent classification and encryption for files and emails shared inside and outside the organization.
  • Microsoft Cloud App Security: CAS provides enterprise-grade visibility, control and protection for your cloud applications.

Recently, Microsoft announced an option in OWA to control additional storage providers like Box, which allows users to attach a file from, or save a document in an email to, third-party storage providers.

Microsoft's announcement on the AdditionalStorageProvidersAvailable parameter.

You can validate the setting by running the command below.

Get-OwaMailboxPolicy "Policy Name" | fl Additional*

If that parameter is set to True, your users will have the options below to add third-party storage accounts in OWA.

To restrict third-party storage accounts like Box or Dropbox in OWA, disable that option by running the command below.

Set-OwaMailboxPolicy "Policy Name" -AdditionalStorageProvidersAvailable:$false

Once that option is disabled, users will not see the option to add third-party storage, as shown below.

Note: OneDrive is not considered a third-party storage option, and the previously available parameter ThirdPartyFileProvidersAvailable will not work after 15th August 2019.
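Tenants usually have more than one OWA mailbox policy, and a setting turned off on the default policy does nothing for users assigned to another one. The function below is an added example, not from the original post or from Microsoft; it assumes an already connected Exchange Online PowerShell session, audits every policy for AdditionalStorageProvidersAvailable, reports how many mailboxes each policy covers, and disables the setting where it is enabled. It supports -WhatIf so the change can be previewed first.

```powershell
# Added example: audit all OWA mailbox policies for AdditionalStorageProvidersAvailable
# and disable it where enabled. Assumes an existing Exchange Online PowerShell session.
function Disable-OwaThirdPartyStorage {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($p in Get-OwaMailboxPolicy) {
        $wasEnabled = [bool]$p.AdditionalStorageProvidersAvailable

        # Count mailboxes that would be affected by a change to this policy
        $inUse = (Get-CASMailbox -Filter "OwaMailboxPolicy -eq '$($p.Name)'" -ResultSize Unlimited |
                  Measure-Object).Count

        if ($wasEnabled -and $PSCmdlet.ShouldProcess($p.Name, 'Set AdditionalStorageProvidersAvailable to $false')) {
            Set-OwaMailboxPolicy -Identity $p.Name -AdditionalStorageProvidersAvailable:$false
        }

        [pscustomobject]@{
            Policy               = $p.Name
            WasEnabled           = $wasEnabled
            MailboxesUsingPolicy = $inUse
        }
    }
}

# Preview what would change, then apply and keep the audit table
Disable-OwaThirdPartyStorage -WhatIf
Disable-OwaThirdPartyStorage | Format-Table -AutoSize
```

Mailboxes with no explicit OwaMailboxPolicy use the default policy, so a count of zero against a non-default policy means it is safe to retire, while a non-zero count on a policy that still had the setting enabled is the gap this audit is meant to catch.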